Installing nginx on RedHat 6.6 and configuring HTTPS
1. Install the dependency packages (PCRE for location regexes, OpenSSL for the ssl module, zlib for gzip)
yum -y install pcre-devel openssl-devel zlib-devel
2. Download the nginx source tarball to the server; the version used here is nginx-1.15.5.tar.gz. This is an old mainline release; nginx.org publishes a detached PGP signature (.tar.gz.asc) next to every tarball, so verify it before building rather than trusting a plain-HTTP download.
wget http://nginx.org/download/nginx-1.15.5.tar.gz
tar -xvf nginx-1.15.5.tar.gz
cd nginx-1.15.5        # the extracted directory, not the .tar.gz file as the original had it
./configure --sbin-path=/usr/local/sbin/nginx --with-http_stub_status_module --with-http_ssl_module --with-threads --with-stream
make -j2
make install
Note that --sbin-path names the binary itself. The original passed the directory /usr/local/sbin; that only works by accident, because the directory already exists and make install's cp drops the file inside it. With no --prefix the rest of the install (conf, logs, html) goes under /usr/local/nginx.
3. Configure nginx.conf and set up the HTTP reverse proxy
server {
    listen 80;
    server_name 192.168.1.100;          # host name or IP only; the port belongs to listen, "192.168.1.100:80" never matches
    location / {
        root html;
        index index.html index.htm;
    }
    location /java {
        proxy_pass http://192.168.1.101:8090/java;
    }
}
Run nginx -t to check the configuration file; once it reports no errors, start nginx. If it complains that the configuration file does not exist, pass -c (lowercase; -C is not an nginx option) with the path of the file, e.g. nginx -t -c /usr/local/nginx/conf/nginx.conf and then nginx -c /usr/local/nginx/conf/nginx.conf, /usr/local/nginx being the default prefix of the build above.
4. Configure HTTPS on Tomcat; Tomcat generates its certificate into a keystore with keytool
keytool -genkey -alias tomcat -keyalg RSA -sigalg SHA256withRSA -keysize 4096 -keystore ./cert/.keystore
Answer the prompts; assume the password is 123456. The original used -sigalg SHA1withRSA; SHA-1 certificate signatures are rejected by current browsers and Java clients, so sign with SHA256withRSA. keytool writes the keystore relative to the current directory, while server.xml below references /cert/.keystore, so either run this from / or give the absolute path.
# Edit the server.xml file in Tomcat's conf directory and uncomment the HTTPS connector below the comment "Define a SSL HTTP/1.1 Connector on port 8443"
# Add the keystore file and password; the final configuration looks roughly like this (this setup uses port 8445 instead of the template's 8443)
<Connector port="8445" maxHttpHeaderSize="8192"
           maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
           enableLookups="false" disableUploadTimeout="true"
           acceptCount="100" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           keystoreFile="/cert/.keystore" keystorePass="123456"/>
The keystore password now sits in clear text in server.xml, so keep that file and the keystore readable only by the account Tomcat runs as.
If you also need to verify the peer's certificate, import the peer's certificate into the keystore from step 4:
keytool -import -v -file /ias.cer -keystore /cert/.keystore
(The original gave /conf/.keystore here; the keystore created in step 4 and referenced by server.xml is /cert/.keystore. Without -alias the entry is stored under the default alias "mykey", so a second import needs an explicit -alias.) Then edit server.xml and add the "truststoreFile" and "truststorePass" attributes; the final configuration looks roughly like this:
<Connector port="8445" maxHttpHeaderSize="8192"
           maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
           enableLookups="false" disableUploadTimeout="true"
           acceptCount="100" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           keystoreFile="/cert/.keystore" keystorePass="123456"
           truststoreFile="/cert/.keystore" truststorePass="123456"/>
Two caveats. The connector's truststore is only consulted when Tomcat asks the client for a certificate, and with clientAuth="false" it never does, so as written the import changes nothing; set clientAuth="true" (or "want") for the peer certificate check to actually be enforced. Second, reusing one file as both keystore and truststore works, but every entry in it, Tomcat's own key entry included, then becomes a trust anchor; a separate truststore containing only the peer's certificate is cleaner.
5. Configure the HTTPS certificate for nginx
mkdir /cert
cd /cert
openssl version
OpenSSL 1.0.1e-fips 11 Feb 2013
# Create the server private key (nginx reads it at startup, so lock it down: chmod 600 server.key)
openssl genrsa -out server.key 4096
# Create the certificate signing request (CSR); at the prompts, the Common Name must be the address clients connect to, here 192.168.1.100
openssl req -new -key server.key -out server.csr
# Strip the passphrase so nginx can start unattended. genrsa above was run without -des3/-aes256, so the key is already
# unencrypted and these two commands are a no-op; they are only needed if you generated an encrypted key.
cp server.key server.key.org
openssl rsa -in server.key.org -out server.key
# Self-sign the CSR with the private key above: a certificate valid for five years, issued by itself
openssl x509 -req -days 1825 -in server.csr -signkey server.key -out server.crt
# nginx HTTPS configuration
server {
    listen 443 ssl;
    server_name 192.168.1.100;          # no port here either
    ssl_certificate /cert/server.crt;
    ssl_certificate_key /cert/server.key;
    ssl_session_timeout 5m;
    ssl_protocols TLSv1.2;              # the original had "TLSv1", which allows TLS 1.0 only
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    location /java {
        proxy_pass https://192.168.1.101/javatest;
    }
}
Three points to check before going live. ssl_protocols TLSv1, as in the original, limits the server to the deprecated TLS 1.0, which current browsers refuse; OpenSSL 1.0.1e already supports TLS 1.2, so TLSv1.2 is the right value here (TLSv1.3 needs nginx built against OpenSSL 1.1.1 or later). proxy_pass https://192.168.1.101/javatest connects to port 443 of the backend, whereas the Tomcat connector from step 4 listens on 8445, so add the port if that connector is the intended upstream. Finally, nginx does not verify the upstream certificate by default (proxy_ssl_verify is off), so the hop to Tomcat is encrypted but the backend is not authenticated; to fix that, export Tomcat's certificate in PEM form (keytool -exportcert -rfc -alias tomcat -keystore /cert/.keystore) into a file and point proxy_ssl_trusted_certificate at it with proxy_ssl_verify on.
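The whole of step 5 in one script, as an added example that is not part of the original post. It generates the key and self-signed certificate for nginx non-interactively, signs with SHA-256, adds a subjectAltName for the IP (assumed to be the post's 192.168.1.100; without a SAN, Chrome and other current clients reject the certificate even after the user trusts it), and checks that the certificate really belongs to the key before the paths go into nginx.conf. The function names and the san.cnf file are my own; the script needs only the openssl command line and also works on the post's OpenSSL 1.0.1e, which lacks the newer -addext shortcut.

```bash
#!/bin/bash
# Added example (not from the original post): self-signed server certificate for
# nginx, generated the way step 5 does but non-interactively, with a SHA-256
# signature, a subjectAltName for the IP, and a key/cert consistency check.
# Assumptions: the openssl CLI is installed; 192.168.1.100 is the post's example IP.
set -eu

# Minimal openssl config so the SAN works on OpenSSL 1.0.x too
# (the -addext shortcut only exists from OpenSSL 1.1.1).
write_req_config() {            # $1 = config path, $2 = IP address
    local ip="$2"
    cat > "$1" <<EOF
[req]
distinguished_name = dn
prompt = no
x509_extensions = v3_server
[dn]
CN = $ip
[v3_server]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = IP:$ip
EOF
}

# Generate server.key and server.crt in $1 for address $2, valid $3 days.
gen_selfsigned() {              # $1 = output dir, $2 = IP, $3 = days (default 1825)
    local dir="$1" ip="$2" days="${3:-1825}"
    mkdir -p "$dir"
    write_req_config "$dir/san.cnf" "$ip"
    # No -des3/-aes256, so the key is unencrypted from the start (nginx reads it
    # at startup without a passphrase); umask 077 keeps it owner-readable only.
    (umask 077; openssl genrsa -out "$dir/server.key" 2048 2>/dev/null)
    # CSR and self-signature in one step; -sha256 avoids the SHA-1 default of
    # old OpenSSL builds, -extensions applies the SAN section above.
    openssl req -new -x509 -sha256 -days "$days" -key "$dir/server.key" \
        -out "$dir/server.crt" -config "$dir/san.cnf" -extensions v3_server 2>/dev/null
}

# Succeed when the certificate's public key belongs to the private key
# (classic modulus comparison); fail otherwise.
cert_matches_key() {            # $1 = cert, $2 = key
    local c k
    c=$(openssl x509 -noout -modulus -in "$1" | openssl dgst -sha256)
    k=$(openssl rsa -noout -modulus -in "$2" 2>/dev/null | openssl dgst -sha256)
    [ "$c" = "$k" ]
}

# Print the certificate's signature algorithm, e.g. sha256WithRSAEncryption.
cert_sig_alg() {                # $1 = cert
    openssl x509 -noout -text -in "$1" | awk '/Signature Algorithm/ {print $3; exit}'
}

# Succeed when the certificate carries the given IP in its subjectAltName.
cert_has_san_ip() {             # $1 = cert, $2 = IP
    openssl x509 -noout -text -in "$1" | grep -q "IP Address:$2"
}

main() {                        # $1 = output dir, $2 = IP, [$3 = days]
    gen_selfsigned "$1" "$2" "${3:-1825}"
    cert_matches_key "$1/server.crt" "$1/server.key" || { echo "key/cert mismatch" >&2; return 1; }
    echo "signature: $(cert_sig_alg "$1/server.crt")"
    # The two directives to paste into the nginx server block.
    echo "ssl_certificate     $1/server.crt;"
    echo "ssl_certificate_key $1/server.key;"
}

if [ $# -ge 2 ]; then
    main "$@"
else
    echo "usage: $0 <outdir> <ip> [days]   e.g. $0 /cert 192.168.1.100 1825" >&2
fi
```

Run it as ./mkcert.sh /cert 192.168.1.100 and paste the two printed directives into the server block. The key size is 2048 bits rather than the post's 4096 to keep handshakes cheap; raise it if policy requires. Because the certificate is self-signed, clients still have to trust it explicitly, and nginx itself would need proxy_ssl_trusted_certificate pointing at the Tomcat certificate to verify the upstream in the same way.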
Make a little progress every day.