Nginx配置4-Https网站设置

Nginx配置4 Https网站设置

1 检查是否支持ssl模块

[root@nginx-node01 1.16.0]# ./nginx -V 2>&1 | sed 's/ /\n/g' |grep ssl
--with-http_ssl_module

如果nginx没有http_ssl_module支持,则需要在编译时加入ssl支持,具体参考:Shell编译安装nginx

2 配置Server

公私钥、CA证书生成中制作好的nginx-node01.crt证书文件和nginx私钥文件放入ssl目录

# HTTPS server

 #增加HTTP强制跳转功能
 server{    
 	listen 80;    
 	server_name www.kov.com;   
    return  301 https://$server_name$request_uri;
}

server {
    listen       443 ssl;
    server_name  www.kov.com;

    ssl_certificate      ssl/nginx-node01.crt;
    ssl_certificate_key  ssl/nginx-node01.key;

    ssl_session_cache    shared:SSL:1m;
    ssl_session_timeout  5m;

    ssl_ciphers  HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers  on;

    location / {
        root   html;
        index  index.html index.htm;
    }
}

3 客户端设置域名

[root@ca CA]# echo 192.168.56.104 www.kov.com >> /etc/hosts

[root@ca CA]# cat /etc/hosts
##
# Host Database
#
# localhost is used to configure the loopback interface
# when the system is booting.  Do not change this entry.
##
127.0.0.1	localhost
255.255.255.255	broadcasthost
::1             localhost 
fe80::1%lo0	localhost
......
192.168.56.104 www.kov.com

4 客户端curl测试

客户端添加证书前

[root@ca CA]# curl https://www.kov.com           
curl: (60) Peer's Certificate issuer is not recognized.
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.

客户端添加证书后

[root@ca CA]# curl --cacert cacert.pem https://www.kov.com
<!DOCTYPE html>
<html>
<head>
<title>Welcome to www.kov.com!</title>
</head>
<body>
<h1>Welcome to nginx ssl!</h1>
<p><em>Thank you for using nginx.</em></p>
</body>
</html>

5 客户端浏览器验证

1. NET::ERR_CERT_AUTHORITY_INVALID错误

解决方法:在keychain中将证书改为信任(下图)

2. NET::ERR_CERT_COMMON_NAME_INVALID错误

解决方法:参考《公私钥、证书生成》CA签署证书中补充,重新CA签署多域名证书后,重新在keychain中将证书改为信任。

posted @ 2020-07-17 10:13  ElfCafe  阅读(1047)  评论(0编辑  收藏  举报