Setting up HTTPS on a CentOS server
I. Environment
OS: CentOS Linux release 8.2.2004 (Core)
Hardware: a cloud server VM with a public IP address
II. Installation commands
1. Install nginx
yum install nginx
2. Generate and sign the certificates
Run the following commands in a working directory ($dir). You will be prompted for the certificate details; any values will do, but remember the password wherever one is requested.
Generate the server private key:
openssl genrsa -out server.key 2048
Generate the server public key:
openssl rsa -in server.key -pubout -out server.pem
Generate the client private key:
openssl genrsa -out client.key 2048
Generate the client public key:
openssl rsa -in client.key -pubout -out client.pem
Generate the CA certificate:
openssl genrsa -out ca.key 2048
openssl req -new -key ca.key -out ca.csr
openssl x509 -req -in ca.csr -signkey ca.key -out ca.crt
Generate the server and client certificates:
Server:
openssl req -new -key server.key -out server.csr
openssl x509 -req -CA ca.crt -CAkey ca.key -CAcreateserial -in server.csr -out server.crt
Client:
openssl req -new -key client.key -out client.csr
Request a signature from the CA:
openssl x509 -req -CA ca.crt -CAkey ca.key -CAcreateserial -in client.csr -out client.crt
3. Configure nginx
Running nginx -h shows that its configuration file is /etc/nginx/nginx.conf:
nginx -h
nginx version: nginx/1.14.1
Usage: nginx [-?hvVtTq] [-s signal] [-c filename]
             [-p prefix] [-g directives]

Options:
  -?,-h         : this help
  -v            : show version and exit
  -V            : show version and configure options then exit
  -t            : test configuration and exit
  -T            : test configuration, dump it and exit
  -q            : suppress non-error messages during configuration testing
  -s signal     : send signal to a master process: stop, quit, reopen, reload
  -p prefix     : set prefix path (default: /usr/share/nginx/)
  -c filename   : set configuration file (default: /etc/nginx/nginx.conf)
  -g directives : set global directives out of configuration file
Edit the configuration file with vim as shown below. Note that the certificate paths must be changed to wherever the certificates were generated in the step above (the /root directory is used here). After editing, test the configuration with nginx -t.
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;

# Load dynamic modules. See /usr/share/doc/nginx/README.dynamic.
include /usr/share/nginx/modules/*.conf;

events {
    worker_connections 1024;
}

http {
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';

    access_log /var/log/nginx/access.log main;

    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 2048;

    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    # Load modular configuration files from the /etc/nginx/conf.d directory.
    # See http://nginx.org/en/docs/ngx_core_module.html#include
    # for more information.
    include /etc/nginx/conf.d/*.conf;

    server {
        listen 443 ssl;
        server_name localhost;
        ssl_certificate /root/server.crt;        # path to the server certificate
        ssl_certificate_key /root/server.key;    # path to the server private key
        ssl_session_cache shared:SSL:1m;
        ssl_session_timeout 5m;
        ssl_ciphers HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers on;

        # Load configuration files for the default server block.
        location / {
            proxy_pass http://127.0.0.1:8887;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
        }

        error_page 404 /404.html;
        location = /40x.html {
        }

        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
        }
    }
}
4. Test HTTPS
(1) Start nginx:
nginx -c /etc/nginx/nginx.conf
(2) Start Python 3's lightweight HTTP server as the backend:
python3 -m http.server 8887
(3) Access it from a program:
import requests
# verify=False disables certificate checking so the self-signed certificate is accepted;
# passing verify='/root/ca.crt' instead would check the chain against the CA created above.
a = requests.get('https://x.x.x.x/', verify=False)
print(a.text)
To access the site from a browser, the certificate must be added to the system trust store.
Reference: https://www.jianshu.com/p/57066821b863