Configuring HTTPS access with OpenResty
1. OpenSSL version
[root@localhost conf]# openssl version
OpenSSL 1.0.1e-fips 11 Feb 2013
2. OpenResty version
[root@localhost sbin]# ./nginx -V
3. Create the server private key. The command prompts for a passphrase, which must be entered (the steps below are run in the directory holding nginx's conf files; any other directory works as well, but the nginx configuration later on must then be changed to match).
[root@localhost conf]# openssl genrsa -des3 -out server.key 4096
Generating RSA private key, 4096 bit long modulus
..............................................................++
........................++
e is 65537 (0x10001)
Enter pass phrase for server.key:
140180344625056:error:28069065:lib(40):UI_set_result:result too small:ui_lib.c:869:You must type in 4 to 8191 characters
Enter pass phrase for server.key:
140180344625056:error:28069065:lib(40):UI_set_result:result too small:ui_lib.c:869:You must type in 4 to 8191 characters
Enter pass phrase for server.key:
Verifying - Enter pass phrase for server.key:
[root@localhost conf]# ll
总用量 64
-rw-r--r--. 1 root root 1077 3月 8 12:08 fastcgi.conf
-rw-r--r--. 1 root root 1077 3月 8 13:20 fastcgi.conf.default
-rw-r--r--. 1 root root 1007 3月 8 12:08 fastcgi_params
-rw-r--r--. 1 root root 1007 3月 8 13:20 fastcgi_params.default
-rw-r--r--. 1 root root 2837 3月 8 13:20 koi-utf
-rw-r--r--. 1 root root 2223 3月 8 13:20 koi-win
-rw-r--r--. 1 root root 3957 3月 8 12:08 mime.types
-rw-r--r--. 1 root root 3957 3月 8 13:20 mime.types.default
-rw-r--r--. 1 root root 3012 3月 14 16:41 nginx.conf
-rw-r--r--. 1 root root 2656 3月 8 13:20 nginx.conf.default
-rw-r--r--. 1 root root 636 3月 8 12:08 scgi_params
-rw-r--r--. 1 root root 636 3月 8 13:20 scgi_params.default
-rw-r--r-- 1 root root 3311 7月 11 14:15 server.key
-rw-r--r--. 1 root root 664 3月 8 12:08 uwsgi_params
-rw-r--r--. 1 root root 664 3月 8 13:20 uwsgi_params.default
-rw-r--r--. 1 root root 3610 3月 8 13:20 win-utf
The two "result too small" errors above appear because the passphrase typed was shorter than the minimum; as the message says, it must be 4 to 8191 characters long.
4. Create the certificate signing request (CSR)
[root@localhost conf]# openssl req -new -key server.key -out server.csr
Enter pass phrase for server.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:hubei
Locality Name (eg, city) [Default City]:wuhan
Organization Name (eg, company) [Default Company Ltd]:tk
Organizational Unit Name (eg, section) []:iflab
Common Name (eg, your name or your server's hostname) []:root
Email Address []:shihuc@163.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:shihuc
An optional company name []:tk
[root@localhost conf]#
Note that the Common Name entered here is "root". For a certificate that clients will accept without a hostname error, the Common Name (and, for current browsers, a subjectAltName) must be the hostname clients use to reach the server, i.e. the server_name configured in nginx.
5. On an nginx server built with SSL support, remove the mandatory passphrase from the private key created above (note: "removing" here means the key is rewritten in a form that no longer asks for the passphrase, and the original key file is replaced by that rewritten file). The resulting server.key is stored unencrypted on disk, so it should be readable by root only (chmod 600 server.key) rather than world-readable as in the listing above.
[root@localhost conf]# cp server.key server.key.org
[root@localhost conf]#
[root@localhost conf]# openssl rsa -in server.key.org -out server.key
Enter pass phrase for server.key.org:
writing RSA key
[root@localhost conf]#
6. Generate the certificate file with the openssl x509 command
[root@localhost conf]# openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
Signature ok
subject=/C=cn/ST=hubei/L=wuhan/O=tk/OU=iflab/CN=root/emailAddress=shihuc@163.com
Getting Private key
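Steps 3 to 6 above, as an added example that is not part of the original post: a POSIX shell script that produces the key, the CSR and the self-signed certificate non-interactively (no passphrase, so step 5 is not needed, and with the hostname in both CN and subjectAltName), then checks that the key and certificate belong together before nginx is pointed at them. It assumes openssl is installed; the function names, output paths and the hostname argument are placeholders of this example.

```shell
#!/bin/sh
# Added example, not from the original post: key -> CSR -> self-signed
# certificate as one non-interactive script, plus a sanity check to run
# before setting ssl_certificate/ssl_certificate_key. Assumes openssl is
# installed; function names, paths and the hostname are placeholders.
set -eu

# Generate server.key (no passphrase, so nginx starts unattended), server.csr
# with CN = $host, and server.crt self-signed for $days days carrying a
# subjectAltName, which current browsers require in addition to the CN.
make_self_signed() {
    host=$1; dir=$2; days=${3:-365}
    mkdir -p "$dir"
    openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
    chmod 600 "$dir/server.key"          # the key is unencrypted: root-only
    openssl req -new -key "$dir/server.key" -out "$dir/server.csr" \
        -subj "/C=cn/ST=hubei/L=wuhan/O=tk/OU=iflab/CN=$host"
    printf 'subjectAltName=DNS:%s\n' "$host" > "$dir/san.ext"
    openssl x509 -req -sha256 -days "$days" -in "$dir/server.csr" \
        -signkey "$dir/server.key" -extfile "$dir/san.ext" \
        -out "$dir/server.crt" 2>/dev/null
}

# Return 0 only if the certificate was issued for this private key (same RSA
# modulus) and names $host in both CN and subjectAltName; nginx refuses a
# mismatched pair at startup, and a wrong name fails in every browser.
check_pair() {
    crt=$1; key=$2; host=$3
    crt_mod=$(openssl x509 -noout -modulus -in "$crt" | openssl md5)
    key_mod=$(openssl rsa -noout -modulus -in "$key" | openssl md5)
    [ "$crt_mod" = "$key_mod" ] || { echo "key/certificate mismatch" >&2; return 1; }
    cn=$(openssl x509 -noout -subject -in "$crt" |
         sed -n 's|.*CN *= *\([^,/]*\).*|\1|p')
    [ "$cn" = "$host" ] || { echo "CN is '$cn', expected '$host'" >&2; return 1; }
    openssl x509 -noout -text -in "$crt" | grep -qF -- "DNS:$host" ||
        { echo "no subjectAltName for $host" >&2; return 1; }
}

# Usage: sh make_cert.sh <hostname> <output dir> [days]
if [ $# -ge 2 ]; then
    make_self_signed "$1" "$2" "${3:-365}"
    check_pair "$2/server.crt" "$2/server.key" "$1" && echo "OK: $2/server.crt"
fi
```

Copy server.crt and server.key from the output directory into nginx's conf directory (or reference them by absolute path) and run nginx -t before reloading.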
7. Minimal nginx configuration
# HTTPS server
#
server {
    listen 443 ssl;
    server_name localhost;
    ssl_certificate server.crt;
    ssl_certificate_key server.key;
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 5m;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    location / {
        root html/SSLROOT;
        index index.html index.htm;
    }
}
Under nginx's html directory, create an SSLROOT directory and place an index.html page in it for testing.
8. An nginx.conf used for forwarding (reverse proxy)
worker_processes 1;
error_log logs/error.log;
events {
    worker_connections 1024;
}
http {
    keepalive_timeout 65;
    sendfile on;
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';
    server {
        listen 443 ssl;
        # listen 8081 ssl;
        server_name localhost;
        ssl_certificate kaili.axinfu.com.crt;
        ssl_certificate_key kaili.axinfu.com.key;
        ssl_session_cache shared:SSL:1m;
        ssl_session_timeout 5m;
        ssl_ciphers HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers on;
        location / {
            root html/SSLROOT;
            index index.html index.htm;
            # Enable the allowlist; replace the addresses as needed
            allow 127.0.0.1;
            allow 192.168.11.10;
            deny all;
            # Reverse proxy; replace the upstream as needed
            proxy_pass http://192.168.11.10:9581;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $remote_addr;
        }
    }
}
Reference: https://www.cnblogs.com/shihuc/p/7150900.html