• RedHat7配置Nginx实现多域名虚拟主机的SSL/TLS认证(实现单IP以不同证书服务于不同域名)


    以RedHat7(64bit)平台为例

    如果RedHat源没法用,可以使用EPEL源

    # rpm -Uvh https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
    # yum makecache
    # yum install gcc --enablerepo=epel     (指定使用epel源)

    IP信息清单:

    Nginx_Master: 192.168.136.201   提供负载均衡
    Nginx_BackUp: 192.168.136.202   负载均衡备机

    Nginx_VIP: 192.168.136.200 网站的 VIP 地址(虚拟 IP)

    1.安装Keepalived(Nginx主从双机热备)

    1. 安装依赖库
      # yum install -y wget gcc openssl-devel popt-devel
    2. 下载解压Keepalived
      # cd /usr/local/src
      # wget http://www.keepalived.org/software/keepalived-1.2.19.tar.gz
      # tar -zxvf keepalived-1.2.19.tar.gz && cd keepalived-1.2.19
    3. 编译安装Keepalived
      # ./configure --sysconf=/etc
      # make && make install
      # ln -s /usr/local/sbin/keepalived /usr/sbin/keepalived
    4. 修改配置文件
      # vi /etc/keepalived/keepalived.conf
      主Nginx server上的keepalived.conf文件
      ! Configuration File for keepalived
      
      global_defs {
          notification_email {
              admin@example.com
          }
          notification_email_from admin@example.com
          smtp_server 127.0.0.1
          smtp_connect_timeout 30
          router_id LVS_DEVEL
      }
      
      vrrp_script check_run {
         script "/usr/local/bin/check_nginx.sh"
         interval 2
         weight 2
      }
      
      vrrp_instance VI_1 {
          state MASTER
          interface eno16777728
          virtual_router_id 51
          priority 100
          advert_int 1
          authentication {
              auth_type PASS
              auth_pass 1111
          }
          track_script {
              check_run
          }
          virtual_ipaddress {
              192.168.136.200
          }
      }

      备Nginx server上的keepalived.conf文件

      ! Configuration File for keepalived
      
      global_defs {
          notification_email {
              admin@example.com
          }
          notification_email_from admin@example.com
          smtp_server 127.0.0.1
          smtp_connect_timeout 30
          router_id LVS_DEVEL
      }
      
      vrrp_script check_run {
         script "/usr/local/bin/check_nginx.sh"
         interval 5
      }
      
      vrrp_instance VI_1 {
          state BACKUP
          interface eno16777728
          virtual_router_id 51
          priority 99
          advert_int 1
          authentication {
              auth_type PASS
              auth_pass 1111
          }
          track_script {
              check_run
          }
          virtual_ipaddress {
              192.168.136.200
          }
      }

      # vi /usr/local/bin/check_nginx.sh
      # chmod +x /usr/local/bin/check_nginx.sh

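      #!/bin/bash
      
      # Keepalived health check for nginx: when no nginx master process is
      # running, try to start nginx; if it is still not running after a short
      # wait, stop keepalived so the VIP fails over to the other node.
      
      # True when an nginx master process exists. pgrep replaces the
      # ps | grep | grep -v grep chain (pgrep never matches itself).
      nginx_master_running() {
          pgrep -f 'nginx: master process' >/dev/null 2>&1
      }
      
      if ! nginx_master_running; then
          service nginx start
          sleep 5
          if ! nginx_master_running; then
              service keepalived stop
          fi
      fi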
    5. 设置Keepalived服务开机自启动并启动服务
      # chkconfig keepalived on
      # service keepalived start

    2.安装Nginx代理服务器安装步骤

    1. 安装jemalloc(更好的内存管理)
      # yum -y install bzip2
      # cd /usr/local/src
      # wget http://www.canonware.com/download/jemalloc/jemalloc-4.0.4.tar.bz2
      # tar -jxvf jemalloc-4.0.4.tar.bz2 && cd jemalloc-4.0.4
      # ./configure
      # make && make install
      # echo '/usr/local/lib' > /etc/ld.so.conf.d/local.conf
      # ldconfig
    2. lua-nginx-module模块(Nginx支持lua语法的模块)
      lua-nginx-module来自大牛agentzh的开源项目,在Nginx中嵌入Lua语言,使之可以支持强大Lua语法
      1. 下载LuaJIT2.0并安装
      # cd /usr/local/src
      # wget http://luajit.org/download/LuaJIT-2.0.4.tar.gz
      # tar -zxvf LuaJIT-2.0.4.tar.gz && cd LuaJIT-2.0.4
      # make && make install
      # ln -s /usr/local/lib/libluajit-5.1.so.2 /lib64/libluajit-5.1.so.2
      2. 导入环境变量
      # export LUAJIT_LIB=/usr/local/lib
      # export LUAJIT_INC=/usr/local/include/luajit-2.0
      3. 下载并解压ngx_devel_kit和lua-nginx-module 
      # cd /usr/local/src
      # curl -L https://codeload.github.com/simpl/ngx_devel_kit/tar.gz/v0.2.19 -o ngx_devel_kit-0.2.19.tar.gz
      # tar -zxvf ngx_devel_kit-0.2.19.tar.gz
      # curl -L https://codeload.github.com/openresty/lua-nginx-module/tar.gz/v0.9.20rc2 -o lua-nginx-module-0.9.20rc2.tar.gz
      # tar -zxvf lua-nginx-module-0.9.20rc2.tar.gz
    3. ngx_cache_purge模块(Nginx清除缓存的模块)
      # cd /usr/local/src
      # wget http://labs.frickle.com/files/ngx_cache_purge-2.3.tar.gz
      # tar -zxvf ngx_cache_purge-2.3.tar.gz
    4. 安装Nginx
      # yum -y install pcre-devel openssl-devel zlib-devel
      # wget http://nginx.org/download/nginx-1.9.9.tar.gz
      # tar -zxvf nginx-1.9.9.tar.gz && cd nginx-1.9.9
      # ./configure --sbin-path=/usr/local/nginx/nginx --pid-path=/var/run/nginx.pid --user=nginx --group=nginx
      --http-client-body-temp-path=/usr/local/nginx/cache/client_body_temp
      --http-proxy-temp-path=/usr/local/nginx/cache/proxy_temp
      --http-fastcgi-temp-path=/usr/local/nginx/cache/fastcgi_temp
      --http-uwsgi-temp-path=/usr/local/nginx/cache/uwsgi_temp
      --http-scgi-temp-path=/usr/local/nginx/cache/scgi_temp
      --with-http_ssl_module --with-http_stub_status_module --with-threads --with-stream --with-stream_ssl_module --with-ipv6 --with-http_v2_module --add-module=../ngx_cache_purge-2.3 --add-module=../lua-nginx-module-0.9.20rc2 --add-module=../ngx_devel_kit-0.2.19 --with-ld-opt='-ljemalloc' --with-cc-opt='-O2 -g -pipe -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic'
      # make -j2 && make install
      # mkdir /usr/local/nginx/cache
      # ln -s /usr/local/nginx/nginx /usr/sbin/nginx (创建nginx可执行程序软链接)
      使用以下命令确认Nginx的SNI支持是否开启了:
      #nginx -V

    5. 创建Nginx启动脚本
      # vi /etc/init.d/nginx
      #!/bin/sh
      #
      # nginx - this script starts and stops the nginx daemon
      #
      # chkconfig:   - 85 15
      # description:  NGINX is an HTTP(S) server, HTTP(S) reverse 
      #               proxy and IMAP/POP3 proxy server
      # processname: nginx
      # config:      /etc/nginx/nginx.conf
      # config:      /etc/sysconfig/nginx
      # pidfile:     /var/run/nginx.pid
      
      # Source function library.
      . /etc/rc.d/init.d/functions
      
      # Source networking configuration.
      . /etc/sysconfig/network
      
      # Nothing to do while networking is disabled.
      if [ "$NETWORKING" = "no" ]; then
          exit 0
      fi
      
      # The nginx binary, its short name (used by killproc/status below) and
      # the configuration file it is started with.
      nginx="/usr/local/nginx/nginx"
      prog=${nginx##*/}
      
      NGINX_CONF_FILE="/usr/local/nginx/conf/nginx.conf"
      
      # Optional per-host overrides of the variables above.
      if [ -f /etc/sysconfig/nginx ]; then
          . /etc/sysconfig/nginx
      fi
      
      lockfile=/var/lock/subsys/nginx
      
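      make_dirs() {
         # Create the *-temp-path directories nginx was configured with and
         # make sure the account named by --user exists. Both are read from
         # the "configure arguments:" line printed by `nginx -V`.
         configure_args=$($nginx -V 2>&1 | grep 'configure arguments:')
      
         # The group and backreference must be escaped in POSIX BRE; the
         # unescaped form matched literal parentheses and leaked the whole
         # configure line into $user. `-n ... p` prints nothing when there is
         # no --user option, so $user is then empty rather than garbage.
         user=$(printf '%s\n' "$configure_args" | sed -n 's/.*--user=\([^ ]*\).*/\1/p')
         if [ -n "$user" ] && ! grep -q "^$user:" /etc/passwd; then
             useradd -r -M -s /sbin/nologin "$user"
         fi
      
         # Word-splitting of $configure_args is intended: one option per word.
         for opt in $configure_args; do
             case $opt in
                 *-temp-path=*)
                     value=${opt#*=}
                     if [ ! -d "$value" ]; then
                         mkdir -p "$value" || continue
                         if [ -n "$user" ]; then
                             chown -R "$user" "$value"
                         fi
                     fi
                     ;;
             esac
         done
      }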
      
      start() {
          # Exit codes follow the LSB convention used by the rest of the
          # script: 5 = program not installed, 6 = program not configured.
          if [ ! -x "$nginx" ]; then
              exit 5
          fi
          if [ ! -f "$NGINX_CONF_FILE" ]; then
              exit 6
          fi
          make_dirs
          echo -n $"Starting $prog: "
          daemon "$nginx" -c "$NGINX_CONF_FILE"
          retval=$?
          echo
          # The subsys lock file marks the service as running for the init system.
          if [ "$retval" -eq 0 ]; then
              touch "$lockfile"
          fi
          return "$retval"
      }
      
      stop() {
          echo -n $"Stopping $prog: "
          # Signal the master with QUIT instead of killproc's default TERM.
          killproc "$prog" -QUIT
          retval=$?
          echo
          if [ "$retval" -eq 0 ]; then
              rm -f "$lockfile"
          fi
          return "$retval"
      }
      
      restart() {
          # Refuse to bounce the server on a configuration that fails to parse;
          # propagate configtest's exit status unchanged.
          configtest || return $?
          stop
          sleep 1
          start
      }
      
      reload() {
          # Same guard as restart: never reload a broken configuration.
          configtest || return $?
          echo -n $"Reloading $prog: "
          # Reload is done by signalling the running process with HUP.
          killproc "$nginx" -HUP
          RETVAL=$?
          echo
      }
      
      force_reload() {
          # Implemented as a full restart.
          restart
      }
      
      configtest() {
        # Syntax-check the configuration file without starting the server.
        "$nginx" -t -c "$NGINX_CONF_FILE"
      }
      
      rh_status() {
          # Report the daemon's state via the init-functions status helper.
          status "$prog"
      }
      
      rh_status_q() {
          # Silent variant for use in conditions: only the exit code matters.
          rh_status 1>/dev/null 2>&1
      }
      
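      # Dispatch on the action word given by the init system.
      case "$1" in
          start)
              # Already running: nothing to do.
              rh_status_q && exit 0
              start
              ;;
          stop)
              rh_status_q || exit 0
              stop
              ;;
          restart)
              restart
              ;;
          configtest)
              configtest
              ;;
          reload)
              # LSB: 7 = program is not running.
              rh_status_q || exit 7
              reload
              ;;
          force-reload)
              force_reload
              ;;
          status)
              rh_status
              ;;
          condrestart|try-restart)
              # Restart only when already running. The original arm ended
              # after the status check and never restarted anything.
              rh_status_q || exit 0
              restart
              ;;
          *)
              echo $"Usage: $0 {start|stop|status|restart|condrestart|try-restart|reload|force-reload|configtest}"
              exit 2
              ;;
      esac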
    6. 设置Nginx服务开机自启动并启动服务
      # chmod +x /etc/init.d/nginx
      # chkconfig nginx on
      # service nginx start
    7. 开通http,https防火墙端口
      # firewall-cmd --permanent --add-service={http,https}
      # firewall-cmd --reload
    8. 在浏览器中测试Nginx

    3.生成SSL证书步骤

    1. 创建证书存放目录并切换到该目录
      mkdir -p /usr/local/nginx/conf/ssl && cd /usr/local/nginx/conf/ssl

    使用openssl生成服务器证书

    假设我们有两个站点linux.example.com,windows.example.com
         Domain                          UpStream                                         Servers                                                        System
    --------------------------     ----------------------------     ----------------------------------------------------------------        -------------------
    linux.example.com           linux.example.com            192.168.136.101,192.168.136.102,192.168.136.103               Linux
    windows.example.com      windows.example.com       192.168.136.104,192.168.136.105                                       Windows

    以linux.example.com为例,生成服务器证书

    1. 生成服务器端的私钥(key文件)
      # openssl genrsa -des3 -out linux.example.com.key 1024
      Generating RSA private key, 1024 bit long modulus
      ...........++++++
      .....................++++++
      e is 65537 (0x10001)
      Enter pass phrase for linux.example.com.key: <口令>
      Verifying - Enter pass phrase for linux.example.com.key: <确认口令>
    2. 创建证书签名请求Certificate Signing Request (CSR)
      # SUBJECT="/C=CN/ST=China/L=Shanghai/O=example.com/OU=example.com/CN=linux.example.com"
      # openssl req -new -subj $SUBJECT -key linux.example.com.key -out linux.example.com.csr
      Enter pass phrase for secure1.example.com.key: <确认口令>
    3. 清除重启Nginx服务时提示必须输入密钥
      # mv linux.example.com.key linux.example.com.origin.key
      # openssl rsa -in linux.example.com.origin.key -out linux.example.com.key
    4. 使用刚生成的私钥和CSR创建自签名的CA证书
      # openssl x509 -req -days 3650 -in linux.example.com.csr -signkey linux.example.com.key -out linux.example.com.crt
    5. 重复上面操作,生成windows.example.com证书

    创建Nginx配置文件

    1. 创建upstream配置文件
      # mkdir /usr/local/nginx/conf/upstreams && cd /usr/local/nginx/conf/upstreams
      # vi linux.example.com.conf
      upstream linux.example.com {
          ip_hash;
          server 192.168.136.101:80;
          server 192.168.136.102:80;
          server 192.168.136.103:80;
      }
      # vi windows.example.com.conf
      upstream windows.example.com {
          ip_hash;
          server 192.168.136.104:80;
          server 192.168.136.105:80;
      }
    2. 安装nginx_ensite工具
      # cd /usr/local/src
      # yum -y install git
      # git clone https://github.com/perusio/nginx_ensite.git && cd nginx_ensite
      # make install
      修改nginx_ensite脚本
      # vi /usr/local/bin/nginx_ensite
      #!/bin/bash
      
      ### nginx_ensite --- Bash script to enable or disable a site in nginx.
      
      ### Copyright (C) 2010, 2015 António P. P. Almeida <appa@perusio.net>
      
      ### Author: António P. P. Almeida <appa@perusio.net>
      
      ### Permission is hereby granted, free of charge, to any person obtaining a
      ### copy of this software and associated documentation files (the "Software"),
      ### to deal in the Software without restriction, including without limitation
      ### the rights to use, copy, modify, merge, publish, distribute, sublicense,
      ### and/or sell copies of the Software, and to permit persons to whom the
      ### Software is furnished to do so, subject to the following conditions:
      
      ### The above copyright notice and this permission notice shall be included in
      ### all copies or substantial portions of the Software.
      
      ### Except as contained in this notice, the name(s) of the above copyright
      ### holders shall not be used in advertising or otherwise to promote the sale,
      ### use or other dealings in this Software without prior written authorization.
      
      ### THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
      ### IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
      ### FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.  IN NO EVENT SHALL
      ### THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
      ### LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
      ### FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
      ### DEALINGS IN THE SOFTWARE.
      
      SCRIPTNAME=${0##*/}
      
      ## The nginx binary. Running as root: resolve nginx from PATH and give
      ## up if it is not there. Otherwise use a fixed path and preset STATUS
      ## (no configuration test is run without root).
      case "$(id -u)" in
          0)
              IS_ROOT=1
              NGINX=$(command -v nginx) || exit 1
              ;;
          *)
              STATUS=0
              NGINX=/usr/sbin/nginx
              ;;
      esac
      
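      ## Default value for the configuration directory.
      NGINX_CONF_DIR=/usr/local/nginx/conf
      
      ## Print the one-line usage (the defaults above are repeated verbatim
      ## in the message).
      function print_usage() {
          echo "$SCRIPTNAME [-c <nginx configuration base directory> default: /usr/local/nginx/conf] [ -s <startup program name> default: nginx] <site name>"
      }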
      
      ## Extract the startup program name from a given argument. If it's a
      ## path to nginx then add the '-s reload' to the name. Otherwise just
      ## return the given argument.
      ## $1: the program name.
      ## Returns the proper startup program name,
      function get_startup_program_name() {
          local program="$1"
      
          # Anything ending in "nginx" is treated as the nginx binary.
          if [[ $program =~ [[:alnum:]/-]*nginx$ ]]; then
              echo "$program -s reload"
          else
              echo "$program"
          fi
      }
      
      ## The default start up program is nginx, i.e. "nginx -s reload"
      ## (get_startup_program_name appends "-s reload" to names ending in nginx).
      STARTUP_PROGRAM_NAME=$(get_startup_program_name nginx)
      
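      ## Create the relative path to the vhost file.
      ## $1: configuration file name (usually the vhost)
      ## $2: available sites directory name (usually sites-available)
      ## Returns the relative path from the sites-enabled directory: one
      ## '../' for sites-enabled itself plus one per directory level in $1,
      ## e.g. (foo, sites-available) -> ../sites-available/foo.
      ## The '/' characters in $1 are counted directly; the previous version
      ## eval'ed a brace expansion built from the argument and produced a
      ## malformed path for names containing '/'.
      function make_relative_path() {
          local site="$1"
          local available_dir="$2"
          local slashes="${site//[^\/]/}"
          local depth=$(( ${#slashes} + 1 ))
          local up=""
          local i
      
          for (( i = 0; i < depth; i++ )); do
              up+="../"
          done
          printf '%s%s/%s' "$up" "$available_dir" "$site"
      }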
      
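      ## Checking the type of action we will perform. Enabling or disabling.
      ## The action is derived from the name the script was invoked as.
      case "$SCRIPTNAME" in
          *dissite*) ACTION=DISABLE ;;
          *ensite*)  ACTION=ENABLE ;;
          *)         ACTION=UNKNOWN ;;
      esac
      
      if [ "$ACTION" == "UNKNOWN" ]; then
          echo "$SCRIPTNAME: Unknown action!" >&2
          print_usage
          exit 2
      fi
      
      ## Check the number of arguments: the site name plus at most two
      ## option/value pairs.
      if [ $# -lt 1 ] || [ $# -gt 5 ]; then
          print_usage >&2
          exit 3
      fi
      
      ## Parse the getops arguments.
      while getopts c:s: OPT; do
          case $OPT in
              c|+c)
                  NGINX_CONF_DIR=$(realpath "$OPTARG")
                  if [[ ! -d "$NGINX_CONF_DIR" ]]; then
                      echo "$NGINX_CONF_DIR directory not found." >&2
                      exit 3
                  fi
                  ;;
              s|+s)
                  STARTUP_PROGRAM_NAME=$(get_startup_program_name "$OPTARG")
                  ;;
              *)
                  print_usage >&2
                  exit 4
                  ;;
          esac
      done
      shift $(( OPTIND - 1 ))
      OPTIND=1
      
      ## The paths for both nginx configuration files and the sites
      ## configuration files and symbolic link destinations.
      AVAILABLE_SITES_PATH="$NGINX_CONF_DIR/sites-available"
      ENABLED_SITES_PATH="$NGINX_CONF_DIR/sites-enabled"
      
      ## Exactly one site name must remain after the options.
      if [ $# -ne 1 ]; then
          print_usage >&2
          exit 3
      fi
      
      ## Relative path, as seen from sites-enabled, to the site's file. All
      ## path expansions are quoted so names with spaces do not split.
      SITE_AVAILABLE=$(make_relative_path "$1" "${AVAILABLE_SITES_PATH##*/}")
      
      ## If enabling the 'default' site then make sure that it's the
      ## first to be loaded.
      if [ "$1" == "default" ]; then
          SITE_ENABLED="$ENABLED_SITES_PATH/default"
      else
          SITE_ENABLED="$ENABLED_SITES_PATH/$1"
      fi
      ## Check if the directory where we will place the symlink
      ## exists. If not create it.
      [ -d "${SITE_ENABLED%/*}" ] || mkdir -p "${SITE_ENABLED%/*}"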
      
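      ## Check that the file corresponding to site exists if enabling or
      ## that the symbolic link exists if disabling. Perform the desired
      ## action if possible. If not signal an error and exit.
      case $ACTION in
          ENABLE)
              # Change to the directory where we will place the symlink so that we
              # see the relative path correctly. Stop if that fails rather than
              # linking into whatever the current directory happens to be.
              cd "${SITE_ENABLED%/*}" || exit 3
              if [ -r "$SITE_AVAILABLE" ]; then
                  ## Test for a well formed configuration only when we are
                  ## root. STATUS is preset for non-root users; as root it is
                  ## only set when the test passes.
                  if [ -n "$IS_ROOT" ]; then
                      echo "Testing nginx configuration..."
                      "$NGINX" -t && STATUS=0
                  fi
                  ## Do not enable anything on top of a configuration that
                  ## already fails to load (previously the symlink was created
                  ## before exiting with 5).
                  [ -n "$STATUS" ] || exit 5
                  ## If already enabled say it and exit.
                  if [ -h "$SITE_ENABLED" ]; then
                      echo "$1 is already enabled."
                      exit 0
                  fi
                  ln -s "$SITE_AVAILABLE" "$SITE_ENABLED" || exit 5
                  echo -n "Site $1 has been enabled."
                  printf '\nRun "%s" to apply the changes.\n' "$STARTUP_PROGRAM_NAME"
                  exit 0
              else
                  echo "Site configuration file $1 not found." >&2
                  exit 6
              fi
              ;;
          DISABLE)
              if [ "$1" = "default" ] ; then
                  if [ -h "$ENABLED_SITES_PATH/default" ] ; then
                      SITE_ENABLED="$ENABLED_SITES_PATH/default"
                  fi
              fi
              if [ -h "$SITE_ENABLED" ]; then
                  rm "$SITE_ENABLED"
                  echo -n "Site $1 has been disabled."
                  printf '\nRun "%s" to apply the changes.\n' "$STARTUP_PROGRAM_NAME"
                  exit 0
              else
                  echo "Site $1 doesn't exist." >&2
                  exit 7
              fi
              ;;
      esac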
    3. 创建sites-available目录并进入
      # mkdir /usr/local/nginx/conf/sites-available && cd /usr/local/nginx/conf/sites-available
    4. 创建站点配置文件
      # vi no-default
      # Drop requests for unknown hosts
      #
      # If no default server is defined, nginx will use the first found server.
      # To prevent host header attacks, or other potential problems when an unknown 
      # servername is used in a request, it's recommended to drop the request 
      # returning 444 "no response".
      
      server {
          listen 80 default_server;
          return 444;
      }

      # vi linux.example.com

      server {
          listen  [::]:80;
          listen       80;
          server_name  linux.example.com;
      
          return 301 https://$host$request_uri;
      }
      
      server {
          listen  [::]:443 ssl http2;
          listen       443 ssl http2;
          server_name  linux.example.com;
      
          access_log  logs/linux.example.com.access.log  main;
          error_log   logs/linux.example.com.error.log   error;
      
      
          location / {
              proxy_pass  http://linux.example.com;
          }
      
          include  ssl.conf;
      
          ssl_certificate      ssl/linux.example.com.crt;
          ssl_certificate_key  ssl/linux.example.com.key;
      }

      # vi windows.example.com

      server {
          listen  [::]:80;
          listen       80;
          server_name  windows.example.com;
      
          return 301 https://$host$request_uri;
      }
      
      server {
          listen  [::]:443 ssl http2;
          listen       443 ssl http2;
          server_name  windows.example.com;
      
          access_log  logs/windows.example.com.access.log  main;
          error_log   logs/windows.example.com.error.log   error;
      
      
          location / {
              proxy_pass  http://windows.example.com;
          }
      
          include  ssl.conf;
      
          ssl_certificate      ssl/windows.example.com.crt;
          ssl_certificate_key  ssl/windows.example.com.key;
      }
    5. 启用站点和禁用站点的方法
      # nginx_ensite linux.example.com   (启用站点)
      # nginx_dissite linux.example.com    (禁用站点)
    6. 创建zone.conf配置文件
      # vi /usr/local/nginx/conf/zone.conf
      #1mb zone holds approx 16k sessions
      #Connections per IP
      limit_conn_zone     $binary_remote_addr zone=conPerIp:5m;
      
      # Fastcgi cache zones below
      # At some point you'd probably want to change these paths to their own
      # directory, for example to /var/cache/nginx/
      fastcgi_cache_path /usr/local/nginx/cache/fastcgi_cache levels=1:1 keys_zone=fastcgi_cache:16m max_size=256m inactive=1d;
      limit_req_zone $binary_remote_addr zone=reqPerSec1:1m rate=1r/s;
      limit_req_zone $binary_remote_addr zone=reqPerSec10:1m rate=10r/s;
      limit_req_zone $binary_remote_addr zone=reqPerSec20:1m rate=20r/s;
    7. 创建proxy.conf配置文件
      # vi /usr/local/nginx/conf/proxy.conf
      proxy_redirect    off;
      proxy_set_header  Host            $host;
      proxy_set_header  X-Real-IP       $remote_addr;
      proxy_set_header  X-Forwarded-For $proxy_add_x_forwarded_for;
      
      proxy_connect_timeout       30;
      proxy_send_timeout          30;
      proxy_read_timeout          60;
      proxy_buffer_size           256k;
      proxy_buffers               4 256k;
      proxy_busy_buffers_size     256k;
      proxy_temp_file_write_size  256k;
      proxy_next_upstream         error timeout invalid_header http_500 http_503 http_404;
      proxy_max_temp_file_size    128m;
    8. 创建ssl.conf配置文件
      # vi /usr/local/nginx/conf/ssl.conf
      add_header                 Strict-Transport-Security 'max-age=604800';
      
      ssl_session_cache          shared:SSL:10m;
      ssl_session_timeout        10m;
      ssl_prefer_server_ciphers  on;
      ssl_protocols              TLSv1 TLSv1.1 TLSv1.2;
      
      # Maximum secure cipher list from https://cipherli.st/. Not supported by some clients: IE6/XP, IE8/XP, Java 6u45, Java 7u25, OpenSSL 0.9.8y
      ssl_ciphers                "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
      
      # Less secure cipher list from https://cipherli.st/. Not supported by some clients: IE6/XP, Java 6u45
      #ssl_ciphers                "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:ECDHE-RSA-AES128-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA128:DHE-RSA-AES128-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA128:ECDHE-RSA-AES128-SHA384:ECDHE-RSA-AES128-SHA128:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA128:DHE-RSA-AES128-SHA128:DHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA384:AES128-GCM-SHA128:AES128-SHA128:AES128-SHA128:AES128-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
    9. 创建gzip.conf配置文件
      # vi /usr/local/nginx/conf/gzip.conf
      gzip                    on;
      gzip_http_version       1.0;
      gzip_min_length         1100;
      gzip_buffers            4 8k;
      gzip_proxied            expired no-cache no-store private auth;
      gzip_disable            "msie6";
      gzip_vary               on;
      gzip_comp_level         1;
      gzip_types
          # text/html is always compressed by HttpGzipModule
          text/css
          text/javascript
          text/xml
          text/plain
          text/x-component
          application/javascript
          application/x-javascript
          application/json
          application/xml
          application/rss+xml
          application/atom+xml
          font/truetype
          font/opentype
          application/vnd.ms-fontobject
          image/svg+xml;
    10. 修改nginx.conf配置文件
      # vi /usr/local/nginx/conf/nginx.conf
      user  nginx;
      worker_processes  auto;
      
      worker_rlimit_nofile  8192;
      
      events {
          worker_connections  8000;
      }
      
      error_log  logs/error.log  warn;
      
      http {
          include                     mime.types;
          default_type                text/html;
          server_tokens               off;
          msie_padding                off;
          max_ranges                  0;
          charset                     utf-8;
          reset_timedout_connection   on;
          keepalive_disable           none;
      
          sendfile                    on;
          tcp_nopush                  on;
          tcp_nodelay                 off;
          keepalive_requests          20;
      
          log_format  main  '$remote_addr $scheme://$host $remote_user [$time_local] "$request" '
                            '$status $body_bytes_sent "$http_referer" '
                            '"$http_user_agent" $request_time $upstream_addr $upstream_cache_status';
          log_subrequest  on;
      
          variables_hash_max_size     1024;
          map_hash_max_size           2048;
          server_names_hash_max_size  1024;
          types_hash_max_size         1024;
      
          open_file_cache             max=300;
          open_file_cache_errors      on;
      
          keepalive_timeout           5;
          client_header_timeout       5;
          client_body_timeout         5;
          send_timeout                5;
      
          fastcgi_connect_timeout     5;
          fastcgi_send_timeout        5;
      
          include  proxy.conf;
          include  zone.conf;
          include  upstreams/*.conf;
          include  sites-enabled/*;
      }

      生成证书的脚本: 

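      #!/bin/bash
      
      # create self-signed server certificate:
      # Prompts for a domain, generates a key and CSR, strips the passphrase
      # so nginx can start unattended, and self-signs the certificate for
      # 3650 days. (`read -p` is a bash feature, hence the bash shebang.)
      
      # Stop at the first failing step instead of signing with a missing key.
      set -e
      
      read -r -p "Enter your domain [www.example.com]: " DOMAIN
      # Apply the default the prompt advertises when nothing is entered.
      DOMAIN=${DOMAIN:-www.example.com}
      
      echo "Create server key..."
      
      # 2048-bit RSA: 1024-bit keys are below the minimum accepted by current
      # browsers and CA baseline requirements.
      openssl genrsa -des3 -out "$DOMAIN.key" 2048
      
      echo "Create server certificate signing request..."
      
      SUBJECT="/C=CN/ST=China/L=Shanghai/O=example.com/OU=example.com/CN=$DOMAIN"
      
      openssl req -new -subj "$SUBJECT" -key "$DOMAIN.key" -out "$DOMAIN.csr"
      
      echo "Remove password..."
      
      # Keep the passphrase-protected original; nginx is pointed at the
      # unencrypted copy.
      mv "$DOMAIN.key" "$DOMAIN.origin.key"
      openssl rsa -in "$DOMAIN.origin.key" -out "$DOMAIN.key"
      
      echo "Sign SSL certificate..."
      
      openssl x509 -req -days 3650 -in "$DOMAIN.csr" -signkey "$DOMAIN.key" -out "$DOMAIN.crt"
      
      
      echo "TODO:"
      echo "Copy $DOMAIN.crt to /usr/local/nginx/conf/ssl/$DOMAIN.crt"
      echo "Copy $DOMAIN.key to /usr/local/nginx/conf/ssl/$DOMAIN.key"
      echo "Add configuration in nginx:"
      echo "server {"
      echo " ..."
      echo " listen 443 ssl;"
      echo " ssl_certificate /usr/local/nginx/conf/ssl/$DOMAIN.crt;"
      echo " ssl_certificate_key /usr/local/nginx/conf/ssl/$DOMAIN.key;"
      echo "}"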
  • 原文地址:https://www.cnblogs.com/edward2013/p/5033686.html