标签:一起 module 私钥 code following 重要 blob ram 自定义
引言随着技术的方法,http传输协议并不能保证数据传输的安全性,随后https技术应运而生,nginx服务器支持https协议,配置的代码也比较难记,记录下以防遗忘。
对称加密:将数据和私钥(随机字符串)通过某种算法混合在一起,除非知道私钥,否则无法解密。
nginx支持https所需的ngx-http_ssl_module在编译时默认是不安装的,需要二次编译安装(一开始就安装了的就不用再编译了)。
查看安装的nginx是否已安装ssl模块
[root@localhost conf]# /usr/local/nginx/sbin/nginx -V
nginx version: nginx/1.12.2
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-16) (GCC)
built with OpenSSL 1.0.2k-fips 26 Jan 2017
TLS SNI support enabled
configure arguments: --prefix=/usr/local/nginx/ 安装前需要注意一点:重新编译后可能导致之前做的某些修改重置,例如虚拟主机文件被清除,因此最好对重要配置文件先进行备份。
# 切换到你之前安装所使用的nginx软件包内
[root@localhost conf]# cd /usr/local/src/nginx-1.12.2/
[root@localhost nginx-1.12.2]# ./configure --prefix=/usr/local/nginx --with-http_ssl_module
[root@localhost nginx-1.12.2]# make && make install
[root@localhost conf]# /usr/local/nginx/sbin/nginx -V
nginx version: nginx/1.12.2
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-16) (GCC)
built with OpenSSL 1.0.2k-fips 26 Jan 2017
TLS SNI support enabled
configure arguments: --prefix=/usr/local/nginx/ --with-http_ssl_module
[root@localhost ~]# cd /usr/local/nginx/conf
# 创建私钥key文件,必须输入密码,否则无法生成key文件
[root@localhost conf]# openssl genrsa -des3 -out tmp.key 2048
Generating RSA private key, 2048 bit long modulus
..............................+++
...............................................................+++
e is 65537 (0x10001)
Enter pass phrase for tmp.key:
Verifying - Enter pass phrase for tmp.key:[root@localhost conf]# openssl rsa -in tmp.key -out test.key
Enter pass phrase for tmp.key:
writing RSA key
[root@localhost conf]# rm -f tmp.key [root@localhost conf]# openssl req -new -key test.key -out test.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ‘.‘, the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:ZheJiang
Locality Name (eg, city) [Default City]:QuZhou
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server‘s hostname) []:
Email Address []:
Please enter the following ‘extra‘ attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
# 需要使用csr文件与私钥一起生成.crt文件
[root@localhost conf]# openssl x509 -req -days 365 -in test.csr -signkey test.key -out test.crt
Signature ok
subject=/C=CN/ST=ZheJiang/L=QuZhou/O=Default Company Ltd
Getting Private key这样一个自定义创建的数字证书文件就创建成功了
[root@localhost conf]#vim /usr/local/nginx/conf/vhost/ssl.conf
server
{
listen 443;
server_name test.com;
index index.html index.php;
root /data/www/test.com;
ssl on;
# 指定自定义的数字证书
ssl_certificate test.crt;
# 指定对应的key文件
ssl_certificate_key test.key;
ssl_protocols TLSv1 TLS1.1 TLS1.2;
}[root@localhost conf]# mkdir -p /data/www/test.com
[root@localhost conf]# vim /data/www/test.com/index.php
ssl test page.[root@localhost conf]# /usr/local/nginx/sbin/nginx -t
[root@localhost conf]# /usr/local/nginx/sbin/nginx -s reload
# 查看443端口是否开放
[root@localhost conf]# netstat -lntp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
...
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 4953/nginx: master
...标签:一起 module 私钥 code following 重要 blob ram 自定义
原文地址:http://blog.51cto.com/castiel/2060000
