Deploying SSL (HTTPS) on Nginx
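I. Create a CA and self-sign its certificate
1. Install openssl and openssl-devel
yum -y install openssl openssl-devel
2. Review the openssl.cnf file
cat /etc/pki/tls/openssl.cnf
3. Generate the CA private key (the key must be named cakey.pem and stored at this path, which is where the default openssl.cnf looks for it)
(umask 077;openssl genrsa -out /etc/pki/CA/private/cakey.pem 2048)
4. Generate the self-signed CA certificate (the certificate must be named cacert.pem and stored at this path)
openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/cacert.pem -days 365
5. Create two files in this directory
cd /etc/pki/CA
touch index.txt
echo 01 > serial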
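II. Generate the key and certificate signing request (CSR) on the nginx server
1. Install openssl and openssl-devel
yum -y install openssl openssl-devel
2. Generate the private key on the server
cd /application/nginx/key && (umask 077;openssl genrsa -out nginx.key 2048)
3. Generate the certificate signing request
openssl req -new -key /application/nginx/key/nginx.key -out nginx.csr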
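III. Have the CA sign nginx.csr to produce the certificate
openssl ca -in nginx.csr -out /etc/pki/CA/certs/nginx.crt -days 365
The nginx configuration below reads the certificate from /application/nginx/key/nginx.crt, so the signed certificate has to be placed at that path.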
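The steps in sections I to III, run end to end against a throwaway CA in a temporary directory, followed by a check that the signed certificate chains to the CA and belongs to the server key. This is an added example, not part of the original page; the temp-dir layout, ca.cnf, the subject names and the functions demo_pki and check_cert are assumptions made for the demonstration.

```sh
#!/bin/sh
# Added example: constructed throwaway CA under a temp dir, not /etc/pki/CA.
demo_pki() {   # hypothetical helper: prints the temp dir it created
    d=$(mktemp -d) || return 1
    mkdir -p "$d/CA/private" "$d/CA/newcerts" "$d/srv"
    touch "$d/CA/index.txt"; echo 01 > "$d/CA/serial"   # bookkeeping files from step I.5
    cat > "$d/ca.cnf" <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
database = $d/CA/index.txt
new_certs_dir = $d/CA/newcerts
serial = $d/CA/serial
certificate = $d/CA/cacert.pem
private_key = $d/CA/private/cakey.pem
default_md = sha256
policy = policy_any
[ policy_any ]
commonName = supplied
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints = critical,CA:TRUE
EOF
    # I.3 and I.4: CA key (owner-only permissions) and self-signed CA certificate
    (umask 077; openssl genrsa -out "$d/CA/private/cakey.pem" 2048) 2>/dev/null
    openssl req -new -x509 -config "$d/ca.cnf" -key "$d/CA/private/cakey.pem" \
        -subj "/CN=Demo CA" -days 365 -out "$d/CA/cacert.pem" || return 1
    # II.2 and II.3: server key and CSR
    (umask 077; openssl genrsa -out "$d/srv/nginx.key" 2048) 2>/dev/null
    openssl req -new -config "$d/ca.cnf" -key "$d/srv/nginx.key" \
        -subj "/CN=localhost" -out "$d/srv/nginx.csr" || return 1
    # III: the CA signs the CSR
    openssl ca -batch -notext -config "$d/ca.cnf" -in "$d/srv/nginx.csr" \
        -out "$d/srv/nginx.crt" -days 365 2>/dev/null || return 1
    echo "$d"
}

# Succeeds only if the certificate chains to the CA and belongs to the key.
check_cert() {   # usage: check_cert CA_CERT SERVER_CERT SERVER_KEY
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey | openssl sha256)
    k=$(openssl pkey -in "$3" -pubout | openssl sha256)
    [ "$c" = "$k" ]
}
```

Running check_cert against the real cacert.pem, nginx.crt and nginx.key before reloading nginx catches a certificate that was copied next to the wrong key.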
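IV. Install nginx (if nginx was compiled from source and loading the configuration fails with the error nginx:[emerg]unknown directive ssl, go into the unpacked source directory and run ./configure --with-http_ssl_module to add the SSL module, run make, then copy the nginx binary from objs into the corresponding startup directory and start it)
yum install nginx
V. Configure nginx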
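server {
    # "ssl on;" is obsolete since nginx 1.15.0 and removed in 1.25.1;
    # TLS is enabled with the ssl parameter of listen instead.
    listen 443 ssl;
    server_name localhost;
    access_log /var/log/nginx/access.log;
    charset utf-8;

    # Compressing HTTPS responses that reflect secrets exposes them to BREACH;
    # keep gzip off for such responses.
    gzip on;
    gzip_buffers 32 4K;
    gzip_comp_level 6;
    gzip_min_length 4000;

    # Certificate signed by the CA and the matching server private key
    ssl_certificate /application/nginx/key/nginx.crt;
    ssl_certificate_key /application/nginx/key/nginx.key;
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 5m;

    # Pass application requests to the uWSGI backend
    location / {
        include uwsgi_params;
        uwsgi_connect_timeout 30;
        uwsgi_pass 127.0.0.1:8888;
        uwsgi_ignore_client_abort on;
    }

    # Serve static files directly
    location /static {
        alias /data/wwwroot/PD/static/;
    }
}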