• Setting up HTTPS on Nginx


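    PS: For internal testing, a certificate generated with openssl is used; for production use, a certificate must be purchased.

    1. Create the SSL certificate

    1.1 Create the private key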

    [root@VM-16-15-centos ~]# cd /usr/local/nginx/
    [root@VM-16-15-centos nginx]# mkdir ssl
    [root@VM-16-15-centos nginx]# cd ssl/
    [root@VM-16-15-centos ssl]# openssl genrsa -des3 -out admin.key 2048
    Generating RSA private key, 2048 bit long modulus
    ..................+++
    ........................................................................................................+++
    e is 65537 (0x10001)
    Enter pass phrase for admin.key:  [123456]
    Verifying - Enter pass phrase for admin.key:  [123456]
    
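    • -des3: encrypt the private key with DES3
    • -out: file to save the output to
    • 2048: key length in bits; 2048 is the default choice

    1.2 Generate the CSR (certificate signing request)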

    [root@VM-16-15-centos ssl]# openssl req -new -key admin.key -out admin.csr
    Enter pass phrase for admin.key: [123456]
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
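    # Normally you would enter the country, state/province, city, organization and organizational unit in turn; since this is for internal network use, just press Enter for every field.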
    Country Name (2 letter code) [XX]: 
    State or Province Name (full name) []:
    Locality Name (eg, city) [Default City]:
    Organization Name (eg, company) [Default Company Ltd]:
    Organizational Unit Name (eg, section) []:
    Common Name (eg, your name or your server's hostname) []:
    Email Address []:
    
    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:
    An optional company name []:
    
    • -new: generate a new certificate signing request

    1.3 Remove the passphrase from the key

    [root@VM-16-15-centos ssl]# openssl  rsa -in admin.key -out admin.key 
    Enter pass phrase for admin.key: [123456]
    writing RSA key
    
    • -in: path of the input file (the encrypted key)

    1.4 Generate the self-signed certificate

    [root@VM-16-15-centos ssl]# openssl  x509 -req -days 365 -in admin.csr -signkey admin.key -out admin.crt
    Signature ok
    subject=/C=XX/L=Default City/O=Default Company Ltd
    Getting Private key
    
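    • x509: specifies the certificate format (X.509)
    • -days: validity period of the certificate, in days; the default is 365 days
    • -signkey: self-sign the certificate with the given key

    1.5 Generate the PEM-format public certificate

    PS: Some services need a PEM-format certificate in order to load it properly.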

    [root@VM-16-15-centos ssl]# openssl x509 -in admin.crt  -out admin.pem -outform PEM
    [root@VM-16-15-centos ssl]# ls
    admin.crt  admin.csr  admin.key  admin.pem
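
Steps 1.1 to 1.4 can also be run without prompts and the result checked before nginx is pointed at the files. The script below is an added example, not part of the original post; the function names, the CN value and the 30-day expiry threshold are assumptions, and it writes the key without a passphrase from the start instead of encrypting it and stripping the passphrase afterwards.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): steps 1.1-1.4 without prompts,
# followed by checks worth running before nginx loads the files.
# Function names and the CN value are assumptions made for this example.

# make_cert DIR NAME CN -> DIR/NAME.key (no passphrase, mode 600) and DIR/NAME.crt
make_cert() {
    local dir=$1 name=$2 cn=$3
    (
        umask 077    # key, CSR and certificate are created owner-only
        cd "$dir" || exit 1
        # Steps 1.1 and 1.3 in one go: the key is never written with a passphrase
        openssl genrsa -out "$name.key" 2048 2>/dev/null || exit 1
        # Step 1.2: -subj replaces the interactive Distinguished Name prompts
        openssl req -new -key "$name.key" -subj "/CN=$cn" -out "$name.csr" || exit 1
        # Step 1.4: self-sign the request with the same key
        openssl x509 -req -days 365 -in "$name.csr" -signkey "$name.key" \
            -out "$name.crt" 2>/dev/null
    )
}

# check_cert KEY CRT -> 0 ok, 1 key/certificate mismatch or encrypted key,
#                       2 key accessible to group/others, 3 expires within 30 days
check_cert() {
    local key=$1 crt=$2 kpub cpub
    # "-passin pass:" makes an encrypted key fail here instead of prompting,
    # which is what nginx would otherwise do on every start
    kpub=$(openssl pkey -in "$key" -passin pass: -pubout 2>/dev/null) || return 1
    cpub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null) || return 1
    [ "$kpub" = "$cpub" ] || return 1
    case $(ls -ld "$key") in
        -r[w-]-------*) ;;      # owner read (and optionally write) only
        *) return 2 ;;
    esac
    openssl x509 -in "$crt" -noout -checkend $((30 * 86400)) >/dev/null || return 3
}

# Usage: ./certcheck.sh DIR NAME CN
if [ "$#" -eq 3 ]; then
    make_cert "$1" "$2" "$3" && check_cert "$1/$2.key" "$1/$2.crt"
fi
```

A non-zero return from check_cert identifies which property failed, so the script can gate the nginx restart.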
    

    2. Modify the Nginx configuration file

    [root@VM-16-15-centos ~]# cd /usr/local/nginx/conf/
    [root@VM-16-15-centos conf]# vim nginx.conf
    ......
    # Find the HTTPS section in the configuration file, uncomment it, and point it at the SSL certificate files created above.
      # HTTPS server
    
        server {
    
            listen       443 ssl;
            server_name  localhost;
    
            ssl_certificate      /usr/local/nginx/ssl/admin.pem;
            ssl_certificate_key  /usr/local/nginx/ssl/admin.key;
    
        #    ssl_session_cache    shared:SSL:1m;
        #    ssl_session_timeout  5m;
    
        #    ssl_ciphers  HIGH:!aNULL:!MD5;
        #    ssl_prefer_server_ciphers  on;
    
            location / {
                root   html;
                index  index.html index.htm index.php;
            }
    
            location ~ \.php$ {
                root           html;
                fastcgi_pass   10.0.16.15:9000;
                fastcgi_index  index.php;
                fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
                include        fastcgi_params;
            }
        }
    
    ......
    [root@VM-16-15-centos conf]# systemctl  restart nginx
    

    Test access:

  • Original article: https://blog.csdn.net/weixin_45191791/article/details/126662692