Tags: new version, port forwarding, www, yunwei, ica client, ado pen section
Configuring HTTPS access in nginx

HTTPS is made of two parts: HTTP + SSL/TLS, that is, a layer that handles encryption added on top of HTTP. Everything the server and client exchange is encrypted by TLS, so what travels on the wire is ciphertext rather than the plain request and response.

First, generate a private key and a self-signed certificate in a key directory under the nginx prefix:
[root@localhost ~]# mkdir /usr/local/nginx-1.12.1/key
[root@localhost ~]# cd /usr/local/nginx-1.12.1/key
[root@localhost key]# openssl genrsa -out server.key 1024
[root@localhost key]# openssl req -new -key server.key -out certreq.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [XX]:cn    ISO country code of the country you are in
State or Province Name (full name) []:beijing    province/autonomous region/municipality where the organization is located
Locality Name (eg, city) [Default City]:beijing    city/county/district where the organization is located
Organization Name (eg, company) [Default Company Ltd]:lvdian    legal name of the organization/institution/company
Organizational Unit Name (eg, section) []:yunwei    department name
Common Name (eg, your name or your server's hostname) []:www.long.com
Email Address []:123456@163.com    e-mail address; not required, press Enter to skip
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:    the remaining fields are not required; press Enter until the command finishes
An optional company name []:
[root@localhost key]# openssl x509 -req -days 3650 -in certreq.csr -signkey server.key -out server.crt

Next, check that the installed nginx was built with the SSL module (--with-http_ssl_module must appear among the configure arguments). If it is missing, rebuild from the source tree with the original configure arguments plus that option and replace the binary, as below:
[root@localhost ~]# /usr/local/nginx-1.12.1/sbin/nginx -V
nginx version: nginx/1.12.1
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-4) (GCC)
built with OpenSSL 1.0.1e-fips 11 Feb 2013
TLS SNI support enabled
configure arguments: --user=nginx --group=nginx --prefix=/usr/local/nginx-1.12.1 --with-http_stub_status_module --with-http_ssl_module
[root@localhost ~]# cp /usr/local/nginx-1.12.1/sbin/nginx /usr/local/nginx-1.12.1/sbin/nginx.bak
[root@localhost ~]# cd nginx-1.12.1
[root@localhost nginx-1.12.1]# ./configure --user=nginx --group=nginx --prefix=/usr/local/nginx-1.12.1 --with-http_stub_status_module --with-http_ssl_module
[root@localhost nginx-1.12.1]# make
[root@localhost nginx-1.12.1]# cp objs/nginx /usr/local/nginx-1.12.1/sbin/
cp:是否覆盖"/usr/local/nginx-1.12.1/sbin/nginx"? y
[root@localhost ~]# /usr/local/nginx-1.12.1/sbin/nginx -t
nginx: the configuration file /usr/local/nginx-1.12.1/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx-1.12.1/conf/nginx.conf test is successful
[root@localhost ~]# /usr/local/nginx-1.12.1/sbin/nginx -v
nginx version: nginx/1.12.1
[root@localhost ~]# /usr/local/nginx-1.12.1/sbin/nginx -V
nginx version: nginx/1.12.1
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-4) (GCC)
built with OpenSSL 1.0.1e-fips 11 Feb 2013
TLS SNI support enabled
configure arguments: --user=nginx --group=nginx --prefix=/usr/local/nginx-1.12.1 --with-http_stub_status_module --with-http_ssl_module

Now edit nginx.conf: add an HTTPS server on port 443 that uses the certificate and key generated above, and make the port-80 server redirect every request to HTTPS:
[root@localhost ~]# vim /usr/local/nginx-1.12.1/conf/nginx.conf
server {
    listen 443 ssl;
    server_name localhost;
    # the signed certificate produced by the x509 step, not the CSR
    ssl_certificate /usr/local/nginx-1.12.1/key/server.crt;
    ssl_certificate_key /usr/local/nginx-1.12.1/key/server.key;
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 5m;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    location / {
        root html;
        index index.html index.htm;
    }
}
server {
    listen 80;
    server_name www.long.com;
    rewrite ^(.*) https://$server_name$1 permanent;
}
[root@localhost ~]# /usr/local/nginx-1.12.1/sbin/nginx -s reload
ssl_session_timeout: how long a client may reuse the SSL parameters stored in the session cache. The default of 5 minutes is too short for an intranet system; it can be set to 30m (30 minutes) or even 4h.
ssl_ciphers selects the cipher suites. Different browsers support different suites (and in a different order). The string is written in the form the OpenSSL library understands; you can list the algorithms a given string selects with openssl ciphers -v 'RC4:HIGH:!aNULL:!MD5' (the argument is your cipher-suite specification).
ssl_prefer_server_ciphers on: when negotiating the cipher, prefer the server's cipher-suite order over the client browser's.
On Windows, open C:\Windows\System32\drivers\etc\hosts and add the following name-resolution entry: www.long.com
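The following POSIX shell helper is an added example and is not part of the original post. It performs the certificate steps above non-interactively and adds the checks worth running before nginx -s reload: it confirms that the file given to ssl_certificate is a certificate and not the CSR (certreq.csr and server.crt are easy to confuse, and nginx cannot load a request), and confirms that the certificate's public key belongs to the private key given to ssl_certificate_key. The subject fields and the name www.long.com are taken from the session above; the function names, the 2048-bit key (the 1024-bit key used above is below current minimums), the SHA-256 signature and the subjectAltName extension (browsers ignore the Common Name without one) are my choices, not the page's.

```shell
#!/bin/sh
# Example helper (not from the original post): generate and sanity-check the
# key/certificate pair that nginx's ssl_certificate / ssl_certificate_key use.

# pem_type FILE: print the label of the first PEM block in FILE, e.g.
# "CERTIFICATE", "CERTIFICATE REQUEST", "RSA PRIVATE KEY" or "PRIVATE KEY".
pem_type() {
    sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1" | head -n 1
}

# check_pem_roles CERT KEY: succeed only if CERT holds a certificate (not a
# certificate request) and KEY holds a private key of any PEM flavour.
check_pem_roles() {
    case "$(pem_type "$1")" in
        CERTIFICATE) ;;
        "CERTIFICATE REQUEST")
            echo "$1 is a certificate request; ssl_certificate needs the signed .crt" >&2
            return 1 ;;
        *)  echo "$1: no PEM certificate block found" >&2
            return 1 ;;
    esac
    case "$(pem_type "$2")" in
        *"PRIVATE KEY") ;;
        *)  echo "$2: no PEM private key block found" >&2
            return 1 ;;
    esac
}

# check_key_matches_cert CERT KEY: compare the SubjectPublicKeyInfo embedded in
# the certificate with the public half derived from the private key. A mismatch
# makes nginx -t fail when it loads the key, so catch it here first.
check_key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# gen_selfsigned DIR CN: the page's three openssl steps, non-interactive.
# Assumed choices (mine, not the page's): 2048-bit key, SHA-256 signature and a
# DNS subjectAltName equal to CN. Subject fields copy the values typed above.
gen_selfsigned() {
    dir=$1; cn=$2
    mkdir -p "$dir" || return 1
    printf 'subjectAltName=DNS:%s\n' "$cn" > "$dir/san.ext" &&
    openssl genrsa -out "$dir/server.key" 2048 2>/dev/null &&
    openssl req -new -key "$dir/server.key" -out "$dir/certreq.csr" \
        -subj "/C=CN/ST=beijing/L=beijing/O=lvdian/OU=yunwei/CN=$cn" 2>/dev/null &&
    openssl x509 -req -days 3650 -sha256 -in "$dir/certreq.csr" \
        -signkey "$dir/server.key" -extfile "$dir/san.ext" -out "$dir/server.crt" 2>/dev/null
}

# Usage: sh ssl_pair_check.sh CERT KEY   (the two paths from nginx.conf).
# With no arguments only the functions are defined, so the file can be sourced.
if [ $# -eq 2 ]; then
    check_pem_roles "$1" "$2" && check_key_matches_cert "$1" "$2" &&
        echo "ok: $1 and $2 are a matching certificate/key pair"
fi
```

Run it against the two paths from the server block (for example sh ssl_pair_check.sh /usr/local/nginx-1.12.1/key/server.crt /usr/local/nginx-1.12.1/key/server.key) before reloading; pointing it at certreq.csr reproduces the mix-up and fails with a clear message, and only a pair that passes both checks is worth handing to nginx.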