I. Prepare the crt file and key file (the files below are test files)
1. First generate a key:
openssl genrsa -des3 -out ssl.key 2048
2. You will then be asked for a pass phrase for this key. Setting one is not recommended, because the key is going to be used by nginx: every time nginx starts or reloads its configuration it will prompt for this PEM pass phrase (unless you point the ssl_password_file directive, available since nginx 1.7.3, at a file holding it).
Since -des3 insists on a pass phrase at generation time, you can enter one and then strip it again (alternatively, omit -des3 in step 1 and genrsa writes an unencrypted key directly):
mv ssl.key xxx.key
openssl rsa -in xxx.key -out ssl.key
rm xxx.key
The resulting ssl.key is now unencrypted, so restrict its permissions so that only the user the nginx master process runs as (root here) can read it.
3. Then generate a certificate signing request from this key:
openssl req -new -key ssl.key -out ssl.csr
4. For a test certificate the fields you are prompted for can hold anything, with one exception: Common Name should be the hostname clients will connect to (test.com in the config below). Note that browsers since Chrome 58 ignore the CN and match only the subjectAltName extension, which openssl req does not add without extra configuration, so they will still report a name mismatch for this certificate even after you trust it.
5. Finally generate the crt certificate file from these two files:
openssl x509 -req -days 3650 -in ssl.csr -signkey ssl.key -out ssl.crt
6. Put the files in /usr/local/nginx/ssl/ (the path the nginx.conf below refers to).
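The whole procedure above as one script, added here as an example that is not part of the original post: it generates an unencrypted key (so nginx never prompts), a CSR whose CN and subjectAltName both carry the server name, and a 10-year self-signed certificate, then checks the three things that most often go wrong before the files reach nginx: a key that still has a pass phrase, a certificate that does not belong to the key, and a certificate whose SAN does not cover the hostname. The hostname and output directory (taken from the arguments), the function names and the small openssl.cnf it writes are this example's own choices, not the post's.

```shell
#!/bin/sh
# Added example (not from the original post). Generates a test key/CSR/cert
# for nginx and verifies the result. Hostname and output directory are
# assumptions taken from the arguments (defaults: test.com, ./ssl).
set -eu

# Generate an unencrypted 2048-bit RSA key, a CSR and a 10-year self-signed
# cert. CSR and cert carry both a CN and a subjectAltName, because browsers
# from Chrome 58 onward validate only the SAN. -config/-extfile are used
# instead of -addext so this also works with OpenSSL 1.0.2 (the post's build).
make_selfsigned() {
    host="$1"; dir="$2"
    mkdir -p "$dir"
    cat > "$dir/openssl.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = $host
[v3_ext]
subjectAltName = DNS:$host
extendedKeyUsage = serverAuth
EOF
    # No -des3: the key is written without a pass phrase, so nginx can start
    # and reload unattended. Lock it down right away.
    openssl genrsa -out "$dir/ssl.key" 2048 2>/dev/null
    chmod 600 "$dir/ssl.key"
    openssl req -new -key "$dir/ssl.key" -config "$dir/openssl.cnf" -out "$dir/ssl.csr"
    openssl x509 -req -days 3650 -in "$dir/ssl.csr" -signkey "$dir/ssl.key" \
        -extfile "$dir/openssl.cnf" -extensions v3_ext -out "$dir/ssl.crt" 2>/dev/null
}

# 0 if the key has no pass phrase (otherwise nginx blocks on a prompt at every
# start and reload).
key_is_unencrypted() {
    ! grep -q ENCRYPTED "$1" &&
        openssl rsa -in "$1" -noout -check -passin pass: >/dev/null 2>&1
}

# 0 if the certificate's public key is the key's public key (otherwise nginx
# refuses to start with "ssl_certificate_key ... does not match").
cert_matches_key() {
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout 2>/dev/null)" ]
}

# 0 if the certificate's subjectAltName lists the hostname exactly.
cert_covers_host() {
    openssl x509 -in "$1" -noout -text | tr ', ' '\n\n' | grep -qx "DNS:$2"
}

# Usage: sh make_test_cert.sh test.com /usr/local/nginx/ssl
if [ $# -ge 1 ]; then
    out="${2:-./ssl}"
    make_selfsigned "$1" "$out"
    key_is_unencrypted "$out/ssl.key" && echo "key: no pass phrase"
    cert_matches_key "$out/ssl.crt" "$out/ssl.key" && echo "cert: matches key"
    cert_covers_host "$out/ssl.crt" "$1" && echo "cert: SAN covers $1"
fi
```

The three check functions are worth keeping around on their own: run them against whatever ends up in /usr/local/nginx/ssl/ before the first reload, since nginx reports a key/cert mismatch only at startup and a missing SAN not at all.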
II. Configure nginx.conf
user nobody;
worker_processes 1;

#error_log logs/error.log;
#error_log logs/error.log notice;
#error_log logs/error.log info;

#pid logs/nginx.pid;

events {
    worker_connections 1024;
}

http {
    include mime.types;
    default_type application/octet-stream;

    #log_format main '$remote_addr - $remote_user [$time_local] "$request" '
    #                '$status $body_bytes_sent "$http_referer" '
    #                '"$http_user_agent" "$http_x_forwarded_for"';
    #access_log logs/access.log main;

    sendfile on;
    #tcp_nopush on;

    #keepalive_timeout 0;
    keepalive_timeout 65;

    #gzip on;

    upstream tomcat8080_api {
        server 127.0.0.1:8080 weight=1;
    }

    server {
        listen 80;                  # default HTTP port
        server_name test.com;
        # Redirect HTTP to HTTPS (requires the SSL server block below to be configured)
        rewrite ^(.*)$ https://$host$1 permanent;
    }

    # HTTPS server
    server {
        listen 443 ssl;             # default HTTPS port; the ssl parameter replaces "ssl on;",
                                    # which is deprecated since nginx 1.15.0 and logs a warning
        server_name huituanquan.com;  # site domain (the port-80 block above uses test.com;
                                      # both blocks should name the same host)
        ssl_certificate /usr/local/nginx/ssl/ssl.crt;       # certificate (public part)
        ssl_certificate_key /usr/local/nginx/ssl/ssl.key;   # private key
        ssl_session_timeout 5m;
        #ssl_protocols SSLv2 SSLv3 TLSv1;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;   # TLSv1 and TLSv1.1 are deprecated (RFC 8996);
                                               # prefer "TLSv1.2 TLSv1.3" (TLSv1.3 needs OpenSSL 1.1.1+)
        #ssl_ciphers HIGH:!aNULL:!MD5;
        ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;
        ssl_prefer_server_ciphers on;

        location / {
            proxy_pass http://tomcat8080_api;
            proxy_redirect default;
            # Pass the Host header and the client's real address so the backend sees the real client IP
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }

        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
            root html;
        }
    }
}
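A quick static check of the HTTPS server block above, added here as an example that is not part of the original post: it greps an nginx.conf for the settings a security review of this configuration would raise and keeps a corrected copy of the block beside the original. The rules, the function names and the two embedded config excerpts (a constructed copy of the block above and a hardened version of it) are this example's own; they are not checks nginx performs itself.

```shell
#!/bin/sh
# Added example (not from the original post): lint an nginx config for the
# TLS/proxy settings a review of the server block above would flag.
set -eu

# Print one finding per line for the nginx.conf given as $1.
lint_nginx_ssl() {
    conf="$1"
    # 'ssl on;' is deprecated since nginx 1.15.0 in favour of 'listen 443 ssl;'.
    if grep -Eq '^[[:space:]]*ssl[[:space:]]+on[[:space:]]*;' "$conf"; then
        echo "deprecated: 'ssl on;' -> use 'listen 443 ssl;'"
    fi
    # SSLv2/SSLv3 are broken, TLSv1/TLSv1.1 are deprecated (RFC 8996).
    if grep -E '^[[:space:]]*ssl_protocols' "$conf" |
         grep -Eq '(SSLv2|SSLv3|TLSv1|TLSv1\.1)([[:space:]]|;)'; then
        echo "weak: ssl_protocols enables a pre-TLS1.2 version"
    fi
    # ssl_session_timeout only governs entries in ssl_session_cache; without a
    # cache, session-ID resumption is off and every client does a full handshake.
    if ! grep -Eq '^[[:space:]]*ssl_session_cache' "$conf"; then
        echo "missing: ssl_session_cache (e.g. shared:SSL:10m)"
    fi
    # Without X-Forwarded-Proto the backend (Tomcat here) believes the request
    # was plain HTTP and emits http:// redirects and cookies without Secure.
    if ! grep -q 'X-Forwarded-Proto' "$conf"; then
        echo "missing: proxy_set_header X-Forwarded-Proto \$scheme"
    fi
    # HSTS stops the first-request downgrade that the port-80 redirect cannot.
    if ! grep -q 'Strict-Transport-Security' "$conf"; then
        echo "missing: add_header Strict-Transport-Security"
    fi
}

# Number of findings, as a plain integer.
count_findings() {
    lint_nginx_ssl "$1" | wc -l | tr -d ' '
}

# Constructed excerpt of the post's HTTPS block, written to $1.
write_weak_conf() {
    cat > "$1" <<'EOF'
server {
    listen 443;
    server_name test.com;
    ssl on;
    ssl_certificate /usr/local/nginx/ssl/ssl.crt;
    ssl_certificate_key /usr/local/nginx/ssl/ssl.key;
    ssl_session_timeout 5m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;
    ssl_prefer_server_ciphers on;
    location / {
        proxy_pass http://tomcat8080_api;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
EOF
}

# The same block with every finding fixed, written to $1. TLSv1.3 needs
# OpenSSL 1.1.1+; on the post's 1.0.2k build that entry is simply ignored.
write_hardened_conf() {
    cat > "$1" <<'EOF'
server {
    listen 443 ssl;
    server_name test.com;
    ssl_certificate /usr/local/nginx/ssl/ssl.crt;
    ssl_certificate_key /usr/local/nginx/ssl/ssl.key;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 5m;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;
    ssl_prefer_server_ciphers on;
    add_header Strict-Transport-Security "max-age=31536000" always;
    location / {
        proxy_pass http://tomcat8080_api;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
EOF
}

# Usage: sh lint_nginx_ssl.sh /usr/local/nginx/conf/nginx.conf
if [ $# -ge 1 ]; then
    lint_nginx_ssl "$1"
fi
```

Run it against the real nginx.conf after every change and before nginx -s reload; the checks are deliberately line-based so they also work on the single-line dump of a config that some copy-and-paste sources produce.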
Note:
To see which modules nginx was built with:
/usr/local/nginx/sbin/nginx -V
nginx version: nginx/1.15.5
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-28) (GCC)
built with OpenSSL 1.0.2k-fips 26 Jan 2017
TLS SNI support enabled
configure arguments: --prefix=/usr/local/nginx --with-http_stub_status_module --with-http_ssl_module
Configuring an SSL certificate requires the --with-http_ssl_module entry shown above! ngx_http_ssl_module is not built by default; without it nginx -t fails on the ssl_certificate directive with "unknown directive", and you have to rebuild nginx with ./configure --with-http_ssl_module. Also note that this build links OpenSSL 1.0.2k, which has no TLS 1.3 support, so a TLSv1.3 entry in ssl_protocols is ignored until nginx is built against OpenSSL 1.1.1 or later.