nginx服务器上配置https访问

Linux就该这么学

1. 配置nginx服务器

[root@iig conf]# cat nginx.conf

worker_processes  1;

events {

worker_connections  1024;

}

http {

include       mime.types;

default_type  application/octet-stream;

sendfile        on;

keepalive_timeout  65;

server {

listen       80;

server_name  www.iigrowing.cn;

location / {

root   www.iigrowing.cn;

index  index.html index.htm;

}

}

}

2. 生成证书

进入证书的目录cd /etc/pki/tls/certs/,创建证书然后设置密码

https安装(2)nginx配置

make  rsyslog.key

https安装(2)nginx配置

[root@iig certs]# openssl rsa -in rsyslog.key -out rsyslog.key

Enter pass phrase for rsyslog.key:

writing RSA key

[root@iig certs]#

3. 创建证书rsyslog.csr

在创建的时候需要注意要的是要写对计算机名字,可以用hostname来查看。

https安装(2)nginx配置

[root@iig certs]# hostname

iig.local.ftp

[root@iig certs]# make rsyslog.csr

umask 77 ; \

/usr/bin/openssl req -utf8 -new -key rsyslog.key -out rsyslog.csr

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter ‘.’, the field will be left blank.

—–

Country Name (2 letter code) [GB]:GB

State or Province Name (full name) [Berkshire]:beijing

Locality Name (eg, city) [Newbury]:beijing

Organization Name (eg, company) [My Company Ltd]:www.iigrowing.cn

Organizational Unit Name (eg, section) []:iigrowing

Common Name (eg, your name or your server’s hostname) []:iig.local.ftp

Email Address []:

Please enter the following ‘extra’ attributes

to be sent with your certificate request

A challenge password []:

An optional company name []:

4. 生成证书机构用于颁发公钥

因为我们是在本地生成的没有在互联网CA证书机构颁发证书,因此在访问的时候会弹出浏览器警告,我们添加到证书信任机构就可以了。

https安装(2)nginx配置

[root@iig certs]#

[root@iig certs]# openssl  x509 -in rsyslog.csr -req -signkey rsyslog.key -days 365 -out rsyslog.crt

Signature ok

subject=/C=GB/ST=beijing/L=beijing/O=www.iigrowing.cn/OU=iigrowing/CN=iig.local.ftp

Getting Private key

[root@iig certs]#

5. 修改nginx配置文件

修改配置文件,需要注意的是我们把默认的ssl模块复制到我们创建的虚拟目录里面即可,默认的不要打开,然后修改路径即可。如图是完成的配置。记得重启服务。

worker_processes  1;

events {

worker_connections  1024;

}

http {

include       mime.types;

default_type  application/octet-stream;

sendfile        on;

keepalive_timeout  65;

server {

listen       80;

server_name  www.iigrowing.cn;

location / {

root   www.iigrowing.cn;

index  index.html index.htm;

}

}

server {

listen       443;

server_name  www.iigrowing.cn;

ssl                  on;

ssl_certificate      /etc/pki/tls/certs/rsyslog.crt;

ssl_certificate_key  /etc/pki/tls/certs/rsyslog.key;

ssl_session_timeout  5m;

ssl_protocols  SSLv2 SSLv3 TLSv1;

ssl_ciphers  ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;

ssl_prefer_server_ciphers   on;

location / {

root   www.iigrowing.cn;

index  index.html index.htm;

}

}

}

6. 测试https协议

在如下目录, 创建a.txt文件, 内容如下图

https安装(2)nginx配置

打开浏览器, 输入如下地址: https://www.iigrowing.cn/a.txt

https安装(2)nginx配置

显示结果

https安装(2)nginx配置

本文由 CentOS中文站 - 专注Linux技术 作者:centos 发表,其版权均为 CentOS中文站 - 专注Linux技术 所有,文章内容系作者个人观点,不代表 CentOS中文站 - 专注Linux技术 对观点赞同或支持。如需转载,请注明文章来源。

相关文章

发表评论

邮箱地址不会被公开。 必填项已用*标注