Configuring nginx for HTTPS access

Last time we went through the configuration file in detail, but left one small question open: how do you access nginx's pages over HTTPS? This time we will take a "short" while to explain how to set up the HTTPS service.

It is somewhat similar to the httpd setup, but possibly simpler, because the HTTPS settings also live in the main configuration file. Before touching any HTTPS configuration, though, we first need to use openssl to create the key and certificate:

Creating the certificates with openssl:

[root@localhost ~] cd /etc/pki/CA #first enter the directory openssl reserves for the CA
[root@localhost CA] touch index.txt
[root@localhost CA] echo 01 > serial
[root@localhost CA] (umask 077;openssl genrsa -out /etc/pki/CA/private/cakey.pem 4096)
Generating RSA private key, 4096 bit long modulus
.............................++
....................................................................................................................................................................................................++
e is 65537 (0x10001)
[root@localhost CA] openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -days 7300 -out /etc/pki/CA/cacert.pem

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:shanghai
Locality Name (eg, city) [Default City]:shanghai
Organization Name (eg, company) [Default Company Ltd]:cookiesinn
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:172.16.1.30
Email Address []:12345@admin.com

In the commands above we first created a private key for the root CA, then used that key to create the self-signed CA certificate. I covered this in my earlier openssl posts, and since it is not the focus here I will keep it brief. The next commands are run from /etc/nginx/ssl (the prompt shows that directory; create it first if it does not exist):

[root@localhost ssl] (umask 077;openssl genrsa -out /etc/nginx/ssl/nginx.key 4096)
Generating RSA private key, 4096 bit long modulus
.......................................................................................++
...............++
e is 65537 (0x10001)
[root@localhost ssl] openssl req -new -key /etc/nginx/ssl/nginx.key -days 3650 -out /etc/nginx/ssl/nginx.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:shanghai
Locality Name (eg, city) [Default City]:shanghai
Organization Name (eg, company) [Default Company Ltd]:cookiesinn
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:172.16.1.30
Email Address []:12345@admin.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

The steps above are done on the server side. Since my CA and nginx are on the same host, there is no need to send the unsigned certificate request to a separate CA server. Creating the server-side certificate follows the same pattern as for the CA: first create a private key, then use it to generate a certificate signing request (nginx.csr), which the CA signs in the next step.

[root@localhost ssl] openssl ca -in /etc/nginx/ssl/nginx.csr -out /etc/nginx/ssl/nginx.crt -days 3650
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
 Serial Number: 1 (0x1)
 Validity
 Not Before: Nov 7 09:12:45 2016 GMT
 Not After : Nov 5 09:12:45 2026 GMT
 Subject:
 countryName = CN
 stateOrProvinceName = shanghai
 organizationName = cookiesinn
 organizationalUnitName = IT
 commonName = 172.16.1.30
 emailAddress = 12345@admin.com
 X509v3 extensions:
 X509v3 Basic Constraints:
 CA:FALSE
 Netscape Comment:
 OpenSSL Generated Certificate
 X509v3 Subject Key Identifier:
 D8:0F:C2:4A:D7:3E:15:09:3E:08:8B:A5:81:B0:17:B9:83:5C:9F:7D
 X509v3 Authority Key Identifier:
 keyid:AA:6F:EE:CD:AB:BC:C0:99:FB:43:6F:F4:38:DC:29:04:09:75:D9:CA

Certificate is to be certified until Nov 5 09:12:45 2026 GMT (3650 days)
Sign the certificate? [y/n]:y

1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

With that, the certificates are all created. Next we configure the nginx configuration file!
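The whole certificate procedure above (CA key and self-signed CA certificate, server key and CSR, signing) as one non-interactive script, followed by the checks worth running before pointing nginx at the files. This is an added example, not code from the original post. It assumes the openssl CLI is installed and writes everything under a scratch WORKDIR that mirrors the post's /etc/pki/CA and /etc/nginx/ssl layout; it signs with "openssl x509 -req" instead of "openssl ca", so no index.txt/serial database is needed, and it goes beyond the post by adding a subjectAltName (IP: for an address like the post's 172.16.1.30, DNS: for a host name), which browsers require. The subject fields come from the post; the file name make-certs.sh and the host names in the usage are constructed.

```shell
#!/bin/sh
# Added example, not code from the original post: build a private CA, issue a server
# certificate signed by it, and run the checks a deployer should run before pointing
# nginx's ssl_certificate / ssl_certificate_key at the files.
# Assumptions: the openssl CLI is installed; everything is written under a scratch
# WORKDIR (mirroring the post's /etc/pki/CA and /etc/nginx/ssl layout); signing uses
# "openssl x509 -req" instead of "openssl ca", so no index.txt/serial database is needed.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
CA_DIR="$WORKDIR/CA"
SSL_DIR="$WORKDIR/ssl"
DN_PREFIX="/C=CN/ST=shanghai/L=shanghai/O=cookiesinn/OU=IT"   # subject fields from the post

# Step 1: CA private key (umask 077 keeps it 0600) and a self-signed root certificate.
make_ca() {
    mkdir -p "$CA_DIR/private"
    (umask 077; openssl genrsa -out "$CA_DIR/private/cakey.pem" 2048 2>/dev/null)
    openssl req -new -x509 -key "$CA_DIR/private/cakey.pem" -days 7300 \
        -subj "$DN_PREFIX/CN=cookiesinn Root CA" -out "$CA_DIR/cacert.pem"
}

# Step 2: server private key and certificate signing request for host $1.
make_server_csr() {
    mkdir -p "$SSL_DIR"
    (umask 077; openssl genrsa -out "$SSL_DIR/nginx.key" 2048 2>/dev/null)
    openssl req -new -key "$SSL_DIR/nginx.key" \
        -subj "$DN_PREFIX/CN=$1" -out "$SSL_DIR/nginx.csr"
}

# Step 3: sign the CSR with the CA. A subjectAltName is added because browsers
# ignore the CN: an IP literal becomes an IP: entry, anything else a DNS: entry.
sign_server_cert() {
    case "$1" in
        *[!0-9.]*) san="DNS:$1" ;;
        *)         san="IP:$1" ;;
    esac
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=%s\nextendedKeyUsage=serverAuth\n' \
        "$san" > "$SSL_DIR/server.ext"
    openssl x509 -req -in "$SSL_DIR/nginx.csr" -CA "$CA_DIR/cacert.pem" \
        -CAkey "$CA_DIR/private/cakey.pem" -CAcreateserial -days 3650 \
        -extfile "$SSL_DIR/server.ext" -out "$SSL_DIR/nginx.crt" 2>/dev/null
}

build_all() { make_ca; make_server_csr "$1"; sign_server_cert "$1"; }

# Check 1: the server certificate chains to the CA (this is what a client that
# has imported cacert.pem will verify). Exit status 0 means OK.
cert_chains_to_ca() {
    openssl verify -CAfile "$CA_DIR/cacert.pem" "$SSL_DIR/nginx.crt" >/dev/null 2>&1
}

# Check 2: the private key really belongs to the certificate (a mismatch makes
# nginx refuse to load the server block). Compares the public key derived from each.
key_matches_cert() {
    k=$(openssl pkey -in "$SSL_DIR/nginx.key" -pubout 2>/dev/null)
    c=$(openssl x509 -in "$SSL_DIR/nginx.crt" -pubkey -noout)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Check 3: print the SAN the certificate carries, e.g. "IP Address:172.16.1.30".
cert_san() {
    openssl x509 -in "$SSL_DIR/nginx.crt" -noout -text |
        awk '/Subject Alternative Name/ { getline; sub(/^[ \t]*/, ""); print; exit }'
}

# Usage (the file name is hypothetical): sh make-certs.sh 172.16.1.30
main() {
    build_all "$1"
    cert_chains_to_ca || { echo "chain check FAILED" >&2; exit 1; }
    echo "chain OK: nginx.crt verifies against cacert.pem"
    key_matches_cert || { echo "key/cert mismatch" >&2; exit 1; }
    echo "key OK: nginx.key matches nginx.crt"
    echo "SAN: $(cert_san)"
    echo "copy $SSL_DIR/nginx.crt and nginx.key to /etc/nginx/ssl/; import $CA_DIR/cacert.pem in the browser"
}
if [ $# -gt 0 ]; then main "$1"; fi
```

The two checks cover the two failures that show up most often after following a walkthrough like this one: a certificate that was signed by a different (or regenerated) CA than the one the browser trusts, and a key file that does not belong to the certificate next to it. The script only creates files under the scratch directory; copying them into /etc/nginx/ssl is left to you.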


Configuring nginx to support HTTPS:

First open nginx.conf and compare it with my configuration below:

server {                                          #define another virtual host
    listen 443 ssl;                               #listening port, with TLS enabled
    server_name XXXXXX;                           #host name
    ssl on;                                       #enable ssl (deprecated since nginx 1.15.0 and removed in 1.25.1; "listen 443 ssl" above is enough, so drop this line on newer versions)
    ssl_certificate /etc/nginx/ssl/nginx.crt;     #path to the server certificate
    ssl_certificate_key /etc/nginx/ssl/nginx.key; #path to the server private key
    root "/var/www";
    index index.php index.html;

    location ~ \.php$ {                           #also needed if there are php pages
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        include fastcgi.conf;
    }

}

Once the configuration file is done, don't forget to reload it with nginx -s reload (running nginx -t first checks the syntax before the reload).

Accessing the newly configured site over https:

[screenshot nginx05: browser warning that the connection is not secure]

I have not installed the CA certificate on the client here, so the browser shows this warning. To stop the browser from reporting the connection as not secure, just import the CA certificate (cacert.pem, not the server's private key) into the browser's trust store.

[screenshot nginx06: the page loads over https]

Success! That wraps up the nginx configuration.
