华子目录
- 使用nginx的http_ssl模块建立加密传输的网站
- 查看
- 配置文件
- ssl配置文件的主要参数
- 实验:搭建nginx+ssl加密认证的web服务器
使用nginx的http_ssl模块建立加密传输的网站
查看
[root@server ~]# nginx -V
#查看是否有--with-http_ssl_module模块,如果没有则需要安装mod_ssl
配置文件
- 证书文件:
/...../xxx.crt - 私钥文件:
/..../xxx.key
ssl配置文件的主要参数
[root@server ~]# vim /etc/nginx/nginx.conf #主配置文件https段,默认为注释,可以取消注释
# Settings for a TLS enabled server.
#
# server {
# listen 443 ssl http2; #监听443端口
# listen [::]:443 ssl http2;
# server_name _; #域名
# root /usr/share/nginx/html; #默认网页目录
#
# ssl_certificate "/etc/pki/nginx/server.crt"; #证书文件路径
# ssl_certificate_key "/etc/pki/nginx/private/server.key"; #私钥文件路径
#
# ssl_session_cache shared:SSL:1m;
# ssl_session_timeout 10m;
# ssl_ciphers PROFILE=SYSTEM;
# ssl_prefer_server_ciphers on;
#
# # Load configuration files for the default server block.
# include /etc/nginx/default.d/*.conf;
#
# error_page 404 /404.html;
# location = /40x.html {
# }
#
# error_page 500 502 503 504 /50x.html;
# location = /50x.html {
# }
# }
实验:搭建nginx+ssl加密认证的web服务器
- 准备工作
[root@server ~]# setenforce 0[root@server ~]# systemctl stop firewalld[root@server ~]# systemctl disable firewalld[root@server ~]# yum install nginx mod_ssl -y[root@server ~]# systemctl start nginx[root@server ~]# systemctl enable nginx
- 创建网页目录
[root@server ~]# mkdir -p /www/sxhkt#使用mobaxterm上传网页数据到/www/sxhkt
- 制作证书
#在/etc/nginx目录下制作证书所用的私钥文件sxhkt.key
[root@server ~]# openssl genrsa -aes128 2048 > /etc/nginx/sxhkt.key
Enter PEM pass phrase: #输入加密私钥的密码12345
Verifying - Enter PEM pass phrase: #再输一遍#制作证书 (证书需要用CA的私钥进行加密,所以在制作证书之前先制作私钥,证书中含有网站的公钥)
[root@server ~]# openssl req -utf8 -new -key /etc/nginx/sxhkt.key -x509 -days 365 -out /etc/nginx/sxhkt.crt
Enter pass phrase for /etc/nginx/sxhkt.key: #输入加密私钥的密码12345
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:86 #国家代码
State or Province Name (full name) []:shanxi #省份
Locality Name (eg, city) [Default City]:xian #城市
Organization Name (eg, company) [Default Company Ltd]:openlab #公司
Organizational Unit Name (eg, section) []:rhce #部门
Common Name (eg, your name or your server's hostname) []:server #主机名
Email Address []:and@qq.com #邮箱#在加载ssl支持的nginx并使用上述私钥时必须去除设置的私钥密码12345
[root@server ~]# cd /etc/nginx
[root@server nginx]# cp sxhkt.key sxhkt.key.org
[root@server nginx]# openssl rsa -in sxhkt.key.org -out sxhkt.key
Enter pass phrase for sxhkt.key.org: #输入加密私钥的密码12345
writing RSA key
- 修改配置文件
[root@server ~]# vim /etc/nginx/nginx.confserver {listen 80;listen [::]:80;server_name 192.168.80.129;return 301 https://192.168.80.129; #输入http跳转到https# Load configuration files for the default server block.include /etc/nginx/default.d/*.conf;error_page 404 /404.html;location = /404.html {}error_page 500 502 503 504 /50x.html;location = /50x.html {}}# Settings for a TLS enabled server.server {listen 443 ssl http2;listen [::]:443 ssl http2;server_name 192.168.80.129;root /www/sxhkt;ssl_certificate "/etc/nginx/sxhkt.crt";ssl_certificate_key "/etc/nginx/sxhkt.key";# Load configuration files for the default server block.include /etc/nginx/default.d/*.conf;error_page 404 /404.html;location = /40x.html {}error_page 500 502 503 504 /50x.html;location = /50x.html {}}
- 重启服务,测试
[root@server ~]# nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
[root@server ~]# systemctl restart nginx#在Windows端浏览器上输入https://192.168.80.129
