HTTPS is HTTP carried over an encrypted TLS connection: even if the packets are captured in transit, a third party cannot read their contents. A company website that serves the public needs to buy an SSL certificate issued by a CA that the major browser vendors trust.
Note:
For installing Nginx, see "Installing Server SafeDog and Website SafeDog (Nginx edition)".
In the experiment below, a self-signed SSL certificate pair is generated by hand.
First, check that Nginx was built with SSL support (look for --with-http_ssl_module in the configure arguments):
[root@localhost ~]# nginx -V
nginx version: nginx/1.10.0
built by gcc 4.4.7 20120313 (Red Hat 4.4.7-23) (GCC)
built with OpenSSL 1.0.1e-fips 11 Feb 2013
TLS SNI support enabled
configure arguments: --prefix=/usr/local/nginx --user=nginx --group=nginx --with-http_stub_status_module --with-http_ssl_module
Firewall configuration (open TCP 443):
iptables -I INPUT -p tcp --dport 443 -j ACCEPT
iptables-save > /etc/sysconfig/iptables
Note: TCP port 80 no longer needs to be opened.
####################
Generate a self-signed SSL certificate pair
[root@localhost ~]# cd /usr/local/nginx/conf/
[root@localhost conf]# openssl genrsa -des3 -out tmp.key
Generating RSA private key, 1024 bit long modulus
......++++++
................++++++
e is 65537 (0x10001)
Enter pass phrase for tmp.key: # enter a passphrase of your choosing
Verifying - Enter pass phrase for tmp.key: # enter the same passphrase again
Strip the passphrase, converting tmp.key into zhuohua.key (so Nginx can load the key at startup without prompting for a password):
[root@localhost conf]# openssl rsa -in tmp.key -out zhuohua.key
Enter pass phrase for tmp.key: # enter the passphrase chosen above
writing RSA key
[root@localhost conf]# rm -rf tmp.key
Generate the CSR (certificate signing request) file:
[root@localhost conf]# openssl req -new -key zhuohua.key -out zhuohua.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:
State or Province Name (full name) []:
Locality Name (eg, city) [Default City]:
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:zhuohua
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:
Generate the CRT certificate file (signed with the key above, valid for 365 days):
[root@localhost conf]# openssl x509 -req -days 365 -in zhuohua.csr -signkey zhuohua.key -out zhuohua.crt
Signature ok
subject=/C=XX/L=Default City/O=Default Company Ltd/CN=zhuohua
Getting Private key
The generated key and certificate files:
####################
Nginx name-based virtual hosts
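The steps above produce a 1024-bit RSA key (the default in that OpenSSL release) and a certificate whose only identity is the CN. As an added example, not part of the original post, the script below does the same job in one step with a 2048-bit key, no passphrase, and a subjectAltName entry, which modern browsers require for hostname matching; it then verifies that the certificate really belongs to the key and covers the expected hostnames. All directory and file names are assumptions chosen for this example.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): build a self-signed certificate pair
# with a SAN and verify it. Paths, names and hostnames are constructed for this demo.
set -u

# make_selfsigned DIR NAME HOST: writes DIR/NAME.key and DIR/NAME.crt covering HOST and www.HOST
make_selfsigned() {
  local dir="$1" name="$2" host="$3" cfg
  mkdir -p "$dir"
  cfg="$dir/$name.cnf"
  # A config file instead of -addext keeps this working on OpenSSL 1.0.x as well as 1.1/3.x
  cat > "$cfg" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_req
prompt = no
[dn]
CN = $host
[v3_req]
subjectAltName = DNS:$host, DNS:www.$host
EOF
  # -nodes: unencrypted key, so nginx can read it at startup without a passphrase prompt
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -config "$cfg" -keyout "$dir/$name.key" -out "$dir/$name.crt" >/dev/null 2>&1 || return 1
  chmod 600 "$dir/$name.key"   # the private key must not be readable by other users
}

# key_matches_cert KEY CRT: succeeds only if the certificate carries the key's public half
key_matches_cert() {
  local k c
  k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
  c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null) || return 1
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# cert_covers_host CRT HOST: succeeds if HOST appears as a DNS entry in the certificate's SAN
cert_covers_host() {
  openssl x509 -in "$1" -noout -text 2>/dev/null | grep -Eq "DNS:$2(,|$)"
}

# key_bits KEY: prints the RSA modulus size reported by openssl (e.g. 2048)
key_bits() {
  openssl rsa -in "$1" -noout -text 2>/dev/null | sed -n 's/.*(\([0-9]*\) bit.*/\1/p' | head -n 1
}

# Stand-alone demo with constructed paths; skipped quietly when openssl is not installed
if command -v openssl >/dev/null 2>&1; then
  demo=$(mktemp -d)
  if make_selfsigned "$demo" zhuohua zhuohua.store && key_matches_cert "$demo/zhuohua.key" "$demo/zhuohua.crt"; then
    echo "generated $demo/zhuohua.crt ($(key_bits "$demo/zhuohua.key")-bit key, SAN: zhuohua.store, www.zhuohua.store)"
  fi
fi
```

To test the resulting server from a Linux client without touching DNS and without disabling verification, curl can pin the hostname to an address and trust just this certificate: `curl --resolve www.zhuohua.store:443:127.0.0.1 --cacert zhuohua.crt https://www.zhuohua.store/`.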
[root@localhost ~]# vi /usr/local/nginx/conf/nginx.conf
Insert the following line just above the final closing brace } at the end of the file:
include vhost/*.conf;
Create the directory that holds the virtual host configuration files:
[root@localhost ~]# mkdir -p /usr/local/nginx/conf/vhost
Create the virtual host configuration file (file permissions 644):
[root@localhost ~]# vi /usr/local/nginx/conf/vhost/zhuohua.store.conf
server
{
    listen 80;
    #listen [::]:80;
    server_name zhuohua.store www.zhuohua.store;
    index index.html index.htm index.php;
    root /wwwroot/zhuohua.store;

    # static images: let clients cache them for 30 days
    location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
    {
        expires 30d;
    }

    # scripts and stylesheets: cache for 12 hours
    location ~ .*\.(js|css)$
    {
        expires 12h;
    }

    # refuse access to dotfiles such as .htaccess or .git
    location ~ /\.
    {
        deny all;
    }

    access_log off;
}
Create the directory that holds the virtual host's site files:
mkdir -p /wwwroot/zhuohua.store
Create the virtual host's default index page:
echo 'zhuohua.store' > /wwwroot/zhuohua.store/index.html
####################
Enabling SSL on the name-based virtual host
[root@localhost ~]# vi /usr/local/nginx/conf/vhost/zhuohua.store.conf
Add the following lines (and remember to change listen 80 to listen 443):
ssl on;
ssl_certificate zhuohua.crt;
ssl_certificate_key zhuohua.key;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
Restart the Nginx service:
[root@localhost ~]# service nginx restart
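Two of the directives above deserve a second look before the file goes live: `ssl on;` was deprecated in nginx 1.15 in favour of `listen 443 ssl;` (and removed in 1.25), and `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` still offers the two deprecated protocol versions. The private key next to it must also not be world-readable. The script below is an added example, not from the original post: it audits a vhost file for exactly these three points, resolving a relative ssl_certificate_key path against the configuration prefix the way nginx does. The two sample vhost files and the placeholder key files are constructed inside the script.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): audit an nginx vhost file for weak TLS
# settings. Sample configs, key files and directories are constructed below.

# audit_vhost FILE CONF_PREFIX
# Prints one line per finding and returns the number of findings (0 = clean).
# A relative ssl_certificate_key is resolved against CONF_PREFIX (the directory
# holding nginx.conf), which is how nginx resolves it.
audit_vhost() {
  local f="$1" prefix="$2" n=0 key

  # 1. SSLv3, TLS 1.0 and TLS 1.1 are deprecated; only TLS 1.2 and later should be offered
  if grep -E '^[[:space:]]*ssl_protocols' "$f" | grep -Eq '(SSLv3|TLSv1|TLSv1\.1)([[:space:]]|;)'; then
    echo "finding: ssl_protocols enables SSLv3/TLSv1/TLSv1.1"; n=$((n + 1))
  fi

  # 2. "ssl on;" is the old switch; "listen 443 ssl;" is the supported form
  if grep -Eq '^[[:space:]]*ssl[[:space:]]+on[[:space:]]*;' "$f"; then
    echo "finding: 'ssl on;' is deprecated, use 'listen 443 ssl;'"; n=$((n + 1))
  fi

  # 3. the private key must exist and must not be readable by other users
  key=$(sed -n 's/^[[:space:]]*ssl_certificate_key[[:space:]]*\([^;]*\);.*/\1/p' "$f" | head -n 1)
  if [ -n "$key" ]; then
    case "$key" in /*) ;; *) key="$prefix/$key" ;; esac
    if [ ! -f "$key" ]; then
      echo "finding: key file $key does not exist"; n=$((n + 1))
    elif [ -n "$(find "$key" -perm -004 -print 2>/dev/null)" ]; then
      echo "finding: key file $key is world-readable"; n=$((n + 1))
    fi
  fi
  return "$n"
}

# write_samples DIR: constructed files under DIR mirroring the post's layout
# (conf prefix = DIR, vhosts in DIR/vhost). weak.conf copies the post's TLS
# settings; hardened.conf is the corrected variant. Key files are placeholders.
write_samples() {
  local d="$1"
  mkdir -p "$d/vhost"
  printf 'placeholder, not a real key\n' > "$d/zhuohua.key";          chmod 644 "$d/zhuohua.key"
  printf 'placeholder, not a real key\n' > "$d/zhuohua-hardened.key"; chmod 600 "$d/zhuohua-hardened.key"
  cat > "$d/vhost/weak.conf" <<'EOF'
server {
    listen 443;
    server_name zhuohua.store www.zhuohua.store;
    root /wwwroot/zhuohua.store;
    ssl on;
    ssl_certificate zhuohua.crt;
    ssl_certificate_key zhuohua.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
}
EOF
  cat > "$d/vhost/hardened.conf" <<'EOF'
server {
    listen 443 ssl;
    server_name zhuohua.store www.zhuohua.store;
    root /wwwroot/zhuohua.store;
    ssl_certificate zhuohua.crt;
    ssl_certificate_key zhuohua-hardened.key;
    ssl_protocols TLSv1.2 TLSv1.3;   # TLSv1.3 needs nginx 1.13+ built against OpenSSL 1.1.1+
}
EOF
}

# Stand-alone demo: audit both constructed vhost files in a temporary prefix
demo_dir=$(mktemp -d)
write_samples "$demo_dir"
for c in weak hardened; do
  echo "== $c.conf"
  audit_vhost "$demo_dir/vhost/$c.conf" "$demo_dir" || echo "   ($? finding(s))"
done
```

Run against the real installation as `audit_vhost /usr/local/nginx/conf/vhost/zhuohua.store.conf /usr/local/nginx/conf`; a non-zero exit status means at least one finding, which makes the function usable as a pre-restart check in a deployment script.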
Access from a Windows client (without a DNS server to resolve the domain, bind it in the hosts file):
C:\WINDOWS\system32\drivers\etc
Remember to set the permissions on the hosts file:
Test:
https://www.zhuohua.store/
Note: the browser warning appears because this certificate is self-made and is not trusted by the browser. It does not prevent access or encryption.
Just continue to the site:
Related articles:
Nginx user authentication + upgrading the Nginx version
Nginx name-based virtual hosts / domain redirection / access control / hotlink protection
Nginx reverse proxy + Tomcat + JDK + SSL