编译Nginx, 并使用自签证书实现https访问

1. 编译安装nginx1.8.1

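# Build nginx 1.8.1 from source into its own prefix, with the stub_status and TLS modules.
# NOTE(review): 1.8.x is a long-retired stable branch that no longer receives fixes; for
# anything reachable from an untrusted network build a currently supported release
# instead - the steps are the same.
[root@centos7 nginx-1.8.1]# ./configure --prefix=/usr/local/nginx.1.8.1 --with-http_stub_status_module --with-http_ssl_module
[root@centos7 nginx-1.8.1]# make && make install
# Make the nginx binary reachable from the current shell.
[root@centos7 nginx-1.8.1]# export PATH=$PATH:/usr/local/nginx.1.8.1/sbin
# Persist that for login shells. The single quotes keep $PATH literal in the file so it
# is expanded at login time; with double quotes root's current PATH (already
# carrying the nginx entry from the line above) is frozen into a script every user sources.
[root@centos7 ~]# echo 'export PATH=$PATH:/usr/local/nginx.1.8.1/sbin' > /etc/profile.d/nginx.sh
# The MANPATH_MAP line below is grep's output: the entry has to exist in
# /etc/man_db.conf (presumably added by hand - the page does not show that step).
[root@centos7 ~]# grep nginx /etc/man_db.conf
MANPATH_MAP /usr/local/nginx.1.8.1/sbin	/usr/local/nginx.1.8.1/man
# Install the man page where that mapping points.
[root@centos7 ~]# mkdir -p /usr/local/nginx.1.8.1/man/man8/
[root@centos7 ~]# cp /home/Allen/nginx-1.8.1/man/nginx.8 /usr/local/nginx.1.8.1/man/man8/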

2. nginx加入systemd管理

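[root@centos7 nginx-1.8.1]# vim /etc/systemd/system/nginx.service
# systemd unit for the nginx built under /usr/local/nginx.1.8.1.
[Unit]
Description=nginx server daemon
Documentation=man:nginx(8)
After=network.target

[Service]
# nginx daemonizes itself, so systemd should follow the master process through its PID file.
Type=forking
# Default pid location for this --prefix; change it if nginx.conf sets its own "pid" path.
PIDFile=/usr/local/nginx.1.8.1/logs/nginx.pid
# Refuse to start on a configuration that does not parse or references missing files.
ExecStartPre=/usr/local/nginx.1.8.1/sbin/nginx -t
ExecStart=/usr/local/nginx.1.8.1/sbin/nginx
ExecReload=/usr/local/nginx.1.8.1/sbin/nginx -s reload
ExecStop=/usr/local/nginx.1.8.1/sbin/nginx -s quit
# Give the service its own /tmp and /var/tmp so it shares no temp files with other processes.
PrivateTmp=true

[Install]
WantedBy=multi-user.target

# Make systemd read the new unit file.
[root@centos7 nginx-1.8.1]# systemctl daemon-reload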

3. 证书自签名

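[root@centos7 ~]# vim req.cnf
# Template for "openssl req -x509": one self-signed server certificate for www.jzbg.com.
[req]
distinguished_name = req_distinguished_name
x509_extensions = v3_req
# Take the subject from this file instead of prompting for it.
prompt = no
[req_distinguished_name]
# C takes an ISO 3166-1 two-letter country code; "EN" is not one, CN is the code that matches Beijing.
C = CN
ST = Beijing
L = Beijing
O = jzbg
OU = Ops
CN = www.jzbg.com
[v3_req]
# For an RSA key: digitalSignature covers ECDHE-RSA handshakes, keyEncipherment covers
# static-RSA key exchange. keyAgreement is meant for (EC)DH keys and does not apply here.
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
# Current clients match the host name against subjectAltName, so it must repeat the CN.
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = www.jzbg.com

# The page never creates the ssl/ directory; create it readable by root only before
# the key is written into it.
[root@centos7 ~]# install -d -m 700 /usr/local/nginx.1.8.1/ssl
# -nodes stores the private key unencrypted (nginx can then start unattended), so file
# permissions are the only protection for it. The certificate is valid for 365 days.
[root@centos7 ~]# openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /usr/local/nginx.1.8.1/ssl/private.key -out /usr/local/nginx.1.8.1/ssl/nginx.crt -config req.cnf -sha256
# Older openssl builds create the key file with the umask's default mode; pin it to root-only.
[root@centos7 ~]# chmod 600 /usr/local/nginx.1.8.1/ssl/private.key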

4. 配置nginx

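[root@centos7 ~]# vim /usr/local/nginx.1.8.1/conf/nginx.conf
# HTTPS virtual host for www.jzbg.com; this server block goes inside the http { } block.
server {
    # The "ssl" flag on the listen socket is what enables TLS here; the separate
    # "ssl on;" directive was redundant next to it and has been dropped.
    listen       19972 ssl;
    server_name  www.jzbg.com;

    ssl_certificate      /usr/local/nginx.1.8.1/ssl/nginx.crt;
    ssl_certificate_key  /usr/local/nginx.1.8.1/ssl/private.key;
    ssl_session_timeout 5m;
    # TLS 1.0 and 1.1 are deprecated (RFC 8996); offer TLS 1.2 only.
    ssl_protocols TLSv1.2;
    # NOTE(review): after the first entry, HIGH still admits CBC-mode and static-RSA
    # (non-forward-secret) suites; what it expands to depends on the OpenSSL build nginx
    # was linked against - list it with: openssl ciphers -v '<this string>'.
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;
    # Let the server's order decide, so the AEAD suite listed first wins when the client supports it.
    ssl_prefer_server_ciphers on;
    location / {
        root   html;
        error_page   500 502 503 504  /50x.html;
        index  index.html index.htm;
    }
}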

5. 启动nginx

# Start nginx through the nginx.service unit.
[root@centos7 nginx-1.8.1]# systemctl start nginx
# Confirm the TLS listener from nginx.conf is up. A local address of *:19972 in the
# output means the port is bound on every address of the host, so limit access with a
# firewall rule if that is wider than intended.
[root@centos7 nginx-1.8.1]# ss -ant | grep 19972
LISTEN     0      128          *:19972                    *:*                  

此时用浏览器访问,会提示证书不受信任(自签名证书不在客户端的受信任根证书列表中),如下所示

6. 在Windows中导入证书(只需导入证书文件 nginx.crt,放入"受信任的根证书颁发机构"存储区;私钥 private.key 留在服务器上,不要拷贝到客户端)

7. 测试效果

正常访问,不报证书错误
