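Installing nginx on Linux and configuring a self-signed SSL certificate
1. Download the nginx tarball. The official download page is http://nginx.org/download/; open it and pick the version that suits your system. This walkthrough uses the nginx-1.9.1.tar.gz tarball installed on CentOS as its example.
2. Upload the downloaded nginx-1.9.1.tar.gz to the /usr/local directory of the CentOS system with FTP or a similar tool, cd into that directory and run " tar -zxvf nginx-1.9.9.tar.gz " to unpack it there. After unpacking succeeds, the directory contains a new folder, nginx-1.9.9.
3. cd into the nginx-1.9.9 directory and run " ./configure --with-http_ssl_module --with-http_stub_status_module " to configure the build. The options after -- select what is compiled in: --with-http_ssl_module adds the SSL module and --with-http_stub_status_module adds the stub status module.
4. Still in that directory, run " make && make install " and wait for the installation to finish. If you are modifying an existing nginx installation, do not run make install, because it would overwrite the installed files.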
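5. Change to the installation's configuration directory with " cd /usr/local/nginx/conf " and run the command that generates the self-signed certificate: " openssl req -new -x509 -nodes -out cert.pem -keyout cert.key -days 999 ". Enter the certificate details as prompted. When the command finishes, two files have been created in this directory, cert.pem and cert.key, valid for 999 days. The command shows a series of prompts, as follows: Country Name is the country name; State or Province Name is the state or province name; Organization Name is the organization name; Common Name is the common name, for example your name or the server's host name; Email Address is the e-mail address.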
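A non-interactive form of the step 5 command, followed by checks that cert.key is readable only by its owner and that it belongs to cert.pem. This is an added example, not part of the original article; the function names and the subject fields (C, ST, O) are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original page. Subject fields are constructed
# sample values; function names are hypothetical.

# make_selfsigned DIR CN [DAYS]: write DIR/cert.pem and DIR/cert.key
make_selfsigned() {
    dir=$1; cn=$2; days=${3:-999}
    (
        # -nodes stores the private key unencrypted, so create it under a
        # umask that keeps it unreadable to other users from the start.
        umask 077
        openssl req -new -x509 -nodes -newkey rsa:2048 -sha256 \
            -subj "/C=CN/ST=Example/O=Example Org/CN=$cn" \
            -out "$dir/cert.pem" -keyout "$dir/cert.key" \
            -days "$days" 2>/dev/null
    ) || return 1
    chmod 600 "$dir/cert.key" && chmod 644 "$dir/cert.pem"
}

# file_mode FILE: print the permission string, e.g. -rw-------
file_mode() { ls -ld "$1" | cut -c1-10; }

# Public key as PEM, taken from the certificate and from the private key
pubkey_of_cert() { openssl x509 -in "$1" -noout -pubkey 2>/dev/null; }
pubkey_of_key()  { openssl pkey -in "$1" -pubout 2>/dev/null; }

# check_pair DIR: succeed only if cert.key is owner-only and matches cert.pem
check_pair() {
    if [ "$(file_mode "$1/cert.key")" != "-rw-------" ]; then
        echo "cert.key must be mode 600" >&2; return 1
    fi
    cert_pub=$(pubkey_of_cert "$1/cert.pem") || return 1
    key_pub=$(pubkey_of_key "$1/cert.key") || return 1
    if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "cert.pem and cert.key do not belong together" >&2; return 1
    fi
}

# Usage, with the directory and host name used on this page:
#   make_selfsigned /usr/local/nginx/conf localhost 999 \
#       && check_pair /usr/local/nginx/conf
#   openssl x509 -in /usr/local/nginx/conf/cert.pem -noout -subject -dates
```

Run check_pair again after copying the files to another host; a copy made with default permissions often leaves the key world-readable.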
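Based on the information above, the generated certificate information is as follows:
6. Open the nginx.conf configuration file. The HTTPS server block for port 443 is commented out; copy that server block and fill it in by hand. The resulting file is as follows: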
#user nobody;
worker_processes 1;
#error_log logs/error.log;
#error_log logs/error.log notice;
#error_log logs/error.log info;
#pid logs/nginx.pid;
events {
    worker_connections 1024;
}
http {
    include mime.types;
    default_type application/octet-stream;
    #log_format main '$remote_addr - $remote_user [$time_local] "$request" '
    #                '$status $body_bytes_sent "$http_referer" '
    #                '"$http_user_agent" "$http_x_forwarded_for"';
    #access_log logs/access.log main;
    sendfile on;
    #tcp_nopush on;
    #keepalive_timeout 0;
    keepalive_timeout 65;
    #gzip on;
    server {
        listen 80;
        server_name localhost;
        #charset koi8-r;
        #access_log logs/host.access.log main;
        location / {
            root html;
            index index.html index.htm;
        }
        #error_page 404 /404.html;
        # redirect server error pages to the static page /50x.html
        #
        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
            root html;
        }
        # proxy the PHP scripts to Apache listening on 127.0.0.1:80
        #
        #location ~ \.php$ {
        #    proxy_pass http://127.0.0.1;
        #}
        # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
        #
        #location ~ \.php$ {
        #    root html;
        #    fastcgi_pass 127.0.0.1:9000;
        #    fastcgi_index index.php;
        #    fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name;
        #    include fastcgi_params;
        #}
        # deny access to .htaccess files, if Apache's document root
        # concurs with nginx's one
        #
        #location ~ /\.ht {
        #    deny all;
        #}
    }
    # another virtual host using mix of IP-, name-, and port-based configuration
    #
    #server {
    #    listen 8000;
    #    listen somename:8080;
    #    server_name somename alias another.alias;
    #    location / {
    #        root html;
    #        index index.html index.htm;
    #    }
    #}
    # HTTPS server
    #
    #server {
    #    listen 443 ssl;
    #    server_name localhost;
    #    ssl_certificate cert.pem;
    #    ssl_certificate_key cert.key;
    #    ssl_session_cache shared:SSL:1m;
    #    ssl_session_timeout 5m;
    #    ssl_ciphers HIGH:!aNULL:!MD5;
    #    ssl_prefer_server_ciphers on;
    #    location / {
    #        root html;
    #        index index.html index.htm;
    #    }
    #}
    server {
        listen 443 ssl;
        server_name localhost;
        ssl_certificate cert.pem;      # the cert.pem certificate file generated in the previous step
        ssl_certificate_key cert.key;  # the cert.key private key file generated in the previous step
        ssl_session_cache shared:SSL:1m;
        ssl_session_timeout 5m;
        ssl_ciphers HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers on;
        location / {
            #root html;
            #index index.html index.htm;
            proxy_pass http://10.2.1.172:8081;  # port 443 is proxied here and forwarded to 10.2.1.172:8081
        }
    }
}
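7. Start nginx with the command " /usr/local/nginx/sbin/nginx ". If no error is reported, open https://localhost and nginx forwards the request to http://10.2.1.172:8081.
8. Make nginx start at boot:
(1) Create the file /etc/init.d/nginx and copy the following content into it (this content is provided in the official nginx documentation). Change nginx="/usr/local/nginx/sbin/nginx" to point to your nginx binary, and NGINX_CONF_FILE="/usr/local/nginx/conf/nginx.conf" to point to your configuration file.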
#!/bin/sh
#
# nginx - this script starts and stops the nginx daemon
#
# chkconfig:   - 85 15
# description:  NGINX is an HTTP(S) server, HTTP(S) reverse \
#               proxy and IMAP/POP3 proxy server
# processname: nginx
# config:      /etc/nginx/nginx.conf
# config:      /etc/sysconfig/nginx
# pidfile:     /var/run/nginx.pid

# Source function library.
. /etc/rc.d/init.d/functions

# Source networking configuration.
. /etc/sysconfig/network

# Check that networking is up.
[ "$NETWORKING" = "no" ] && exit 0

# Path to the nginx binary
nginx="/usr/local/nginx/sbin/nginx"
prog=$(basename $nginx)

# Path to the nginx.conf configuration file
NGINX_CONF_FILE="/usr/local/nginx/conf/nginx.conf"

[ -f /etc/sysconfig/nginx ] && . /etc/sysconfig/nginx

lockfile=/var/lock/subsys/nginx

make_dirs() {
    # make required directories
    user=`$nginx -V 2>&1 | grep "configure arguments:" | sed 's/[^*]*--user=\([^ ]*\).*/\1/g' -`
    if [ -z "`grep $user /etc/passwd`" ]; then
        useradd -M -s /bin/nologin $user
    fi
    options=`$nginx -V 2>&1 | grep 'configure arguments:'`
    for opt in $options; do
        if [ `echo $opt | grep '.*-temp-path'` ]; then
            value=`echo $opt | cut -d "=" -f 2`
            if [ ! -d "$value" ]; then
                # echo "creating" $value
                mkdir -p $value && chown -R $user $value
            fi
        fi
    done
}

start() {
    [ -x $nginx ] || exit 5
    [ -f $NGINX_CONF_FILE ] || exit 6
    make_dirs
    echo -n $"Starting $prog: "
    daemon $nginx -c $NGINX_CONF_FILE
    retval=$?
    echo
    [ $retval -eq 0 ] && touch $lockfile
    return $retval
}

stop() {
    echo -n $"Stopping $prog: "
    killproc $prog -QUIT
    retval=$?
    echo
    [ $retval -eq 0 ] && rm -f $lockfile
    return $retval
}

restart() {
    configtest || return $?
    stop
    sleep 1
    start
}

reload() {
    configtest || return $?
    echo -n $"Reloading $prog: "
    killproc $nginx -HUP
    RETVAL=$?
    echo
}

force_reload() {
    restart
}

configtest() {
    $nginx -t -c $NGINX_CONF_FILE
}

rh_status() {
    status $prog
}

rh_status_q() {
    rh_status >/dev/null 2>&1
}

case "$1" in
    start)
        rh_status_q && exit 0
        $1
        ;;
    stop)
        rh_status_q || exit 0
        $1
        ;;
    restart|configtest)
        $1
        ;;
    reload)
        rh_status_q || exit 7
        $1
        ;;
    force-reload)
        force_reload
        ;;
    status)
        rh_status
        ;;
    condrestart|try-restart)
        rh_status_q || exit 0
        ;;
    *)
        echo $"Usage: $0 {start|stop|status|restart|condrestart|try-restart|reload|force-reload|configtest}"
        exit 2
esac
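(2) After saving the file, make it executable: chmod a+x /etc/init.d/nginx
(3) Use the chkconfig command to add it to the list of managed services: chkconfig --add /etc/init.d/nginx
(4) Manage the service with the following commands:
service nginx start    # start nginx
service nginx stop     # stop nginx
chkconfig nginx on     # enable start at boot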