Configuring nginx for HTTPS access (generating the HTTPS certificate with OpenSSL)
1. Create the SSL certificate for HTTPS
1.1 Create the private key
mkdir test && cd test
openssl genrsa -des3 -out server.key 2048
Note: generating the private key prompts for a passphrase of at least 4 and at most 1023 characters.
1.2 Generate a CSR (certificate signing request)
openssl req -new -key server.key -out server.csr
Note: you will be prompted in turn for the country, state/province, city, organization, organizational unit, Common Name and email address. The Common Name can be your own name or a domain name; for HTTPS the Common Name should match the domain name, otherwise the browser will show a warning. The CSR can be sent to a certificate authority (CA); after verifying the requester's identity the CA issues a signed certificate, which costs money. If the certificate is only for internal or test use, you can instead self-sign it with OpenSSL.
1.3 Remove the passphrase from the private key
openssl rsa -in server.key -out server.key
Note: if the passphrase is not removed, the application prompts for it every time it loads the key, which gets in the way of automated deployment.
1.4 Generate the self-signed certificate
For internal or test use, you only need to click through the browser's certificate warning.
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
1.5 Produce the certificate (public part) in PEM format
Some services can only load a PEM-format certificate; use the following command:
openssl x509 -in server.crt -out server.pem -outform PEM
# The certificate files produced at the end
1.6 Summary
A self-signed certificate is not trusted by browsers and is suited to internal or test use. For production, just go and buy a certificate. Of course, if cost is no object, do as you please.
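The key and certificate generation from steps 1.1 to 1.5, as an added non-interactive shell example that is not part of the original post. It assumes OpenSSL 1.1.1 or newer is installed; the directory ./test-ssl and the hostname internal.example.test are made-up values. It goes slightly beyond the post's steps by adding a Subject Alternative Name and by checking that the key and certificate actually belong together before they are copied to nginx.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes openssl >= 1.1.1 for -addext;
# directory and hostname used below are made up.
set -e
# Generate an unencrypted 2048-bit RSA key and a self-signed certificate in one step.
# -nodes leaves the key unencrypted, so the passphrase-removal step (1.3) is not needed;
# -subj and -addext supply the subject and a Subject Alternative Name without prompts.
# Modern browsers match the hostname against the SAN, not the CN, so a CN-only
# certificate still produces a name-mismatch warning even when the CN is right.
make_selfsigned_cert() {
    dir="$1"; host="$2"; days="${3:-365}"
    mkdir -p "$dir"
    openssl req -x509 -newkey rsa:2048 -nodes -days "$days" \
        -keyout "$dir/server.key" -out "$dir/server.pem" \
        -subj "/C=CN/ST=Test/L=Test/O=Example/OU=IT/CN=$host" \
        -addext "subjectAltName=DNS:$host" 2>/dev/null
    chmod 600 "$dir/server.key"   # the private key must not be world-readable
}
# The mismatch nginx would reject at startup: key and certificate must be a pair.
# Both commands emit the same PEM public key when they belong together.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null)
    c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ]
}
# Print the DNS names in the SAN, one per line, to compare against server_name.
cert_san_dns() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | grep -A1 'Subject Alternative Name' | tr ',' '\n' \
        | sed -n 's/.*DNS:\(.*\)/\1/p'
}
# Succeeds only if the certificate stays valid for at least $2 more days
# (self-signed certificates expire silently; nginx keeps serving the stale one).
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( ${2:-0} * 86400 )) >/dev/null
}
# Usage: produces the server.pem / server.key pair that section 2 copies to
# /etc/nginx/nginx_ssl/ and runs the checks.
if [ "${1:-}" = "run" ]; then
    make_selfsigned_cert ./test-ssl internal.example.test 365
    key_matches_cert ./test-ssl/server.key ./test-ssl/server.pem && echo "key/cert match"
    cert_san_dns ./test-ssl/server.pem
    cert_valid_for_days ./test-ssl/server.pem 30 && echo "valid for 30+ days"
fi
```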
2. Configure the SSL certificate in nginx
2.1 Copy the certificate files into the target directory
mkdir /etc/nginx/nginx_ssl/
cp /test/server.key /etc/nginx/nginx_ssl/
cp /test/server.pem /etc/nginx/nginx_ssl/
2.2 Configure nginx
cat /etc/nginx/nginx.conf
# For more information on configuration, see:
#   * Official English Documentation: http://nginx.org/en/docs/
#   * Official Russian Documentation: http://nginx.org/ru/docs/

user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;

# Load dynamic modules. See /usr/share/doc/nginx/README.dynamic.

events {
    worker_connections 1024;
}

http {
    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;

    sendfile            on;
    tcp_nopush          on;
    tcp_nodelay         on;
    keepalive_timeout   65;
    types_hash_max_size 4096;

    include             /etc/nginx/mime.types;
    default_type        application/octet-stream;

    # Load modular configuration files from the /etc/nginx/conf.d directory.
    # See http://nginx.org/en/docs/ngx_core_module.html#include
    # for more information.
    include /etc/nginx/conf.d/*.conf;

    server {
        listen 80;

        location / {
            root /usr/share/nginx/html;
            try_files $uri $uri/ /index.html;
            index index.html index.htm;
        }

        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
            root /usr/share/nginx/html;
        }

        # listen       [::]:80;
        # server_name  _;
        # root         /usr/share/nginx/html;
        # # Load configuration files for the default server block.
        # include /etc/nginx/default.d/*.conf;
        # error_page 404 /404.html;
        # location = /404.html {
        # }
        # error_page 500 502 503 504 /50x.html;
        # location = /50x.html {
        # }
    }

    # Settings for a TLS enabled server.
    server {
        listen 443 ssl;
        root /usr/share/nginx/html;
        # listen 443;
        # ssl on;   (this form triggers a warning; see step 3 below)
        ssl_certificate     /etc/nginx/nginx_ssl/server.pem;
        ssl_certificate_key /etc/nginx/nginx_ssl/server.key;

        location / {
            root /usr/share/nginx/html;
            try_files $uri $uri/ /index.html;
            index index.html index.htm;
        }

        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
            root /usr/share/nginx/html;
        }

        # listen 443 ssl http2;
        # listen [::]:443 ssl http2;
        # server_name _;
        # ssl_certificate "/etc/pki/nginx/server.crt";
        # ssl_certificate_key "/etc/pki/nginx/private/server.key";
        # ssl_session_cache shared:SSL:1m;
        # ssl_session_timeout 10m;
        # ssl_ciphers HIGH:!aNULL:!MD5;
        # ssl_prefer_server_ciphers on;
        #
        # # Load configuration files for the default server block.
        # include /etc/nginx/default.d/*.conf;
        #
        # error_page 404 /404.html;
        # location = /40x.html {
        # }
        #
        # error_page 500 502 503 504 /50x.html;
        # location = /50x.html {
        # }
        # }
    }
}
2.3 Reload nginx
nginx -s reload
2.4 Result in the browser
3. nginx warns: the "ssl" directive is deprecated, use the "listen ... ssl" directive instead
This happens because newer nginx versions use a new way of listening for HTTPS requests. The fix is as follows: change the listen directive to listen 443 ssl; and delete the ssl directive (ssl on;). The configuration before and after the fix:

Before:
server {
    ...
    listen 443;
    ssl on;
    ...
}

After:
server {
    ...
    listen 443 ssl;
    ...
}