20 - Configuring an SSL Certificate in Nginx to Serve HTTPS

Install the SSL module

Change into the Nginx source directory inside the software folder

cd /home/software/nginx-1.16.1/

Configure the build with the SSL module

./configure \
--prefix=/usr/local/nginx \
--pid-path=/var/run/nginx/nginx.pid \
--lock-path=/var/lock/nginx.lock \
--error-log-path=/var/log/nginx/error.log \
--http-log-path=/var/log/nginx/access.log \
--with-http_gzip_static_module \
--http-client-body-temp-path=/var/temp/nginx/client \
--http-proxy-temp-path=/var/temp/nginx/proxy \
--http-fastcgi-temp-path=/var/temp/nginx/fastcgi \
--http-uwsgi-temp-path=/var/temp/nginx/uwsgi \
--http-scgi-temp-path=/var/temp/nginx/scgi \
--with-http_ssl_module

Compile and install

make
make install

Check the Nginx build details

[root@localhost nginx-1.16.1]# cd /usr/local/nginx/
[root@localhost nginx]# ./sbin/nginx -V
nginx version: nginx/1.16.1
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-44) (GCC)
built with OpenSSL 1.0.2k-fips  26 Jan 2017
TLS SNI support enabled
configure arguments: --prefix=/usr/local/nginx --pid-path=/var/run/nginx/nginx.pid --lock-path=/var/lock/nginx.lock --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --with-http_gzip_static_module --http-client-body-temp-path=/var/temp/nginx/client --http-proxy-temp-path=/var/temp/nginx/proxy --http-fastcgi-temp-path=/var/temp/nginx/fastcgi --http-uwsgi-temp-path=/var/temp/nginx/uwsgi --http-scgi-temp-path=/var/temp/nginx/scgi --with-http_ssl_module
[root@localhost nginx]#

The configure arguments now include --with-http_ssl_module, so the SSL module is installed.

Configure the certificate

upstream tomcats {
  server 192.168.247.136:8001;
  server 192.168.247.136:8002;
  server 192.168.247.136:8003;
}

server{
  listen        80;
  server_name   www.tomcat.com;
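  # Enable caching with the mycache zone (the zone must be defined with proxy_cache_path in the http block)
  proxy_cache mycache;
  # Cache responses with status codes 200 and 304 for 8 hours
  proxy_cache_valid        200 304 8h;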
  location / {
    proxy_pass  http://tomcats;
    proxy_http_version 1.1;
    proxy_set_header Connection "";
  }
}
# HTTPS
server{
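  listen        443 ssl;
  server_name   www.tomcat.com;
  # SSL is enabled by the ssl parameter on listen; the separate "ssl on;" directive is deprecated since nginx 1.15.0
  # SSL certificate
  ssl_certificate    xxx.crt;
  # Certificate private key
  ssl_certificate_key    xxx.key;
  # SSL session cache
  ssl_session_cache        shared:SSL:1m;
  # SSL session timeout
  ssl_session_timeout   5m;
  # Protocols and cipher suites; the cipher list follows OpenSSL syntax
  # TLSv1 and TLSv1.1 are deprecated (RFC 8996); list them only if legacy clients need them
  ssl_protocols        TLSv1 TLSv1.1 TLSv1.2;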
  ssl_ciphers        ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;
  ssl_prefer_server_ciphers        on;
  location / {
    proxy_pass  http://tomcats;
    proxy_http_version 1.1;
    proxy_set_header Connection "";
  }
}

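Before applying this configuration, upload the certificate to the conf folder, then change the file names above to match. My previous certificate has expired, and I'm not going to buy a new one~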
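A hardened variant of the two server blocks above, as an added example that is not the original post's configuration: port 80 only redirects to HTTPS, and the HTTPS block is limited to TLS 1.2 with forward-secret AEAD suites. It assumes an RSA certificate, keeps the post's placeholder file names xxx.crt and xxx.key, and is a fragment for the http block; the HSTS lifetime and the forwarded headers are illustrative choices.

```nginx
# Added example (not from the original post); place inside the http { } block.
upstream tomcats {
  server 192.168.247.136:8001;
  server 192.168.247.136:8002;
  server 192.168.247.136:8003;
}

# Plain HTTP serves no content: every request is redirected to HTTPS
server {
  listen        80;
  server_name   www.tomcat.com;
  return 301 https://$host$request_uri;
}

server {
  listen        443 ssl;
  server_name   www.tomcat.com;

  # Relative paths resolve against the conf directory (/usr/local/nginx/conf for this build)
  ssl_certificate      xxx.crt;   # placeholder name from the post
  ssl_certificate_key  xxx.key;   # placeholder name from the post; keep readable by root only

  # TLS 1.2 only: the build shown by nginx -V links OpenSSL 1.0.2k, which has no TLS 1.3
  ssl_protocols        TLSv1.2;
  # ECDHE key exchange with AES-GCM (assumption: the certificate key is RSA)
  ssl_ciphers          ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384;
  ssl_prefer_server_ciphers  on;

  ssl_session_cache    shared:SSL:1m;
  ssl_session_timeout  5m;
  # Disable session tickets so a long-lived ticket key cannot weaken forward secrecy
  ssl_session_tickets  off;

  # HSTS with a short lifetime (illustrative value); raise it once certificate renewal is reliable
  add_header Strict-Transport-Security "max-age=86400" always;

  location / {
    proxy_pass  http://tomcats;
    proxy_http_version 1.1;
    proxy_set_header Connection "";
    # Tell the Tomcat backends the original host and that the client used HTTPS
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-Proto $scheme;
  }
}
```

Run ./sbin/nginx -t to validate the configuration before reloading with ./sbin/nginx -s reload.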

posted @ 2022-09-06 18:38  彼岸舞