nginx HTTPS configuration


1. Prerequisite

I am doing this on a virtual machine, so I have to self-sign the certificate.

2. Self-signing the HTTPS certificate

[root@server CA]# (umask 077;openssl genrsa -out private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus
........................................+++
...............+++
e is 65537 (0x10001)
[root@server CA]# openssl rsa -in private/cakey.pem -pubout
writing RSA key
[root@server CA]# 
[root@server CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN				// CN = China
State or Province Name (full name) []:HuBei			// province: Hubei
Locality Name (eg, city) [Default City]:WuHan		// city: Wuhan
Organization Name (eg, company) [Default Company Ltd]:lzj.example.com	// the domain name used to access the site
Organizational Unit Name (eg, section) []:lzj.example.com		// the domain name used to access the site
Common Name (eg, your name or your server's hostname) []:lzj.example.com
Email Address []:1@qq.com 		// e-mail address
[root@server CA]# ls
cacert.pem  certs  crl  newcerts  private
[root@server CA]# touch index.txt && echo 01 > serial
[root@server CA]# ls 
cacert.pem  certs  crl  index.txt  newcerts  private  serial
[root@server CA]# ls private/
cakey.pem
# change into the nginx directory
[root@server CA]# cd /usr/local/nginx/
[root@server nginx]# ls
client_body_temp  conf  fastcgi_temp  html  logs  proxy_temp  sbin  scgi_temp  uwsgi_temp
[root@server nginx]# mkdir ssl
[root@server nginx]# ls
client_body_temp  conf  fastcgi_temp  html  logs  proxy_temp  sbin  scgi_temp  ssl  uwsgi_temp
[root@server nginx]# cd ssl/
[root@server ssl]# (umask 077;openssl genrsa -out nginx.key 2048)
[root@server ssl]# ls
nginx.key
# the fields here are filled in the same way as before
[root@server ssl]#  openssl req -new -key nginx.key -days 365 -out nginx.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HuBei
Locality Name (eg, city) [Default City]:WuHan
Organization Name (eg, company) [Default Company Ltd]:lzj.example.com
Organizational Unit Name (eg, section) []:lzj.example.com
Common Name (eg, your name or your server's hostname) []:lzj.example.com
Email Address []:1@qq.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@server ssl]# 

[root@server ssl]#  openssl ca -in /usr/local/nginx/ssl/nginx.csr -out nginx.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Jun 15 08:53:27 2020 GMT
            Not After : Jun 15 08:53:27 2021 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = HuBei
            organizationName          = lzj.example.com
            organizationalUnitName    = lzj.example.com
            commonName                = lzj.example.com
            emailAddress              = 1@qq.com
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                61:0F:5D:8F:7D:A2:3A:F4:B0:BE:6B:88:C0:EA:EB:CE:B4:07:F8:D4
            X509v3 Authority Key Identifier: 
                keyid:C8:52:1E:FA:72:A3:7D:A7:FD:A0:83:97:77:A5:EE:88:E3:C1:BF:D5

Certificate is to be certified until Jun 15 08:53:27 2021 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
# done
[root@server ssl]# ls
nginx.crt  nginx.csr  nginx.key
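
The same CA and server-certificate steps as a non-interactive script, added here as an example that is not part of the original post: it passes the DN with -subj instead of answering the prompts, adds a subjectAltName (browsers ignore the CN on its own and reject a certificate without a SAN), signs with openssl x509 -req instead of openssl ca so no index.txt/serial database is needed, and checks the result before nginx is pointed at it. Assumptions: openssl is on PATH, the hostname lzj.example.com from the post, and an output directory ./ca-demo.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes openssl on PATH.
# Everything is written below $WORK (default ./ca-demo).
set -eu
WORK="${WORK:-./ca-demo}"
HOST="${HOST:-lzj.example.com}"   # hostname used in the post
SUBJ_BASE="/C=CN/ST=HuBei/L=WuHan/O=$HOST"

make_ca() {
    mkdir -p "$WORK/private" && chmod 700 "$WORK/private"
    # umask 077 so the CA private key is never readable by other users
    (umask 077; openssl genrsa -out "$WORK/private/cakey.pem" 2048 2>/dev/null)
    openssl req -new -x509 -sha256 -days 365 -key "$WORK/private/cakey.pem" \
        -subj "$SUBJ_BASE/CN=demo-CA" -out "$WORK/cacert.pem"
}

make_server_cert() {
    (umask 077; openssl genrsa -out "$WORK/nginx.key" 2048 2>/dev/null)
    openssl req -new -key "$WORK/nginx.key" -subj "$SUBJ_BASE/CN=$HOST" \
        -out "$WORK/nginx.csr"
    # Leaf-certificate extensions: not a CA, plus the SAN browsers check
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\n' "$HOST" \
        > "$WORK/nginx.ext"
    openssl x509 -req -sha256 -days 365 -in "$WORK/nginx.csr" \
        -CA "$WORK/cacert.pem" -CAkey "$WORK/private/cakey.pem" -CAcreateserial \
        -extfile "$WORK/nginx.ext" -out "$WORK/nginx.crt" 2>/dev/null
}

# Checks to run before nginx uses the files: the chain validates against the
# CA, the private key matches the certificate, and the SAN is present.
verify_chain() {
    openssl verify -CAfile "$WORK/cacert.pem" "$WORK/nginx.crt" >/dev/null || return 1
    key_mod=$(openssl rsa -noout -modulus -in "$WORK/nginx.key")
    crt_mod=$(openssl x509 -noout -modulus -in "$WORK/nginx.crt")
    [ "$key_mod" = "$crt_mod" ] || return 1
    openssl x509 -noout -text -in "$WORK/nginx.crt" | grep -q "DNS:$HOST"
}

main() {
    make_ca
    make_server_cert
    verify_chain && echo "OK: $WORK/nginx.crt and $WORK/nginx.key are ready for nginx"
}

main
```

Copy nginx.crt and nginx.key into /usr/local/nginx/ssl/ and import cacert.pem into the browser's trust store to get rid of the self-signed warning.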

3. Entering the certificate in the nginx configuration file

 .........
 server {
        listen       443 ssl;
        listen       80;   # port
        server_name  lzj.example.com;   # domain name

        ssl_certificate      /usr/local/nginx/ssl/nginx.crt;  # the certificate created above
        ssl_certificate_key  /usr/local/nginx/ssl/nginx.key;  # its private key

        ssl_session_cache    shared:SSL:1m;
        ssl_session_timeout  5m;

        ssl_ciphers  HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers  on;

        location / {
            root   html/lzj;		# directory being served
            index  index.html index.htm;
        }
   
 }
..........

Restart nginx and check the result.

Original article: https://www.cnblogs.com/liuzhijun666/p/13138296.html