Create the SSL certificate
$ sudo mkdir /etc/nginx/ca
$ sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/nginx/ca/nginx-selfsigned.key -out /etc/nginx/ca/nginx-selfsigned.crt
Here -x509 writes a self-signed certificate instead of a signing request, -newkey rsa:2048 generates a fresh 2048-bit RSA key, -days 365 gives the certificate one year of validity, and -nodes leaves the private key unencrypted so nginx can start without a passphrase prompt (so restrict the .key file to root with 600 permissions). openssl then asks for the subject fields interactively:
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:Beijing
Locality Name (eg, city) []:Beijing
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Example Ltd
Organizational Unit Name (eg, section) []:IT
Common Name (e.g. server FQDN or YOUR name) []:192.168.20.237
Email Address []:
The Common Name is set to the server's IP address here; use the site's domain name if it has one. Note that browsers and curl no longer match on the Common Name at all, only on the subjectAltName extension, and the interactive prompts above do not add one, so clients will still report a name mismatch for this certificate unless the IP (or domain) is also placed in the SAN when the certificate is generated. Because the certificate is self-signed, clients will in any case warn that the issuer is untrusted until the certificate is imported into their trust store.
Forward secrecy
$ sudo openssl dhparam -out /etc/nginx/ca/dhparam.pem 2048
These Diffie-Hellman parameters are used by the DHE (EDH) cipher suites in the cipher list below; generating 2048-bit parameters can take several minutes. The ECDHE (EECDH) suites, which are preferred in that list, provide forward secrecy without them.
Configure nginx to use SSL
Back up the configuration file first
$ cd /etc/nginx/conf.d/
$ sudo cp default.conf default.conf_bak
Edit default.conf
HTTPS-only access
server {
    listen 443 ssl default_server;
    #server_name localhost;
    # certificate and key generated above
    ssl_certificate /etc/nginx/ca/nginx-selfsigned.crt;
    ssl_certificate_key /etc/nginx/ca/nginx-selfsigned.key;
    ssl_dhparam /etc/nginx/ca/dhparam.pem;
    # TLSv1 and TLSv1.1 are deprecated (RFC 8996); on a current deployment keep only TLSv1.2 (and TLSv1.3 where the nginx/OpenSSL build supports it)
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    # let the server, not the client, choose the cipher suite from the list below
    ssl_prefer_server_ciphers on;
    # ephemeral ECDH/DH key exchange only, AES-GCM first and AES-256 CBC suites as fallback; no static RSA key exchange, so every session has forward secrecy
    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
    ...
}
Accept HTTP as well, redirecting it to HTTPS
server {
    listen 80 default_server;
    server_name 192.168.20.237; # replace with the domain name if there is one
    # permanent redirect of every plain-HTTP request to the same path over HTTPS
    return 301 https://$server_name$request_uri;
}
server {
    listen 443 ssl default_server;
    #server_name localhost;
    ssl_certificate /etc/nginx/ca/nginx-selfsigned.crt;
    ssl_certificate_key /etc/nginx/ca/nginx-selfsigned.key;
    ssl_dhparam /etc/nginx/ca/dhparam.pem;
    # as above: TLSv1 and TLSv1.1 are deprecated (RFC 8996) and should be dropped on current deployments
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
    ...
}
Check the configuration and start the server
# check that the configuration file is syntactically valid
$ sudo nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
# start nginx (if it is already running, reload it instead so the new server blocks are picked up)
$ sudo service nginx start
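The interactive openssl run above produces a certificate whose only identity is the Common Name, which current clients ignore. The script below, added here as an example and not part of the original post, generates the same certificate non-interactively with the IP address in subjectAltName, checks that the key and certificate belong together and that the certificate verifies, and, once nginx is up, probes which TLS versions the server actually accepts. The function names are this example's own; it assumes OpenSSL 1.1.1 or newer (for -addext and -ext) and reuses the post's paths and IP address.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumes openssl >= 1.1.1.
set -e

# make_selfsigned_cert DIR SAN_IP [DAYS]
# Writes DIR/nginx-selfsigned.key and DIR/nginx-selfsigned.crt. The CN is the
# IP, as in the interactive run, but the IP is also put in subjectAltName,
# which is what browsers and curl actually match on.
make_selfsigned_cert() {
    dir=$1; ip=$2; days=${3:-365}
    mkdir -p "$dir"
    openssl req -x509 -nodes -days "$days" -newkey rsa:2048 \
        -subj "/C=CN/ST=Beijing/L=Beijing/O=Example Ltd/OU=IT/CN=$ip" \
        -addext "subjectAltName=IP:$ip" \
        -keyout "$dir/nginx-selfsigned.key" \
        -out "$dir/nginx-selfsigned.crt" 2>/dev/null
    # -nodes leaves the key unencrypted, so restrict it to the owner.
    chmod 600 "$dir/nginx-selfsigned.key"
}

# cert_has_san_ip CRT IP -> exit 0 if the SAN extension lists IP
cert_has_san_ip() {
    openssl x509 -in "$1" -noout -ext subjectAltName | grep -q "IP Address:$2"
}

# key_matches_cert KEY CRT -> exit 0 if both carry the same public key
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout)
    c=$(openssl x509 -in "$2" -noout -pubkey)
    [ "$k" = "$c" ]
}

# cert_is_valid CRT -> exit 0 if the self-signed cert verifies against
# itself (it is its own trust anchor) and has not expired
cert_is_valid() {
    openssl verify -CAfile "$1" "$1" >/dev/null 2>&1 &&
        openssl x509 -in "$1" -noout -checkend 0 >/dev/null
}

# probe_tls_versions HOST PORT: with nginx running, report which protocol
# versions the server accepts. SECLEVEL=0 stops the client's own security
# level from refusing old versions, so "rejected" reflects the server
# (or a client build without that version). Anything accepted on tls1 or
# tls1_1 is deprecated (RFC 8996) and should leave ssl_protocols.
probe_tls_versions() {
    for v in tls1 tls1_1 tls1_2 tls1_3; do
        if openssl s_client -connect "$1:$2" "-$v" \
               -cipher 'DEFAULT:@SECLEVEL=0' </dev/null >/dev/null 2>&1; then
            echo "$v: accepted"
        else
            echo "$v: rejected"
        fi
    done
}

# Usage with the post's own paths (run as root for /etc/nginx/ca):
#   make_selfsigned_cert /etc/nginx/ca 192.168.20.237
#   cert_has_san_ip /etc/nginx/ca/nginx-selfsigned.crt 192.168.20.237 && echo "SAN ok"
#   key_matches_cert /etc/nginx/ca/nginx-selfsigned.key /etc/nginx/ca/nginx-selfsigned.crt && echo "key ok"
#   probe_tls_versions 192.168.20.237 443    # after nginx has started
```

The dhparam step is unchanged and deliberately left out of the script because it takes minutes; run it once as in the post. After reloading nginx, probe_tls_versions is the quickest way to confirm that the ssl_protocols line does what you think it does.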