推荐阅读:
Nginx配置Https(详细、完整) - 漫思 - 博客园 ()
http {include mime.types;default_type application/octet-stream;sendfile on;keepalive_timeout 65;server {#监听443端口listen 443;#你的域名server_name huiblog.top; ssl on;#ssl证书的pem文件路径ssl_certificate /root/card/huiblog.top.pem;#ssl证书的key文件路径ssl_certificate_key /root/card/huiblog.top.key;location / {proxy_pass http://公网地址:项目端口号;}}server {listen 80;server_name huiblog.top;#将请求转成httpsrewrite ^(.*)$ https://$host$1 permanent;}}
原文:Nginx服务器配置Https证书_不如打代码KK的博客-CSDN博客_nginx配置https证书
1.Nginx安装ssl模块
nginx默认是没有安装ssl模块的。
[root@localhost nginx-1.20.0]# /usr/local/nginx/sbin/nginx -V
nginx version: nginx/1.20.0
built by gcc 4.8.5 0623 (Red Hat 4.8.5-44) (GCC)
configure arguments:
安装ssl模块前,请备份好nginx相关文件,默认安装目录是/usr/local/nginx,备份该文件夹。
进入到你的解压缩后的nginx目录,注意这里不是nginx安装目录,是解压缩后的目录
./configure --prefix=/usr/local/nginx --with-http_stub_status_module --with-http_ssl_module
1
1.2.重新make
接下来执行
make
#切记不要执行make install,否则会重新安装nginx
1
2
1.3.覆盖旧的nginx可执行文件
上述操作执行完成以后,你的目录下会出现objs文件夹,文件夹内存在nginx可执行文件
[root@localhost objs]# cp nginx /usr/local/nginx/sbin
cp: overwrite ‘/usr/local/nginx/sbin/nginx’? y
1
2
1.4.验证是否安装ssl成功
[root@localhost objs]# /usr/local/nginx/sbin/nginx -V
nginx version: nginx/1.20.0
built by gcc 4.8.5 0623 (Red Hat 4.8.5-44) (GCC)
built with OpenSSL 1.0.2k-fips 26 Jan
TLS SNI support enabled
configure arguments: --prefix=/usr/local/nginx --with-http_stub_status_module --with-http_ssl_module
[root@localhost objs]#
ssl模块安装成功。
2.生成ssl证书
证书可以去阿里云申请免费的证书。我这里演示下如何在本地生成ssl证书。
openssl req -new -x509 -nodes -out server.crt -keyout server.key
Generating a 2048 bit RSA private key
................................................................................................+++
......................................................+++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CH
State or Province Name (full name) []:HN
Locality Name (eg, city) [Default City]:CS
Organization Name (eg, company) [Default Company Ltd]:HHXD
Organizational Unit Name (eg, section) []:HHXD
Common Name (eg, your name or your server's hostname) []:dbmgr
Email Address []:xxxxxx@
[root@localhost stage]# ll
total 101328
-rw-r--r--. 1 root root 1383 Jan 18 22:08 server.crt
-rw-r--r--. 1 root root 1704 Jan 18 22:08 server.key
[root@localhost stage]#
3.配置证书
修改nginx.conf配置文件
重新加载配置文件完成配置
sbin/nginx -s reload
打开浏览器信任证书
证书示例: cat nginx.conf
server {listen 80;server_name ;rewrite ^(.*)$ https://${server_name}$1 permanent; }server {#listen 80;#listen [::]:80;#listen80;#http端口默认 80listen443 ssl; #https端口默认 443server_name _;#root /usr/share/nginx/html;ssl_certificate cert/.pem; #将domain name.pem替换成您证书的文件名称。ssl_certificate_key cert/.key; #将domain name.key替换成您证书的密钥文件名称。ssl_session_timeout 5m;ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4; #使用此加密套件。ssl_protocols TLSv1 TLSv1.1 TLSv1.2; #使用该协议进行配置。ssl_prefer_server_ciphers on;# Load configuration files for the default server block.include /etc/nginx/default.d/*.conf;location / {proxy_pass http://127.0.0.1:8000;# root html;#index index.html index.htm;}error_page 404 /404.html;location = /404.html {}error_page 500 502 503 504 /50x.html;location = /50x.html {}}
# ls cert/
.key _nginx.zip .pem
