Recommended reading:

Configuring HTTPS in Nginx (detailed and complete) - 漫思 - 博客园 (cnblogs.com)

http {
    include       mime.types;
    default_type  application/octet-stream;
    sendfile        on;
    keepalive_timeout  65;

    server {
        # Listen on port 443 with TLS ("listen ... ssl" replaces the deprecated "ssl on;" directive)
        listen 443 ssl;
        # Your domain name
        server_name huiblog.top;
        # Path to the SSL certificate .pem file
        ssl_certificate  /root/card/huiblog.top.pem;
        # Path to the SSL certificate .key file
        ssl_certificate_key /root/card/huiblog.top.key;
        location / {
            proxy_pass  http://<public-address>:<app-port>;
        }
    }

    server {
        listen 80;
        server_name huiblog.top;
        # Redirect requests to HTTPS
        rewrite ^(.*)$ https://$host$1 permanent;
    }
}

Original article: Configuring an HTTPS certificate on an Nginx server (不如打代码KK's blog, CSDN)

1. Installing the SSL module for Nginx
By default, nginx is built without the SSL module.

[root@localhost nginx-1.20.0]# /usr/local/nginx/sbin/nginx -V
nginx version: nginx/1.20.0
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-44) (GCC)
configure arguments:


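Before installing the SSL module, back up the nginx files: the default install directory is /usr/local/nginx, so back up that folder.
Change into the directory where you unpacked the nginx source. Note that this is the unpacked source directory, not the nginx install directory.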

./configure --prefix=/usr/local/nginx --with-http_stub_status_module --with-http_ssl_module
1.2. Run make again
Next, run:

make
# Do not run make install, or nginx will be reinstalled
1.3. Overwrite the old nginx executable
When the steps above finish, an objs folder appears in your directory, and it contains the new nginx executable.


[root@localhost objs]# cp nginx /usr/local/nginx/sbin
cp: overwrite ‘/usr/local/nginx/sbin/nginx’? y
1.4. Verify that the SSL module was installed
[root@localhost objs]# /usr/local/nginx/sbin/nginx -V
nginx version: nginx/1.20.0
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-44) (GCC)
built with OpenSSL 1.0.2k-fips  26 Jan 2017
TLS SNI support enabled
configure arguments: --prefix=/usr/local/nginx --with-http_stub_status_module --with-http_ssl_module
[root@localhost objs]#

The SSL module was installed successfully.

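2. Generate an SSL certificate
You can apply for a free certificate from Alibaba Cloud. Here I show how to generate a (self-signed) SSL certificate locally.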

openssl req -new -x509 -nodes -out server.crt -keyout server.key


Generating a 2048 bit RSA private key
................................................................................................+++
......................................................+++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CH
State or Province Name (full name) []:HN
Locality Name (eg, city) [Default City]:CS
Organization Name (eg, company) [Default Company Ltd]:HHXD
Organizational Unit Name (eg, section) []:HHXD
Common Name (eg, your name or your server's hostname) []:dbmgr
Email Address []:xxxxxx@hxxxxe.com.cn
[root@localhost stage]# ll
total 101328
-rw-r--r--. 1 root root     1383 Jan 18 22:08 server.crt
-rw-r--r--. 1 root root     1704 Jan 18 22:08 server.key
[root@localhost stage]#



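3. Configure the certificate
Edit the nginx.conf configuration file.

Reload the configuration file to complete the setup:

sbin/nginx -s reload

Open a browser and trust the certificate.

Certificate configuration example: cat nginx.conf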

    server {
        listen 80;
        server_name cmdb.battgreen.com;
        rewrite ^(.*)$ https://${server_name}$1 permanent;
    }
    server {
        #listen       80;
        #listen       [::]:80;
        #listen      80; # HTTP default port 80
        listen      443 ssl; # HTTPS default port 443
        server_name  _;
        #root         /usr/share/nginx/html;
        ssl_certificate cert/7878366_cmdb.battgreen.com.pem;  # Replace "domain name.pem" with the file name of your certificate.
        ssl_certificate_key cert/7878366_cmdb.battgreen.com.key; # Replace "domain name.key" with the file name of your certificate's key file.
        ssl_session_timeout 5m;
        ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4; # Use this cipher suite list.
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Use these protocols.
        ssl_prefer_server_ciphers on;
        # Load configuration files for the default server block.
        include /etc/nginx/default.d/*.conf;
        location / {
            proxy_pass http://127.0.0.1:8000;
            # root   html;
            #index  index.html index.htm;
        }
        error_page 404 /404.html;
        location = /404.html {
        }

        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
        }
    }

# ls cert/
7878366_cmdb.battgreen.com.key  7878366_cmdb.battgreen.com_nginx.zip  7878366_cmdb.battgreen.com.pem
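
A tightened variant of the two server blocks in the nginx.conf example above, with each weak setting noted beside its replacement. This is an added example, not the original author's configuration; example.com and the cert/example.com.* file names are placeholders, and it assumes a build against OpenSSL 1.0.2 like the one in the nginx -V output (so no TLS 1.3).

```nginx
# Added example: hardened variant of the server blocks shown above.
# Placeholders (assumptions): example.com, cert/example.com.pem, cert/example.com.key.
# Both blocks belong inside the http { } context of nginx.conf.

server {
    listen 80;
    server_name example.com;
    # "return" avoids the regex rewrite; $request_uri preserves the path and query string.
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name example.com;

    ssl_certificate     cert/example.com.pem;
    # The key file should be readable by root only (mode 600);
    # the server.key in the listing from step 2 was created as 644.
    ssl_certificate_key cert/example.com.key;

    # Weak setting above: ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    # TLS 1.0 and 1.1 are deprecated (RFC 8996). Append TLSv1.3 once nginx
    # is built against OpenSSL 1.1.1 or later.
    ssl_protocols TLSv1.2;

    # Weak setting above: the cipher list also contained the broad ECDH, AES
    # and HIGH keywords, which admit CBC-mode suites and suites without
    # forward secrecy. Keep only ECDHE key exchange with AES-GCM.
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers on;

    ssl_session_timeout 5m;
    ssl_session_cache   shared:SSL:10m;
    # Session tickets reuse one long-lived key unless it is rotated; disable them.
    ssl_session_tickets off;

    location / {
        proxy_pass http://127.0.0.1:8000;
    }
}
```

Run nginx -t before sbin/nginx -s reload so that a syntax error or an unreadable key file is caught before the running server picks up the change.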
