Configuring HTTPS in nginx

nginx -s stop -c /etc/nginx/nginx.conf

nginx -c /etc/nginx/nginx.conf

netstat -luntp | grep 443

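Generating the CA certificate

openssl version: check whether openssl is installed

nginx -V: check whether nginx was compiled with --with-http_ssl_module

Step 1: generate the private key

Create a directory under /etc/nginx

mkdir ssl_key && cd ssl_key

openssl genrsa -aes256 -out server.key 2048

Step 2: generate the certificate signing request (CSR file)

openssl req -new -key server.key -out server.csr

Step 3: generate the signed certificate (CA file)

openssl x509 -req -days 3650 -in server.csr -signkey server.key -out server.crt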

Then configure the server block in nginx

server {
	# TLS is enabled on the listen socket; the old "ssl on;" directive is deprecated
	listen 443 ssl;
	server_name 192.168.10.4;
	ssl_certificate /etc/nginx/ssl_key/server.crt;
	ssl_certificate_key /etc/nginx/ssl_key/server.key;

	location / {
		root	/home/mantishell/html;
		index index.html index.htm;
	}

}

View the certificate's encryption details

openssl x509 -noout -text -in /etc/nginx/ssl_key/server.crt
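
The fields worth confirming in that output can be checked automatically before nginx loads the files. The script below is an added example, not part of the original post; the function name check_pair and the script name are hypothetical, and the size check applies to RSA certificates like the one generated on this page.

```shell
#!/bin/sh
# Added example (not from the original post): verify a certificate/key pair
# before pointing ssl_certificate / ssl_certificate_key at it.
# check_pair CERT KEY prints findings and returns 0 only if every check passes.
check_pair() {
    cert=$1; key=$2; rc=0; bits=; sig=

    # Both commands emit the SubjectPublicKeyInfo as PEM; identical text
    # means the certificate was issued for this private key.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) ||
        { echo "FAIL: cannot read certificate $cert"; return 1; }
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) ||
        { echo "FAIL: cannot read private key $key"; return 1; }
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "FAIL: $key is not the private key for $cert"; rc=1
    fi

    text=$(openssl x509 -in "$cert" -noout -text)

    # RSA below 2048 bits fails Apple's requirement and many default TLS policies.
    if printf '%s\n' "$text" | grep -q 'Public Key Algorithm: rsaEncryption'; then
        bits=$(printf '%s\n' "$text" |
            sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p')
        if [ "${bits:-0}" -lt 2048 ]; then
            echo "FAIL: RSA key is only ${bits:-?} bits"; rc=1
        fi
    fi

    # The certificate signature should use SHA-256 or better, not MD5/SHA-1.
    sig=$(printf '%s\n' "$text" |
        sed -n 's/^ *Signature Algorithm: *//p' | head -n 1)
    case $sig in
        *md5*|*MD5*|*sha1*|*SHA1*) echo "FAIL: weak signature digest ($sig)"; rc=1 ;;
    esac

    # -checkend 0 exits non-zero if the certificate has already expired.
    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null ||
        { echo "FAIL: certificate has expired"; rc=1; }

    if [ "$rc" -eq 0 ]; then echo "OK: $cert and $key match ($sig)"; fi
    return "$rc"
}

# Run as: sh check_pair.sh CERT KEY   (script name is hypothetical)
if [ "$#" -eq 2 ]; then check_pair "$1" "$2"; fi
```

If the private key is passphrase-protected, openssl prompts for the passphrase during the check.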

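Script for upgrading openssl (untested)

#!/bin/sh
# Stop at the first failed step so the system openssl is not moved aside
# unless the new build was installed.
set -e
cd /opt/download
wget https://www.openssl.org/source/openssl-1.0.2k.tar.gz
tar -zxvf openssl-1.0.2k.tar.gz
cd openssl-1.0.2k
./config --prefix=/usr/local/openssl
make && make install
# Keep the distribution's binary and headers as .OFF backups
mv /usr/bin/openssl /usr/bin/openssl.OFF
mv /usr/include/openssl /usr/include/openssl.OFF
ln -s /usr/local/openssl/bin/openssl /usr/bin/openssl
ln -s /usr/local/openssl/include/openssl /usr/include/openssl
# Register the new library directory with the dynamic linker
echo "/usr/local/openssl/lib" >>/etc/ld.so.conf
ldconfig -v
openssl version -a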

Generate a self-signed certificate directly from a key file (meets Apple's requirements)

openssl req -days 36500 -x509 -sha256 -nodes -newkey rsa:2048 -keyout server.key -out server_app.crt

nginx -tc /etc/nginx/nginx.conf: check whether the configuration file is correct

Optimizing the HTTPS service

  • Method 1: enable keepalive (long-lived) connections
  • Method 2: configure the SSL session cache

server {
	# TLS is enabled on the listen socket; the old "ssl on;" directive is deprecated
	listen 443 ssl;
	server_name 192.168.10.4;

	keepalive_timeout 100;

	ssl_session_cache	shared:SSL:10m;	# 10 MB shared cache
	ssl_session_timeout	10m;	# 10 minutes

	ssl_certificate /etc/nginx/ssl_key/server.crt;
	ssl_certificate_key /etc/nginx/ssl_key/server.key;

	location / {
		root	/home/mantishell/html;
		index index.html index.htm;
	}

}
posted @ 2021-06-08 22:17  mantishell