给nginx部署https及自签名ssl证书

一、生成服务器root证书


openssl genrsa -out root.key 2048
openssl req -new -key root.key -out root.csr
    #Country Name (2 letter code) [XX]:---> CN
    #Country Name (2 letter code) [XX]:---> CN
    #State or Province Name (full name) []:---> Shanghai
    #Locality Name (eg, city) [Default City]:---> Shanghai
    #Organization Name (eg, company) [Default Company Ltd]:---> kahn commpany
    #Organizational Unit Name (eg, section) []:---> xou
    #Common Name (eg, your name or your server's hostname) []:---> kahn.com
    #Email Address []:---> 37213690@qq.com
    #A challenge password []:---> 回车
    #An optional company name []:---> 回车
openssl x509 -req -days 3650 -in root.csr -signkey root.key -out root.crt

二、生成SSL服务器证书


openssl genrsa -out server.key 2048
openssl req -new -key server.key -out server.csr
    #Country Name (2 letter code) [XX]:---> CN
    #State or Province Name (full name) []:---> Shanghai
    #Locality Name (eg, city) [Default City]:---> Shanghai
    #Organization Name (eg, company) [Default Company Ltd]:---> kahn commpany
    #Organizational Unit Name (eg, section) []:---> xou
    #Common Name (eg, your name or your server's hostname) []:---> kahn.com
    #Email Address []:---> 37213690@qq.com
    #A challenge password []:---> 回车
    #An optional company name []:---> 回车
openssl x509 -req -in server.csr -CA root.crt -CAkey root.key -CAcreateserial -out server.crt -days 3650

#会生成如下6个文件，其中server.*用于nginx
root.crt root.csr root.key root.srl server.crt server.csr server.key

三、部署证书到nginx

下面是一个测试通过的nginx.conf内容


 
user  nginx nginx;
worker_processes  1;
 
#error_log  logs/error.log;
#error_log  logs/error.log  notice;
#error_log  logs/error.log  info;
 
#pid        logs/nginx.pid;
 
events {
    worker_connections  1024;
}
 
http {
    include       mime.types;
    default_type  application/octet-stream;
 
    #log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
    #                  '$status $body_bytes_sent "$http_referer" '
    #                  '"$http_user_agent" "$http_x_forwarded_for"';
 
    #access_log  logs/access.log  main;
 
    sendfile        on;
    #tcp_nopush     on;
 
    #keepalive_timeout  0;
    keepalive_timeout  65;
 
    #gzip  on;
 
    server {
        listen       80;
        server_name  localhost;
 
        #charset koi8-r;
 
        #access_log  logs/host.access.log  main;
 
        location / {
            root   html;
            index  index.html index.htm;
        }
 
        #error_page  404              /404.html;
 
        # redirect server error pages to the static page /50x.html
        #
        error_page   500 502 503 504  /50x.html;
        location = /50x.html {
            root   html;
        }
    }
 
    # HTTPS server
    server {
        listen       443 ssl;
        server_name  kahn.com;
 
        ssl_certificate      ../ssl-certs/server.crt;
        ssl_certificate_key  ../ssl-certs/server.key;
 
        ssl_session_cache    shared:SSL:1m;
        ssl_session_timeout  5m;
 
        ssl_ciphers  HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers  on;
 
        location / {
           alias /data/www/;
           index index.html index.htm;
       }
    }
    include ../conf.d/*.conf;
}

主要看 # HTTPS server
server {
listen 443 ssl;
server_name x179.com;及以下内容。

值的注意的是，开启https是在http{}区域内部，并且和其他server{}同级。

四、验证ssl证书

openssl s_client -connect kahn.com:443

相关阅读:
从TF-IDF 到BM25, BM25+，一文彻底理解文本相关度
线程池底层原理详解与源码分析（补充部分---ScheduledThreadPoolExecutor类分析）
Spring Boot、Nacos配置文件的优先级
C：strcpy和strncpy的陷阱
内江科技杂志内江科技杂志社内江科技编辑部2024年第13期目录
【Flink实战】Flink对接Kafka Connetor使用docker部署kafka
Unity实现简易太阳系
常识——虚拟机安装centos7与联网
win10专业版驱动开发
【Docker】用Dockerfile制作个人的镜像文件

原文地址：https://blog.csdn.net/xoofly/article/details/136368960