一)默认情况下ssl模块并未被安装,如果使用该模块则需要在编译nginx的时指定--with-http_ssl_module参数。
wget http://nginx.org/download/nginx-1.3.16.tar.gz
tar -xf nginx-1.3.16.tar.gz -C /usr/local/
cd /usr/local/nginx-1.3.16/
./configure --prefix=/usr/local/nginx --user=nginx --group=nginx --with-http_ssl_module --with-http_stub_status_module --with-http_gzip_static_module --with-pcre
make
make install
http://192.168.254.103/ 测试
cd /usr/loca/nginx/conf 进入到想创建证书和私钥的目录
[root@nginx conf]# openssl genrsa -des3 -out server.key 1024 创建服务器私钥,输入一个口令
Enter pass phrase for server.key:123456
Verifying - Enter pass phrase for server.key:123456
[root@nginx conf]# openssl req -new -key server.key -out server.csr 创建签名请求的证书(CSR)
Enter pass phrase for server.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ‘.‘, the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:BeiJing
Locality Name (eg, city) [Default City]:ChangPing
Organization Name (eg, company) [Default Company Ltd]:Leay
Organizational Unit Name (eg, section) []:Linux
Common Name (eg, your name or your server‘s hostname) []:ca.Leay.com
Email Address []:caadmin@Leay.com
Please enter the following ‘extra‘ attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:Leay
在加载ssl支持的nginx并使用上述私钥时除去必须的口令:
[root@nginx conf]# cp server.key server.key.org
[root@nginx conf]# openssl rsa -in server.key.org -out server.key
Enter pass phrase for server.key.org:123456
writing RSA key
最后标记证书使用上述私钥的CSR:
[root@nginx conf]# openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
Signature ok
subject=/C=CN/ST=BeiJing/L=ChangPing/O=Leay/OU=Linux/CN=ca.Leay.com/emailAddress=caadmin@Leay.com
Getting Private key
修改nginx的配置文件,让其包含新标记的证书和私钥
server {
listen 80;
server_name www.bill.com;
#charset koi8-r;
#access_log logs/host.access.log main;
location / {
root html;
index index.html index.htm;
}
# HTTPS server
#
server {
listen 443;
server_name www.bill.com;
ssl on;
ssl_certificate /usr/local/nginx/conf/server.crt;
ssl_certificate_key /usr/local/nginx/conf/server.key;
# ssl_session_timeout 5m;
# ssl_protocols SSLv2 SSLv3 TLSv1;
# ssl_ciphers HIGH:!aNULL:!MD5;
# ssl_prefer_server_ciphers on;
location / {
root html;
index index.html index.htm;
}
}
}
重启nginx
[root@nginx conf]# /usr/local/nginx/sbin/nginx -s reload
物理机访问的时候需要在本地的hosts文件中添加域名的解析
http://www.bill.com 访问的是80端口
通过https://www.bill.com访问的是443端口
本文出自 “落叶飘远方” 博客,请务必保留此出处http://shunzi.blog.51cto.com/8289655/1536055
nginx搭建https单向证书,布布扣,bubuko.com
原文地址:http://shunzi.blog.51cto.com/8289655/1536055