为了提高web应用的安全性,现在基本上都需要支持https访问。在此记录一下自己在nginx下的配置过程
- 安装Nginx这里就省略了
- 安装openssl模块
yum -y install openssl
开始生成证书
# openssl genrsa -des3 -out server.key 1024
Generating RSA private key, 1024 bit long modulus
..................................................................++++++
......................++++++
e is 65537 (0x10001)
Enter pass phrase for server.key:
Verifying - Enter pass phrase for server.key:
# ls
~ server.key
# cat server.key
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,D3E1935BAB9B90AB
8GVO2uvJf8MhMqZYlukRqbH01FDigvYqf6SNWf/TR7FZH9RkyNSezO7B9bqiL+te
3b2/ofW9xGiXDDAU4Cr7Wmg83f8vP4x9bZ19qzw0dU5PfD7IUnvVco7uwkPem8pn
# openssl req -new -key server.key -out server.csr
Enter pass phrase for server.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:`CN`
State or Province Name (full name) []:`BeiJing`
Locality Name (eg, city) [Default City]:`beijing`
Organization Name (eg, company) [Default Company Ltd]:`kingsoft`
Organizational Unit Name (eg, section) []:`kingsoft`
Common Name (eg, your name or your server's hostname) []:`vm-01`
Email Address []:`gaohongyu@kingsoft.com`
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:`12345678`
An optional company name []:`回车`
# ls
~ server.csr server.key
# cat server.csr
-----BEGIN CERTIFICATE REQUEST-----
MIICADCCAWkCAQAwgY4xCzAJBgNVBAYTAkNOMRAwDgYDVQQIDAdCZWlKaW5nMRAw
DgYDVQQHDAdiZWlqaW5nMREwDwYDVQQKDAhraW5nc29mdDERMA8GA1UECwwIa2lu
Z3NvZnQxDjAMBgNVBAMMBXZtLTAxMSUwIwYJKoZIhvcNAQkBFhZnYW9ob25neXVA
a2luZ3NvZnQuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCic/v6n5yd
8fZE1ibpfH0ZrtesEE8iwp008sGYQh3Zr4t23/jZWs1vScv79Pz09uXGW3Bq7HaX
CdNMMun7hf2S5LCQhSCb+9d1mZMQ+EF17NYkm+mI/+hoT48x9TIOcOMMvUTB/gxx
Idmh0ah1ZUDEQJC3oqokmApvrycA23FKFwIDAQABoDEwFgYJKoZIhvcNAQkHMQkM
BzEzMTQyNTgwFwYJKoZIhvcNAQkCMQoMCGtpbmdzb2Z0MA0GCSqGSIb3DQEBCwUA
A4GBAHtJ3qTe5cpqiSJVi8nJqBvumrAJJSVvlE8/0FnP+cmrUUvWFpHnJ2KWDu5J
XqZynUjBjw8nXsxs62s+Z2DuMqWByRhVODABX6o/DoQ/5AMHY0prmwn1CgQOINeQ
WTXKsVFFuK3nVWUp53RheOcl1mN864K5gq7lBxVuV+3U8/88
-----END CERTIFICATE REQUEST-----
# cp server.key server.key.org
# openssl rsa -in server.key.org -out server.key
Enter pass phrase for server.key.org:
writing RSA key
# openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
Signature ok
subject=/C=CN/ST=BeiJing/L=beijing/O=kingsoft/OU=kingsoft/CN=vm-01/emailAddress=gaohongyu@kingsoft.com
Getting Private key
Nginx配置https
vim nginx.conf 新增server节点,配置如下:
server {
server_name localhost;
listen 443 ssl;
ssl on;
ssl_certificate /usr/local/nginx/conf/crt/server.crt;
ssl_certificate_key /usr/local/nginx/conf/crt/server.key;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
}
重启nginx验证:nginx -s reload
打开浏览器验证:https://IP/index.html