环境:

  CentOS-6.9/192.168.59.133

  仅启用iptables,selinux为disabled状态

安装开发环境:

  # yum groupinstall -y "Server Platform Development" "Development Tools"

  # yum install -y pcre-devel

  ```nginx的rewrite模块和HTTP核心模块会用到PCRE正则表达式语法```

添加nginx组合用户

  # groupadd -r nginx

  # useradd -g nginx -r nginx

获取nginx源码,此次测试中没有使用较新的版本,为nginx-1.12.2

  # wget http://nginx.org/download/nginx-1.12.2.tar.gz

  # tar -zxvf nginx-1.12.2.tar.gz 

  # cd nginx-1.12.2.tar.gz

编译安装nginx

  # ./configure --prefix=/usr/local/nginx

    --conf-path=/etc/nginx/nginx.conf

    --user=nginx --group=nginx

    --error-log-path=/var/log/nginx/error.log

    --http-log-path=/var/log/nginx/access.log

    --pid-path=/var/run/nginx/nginx.pid

    --lock-path=/var/lock/nginx.lock

    --with-http_ssl_module   #支持ssl模块

    --with-http_stub_status_module

    --with-http_gzip_static_module

    --http-client-body-temp-path=/var/tmp/nginx/client

    --http-proxy-temp-path=/var/tmp/nginx/proxy

    --http-fastcgi-temp-path=/var/tmp/nginx/fastcgi

    --http-uwsgi-temp-path=/var/tmp/nginx/uwsgi

  # make && make install

创建相应的目录

  # mkdir -pv /var/tmp/nginx/{client,proxy,fastcgi,uwsgi}

支持nginx安装完成,先测试一下nginx服务是否能正常启动,并提供web服务

  # /usr/local/nginx/sbin/nginx 

  # ss -tnlp

  ```此时若是看到80端口已然被监听,则nginx正常运行```

配置使用https:

  大致步骤:生成私钥,生成证书签署请求,并获得证书 

  # cd /etc/pki/CA/

  # (umask 077; openssl genrsa -out private/cakey.pem 2048)

  # openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 3655

  # touch serial index.txt

  # echo 01 > serial

  # mkdir /etc/nginx/ssl

  # cd /etc/nginx/ssl

  # (umask 077; openssl genrsa -out nginx.key 1024)

  # openssl req -new -key nginx.key -out nginx.csr

  # openssl ca -in nginx.csr -out nginx.crt -days 3655

配置:  

  # cd /etc/nginx

  # cp nginx.conf{,.bak}

  ```建议不管出于什么目的修改任何文件之前都先备份,这样的坑不要去踩了```

  # vim nginx.conf
    server {
      listen 443 ssl;
      server_name www.lushenle.com;

      ssl_certificate /etc/nginx/ssl/nginx.crt;
      ssl_certificate_key /etc/nginx/ssl/nginx.key;

      ssl_session_cache shared:SSL:1m;
      ssl_session_timeout 5m;

      ssl_ciphers HIGH:!aNULL:!MD5;
      ssl_prefer_server_ciphers on;

      location / {
        root html;
        index index.html index.htm;
      }
    }

保存退出之后,测试配置文件是否存在错误,如若无误,重载nginx服务

  # /usr/local/nginx/sbin/nginx -t 

  # /usr/local/nginx/sbin -s reload

查看443端口是否被监听:

  # ss -tnlp

  此时可看的443端口正在被监听,且是以nginx用户的身份运行的进程

配置iptables

  # iptables -I INPUT -d 192.168.59.133 -p tcp -m multiport --dports 443,80 -j ACCEPT

  # iptables -I OUTPUT -s 192.168.59.133 -p tcp -m multiport --dports 443,80 -j ACCEPT

测试https服务,浏览器输入https://192.168.59.133,或者其他的工具访问

  # curl -k https://192.168.59.133

posted on 2017-12-18 22:50  卢伸乐  阅读(4689)  评论(0编辑  收藏  举报