RedHat7配置Nginx实现多域名虚拟主机的SSL/TLS认证(实现单IP以不同证书服务于不同域名)
以RedHat7(64bit)平台为例
如果RedHat源没法用,可以使用EPEL源。另外,下文的各个源码包(keepalived、jemalloc、LuaJIT、ngx_devel_kit、lua-nginx-module、ngx_cache_purge、nginx)都是直接下载后编译使用,没有核对签名或校验和,实际部署前应按官方发布的校验值验证。
# rpm -Uvh https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
# yum makecache
# yum install gcc --enablerepo=epel (指定使用epel源)
IP信息清单:
Nginx_Master: 192.168.136.201 提供负载均衡
Nginx_BackUp: 192.168.136.202 负载均衡备机
Nginx_VIP: 192.168.136.200 网站的 VIP 地址(虚拟 IP)
1.安装Keepalived(Nginx主从双机热备)
- 安装依赖库
# yum install -y wget gcc openssl-devel popt-devel - 下载解压Keepalived
# cd /usr/local/src
# wget http://www.keepalived.org/software/keepalived-1.2.19.tar.gz
# tar -zxvf keepalived-1.2.19.tar.gz && cd keepalived-1.2.19 - 编译安装Keepalived
# ./configure --sysconf=/etc
# make && make install
# ln -s /usr/local/sbin/keepalived /usr/sbin/keepalived - 修改配置文件
# vi /etc/keepalived/keepalived.conf
主Nginx server上的keepalived.conf文件(注意:VRRP 的 auth_type PASS 口令在网络上是明文传输的,示例中的 1111 仅作演示,不能当作安全防护手段;生产环境应把 VRRP 流量限制在可信网段内)
! Configuration File for keepalived global_defs { notification_email { admin@example.com } notification_email_from admin@example.com smtp_server 127.0.0.1 smtp_connect_timeout 30 router_id LVS_DEVEL } vrrp_script check_run { script "/usr/local/bin/check_nginx.sh" interval 2
weight 2 } vrrp_instance VI_1 { state MASTER interface eno16777728 virtual_router_id 51 priority 100 advert_int 1 authentication { auth_type PASS auth_pass 1111 } track_script { check_run } virtual_ipaddress { 192.168.136.200 } }备Nginx server上的keepalived.conf文件
! Configuration File for keepalived global_defs { notification_email { admin@example.com } notification_email_from admin@example.com smtp_server 127.0.0.1 smtp_connect_timeout 30 router_id LVS_DEVEL } vrrp_script check_run { script "/usr/local/bin/check_nginx.sh" interval 5 } vrrp_instance VI_1 { state BACKUP interface eno16777728 virtual_router_id 51 priority 99 advert_int 1 authentication { auth_type PASS auth_pass 1111 } track_script { check_run } virtual_ipaddress { 192.168.136.200 } }
# vi /usr/local/bin/check_nginx.sh
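# chmod +x /usr/local/bin/check_nginx.sh
#!/bin/bash
#
# check_nginx.sh - keepalived vrrp_script health check for nginx.
#
# If no nginx master process exists, try to start the service once; if it
# is still missing five seconds later, stop keepalived so that the VIP
# fails over to the other node.
#
# Arguments: none.
# Exit status: 0 when nginx is (or becomes) running, otherwise the status
#              of the last service command.

# True when an nginx master process exists. pgrep matches against the
# full command line and never reports itself, so the "grep -v grep"
# filter of the ps|grep form is not needed.
nginx_running() {
  pgrep -f 'nginx: master process' >/dev/null 2>&1
}

if ! nginx_running; then
  service nginx start
  # give the master time to fork before checking again
  sleep 5
  if ! nginx_running; then
    # nginx could not be brought back: take this node out of VRRP
    service keepalived stop
  fi
fi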
- 设置Keepalived服务开机自启动并启动服务
# chkconfig keepalived on
# service keepalived start
2.安装Nginx代理服务器步骤
- 安装jemalloc(更好的内存管理)
# yum -y install bzip2
# cd /usr/local/src # wget http://www.canonware.com/download/jemalloc/jemalloc-4.0.4.tar.bz2 # tar -jxvf jemalloc-4.0.4.tar.bz2 && cd jemalloc-4.0.4 # ./configure # make && make install # echo '/usr/local/lib' > /etc/ld.so.conf.d/local.conf # ldconfig - lua-nginx-module模块(Nginx支持lua语法的模块)
lua-nginx-module来自大牛agentzh的开源项目,在Nginx中嵌入Lua语言,使之可以支持强大Lua语法
1. 下载LuaJIT2.0并安装 # cd /usr/local/src # wget http://luajit.org/download/LuaJIT-2.0.4.tar.gz # tar -zxvf LuaJIT-2.0.4.tar.gz && cd LuaJIT-2.0.4 # make && make install
# ln -s /usr/local/lib/libluajit-5.1.so.2 /lib64/libluajit-5.1.so.2
2. 导入环境变量
# export LUAJIT_LIB=/usr/local/lib
# export LUAJIT_INC=/usr/local/include/luajit-2.0
3. 下载并解压ngx_devel_kit和lua-nginx-module
# cd /usr/local/src
# curl -L https://codeload.github.com/simpl/ngx_devel_kit/tar.gz/v0.2.19 -o ngx_devel_kit-0.2.19.tar.gz
# tar -zxvf ngx_devel_kit-0.2.19.tar.gz # curl -L https://codeload.github.com/openresty/lua-nginx-module/tar.gz/v0.9.20rc2 -o lua-nginx-module-0.9.20rc2.tar.gz
# tar -zxvf lua-nginx-module-0.9.20rc2.tar.gz - ngx_cache_purge模块(Nginx清除缓存的模块)
# cd /usr/local/src # wget http://labs.frickle.com/files/ngx_cache_purge-2.3.tar.gz # tar -zxvf ngx_cache_purge-2.3.tar.gz
- 安装Nginx
# yum -y install pcre-devel openssl-devel zlib-devel
# wget http://nginx.org/download/nginx-1.9.9.tar.gz # tar -zxvf nginx-1.9.9.tar.gz && cd nginx-1.9.9 # ./configure \ --sbin-path=/usr/local/nginx/nginx \--pid-path=/var/run/nginx.pid \ --user=nginx \ --group=nginx \
--http-client-body-temp-path=/usr/local/nginx/cache/client_body_temp \
--http-proxy-temp-path=/usr/local/nginx/cache/proxy_temp \
--http-fastcgi-temp-path=/usr/local/nginx/cache/fastcgi_temp \
--http-uwsgi-temp-path=/usr/local/nginx/cache/uwsgi_temp \
--http-scgi-temp-path=/usr/local/nginx/cache/scgi_temp \ --with-http_ssl_module \ --with-http_stub_status_module \ --with-threads \ --with-stream \ --with-stream_ssl_module \ --with-ipv6 \ --with-http_v2_module \ --add-module=../ngx_cache_purge-2.3 \ --add-module=../lua-nginx-module-0.9.20rc2 \ --add-module=../ngx_devel_kit-0.2.19 \ --with-ld-opt='-ljemalloc' \ --with-cc-opt='-O2 -g -pipe -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic'
# make -j2 && make install
# mkdir /usr/local/nginx/cache
# ln -s /usr/local/nginx/nginx /usr/sbin/nginx (创建nginx可执行程序软链接)
#nginx -V - 创建Nginx启动脚本
# vi /etc/init.d/nginx
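#!/bin/sh
#
# nginx - this script starts and stops the nginx daemon
#
# chkconfig:   - 85 15
# description: NGINX is an HTTP(S) server, HTTP(S) reverse \
#              proxy and IMAP/POP3 proxy server
# processname: nginx
# config:      /usr/local/nginx/conf/nginx.conf
# config:      /etc/sysconfig/nginx
# pidfile:     /var/run/nginx.pid
#
# Actions: start|stop|status|restart|condrestart|try-restart|reload|
#          force-reload|configtest
# Exit codes: 2 usage, 5 binary not executable, 6 config file missing,
#             7 reload requested while not running; otherwise the status
#             of the daemon/killproc helpers from init.d/functions.

# Source function library.
. /etc/rc.d/init.d/functions

# Source networking configuration.
. /etc/sysconfig/network

# Check that networking is up.
[ "$NETWORKING" = "no" ] && exit 0

nginx="/usr/local/nginx/nginx"
prog=$(basename "$nginx")

NGINX_CONF_FILE="/usr/local/nginx/conf/nginx.conf"

# Optional per-host overrides of the variables above.
[ -f /etc/sysconfig/nginx ] && . /etc/sysconfig/nginx

lockfile=/var/lock/subsys/nginx

# Create the nginx user and every *-temp-path directory recorded in the
# binary's configure arguments, so a fresh install can start.
make_dirs() {
    # --user=<name> from "nginx -V". If the pattern does not match, sed
    # hands back the whole "configure arguments:" line; fall back to the
    # user this build was configured with.
    user=$("$nginx" -V 2>&1 | grep "configure arguments:" | sed 's/[^*]*--user=\([^ ]*\).*/\1/g' -)
    case "$user" in
        ""|*" "*|*configure*) user=nginx ;;
    esac
    # id(1) checks for that exact account; grepping /etc/passwd would also
    # match any line that merely contains the name as a substring.
    if ! id "$user" >/dev/null 2>&1; then
        useradd -r -M -s /sbin/nologin "$user"
    fi
    options=$("$nginx" -V 2>&1 | grep 'configure arguments:')
    # Word-splitting on $options is intended: each configure argument
    # becomes one word. Quoted arguments such as --with-cc-opt='...' split
    # as well, but none of their fragments match *-temp-path=*.
    # shellcheck disable=SC2086
    for opt in $options; do
        case "$opt" in
            *-temp-path=*)
                value=${opt#*=}
                if [ ! -d "$value" ]; then
                    mkdir -p "$value" && chown -R "$user" "$value"
                fi
                ;;
        esac
    done
}

start() {
    [ -x "$nginx" ] || exit 5
    [ -f "$NGINX_CONF_FILE" ] || exit 6
    make_dirs
    echo -n $"Starting $prog: "
    daemon "$nginx" -c "$NGINX_CONF_FILE"
    retval=$?
    echo
    [ $retval -eq 0 ] && touch "$lockfile"
    return $retval
}

stop() {
    echo -n $"Stopping $prog: "
    # QUIT asks nginx for a graceful shutdown (in-flight requests finish).
    killproc "$prog" -QUIT
    retval=$?
    echo
    [ $retval -eq 0 ] && rm -f "$lockfile"
    return $retval
}

restart() {
    configtest || return $?
    stop
    sleep 1
    start
}

reload() {
    configtest || return $?
    echo -n $"Reloading $prog: "
    # HUP makes the master re-read the configuration and spawn new workers.
    killproc "$nginx" -HUP
    retval=$?
    echo
    # propagate killproc's status so a failed reload is reported as such
    return $retval
}

force_reload() {
    restart
}

configtest() {
    "$nginx" -t -c "$NGINX_CONF_FILE"
}

rh_status() {
    status "$prog"
}

rh_status_q() {
    rh_status >/dev/null 2>&1
}

case "$1" in
    start)
        rh_status_q && exit 0
        $1
        ;;
    stop)
        rh_status_q || exit 0
        $1
        ;;
    restart|configtest)
        $1
        ;;
    reload)
        rh_status_q || exit 7
        $1
        ;;
    force-reload)
        force_reload
        ;;
    status)
        rh_status
        ;;
    condrestart|try-restart)
        # restart only if nginx is currently running; without the explicit
        # restart call these two actions were no-ops.
        rh_status_q || exit 0
        restart
        ;;
    *)
        echo $"Usage: $0 {start|stop|status|restart|condrestart|try-restart|reload|force-reload|configtest}"
        exit 2
esac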
- 设置Nginx服务开机自启动并启动服务
# chmod +x /etc/init.d/nginx # chkconfig nginx on
# service nginx start - 开通http,https防火墙端口
# firewall-cmd --permanent --add-service={http,https} # firewall-cmd --reload
- 在浏览器中测试Nginx
3.生成SSL证书步骤
- 创建证书存放目录并切换到该目录
# mkdir -p /usr/local/nginx/conf/ssl && cd /usr/local/nginx/conf/ssl
使用openssl生成服务器证书
假设我们有两个站点linux.example.com,windows.example.com
Domain UpStream Servers System
-------------------------- ---------------------------- ---------------------------------------------------------------- -------------------
linux.example.com linux.example.com 192.168.136.101,192.168.136.102,192.168.136.103 Linux
windows.example.com windows.example.com 192.168.136.104,192.168.136.105 Windows
以linux.example.com为例,生成服务器证书
- 生成服务器端的私钥(key文件)(示例中的1024位已低于当前对RSA密钥长度的最低要求,实际部署请使用2048位或更长)
# openssl genrsa -des3 -out linux.example.com.key 1024
Generating RSA private key, 1024 bit long modulus ...........++++++ .....................++++++ e is 65537 (0x10001) Enter pass phrase for linux.example.com.key: <口令>
Verifying - Enter pass phrase for linux.example.com.key: <确认口令> - 创建证书签名请求Certificate Signing Request (CSR)
# SUBJECT="/C=CN/ST=China/L=Shanghai/O=example.com/OU=example.com/CN=linux.example.com"
# openssl req -new -subj $SUBJECT -key linux.example.com.key -out linux.example.com.csr
Enter pass phrase for linux.example.com.key: <确认口令>
- 清除重启Nginx服务时提示必须输入密钥(去除口令后私钥以明文保存在磁盘上,须限制该文件的权限,仅允许root读取)
# mv linux.example.com.key linux.example.com.origin.key
# openssl rsa -in linux.example.com.origin.key -out linux.example.com.key - 使用刚生成的私钥和CSR创建自签名的CA证书
# openssl x509 -req -days 3650 -in linux.example.com.csr -signkey linux.example.com.key -out linux.example.com.crt - 使用刚生成的私钥和CSR创建自签名的CA证书(实际是用站点私钥自签的服务器证书,并非由CA签发,客户端默认不会信任,仅适合测试环境) - 重复上面操作,生成windows.example.com证书
创建Nginx配置文件
- 创建upstream配置文件
# mkdir /usr/local/nginx/conf/upstreams && cd /usr/local/nginx/conf/upstreams
# vi linux.example.com.conf
# Upstream groups for the two sites. The group names equal the vhost
# server_name values, so "proxy_pass http://linux.example.com;" in a site
# file selects the group instead of resolving the name through DNS.
# ip_hash pins each client address to one backend (session affinity);
# clients sharing a NAT address all land on the same server.
upstream linux.example.com {
    ip_hash;
    server 192.168.136.101:80;
    server 192.168.136.102:80;
    server 192.168.136.103:80;
}
upstream windows.example.com {
    ip_hash;
    server 192.168.136.104:80;
    server 192.168.136.105:80;
}
- 安装nginx_ensite工具
# cd /usr/local/src
# yum -y install git
# git clone https://github.com/perusio/nginx_ensite.git && cd nginx_ensite
# make install
修改nginx_ensite脚本
# vi /usr/local/bin/nginx_ensite
#!/bin/bash
### nginx_ensite --- Bash script to enable or disable a site in nginx.

### Copyright (C) 2010, 2015 António P. P. Almeida <appa@perusio.net>

### Author: António P. P. Almeida <appa@perusio.net>

### Permission is hereby granted, free of charge, to any person obtaining a
### copy of this software and associated documentation files (the "Software"),
### to deal in the Software without restriction, including without limitation
### the rights to use, copy, modify, merge, publish, distribute, sublicense,
### and/or sell copies of the Software, and to permit persons to whom the
### Software is furnished to do so, subject to the following conditions:

### The above copyright notice and this permission notice shall be included in
### all copies or substantial portions of the Software.

### Except as contained in this notice, the name(s) of the above copyright
### holders shall not be used in advertising or otherwise to promote the sale,
### use or other dealings in this Software without prior written authorization.

### THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
### IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
### FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
### THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
### LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
### FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
### DEALINGS IN THE SOFTWARE.

## Usage: nginx_ensite [-c <conf dir>] [-s <startup program>] <site name>
##        nginx_dissite [-c <conf dir>] [-s <startup program>] <site name>
## The action (enable or disable) is derived from the name the script is
## invoked as, so one file is installed under both names.
## Exit codes: 0 done / already enabled, 1 nginx binary not found,
## 2 unknown action, 3 bad argument count or missing conf dir,
## 4 bad option, 5 "nginx -t" failed, 6 site file not found,
## 7 site not enabled.

SCRIPTNAME=${0##*/}

## The nginx binary. Check if we're root or not. If we are get the
## path to nginx. If not hardcode the path.
## Note the asymmetry: as root STATUS stays unset until "nginx -t"
## succeeds further down; as non-root STATUS is preset to 0 and no
## configuration test is run at all.
if [ $(id -u) -eq 0 ]; then
    IS_ROOT=1
    NGINX=$(command -v nginx) || exit 1
else
    STATUS=0
    NGINX=/usr/sbin/nginx
fi

## Default value for the configuration directory (this build keeps its
## configuration under /usr/local/nginx/conf).
NGINX_CONF_DIR=/usr/local/nginx/conf

function print_usage() {
    echo "$SCRIPTNAME [-c <nginx configuration base directory> default: /usr/local/nginx/conf] [ -s <startup program name> default: nginx] <site name>"
}

## Extract the startup program name from a given argument. If it's a
## path to nginx then add the '-s reload' to the name. Otherwise just
## return the given argument.
## $1: the program name.
## Returns the proper startup program name,
function get_startup_program_name() {
    local value="$1"
    [[ $1 =~ [[:alnum:]/-]*nginx$ ]] && value="$1 -s reload"
    echo "$value"
}

## The default start up program is nginx.
STARTUP_PROGRAM_NAME=$(get_startup_program_name nginx)

## Create the relative path to the vhost file.
## $1: configuration file name (usually the vhost)
## $2: available sites directory name (usually sites-available)
## Returns the relative path from the sites-enabled directory.
## For a plain site name (no '/'): ${1//[^\/]/} keeps only the slashes of
## $1 (none), "expr length" gives 0, {0..0} expands to a single word that
## the '%.0s' conversion swallows, so the result is "../<$2>/<$1>".
## NOTE(review): printf reuses the format for every three arguments, so a
## site name that contains '/' does not yield a usable path -- verify
## before relying on nested names.
function make_relative_path() {
    printf '../%.0s%s/%s' $(eval echo {0..$(expr length "${1//[^\/]/}")}) $2 $1
}

## Checking the type of action we will perform. Enabling or disabling.
ACTION=$(echo $SCRIPTNAME | awk '$0 ~ /dissite/ {print "DISABLE"} $0 ~ /ensite/ {print "ENABLE"} $0 !~ /(dis|en)site/ {print "UNKNOWN"}')

if [ "$ACTION" == "UNKNOWN" ]; then
    echo "$SCRIPTNAME: Unknown action!" >&2
    print_usage
    exit 2
fi

## Check the number of arguments.
if [ $# -lt 1 -o $# -gt 5 ]; then
    print_usage >&2
    exit 3
fi

## Parse the getops arguments.
while getopts c:s: OPT; do
    case $OPT in
        c|+c)
            ## The -c value is resolved to an absolute path with realpath(1)
            ## before the directory check, so realpath must be installed.
            NGINX_CONF_DIR=$(realpath "$OPTARG")
            if [[ ! -d $NGINX_CONF_DIR ]]; then
                echo "$NGINX_CONF_DIR directory not found." >&2
                exit 3
            fi
            ;;
        s|+s)
            STARTUP_PROGRAM_NAME=$(get_startup_program_name "$OPTARG")
            ;;
        *)
            print_usage >&2
            exit 4
            ;;
    esac
done
shift $(( OPTIND - 1 ))
OPTIND=1

## The paths for both nginx configuration files and the sites
## configuration files and symbolic link destinations.
AVAILABLE_SITES_PATH="$NGINX_CONF_DIR/sites-available"
ENABLED_SITES_PATH="$NGINX_CONF_DIR/sites-enabled"

## Check the number of arguments.
if [ $# -ne 1 ]; then
    print_usage >&2
    exit 3
else
    ## Relative link target, e.g. ../sites-available/<site>.
    SITE_AVAILABLE=$(make_relative_path "$1" ${AVAILABLE_SITES_PATH##*/})
    ## If enabling the 'default' site then make sure that it's the
    ## first to be loaded.
    if [ "$1" == "default" ]; then
        SITE_ENABLED="$ENABLED_SITES_PATH/default"
    else
        SITE_ENABLED="$ENABLED_SITES_PATH/$1"
    fi
    ## Check if the directory where we will place the symlink
    ## exists. If not create it.
    [ -d ${SITE_ENABLED%/*} ] || mkdir -p ${SITE_ENABLED%/*}
fi

## Check that the file corresponding to site exists if enabling or
## that the symbolic link exists if disabling. Perform the desired
## action if possible. If not signal an error and exit.
case $ACTION in
    ENABLE)
        # Change to the directory where we will place the symlink so that we
        # see the relative path correctly.
        cd "${SITE_ENABLED%/*}";
        if [ -r $SITE_AVAILABLE ]; then
            ## Test for a well formed configuration only when we are
            ## root.
            ## This tests the configuration as it is now, before the new
            ## link exists, so it does not validate the site being enabled.
            if [ -n "$IS_ROOT" ]; then
                echo "Testing nginx configuration..."
                $NGINX -t && STATUS=0
            fi
            ## Check the config testing status and if the link exists already.
            ## "[ $STATUS ]" is true whenever STATUS is non-empty (the string
            ## "0"), false when it is unset; the string, not the number, is
            ## what is tested.
            if [ $STATUS ] && [ -h $SITE_ENABLED ]; then
                ## If already enabled say it and exit.
                echo "$1 is already enabled."
                exit 0
            else
                # Symlink if not yet enabled.
                # When the config test failed (STATUS unset) this branch runs
                # regardless, so the link is still created -- or ln reports
                # "File exists" -- before the exit 5 below.
                ln -s $SITE_AVAILABLE $SITE_ENABLED
            fi
            if [ $STATUS ]; then
                echo -n "Site $1 has been enabled."
                printf '\nRun "%s" to apply the changes.\n' "$STARTUP_PROGRAM_NAME"
                exit 0
            else
                exit 5
            fi
        else
            echo "Site configuration file $1 not found." >&2
            exit 6
        fi
        ;;
    DISABLE)
        if [ "$1" = "default" ] ; then
            if [ -h "$ENABLED_SITES_PATH/default" ] ; then
                SITE_ENABLED="$ENABLED_SITES_PATH/default"
            fi
        fi
        if [ -h $SITE_ENABLED ]; then
            rm $SITE_ENABLED
            echo -n "Site $1 has been disabled."
            printf '\nRun "%s" to apply the changes.\n' "$STARTUP_PROGRAM_NAME"
            exit 0
        else
            echo "Site $1 doesn't exist." >&2
            exit 7
        fi
        ;;
esac
- 创建sites-available目录并进入
# mkdir /usr/local/nginx/conf/sites-available && cd /usr/local/nginx/conf/sites-available - 创建站点配置文件
# vi no-default
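# Drop requests for unknown hosts
#
# If no default server is defined, nginx will use the first found server.
# To prevent host header attacks, or other potential problems when an unknown
# servername is used in a request, it's recommended to drop the request
# returning 444 "no response".
#
# default_server is a property of each listen socket. The site files also
# listen on [::]:80, so the IPv6 socket needs its own default_server entry;
# otherwise the first server{} that listens on [::]:80 answers unknown hosts
# there.
#
# NOTE(review): this only covers plain HTTP. Nothing in this guide marks a
# default_server on :443, so an unknown name over TLS is answered by
# whichever sites-enabled/* file is included first -- with that site's
# certificate. A catch-all 443 server would need a certificate of its own
# and is not shown here.
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    return 444;
}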
# vi linux.example.com
# linux.example.com vhost. Plain HTTP only redirects to HTTPS; TLS is
# terminated here and requests are proxied to the upstream group of the
# same name.
server {
    listen [::]:80;
    listen 80;
    server_name linux.example.com;
    # $host is taken from the request's Host header. With the no-default
    # catch-all enabled only requests whose Host matched server_name reach
    # this block; without it, unmatched hosts may also land here if this is
    # the first server on the socket -- verify that no-default is enabled.
    return 301 https://$host$request_uri;
}

server {
    listen [::]:443 ssl http2;
    listen 443 ssl http2;
    server_name linux.example.com;
    # "main" is the log_format declared in nginx.conf; relative paths are
    # resolved against the nginx prefix.
    access_log logs/linux.example.com.access.log main;
    error_log logs/linux.example.com.error.log error;
    location / {
        # Backend leg is plain http://, so the hop to the upstream servers
        # is not encrypted. Host / X-Real-IP / X-Forwarded-For headers are
        # set by proxy.conf, included at http level.
        proxy_pass http://linux.example.com;
    }
    # shared TLS settings: protocols, ciphers, HSTS header
    include ssl.conf;
    # Per-host certificate; this is what lets SNI select a different
    # certificate per server_name on the same IP address.
    ssl_certificate ssl/linux.example.com.crt;
    ssl_certificate_key ssl/linux.example.com.key;
}
# vi windows.example.com
# windows.example.com vhost. Plain HTTP only redirects to HTTPS; TLS is
# terminated here and requests are proxied to the upstream group of the
# same name.
server {
    listen [::]:80;
    listen 80;
    server_name windows.example.com;
    # $host is taken from the request's Host header. With the no-default
    # catch-all enabled only requests whose Host matched server_name reach
    # this block; without it, unmatched hosts may also land here if this is
    # the first server on the socket -- verify that no-default is enabled.
    return 301 https://$host$request_uri;
}

server {
    listen [::]:443 ssl http2;
    listen 443 ssl http2;
    server_name windows.example.com;
    # "main" is the log_format declared in nginx.conf; relative paths are
    # resolved against the nginx prefix.
    access_log logs/windows.example.com.access.log main;
    error_log logs/windows.example.com.error.log error;
    location / {
        # Backend leg is plain http://, so the hop to the upstream servers
        # is not encrypted. Host / X-Real-IP / X-Forwarded-For headers are
        # set by proxy.conf, included at http level.
        proxy_pass http://windows.example.com;
    }
    # shared TLS settings: protocols, ciphers, HSTS header
    include ssl.conf;
    # Per-host certificate; this is what lets SNI select a different
    # certificate per server_name on the same IP address.
    ssl_certificate ssl/windows.example.com.crt;
    ssl_certificate_key ssl/windows.example.com.key;
}
- 启用站点和禁用站点的方法
# nginx_ensite linux.example.com (启用站点)
# nginx_dissite linux.example.com (禁用站点) - 创建zone.conf配置文件
# vi /usr/local/nginx/conf/zone.conf
#1mb zone holds approx 16k sessions
#Connections per IP
# NOTE(review): the zones in this file (conPerIp here, reqPerSec* below)
# are only declared. None of the site files in this guide use limit_conn
# or limit_req, so no limit is enforced until a server or location block
# applies one of these zones.
limit_conn_zone $binary_remote_addr zone=conPerIp:5m;
# Fastcgi cache zones below
# At some point you'd probably want to change these paths to their own
# directory, for example to /var/cache/nginx/
fastcgi_cache_path /usr/local/nginx/cache/fastcgi_cache levels=1:1 keys_zone=fastcgi_cache:16m max_size=256m inactive=1d; limit_req_zone $binary_remote_addr zone=reqPerSec1:1m rate=1r/s; limit_req_zone $binary_remote_addr zone=reqPerSec10:1m rate=10r/s; limit_req_zone $binary_remote_addr zone=reqPerSec20:1m rate=20r/s; - 创建proxy.conf配置文件
# vi /usr/local/nginx/conf/proxy.conf
# Proxy defaults shared by every vhost; nginx.conf includes this file in the
# http {} block.
proxy_redirect off;
# Forward the original Host header and the client address to the backend.
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
# $proxy_add_x_forwarded_for appends $remote_addr to whatever X-Forwarded-For
# the client already sent, so only the last element is this proxy's own
# observation; backends must not trust the earlier entries.
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_connect_timeout 30;
proxy_send_timeout 30;
proxy_read_timeout 60;
proxy_buffer_size 256k;
proxy_buffers 4 256k;
proxy_busy_buffers_size 256k;
proxy_temp_file_write_size 256k;
# Conditions under which a request is passed on to the next backend.
# http_500 / http_503 / http_404 retry after a backend has already handled
# the request, so a non-idempotent request can reach a second server.
proxy_next_upstream error timeout invalid_header http_500 http_503 http_404;
proxy_max_temp_file_size 128m;
- 创建ssl.conf配置文件
# vi /usr/local/nginx/conf/ssl.conf
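# Shared TLS settings, included from each https server {} block.
#
# HSTS: 604800 s = 7 days. Without includeSubDomains/preload only this host
# name is pinned, and only after a client has completed one valid TLS
# connection. Note that add_header lines are inherited only into location
# blocks that declare no add_header of their own.
add_header Strict-Transport-Security 'max-age=604800';
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
ssl_prefer_server_ciphers on;
# TLS 1.0 and 1.1 are deprecated (RFC 8996); add "TLSv1 TLSv1.1" back to
# this line only if legacy clients must be served.
ssl_protocols TLSv1.2;
# Maximum secure cipher list from https://cipherli.st/. Not support some clients: IE6/XP, IE8/XP, Java 6u45, Java 7u25, OpenSSL 0.9.8y
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
# The EDH suites use nginx's built-in default DH parameters unless an
# ssl_dhparam directive points at a generated group; add one (or drop the
# EDH suites) before relying on them.
# Less secure cipher list from https://cipherli.st/. Not support some clients: IE6/XP, Java 6u45
#ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:ECDHE-RSA-AES128-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA128:DHE-RSA-AES128-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA128:ECDHE-RSA-AES128-SHA384:ECDHE-RSA-AES128-SHA128:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA128:DHE-RSA-AES128-SHA128:DHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA384:AES128-GCM-SHA128:AES128-SHA128:AES128-SHA128:AES128-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";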
- 创建gzip.conf配置文件(注意:下文给出的nginx.conf并没有 include 这个文件,需要在 http 段加入 include gzip.conf; 才会生效)
# vi /usr/local/nginx/conf/gzip.conf
# Response compression.
# NOTE(review): the nginx.conf shown in this guide includes proxy.conf,
# zone.conf, upstreams/*.conf and sites-enabled/* but not this file, so
# these directives are inactive until "include gzip.conf;" is added to the
# http {} block.
gzip on;
# also compress responses to HTTP/1.0 requests
gzip_http_version 1.0;
gzip_min_length 1100;
gzip_buffers 4 8k;
# which proxied responses may be compressed
gzip_proxied expired no-cache no-store private auth;
gzip_disable "msie6";
gzip_vary on;
# lowest level: cheapest on CPU, least compression
gzip_comp_level 1;
# Every site in this guide is served over TLS. Compressing a response that
# mixes a secret with input echoed from the request is the precondition for
# the BREACH class of attacks; text/html is always compressed by this
# module, so keep that in mind for dynamic pages.
gzip_types
    # text/html is always compressed by HttpGzipModule
    text/css
    text/javascript
    text/xml
    text/plain
    text/x-component
    application/javascript
    application/x-javascript
    application/json
    application/xml
    application/rss+xml
    application/atom+xml
    font/truetype
    font/opentype
    application/vnd.ms-fontobject
    image/svg+xml;
- 修改nginx.conf配置文件
# vi /usr/local/nginx/conf/nginx.conf
user nginx; worker_processes auto; worker_rlimit_nofile 8192; events { worker_connections 8000; } error_log logs/error.log warn; http { include mime.types; default_type text/html; server_tokens off; msie_padding off; max_ranges 0; charset utf-8; reset_timedout_connection on; keepalive_disable none; sendfile on; tcp_nopush on; tcp_nodelay off; keepalive_requests 20; log_format main '$remote_addr $scheme://$host $remote_user [$time_local] "$request" ' '$status $body_bytes_sent "$http_referer" ' '"$http_user_agent" $request_time $upstream_addr $upstream_cache_status'; log_subrequest on; variables_hash_max_size 1024; map_hash_max_size 2048; server_names_hash_max_size 1024; types_hash_max_size 1024; open_file_cache max=300; open_file_cache_errors on; keepalive_timeout 5; client_header_timeout 5; client_body_timeout 5; send_timeout 5; fastcgi_connect_timeout 5; fastcgi_send_timeout 5; include proxy.conf;
include zone.conf; include upstreams/*.conf; include sites-enabled/*; }生成证书的脚本:
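#!/bin/sh
# create self-signed server certificate:
#
# Prompts for a domain name and writes <domain>.key, <domain>.csr,
# <domain>.origin.key (the passphrase-protected key) and <domain>.crt into
# the current directory, then prints the nginx directives that use them.
#
# Environment overrides:
#   KEY_BITS  RSA modulus size, default 2048 (1024 is below current minimums)
#   DAYS      certificate validity in days, default 3650
set -e

# openssl creates the key files subject to the umask; keep the private key
# readable by its owner only.
umask 077

KEY_BITS=${KEY_BITS:-2048}
DAYS=${DAYS:-3650}

# "read -p" is a bashism; printf + read -r also works under /bin/sh.
printf 'Enter your domain [www.example.com]: '
read -r DOMAIN
# the prompt advertises a default, so honour it
DOMAIN=${DOMAIN:-www.example.com}
# the value becomes both a file name and part of -subj; reject path
# separators and spaces, which would change either
case "$DOMAIN" in
    */*|*' '*)
        echo "Invalid domain name: $DOMAIN" >&2
        exit 1
        ;;
esac

echo "Create server key..."
openssl genrsa -des3 -out "$DOMAIN.key" "$KEY_BITS"
echo "Create server certificate signing request..."
SUBJECT="/C=CN/ST=China/L=Shanghai/O=example.com/OU=example.com/CN=$DOMAIN"
openssl req -new -sha256 -subj "$SUBJECT" -key "$DOMAIN.key" -out "$DOMAIN.csr"
echo "Remove password..."
# nginx would otherwise prompt for the passphrase on every (re)start
mv "$DOMAIN.key" "$DOMAIN.origin.key"
openssl rsa -in "$DOMAIN.origin.key" -out "$DOMAIN.key"
echo "Sign SSL certificate..."
# -sha256: older openssl releases default to SHA-1 signatures
openssl x509 -req -sha256 -days "$DAYS" -in "$DOMAIN.csr" -signkey "$DOMAIN.key" -out "$DOMAIN.crt"
echo "TODO:"
echo "Copy $DOMAIN.crt to /usr/local/nginx/conf/ssl/$DOMAIN.crt"
echo "Copy $DOMAIN.key to /usr/local/nginx/conf/ssl/$DOMAIN.key"
echo "Add configuration in nginx:"
echo "server {"
echo " ..."
echo " listen 443 ssl;"
echo " ssl_certificate /usr/local/nginx/conf/ssl/$DOMAIN.crt;"
echo " ssl_certificate_key /usr/local/nginx/conf/ssl/$DOMAIN.key;"
echo "}"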