Generating HTTPS Keys for Nginx
System environment
    # nginx version
    nginx -V
    nginx version: nginx/1.18.0 (Ubuntu)
    built with OpenSSL 1.1.1f 31 Mar 2020
    TLS SNI support enabled
    configure arguments: --with-http_ssl_module # must be present for HTTPS support

    # openssl version
    openssl version
    OpenSSL 1.1.1f 31 Mar 2020
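Generating the HTTPS key
Main commands
    # 1. Generate a passphrase-protected 2048-bit RSA private key
    openssl genrsa -des3 -out server.key 2048
    # 2. Create a certificate signing request from that key
    openssl req -new -key server.key -out server.csr
    # 3. Keep the encrypted key as a backup, then write a passphrase-free copy
    cp server.key server.key.org
    openssl rsa -in server.key.org -out server.key
    # 4. Self-sign the request to get a certificate valid for 365 days
    openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt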
Running the script
    mkdir -p /etc/nginx/ssl
    cd /etc/nginx/ssl

    # Generate server.key
    openssl genrsa -des3 -out server.key 2048
    Generating RSA private key, 2048 bit long modulus (2 primes)
    ...................+++++
    .............................................................................................................................+++++
    e is 65537 (0x010001)
    Enter pass phrase for server.key: # enter a passphrase
    Verifying - Enter pass phrase for server.key: # confirm the passphrase

    # Generate server.csr
    openssl req -new -key server.key -out server.csr
    Enter pass phrase for server.key: # enter the passphrase for server.key
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [AU]:CN # enter the country
    State or Province Name (full name) [Some-State]:GuangDong # enter the province
    Locality Name (eg, city) []:ZhuHai # enter the city
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:com # enter the organization name
    Organizational Unit Name (eg, section) []: # just press Enter
    Common Name (e.g. server FQDN or YOUR name) []: # just press Enter
    Email Address []:123 # enter an email address
    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []: # just press Enter
    An optional company name []: # just press Enter

    cp server.key server.key.org # back up server.key
    openssl rsa -in server.key.org -out server.key # write server.key without a passphrase
    Enter pass phrase for server.key.org: # enter the passphrase for server.key
    writing RSA key

    # Self-sign the CSR to produce server.crt
    openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
    Signature ok
    subject=C = Cn, ST = GuangDong, L = ZhuHai, O = com, emailAddress = 123
    Getting Private key

    ls
    server.crt server.csr server.key server.key.org
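The steps above leave an unencrypted server.key on disk, so the file mode is its only protection, and nginx will refuse to start if the key and certificate do not belong together. The following is an added example, not part of the original post: it produces the same kind of key and self-signed certificate without prompts and checks both conditions. The function names, the `localhost` subject and the SAN entry are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Function names, the subject
# and the SAN value are assumptions chosen for illustration.

# make_selfsigned DIR CN
# One-step equivalent of genrsa + req + x509 -signkey: writes an unencrypted
# DIR/server.key and a 365-day self-signed DIR/server.crt without prompting.
make_selfsigned() (
    dir=$1 cn=$2
    umask 077                       # files are owner-only from creation
    mkdir -p "$dir" || exit 1
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/CN=$cn" -addext "subjectAltName=DNS:$cn" \
        -keyout "$dir/server.key" -out "$dir/server.crt" 2>/dev/null || exit 1
    chmod 600 "$dir/server.key"
)

# pair_matches KEY CRT
# Succeeds only when CRT carries the public half of KEY. "-passin pass:"
# makes an encrypted key (such as server.key.org) fail instead of prompting.
pair_matches() {
    kpub=$(openssl pkey -in "$1" -passin pass: -pubout 2>/dev/null) || return 2
    cpub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 2
    [ -n "$kpub" ] && [ "$kpub" = "$cpub" ]
}

# key_is_private KEY
# Succeeds when KEY exists and neither group nor others can read it.
key_is_private() {
    [ -f "$1" ] && [ -z "$(find "$1" \( -perm -040 -o -perm -004 \) -print)" ]
}

# Usage (paths taken from the page):
#   make_selfsigned /etc/nginx/ssl localhost
#   pair_matches   /etc/nginx/ssl/server.key /etc/nginx/ssl/server.crt && echo "pair ok"
#   key_is_private /etc/nginx/ssl/server.key || echo "tighten key permissions"
```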
Configuring Nginx
Configure ports 80 and 443
    server {
        listen 80;

        location = / {
            proxy_pass http://localhost:7080/index.html;
        }
        location / {
            proxy_pass http://localhost:7080;
        }
    }

    server {
        listen 443 ssl;

        # Paths are relative to the nginx configuration directory (/etc/nginx)
        ssl_certificate ssl/server.crt;
        ssl_certificate_key ssl/server.key;

        # TLSv1 and TLSv1.1 are deprecated (RFC 8996) and are not enabled
        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;
        ssl_prefer_server_ciphers on;

        location = / {
            proxy_pass http://localhost:7080/index.html;
        }
        location / {
            proxy_pass http://localhost:7080;
        }
    }
Access through a browser
http://localhost/index.html
https://localhost/index.html