1,先确认nginx安装时已编译http_ssl模块。
就是执行nginx -V命令查看是否存在--with-http_ssl_module。如果没有,则需要重新编译nginx将该模块加入。yum安装的一般都编译进去了。源码编译二进制包安装的可能需要重新编译,然后make,但是不需要make install。
2,查看是否已经安装SSL。openssl version -a
3,生成SSL证书
#在nginx目录下创建ssl文件夹
cd /etc/pki
mkdir nginx
cd nginx
#生成2048位的加密私钥
openssl genrsa -out server.key 2048
生成证书签名请求(CSR),这里需要填写许多信息
openssl req -new -key server.key -out server.csr
输出内容为:
Enter pass phrase for root.key: ← 输入前面创建的密码
Country Name (2 letter code) [AU]:CN ← 国家代号,中国输入CN
State or Province Name (full name) [Some-State]:BeiJing ← 省的全名,拼音
Locality Name (eg, city) []:BeiJing ← 市的全名,拼音
Organization Name (eg, company) [Internet Widgits Pty Ltd]:MyCompany Corp. ← 公司英文名
Organizational Unit Name (eg, section) []: ← 可以不输入
Common Name (eg, YOUR name) []: ← 服务器主机名,若填写不正确,浏览器会报告证书无效,但并
Email Address []:admin@mycompany.com ← 电子邮箱,可随意填
Please enter the following ‘extra’ attributes
to be sent with your certificate request
A challenge password []: ← 可以不输入
An optional company name []: ← 可以不输入生成类型为X509的自签名证书。
#有效期设置3650天,即有效期为10年
openssl x509 -req -days 3650 -in server.csr -signkey server.key -out server.crt
4、修改Nginx配置文件
# For more information on configuration, see: # * Official English Documentation: http://nginx.org/en/docs/ # * Official Russian Documentation: http://nginx.org/ru/docs/ user nginx; worker_processes auto; error_log /var/log/nginx/error.log; pid /run/nginx.pid; # Load dynamic modules. See /usr/share/doc/nginx/README.dynamic. include /usr/share/nginx/modules/*.conf; events { worker_connections 1024; } http { log_format main '$remote_addr - $remote_user [$time_local] "$request" ' '$status $body_bytes_sent "$http_referer" ' '"$http_user_agent" "$http_x_forwarded_for"'; access_log /var/log/nginx/access.log main; sendfile on; tcp_nopush on; tcp_nodelay on; keepalive_timeout 65; types_hash_max_size 4096; include /etc/nginx/mime.types; default_type application/octet-stream; # Load modular configuration files from the /etc/nginx/conf.d directory. # See http://nginx.org/en/docs/ngx_core_module.html#include # for more information. include /etc/nginx/conf.d/*.conf; server { listen 80; listen [::]:80; server_name _;
#原目录名是html,是文件数据目录,修改为http,可以和https的数据目录做区分,也可以设置成一样的。 root /usr/share/nginx/http; # Load configuration files for the default server block. include /etc/nginx/default.d/*.conf; error_page 404 /404.html; location = /404.html { } error_page 500 502 503 504 /50x.html; location = /50x.html { } } # Settings for a TLS enabled server. # server { listen 443 ssl http2; listen [::]:443 ssl http2; server_name _; root /usr/share/nginx/https; ssl_certificate "/etc/pki/nginx/server.crt"; ssl_certificate_key "/etc/pki/nginx/server.key"; ssl_session_cache shared:SSL:1m; ssl_session_timeout 10m; ssl_ciphers HIGH:!aNULL:!MD5; ssl_prefer_server_ciphers on; # Load configuration files for the default server block. include /etc/nginx/default.d/*.conf; error_page 404 /404.html; location = /40x.html { } error_page 500 502 503 504 /50x.html; location = /50x.html { } } }
详细可参考以下博客:
https://www.cnblogs.com/bcodepod/p/15325522.html
https://cloud.tencent.com/developer/article/1151073