备注:nginx自生成的ssl证书在浏览器访问时会提示此证书不受信用1.安装nginx
nginx必须有"--with-http_ssl_module"模块
查看nginx安装的模块:
[root@master1 key]# nginx -V
nginx version: nginx/1.24.0
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-44) (GCC)
built with OpenSSL 1.0.2k-fips 26 Jan 2017
TLS SNI support enabled
configure arguments: --prefix=/usr/local/nginx --conf-path=/usr/local/nginx/conf/nginx.conf --error-log-path=/usr/local/nginx/logs/error.log --http-log-path=/usr/local/nginx/logs/access.log --with-stream --with-stream_ssl_module --with-http_stub_status_module --with-http_ssl_module2.创建证书
[root@master1 ~]# mkdir key
[root@master1 ~]# cd key
[root@master1 key]# openssl genrsa -des3 -out server.key 2048
Generating RSA private key, 2048 bit long modulus
..............................................................................................+++
.......................+++
e is 65537 (0x10001)
Enter pass phrase for server.key: #输入server.key的密码短语:123456
Verifying - Enter pass phrase for server.key: #正在验证-输入server.key的密码短语:123456
[root@master1 key]# openssl req -new -key server.key -out server.csr
Enter pass phrase for server.key: #输入server.key的密码短语:123456
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN #国家名称(2个字母代码)
State or Province Name (full name) []:GD #州或省名称(全名)
Locality Name (eg, city) [Default City]:GD #地区名称(如城市)[默认城市]
Organization Name (eg, company) [Default Company Ltd]:SB #组织名称(如公司)[默认有限公司]
Organizational Unit Name (eg, section) []:SB #组织单位名称(如部门)
Common Name (eg, your name or your server's hostname) []:SB #通用名称(例如,您的姓名或服务器的主机名)
Email Address []:1911384822@qq.com #电子邮件地址
Please enter the following 'extra' attributes #请输入以下“额外”属性
to be sent with your certificate request #与您的证书申请一起发送
A challenge password []:123456 #挑战密码[]:
An optional company name []:SB #可选的公司名称[]
去除server.key认证,避免每次"nginx -t"时出现输入密码的情况:
openssl rsa -in server.key -out server.key
[root@master1 key]# openssl x509 -req -days 3650 -in server.csr -signkey server.key -out server.crt
Signature ok
subject=/C=CN/ST=GZ/L=GD/O=SB/OU=SB/CN=SB/emailAddress=1911384822@qq.com
Getting Private key
Enter pass phrase for server.key: #输入server.key的密码短语:123456
[root@master1 key]# ls
server.crt server.csr server.key3.nginx配置SSL证书
nginx的配置文件里面有默认的SSL配置,打开注释就行了
配置实例:
server {
listen 8080 ssl;
server_name localhost;
ssl_certificate /root/key/server.crt; #证书路径
ssl_certificate_key /root/key/server.key; #证书路径
ssl_session_cache shared:SSL:1m;
ssl_session_timeout 5m;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
location / {
root html;
index index.html index.htm index.php;
}验证:https://10.10.10.10:8080
