nginx -s stop -c /etc/nginx/nginx.conf
nginx -c /etc/nginx/nginx.conf
netstat -luntp | grep 443
生成CA证书
openssl version:查看是否已经安装openssl
nginx -V: 查看是否编译--with-http_ssl_module
步骤一、生成key秘钥
在/etc/nginx下创建文件夹
mkdir ssl_key
openssl genrsa -idea -out service.key 1024
步骤二、生成证书签名请求文件(csr文件)
openssl req -new -key service.key -out service.csr
步骤三、生成证书签名文件(CA文件)
openssl x509 -req -days 3650 -in service.csr -signkey service.key -out service.crt
然后配置nginx中的server
server {
listen 443;
server_name 192.168.10.4;
ssl on;
ssl_certificate /etc/nginx/ssl_key/server.crt;
ssl_certificate_key /etc/nginx/ssl_key/server.key;
location / {
root /home/mantishell/html;
index index.html index.html;
}
}
查看证书的加密信息
openssl x509 -noout -text -in /etc/nginx/ssl_key/jesonc.crt
升级openssl的脚本(未测试)
#!/bin/sh
cd /opt/download
wget https://www.openssl.org/source/openssl-1.0.2k.tar.gz
tar -zxvf openssl-1.0.2k.tar.gz
cd openssl-1.0.2k
./config --prefix=/usr/local/openssl
make && make install
mv /usr/bin/openssl /usr/bin/openssl.OFF
mv /usr/include/openssl /usr/include/openssl.OFF
ln -s /usr/local/openssl/bin/openssl /usr/bin/openssl
ln -s /usr/local/openssl/include/openssl /usr/include/openssl
echo "usr/local/openssl/lib" >>/etc/ld.so.conf
ldconfg -v
openssl version -a
使用key文件直接生成自签证书(符合苹果要求)
openssl req -days 36500 -x509 -sha256 -nodes -newkey rsa:2048 -keyout server.key -out server_app.crt
nginx -tc /etc/nginx/nginx.conf检查配置文件是否正确
HTTPS服务优化
- 方法一、激活keepalive长连接
- 方法二、设置ssl session缓存
server {
listen 443;
server_name 192.168.10.4;
keepalive_timeout 100;
ssl on;
ssl_session_cache shared:SSL:10m;#这里设置10MByte
ssql_session_timeout 10m;#10minute
ssl_certificate /etc/nginx/ssl_key/server.crt;
ssl_certificate_key /etc/nginx/ssl_key/server.key;
location / {
root /home/mantishell/html;
index index.html index.html;
}
}