Install the OpenSSL library # yum install -y openssl openssl-devel
Install gcc # yum install -y gcc-c++
Install PCRE # yum install -y pcre pcre-devel
Install the zlib library # yum install -y zlib zlib-devel
Install Perl # yum install -y perl-Digest-SHA1.x86_64
Change to the working directory # cd /home
Find the latest version in a browser (https://baijiahao.baidu.com/s?id=1661650900351466294&wfr=spider&for=pc), then download it
Download the source package # wget http://nginx.org/download/nginx-1.18.0.tar.gz
Extract it # tar xzf nginx-1.18.0.tar.gz
Set permissions # chmod -R 777 nginx-1.18.0
Enter the extracted directory # cd nginx-1.18.0
Run ./configure to generate the Makefile. --prefix sets the installation path; the options below enable http, https, tcp, udp and mail support. For the parameters see https://www.cnblogs.com/HKUI/p/5225895.html
# ./configure --prefix=/home/nginx --sbin-path=/home/nginx/sbin/nginx --conf-path=/home/nginx/conf/nginx.conf --error-log-path=/home/log/nginx/error.log --http-log-path=/home/log/nginx/access.log --pid-path=/home/nginx/nginx.pid --lock-path=/home/nginx/nginx.lock --http-client-body-temp-path=/home/nginx/cache/client_temp --http-proxy-temp-path=/home/nginx/cache/proxy_temp --http-fastcgi-temp-path=/home/nginx/cache/fastcgi_temp --http-uwsgi-temp-path=/home/nginx/cache/uwsgi_temp --http-scgi-temp-path=/home/nginx/cache/scgi_temp --with-stream --with-stream_ssl_module --with-mail --with-mail_ssl_module --with-http_ssl_module --with-http_realip_module --with-http_addition_module --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_random_index_module --with-http_secure_link_module --with-http_stub_status_module --with-http_auth_request_module --with-threads --with-file-aio --with-ipv6 --with-cc-opt='-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=1024 -m64 -mtune=generic'
Output like the following is normal:
checking for ioctl(FIONREAD) ... found
checking for struct tm.tm_gmtoff ... found
checking for struct dirent.d_namlen ... not found
checking for struct dirent.d_type ... found
checking for sysconf(_SC_NPROCESSORS_ONLN) ... found
checking for sysconf(_SC_LEVEL1_DCACHE_LINESIZE) ... found
checking for openat(), fstatat() ... found
checking for getaddrinfo() ... found
checking for PCRE library ... found
checking for PCRE JIT support ... found
checking for OpenSSL library ... found
checking for zlib library ... found
creating objs/Makefile
Configuration summary
+ using threads
+ using system PCRE library
+ using system OpenSSL library
+ using system zlib library
nginx path prefix: "/home/nginx"
nginx binary file: "/home/nginx/sbin/nginx"
nginx modules path: "/home/nginx/modules"
nginx configuration prefix: "/home/nginx/conf"
nginx configuration file: "/home/nginx/conf/nginx.conf"
nginx pid file: "/home/nginx/nginx.pid"
nginx error log file: "/home/log/nginx/error.log"
nginx http access log file: "/home/log/nginx/access.log"
nginx http client request body temporary files: "/home/nginx/cache/client_temp"
nginx http proxy temporary files: "/home/nginx/cache/proxy_temp"
nginx http fastcgi temporary files: "/home/nginx/cache/fastcgi_temp"
nginx http uwsgi temporary files: "/home/nginx/cache/uwsgi_temp"
nginx http scgi temporary files: "/home/nginx/cache/scgi_temp"
./configure: warning: the "--with-ipv6" option is deprecated
Compile (build the binary) and install # make install
Output like the following is normal:
test -d '/home/nginx/html' \
|| cp -R html '/home/nginx'
test -d '/home/log/nginx' \
|| mkdir -p '/home/log/nginx'
make[1]: 离开目录“/home/nginx-1.19.3”
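Create the cache folder # cd /home/nginx/ # mkdir cache
Set permissions # chmod -R 777 /home/nginx
Delete the installation files # rm -rf /home/nginx-1.18.0
Installation complete
Start # /home/nginx/sbin/nginx
Stop # /home/nginx/sbin/nginx -s stop
Creating an SSL certificate (fine for testing; for production, request one from a CA). Generating the certificate takes four steps.
1) Generate an RSA private key (you will be prompted for a passphrase of at least 4 characters)
# openssl genrsa -des3 -out private.key 2048
2) From the RSA private key just generated, write out an unencrypted private key (enter the passphrase from step 1. This step can be skipped, but the key will be used by nginx, and with an encrypted key you must enter the passphrase every time the nginx configuration is reloaded)
# openssl rsa -in private.key -out private.key
3) Generate a certificate signing request from this key file (for production, take this file to a CA to have it issued; for testing, issue it yourself in step 4)
# openssl req -new -key private.key -out csr.csr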
Country Name (2 letter code) [AU]:cn
State or Province Name (full name) [Some-State]:sichuan
Locality Name (eg, city) []:chengdu
Organization Name (eg, company) [Internet Widgits Pty Ltd]:zgxx
Organizational Unit Name (eg, section) []:zgxx
Common Name (e.g. server FQDN or YOUR name) []:eyunpiao.cn (enter the domain name here, otherwise the certificate will fail in use)
Email Address []:543013306@qq.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456 (this password is used when configuring Tomcat)
An optional company name []:zgxx
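4) Use the certificate signing request and the private key to generate the crt certificate (3650 here is the certificate's validity period in days; set it to suit your own situation)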
# openssl x509 -req -days 3650 -in csr.csr -signkey private.key -out ssl.crt
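Resulting files
private.key - the user's private key; keep it safe. It is normally stored somewhere on the server
csr.csr - the certificate signing request file
ssl.crt - the generated X.509 certificate, for clients to download and use
Copy the three files to nginx's conf directory, then configure nginx.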
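The four steps above can also be run without prompts. The following is an added example, not part of the original notes: it goes slightly beyond them by adding a subjectAltName, which current browsers match instead of the Common Name, and by checking that certificate and key belong together. It assumes the openssl command-line tool with its default openssl.cnf; the domain example.test, the subject values and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original notes. Function names are hypothetical.

# make_test_cert DIR DOMAIN [DAYS]: write private.key, csr.csr, ssl.crt to DIR.
make_test_cert() {
    dir=$1 domain=$2 days=${3:-3650}
    (
        umask 077    # private.key is created readable by its owner only
        cd "$dir" || exit 1
        # Steps 1+2: unencrypted 2048-bit RSA key, so nginx can reload unattended.
        openssl genrsa -out private.key 2048 || exit 1
        # Step 3: CSR with the domain as Common Name (C and O are constructed values).
        openssl req -new -key private.key -out csr.csr \
            -subj "/C=CN/O=Example/CN=$domain" || exit 1
        # Step 4: self-sign. The extension file adds the subjectAltName.
        printf 'subjectAltName=DNS:%s\n' "$domain" > san.ext
        openssl x509 -req -days "$days" -in csr.csr -signkey private.key \
            -out ssl.crt -extfile san.ext || exit 1
        rm -f san.ext
    )
}

# cert_matches_key DIR: succeed only if ssl.crt carries private.key's public key.
cert_matches_key() {
    from_cert=$(openssl x509 -in "$1/ssl.crt" -noout -pubkey) || return 1
    from_key=$(openssl pkey -in "$1/private.key" -pubout) || return 1
    [ -n "$from_cert" ] && [ "$from_cert" = "$from_key" ]
}

# cert_has_name DIR NAME: succeed if NAME is listed as a DNS subjectAltName.
cert_has_name() {
    openssl x509 -in "$1/ssl.crt" -noout -text | grep -qF "DNS:$2"
}

# Demo with a placeholder domain and a 30-day lifetime.
demo_dir=$(mktemp -d)
if make_test_cert "$demo_dir" example.test 30 &&
   cert_matches_key "$demo_dir" && cert_has_name "$demo_dir" example.test; then
    echo "certificate and key match; files are in $demo_dir"
fi
```

Running cert_matches_key on the files in nginx's conf directory before a reload catches a key and certificate that were copied from different runs.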
nginx configuration (nginx.conf)
HTTP and HTTPS configuration
server {
    # Several domain names may be listed, separated by spaces
    server_name eyunpiao.cn www.eyunpiao.cn;
    charset UTF-8;
    access_log logs/server.log sfpt_log_format;
    # Listening port
    # (if port 80 is enabled, the site can be reached over both HTTP and HTTPS)
    # listen 80 default backlog=2048;
    listen 444 ssl;
    ssl_certificate /home/nginx/conf/ssl.crt;
    ssl_certificate_key /home/nginx/conf/private.key;
    # Allowed SSL/TLS protocols
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2 SSLv2;
    ssl_session_cache shared:SSL:10m;
    # Session timeout
    ssl_session_timeout 30m;
    # Cipher suites
    ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
    # Prefer the server's cipher order over the client's
    ssl_prefer_server_ciphers on;
}
You can also add the following block to redirect port 80 to 443
server {
    listen 80;
    server_name ww.centos.bz;
    rewrite ^(.*) https://$server_name$1 permanent;
}
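The ssl_protocols and ssl_ciphers values in the HTTPS server block above enable protocol versions and cipher classes that are no longer considered safe (SSLv2, TLS 1.0 and 1.1, RC4, LOW and export suites). The following added example, not part of the original notes, is a small audit that flags such values in a configuration file. The function names are hypothetical, the weak sample repeats the two directives from the page, and the stricter sample pairs nginx's default cipher string with TLS 1.2/1.3 as an assumed target.

```shell
#!/bin/sh
# Added example, not from the original notes. Function names are hypothetical.

# directive_args FILE NAME: print the arguments of directive NAME, comments removed.
directive_args() {
    sed 's/#.*//' "$1" | awk -v d="$2" '$1 == d { sub(/;.*$/, ""); $1 = ""; print }'
}

# audit_tls FILE: print one finding per line; return 1 if anything was flagged.
audit_tls() {
    found=0
    for p in $(directive_args "$1" ssl_protocols); do
        case $p in
            SSLv2|SSLv3|TLSv1|TLSv1.1) echo "weak protocol: $p"; found=1 ;;
        esac
    done
    # Cipher tokens are ':'-separated. '!' and '-' remove a class, so skip them.
    # A leading '+' only reorders ciphers already in the list; the token is
    # still reported so that the class gets reviewed.
    for t in $(directive_args "$1" ssl_ciphers | tr ':' ' '); do
        case $t in
            '!'*|-*) continue ;;
        esac
        t=${t#+}
        case $t in
            ALL|LOW|EXP*|RC4*|SSLv2|DES*|MD5|*NULL*)
                echo "weak cipher token: $t"; found=1 ;;
        esac
    done
    return $found
}

# Constructed sample input: the page's two directives, and a stricter pair.
tmp=$(mktemp -d)
cat > "$tmp/weak.conf" <<'EOF'
server {
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2 SSLv2;
    ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
}
EOF
cat > "$tmp/strict.conf" <<'EOF'
server {
    ssl_protocols TLSv1.2 TLSv1.3;   # assumed target, not from the page
    ssl_ciphers HIGH:!aNULL:!MD5;    # nginx's default cipher string
}
EOF
for f in weak strict; do
    echo "== $f.conf"; audit_tls "$tmp/$f.conf" || true
done
```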