nginx服务器上配置https访问
1. 配置nginx服务器
[root@iig conf]# cat nginx.conf
worker_processes 1;
events {
worker_connections 1024;
}
http {
include mime.types;
default_type application/octet-stream;
sendfile on;
keepalive_timeout 65;
server {
listen 80;
server_name www.iigrowing.cn;
location / {
root www.iigrowing.cn;
index index.html index.htm;
}
}
}
2. 生成证书
进入证书的目录cd /etc/pki/tls/certs/,创建证书然后设置密码
make rsyslog.key
[root@iig certs]# openssl rsa -in rsyslog.key -out rsyslog.key
Enter pass phrase for rsyslog.key:
writing RSA key
[root@iig certs]#
3. 创建证书rsyslog.csr
在创建的时候需要注意要的是要写对计算机名字,可以用hostname来查看。
[root@iig certs]# hostname
iig.local.ftp
[root@iig certs]# make rsyslog.csr
umask 77 ; \
/usr/bin/openssl req -utf8 -new -key rsyslog.key -out rsyslog.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ‘.’, the field will be left blank.
—–
Country Name (2 letter code) [GB]:GB
State or Province Name (full name) [Berkshire]:beijing
Locality Name (eg, city) [Newbury]:beijing
Organization Name (eg, company) [My Company Ltd]:www.iigrowing.cn
Organizational Unit Name (eg, section) []:iigrowing
Common Name (eg, your name or your server’s hostname) []:iig.local.ftp
Email Address []:
Please enter the following ‘extra’ attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
4. 生成证书机构用于颁发公钥
因为我们是在本地生成的没有在互联网CA证书机构颁发证书,因此在访问的时候会弹出浏览器警告,我们添加到证书信任机构就可以了。
[root@iig certs]#
[root@iig certs]# openssl x509 -in rsyslog.csr -req -signkey rsyslog.key -days 365 -out rsyslog.crt
Signature ok
subject=/C=GB/ST=beijing/L=beijing/O=www.iigrowing.cn/OU=iigrowing/CN=iig.local.ftp
Getting Private key
[root@iig certs]#
5. 修改nginx配置文件
修改配置文件,需要注意的是我们把默认的ssl模块复制到我们创建的虚拟目录里面即可,默认的不要打开,然后修改路径即可。如图是完成的配置。记得重启服务。
worker_processes 1;
events {
worker_connections 1024;
}
http {
include mime.types;
default_type application/octet-stream;
sendfile on;
keepalive_timeout 65;
server {
listen 80;
server_name www.iigrowing.cn;
location / {
root www.iigrowing.cn;
index index.html index.htm;
}
}
server {
listen 443;
server_name www.iigrowing.cn;
ssl on;
ssl_certificate /etc/pki/tls/certs/rsyslog.crt;
ssl_certificate_key /etc/pki/tls/certs/rsyslog.key;
ssl_session_timeout 5m;
ssl_protocols SSLv2 SSLv3 TLSv1;
ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
ssl_prefer_server_ciphers on;
location / {
root www.iigrowing.cn;
index index.html index.htm;
}
}
}
6. 测试https协议
在如下目录, 创建a.txt文件, 内容如下图
打开浏览器, 输入如下地址: https://www.iigrowing.cn/a.txt
显示结果
本文由 CentOS中文站 - 专注Linux技术 作者:centos 发表,其版权均为 CentOS中文站 - 专注Linux技术 所有,文章内容系作者个人观点,不代表 CentOS中文站 - 专注Linux技术 对观点赞同或支持。如需转载,请注明文章来源。
