faith丶

导航

配置nginx https访问(使用openssl生成https证书)

###

1、创建https的ssl证书

1.1、创建秘钥

mkdir test && cd test
openssl genrsa -des3 -out server.key
2048

注意:生成私钥,需要提供一个至少4位,最多1023位的密码。

 1.2、生成CSR(证书签名请求)

openssl req -new -key server.key -out server.csr

说明:需要依次输入国家,地区,城市,组织,组织单位,Common Name和Email。其中Common Name,可以写自己的名字或者域名,如果要支持https,Common Name应该与域名保持一致,否则会引起浏览器警告。

可以将证书发送给证书颁发机构(CA),CA验证过请求者的身份之后,会出具签名证书,需要花钱。另外,如果只是内部或者测试需求,也可以使用OpenSSL实现自签名。

1.3、删除秘钥中的密码

openssl rsa -in server.key -out server.key

说明:如果不删除密码,在应用加载的时候会出现输入密码进行验证的情况,不方便自动化部署。

1.4、生成自签名证书

内部或者测试使用,只要忽略证书提醒就可以了。

openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

1.5、生成pem格式的公钥

有些服务,需要有pem格式的证书才能正常加载,可以用下面的命令:

openssl x509 -in server.crt -out server.pem -outform PEM

# 最终生成证书的文件

1.6、总结

自签名的证书,不被浏览器信任,适合内部或者测试使用。生产环境老老实实去买证书吧。当然了,不限成本的请随意。

2、nginx配置ssl证书

2.1、将证书文件放到指定目录中

mkdir /etc/nginx/nginx_ssl/
cp /test/server.key /etc/nginx/nginx_ssl/
cp /test/server.pem /etc/nginx/nginx_ssl/

2.2、配置nginx

cat /etc/nginx/nginx.conf
# For more information on configuration, see:
#   * Official English Documentation: http://nginx.org/en/docs/
#   * Official Russian Documentation: http://nginx.org/ru/docs/

user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;

# Load dynamic modules. See /usr/share/doc/nginx/README.dynamic.

events {
    worker_connections 1024;
}

http {
    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;

    sendfile            on;
    tcp_nopush          on;
    tcp_nodelay         on;
    keepalive_timeout   65;
    types_hash_max_size 4096;

    include             /etc/nginx/mime.types;
    default_type        application/octet-stream;

    # Load modular configuration files from the /etc/nginx/conf.d directory.
    # See http://nginx.org/en/docs/ngx_core_module.html#include
    # for more information.
    include /etc/nginx/conf.d/*.conf;

    server {
        listen       80;
        location / {
            root   /usr/share/nginx/html;
            try_files $uri $uri/  /index.html;
            index  index.html index.htm;
        }
        error_page   500 502 503 504  /50x.html;
        location = /50x.html {
            root   /usr/share/nginx/html;
        }
#       listen       [::]:80;
#        server_name  _;
#        root         /usr/share/nginx/html;
#        # Load configuration files for the default server block.
#        include /etc/nginx/default.d/*.conf;
#        error_page 404 /404.html;
#        location = /404.html {
#        }
#        error_page 500 502 503 504 /50x.html;
#        location = /50x.html {
#        }
    }
# Settings for a TLS enabled server.
    server {
        listen       443 ssl ;
        root         /usr/share/nginx/html;
# listen 443 ;
# ssl on; (此种写法会有警告提示,详情见下文第3、步) ssl_certificate /etc/nginx/nginx_ssl/server.pem; ssl_certificate_key /etc/nginx/nginx_ssl/server.key; location / { root /usr/share/nginx/html; try_files $uri $uri/ /index.html; index index.html index.htm; } error_page 500 502 503 504 /50x.html; location = /50x.html { root /usr/share/nginx/html; } # listen 443 ssl http2; # listen [::]:443 ssl http2; # server_name _; # ssl_certificate "/etc/pki/nginx/server.crt"; # ssl_certificate_key "/etc/pki/nginx/private/server.key"; # ssl_session_cache shared:SSL:1m; # ssl_session_timeout 10m; # ssl_ciphers HIGH:!aNULL:!MD5; # ssl_prefer_server_ciphers on; # # # Load configuration files for the default server block. # include /etc/nginx/default.d/*.conf; # # error_page 404 /404.html; # location = /40x.html { # } # # error_page 500 502 503 504 /50x.html; # location = /50x.html { # } # } }

2.3、重启nginx

nginx -s reload

2.4、访问效果

 

 3、nginx 提示the "ssl" directive is deprecated, use the "listen ... ssl" directive instead

该问题是由于新版nginx采用新的方式进行监听https请求了解决方式如下:

在listen中改为
          listen 443 ssl;
删除ssl配置
           # ssl on;

解决完成前后的配置如下
解决前:

server { 
...
listen
443 ;
ssl on;
...
}
解决后 server {
...
listen
443 ssl ;
...
}

 

###

 

posted on 2021-11-03 18:32  faith丶  阅读(1178)  评论(0编辑  收藏  举报