Adding HTTPS to nginx
- I. What is HTTPS?
- II. Setup steps
  - 1. Install nginx
  - 2. Create certificates
- III. Verification
- IV. Browser access
- Installing the certificate on Windows
- Summary
Environment: nginx host 192.168.122.50
I. What is HTTPS?
HTTPS (Hypertext Transfer Protocol Secure) is an HTTP channel designed with security as its goal: on top of HTTP it adds transport encryption and identity authentication, so the data in transit is protected.
HTTPS adds SSL (today its successor, TLS) underneath HTTP; SSL is the security foundation of HTTPS, so the details of the encryption are handled by SSL. HTTPS uses a default port (443) different from HTTP's and inserts an encryption/authentication layer between HTTP and TCP. This layer provides both authentication of the server and encrypted communication.
SSL (Secure Sockets Layer) is a network security protocol first adopted by Netscape. It is a security protocol implemented on top of the transport protocol (TCP/IP) and relies on public-key cryptography.
II. Setup steps
1. Install nginx
mkdir /opt/download
Upload openresty-1.21.4.1.tar.gz to /opt/download
yum -y install pcre pcre-devel openssl openssl-devel zlib zlib-devel perl make gcc curl readline-devel ncurses-devel
tar -xf openresty-1.21.4.1.tar.gz
cd openresty-1.21.4.1
./configure --prefix=/opt/openresty && gmake && gmake install
ln -s /opt/openresty/nginx /opt/nginx
/bin/cp -r /opt/download/nginx.conf /opt/nginx/conf
mkdir /opt/nginx/conf/conf.d
echo "export PATH=\$PATH:/opt/nginx/sbin" >> ~/.bash_profile
source ~/.bash_profile
2. Create certificates
sed -i "s/countryName = match/countryName = optional/g" /etc/pki/tls/openssl.cnf
sed -i "s/stateOrProvinceName = match/stateOrProvinceName = optional/g" /etc/pki/tls/openssl.cnf
sed -i "s/organizationName = match/organizationName = optional/g" /etc/pki/tls/openssl.cnf
sed -i "s/organizationalUnitName = optional/organizationalUnitName = optional/g" /etc/pki/tls/openssl.cnf
sed -i "s/commonName = supplied/commonName = supplied/g" /etc/pki/tls/openssl.cnf
sed -i "s/emailAddress = optional/emailAddress = optional/g" /etc/pki/tls/openssl.cnf
mkdir /opt/.ssl && cd /opt/.ssl
openssl genrsa -out cakey.pem 4096
openssl req -new -x509 -key cakey.pem -out cacert.pem -days 3655
The following fields must be filled in:
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:BJ
Locality Name (eg, city) [Default City]:BJ
Common Name (eg, your name or your server's hostname) []:192.168.122.50
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:BJ
Locality Name (eg, city) [Default City]:BJ
Organization Name (eg, company) [Default Company Ltd]:BJ
Organizational Unit Name (eg, section) []:BJ
Common Name (eg, your name or your server's hostname) []:192.168.122.50
Email Address []:ABC@qq.com
Generate the server private key and certificate signing request
openssl genrsa -out https.key 2048
openssl req -new -key https.key -out https.csr -days 365
Sign the certificate on the CA host
cp cakey.pem /etc/pki/CA/private/cakey.pem
cp cacert.pem /etc/pki/CA/cacert.pem
mkdir -p /etc/pki/CA/newcerts
touch /etc/pki/CA/index.txt
touch /etc/pki/CA/serial
echo '01'>/etc/pki/CA/serial
openssl ca -in https.csr -out https.crt -days 365
ll /opt/.ssl
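The interactive procedure above produces a certificate whose only identity is the Common Name, and the signing goes through the /etc/pki/CA index/serial database. Chrome (since version 58) ignores the CN and requires a subjectAltName, which is why the Chrome visit in section III still warns after the CA is trusted while IE accepts the certificate. The script below is an added example, not part of the original post: it produces the same five files non-interactively, adds the server IP as a subjectAltName, marks the root as a CA explicitly instead of relying on the distro openssl.cnf, and signs with the CA key directly. The directory, the subject names, the config file names (ca.cnf, server.ext) and the IP are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original post: CA and server certificate
# generated non-interactively, with a subjectAltName for the server IP.
# Directory, subject names and the IP are assumptions of this example.
set -eu

# make_certs DIR IP
# Writes cakey.pem, cacert.pem, https.key, https.csr, https.crt into DIR.
make_certs() {
    dir="$1"; ip="$2"
    mkdir -p "$dir"

    # Minimal openssl config for the root: CA:TRUE is stated explicitly
    # rather than inherited from /etc/pki/tls/openssl.cnf (assumed names).
    cat > "$dir/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions    = ca_ext
prompt             = no
[dn]
C  = CN
ST = BJ
L  = BJ
O  = BJ
CN = Lab Root CA (example)
[ca_ext]
basicConstraints     = critical,CA:TRUE
keyUsage             = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF

    # Extensions for the server certificate: not a CA, server use only,
    # and the IP in subjectAltName (Chrome ignores the CN since version 58).
    cat > "$dir/server.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage         = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = IP:$ip
EOF

    # CA key and self-signed root, same sizes and lifetime as in the post
    openssl genrsa -out "$dir/cakey.pem" 4096 2>/dev/null
    openssl req -new -x509 -key "$dir/cakey.pem" -out "$dir/cacert.pem" \
        -days 3655 -config "$dir/ca.cnf"

    # Server key and CSR; -subj replaces the interactive questions
    openssl genrsa -out "$dir/https.key" 2048 2>/dev/null
    openssl req -new -key "$dir/https.key" -out "$dir/https.csr" \
        -config "$dir/ca.cnf" -subj "/C=CN/ST=BJ/L=BJ/O=BJ/CN=$ip"

    # Sign with the CA key directly (no /etc/pki/CA database required)
    openssl x509 -req -in "$dir/https.csr" -CA "$dir/cacert.pem" \
        -CAkey "$dir/cakey.pem" -CAcreateserial -days 365 -sha256 \
        -extfile "$dir/server.ext" -out "$dir/https.crt" 2>/dev/null

    # Private keys are readable by root only
    chmod 600 "$dir/cakey.pem" "$dir/https.key"
}

# verify_chain DIR -> 0 if https.crt chains to cacert.pem
verify_chain() {
    openssl verify -CAfile "$1/cacert.pem" "$1/https.crt" >/dev/null
}

# has_san DIR IP -> 0 if the server certificate lists IP in subjectAltName
has_san() {
    openssl x509 -in "$1/https.crt" -noout -text | grep -q "IP Address:$2"
}

# Usage: sh make_certs.sh /opt/.ssl 192.168.122.50
if [ $# -ge 2 ]; then
    make_certs "$1" "$2" && verify_chain "$1" && has_san "$1" "$2" \
        && echo "certificates in $1 OK"
fi
```

The two check functions are what a practitioner runs after signing: verify_chain confirms the server certificate validates against the private root, and has_san confirms the identity a modern browser actually looks at is present. The ssl_certificate and ssl_certificate_key paths in ssl.conf stay the same.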
cat << EOF >> /opt/nginx/conf/conf.d/ssl.conf
server{
listen 443 ssl;
ssl_certificate /opt/.ssl/https.crt;
ssl_certificate_key /opt/.ssl/https.key;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';
ssl_prefer_server_ciphers on;
location / {
root /opt/html;
index index.html index.htm;
}
}
EOF
nginx -t
The ssl.conf fragment above is only loaded if the nginx.conf copied in step 1 includes the conf.d directory from inside its http block; nginx -t reports either a configuration error or "syntax is ok" before the service is started.
III. Verification
nginx
netstat -tlnup|grep 443
mkdir /opt/html && cd /opt/html
echo "hello world" > /opt/html/index.html
nginx -s reload
Open Google Chrome and visit
https://192.168.122.50
wget https://192.168.122.50/index.html
wget https://192.168.122.50/index.html --no-check-certificate
The first wget fails because the client does not trust the private CA that signed https.crt; the second succeeds only because certificate verification is switched off, which would equally accept a forged certificate. The proper fix is to make the client trust cacert.pem, as section IV does for Windows.
IV. Browser access
Open Internet Explorer and visit
https://192.168.122.50
List the /opt/.ssl directory
ll /opt/.ssl
Export the cacert.pem certificate (sz sends the file to the local machine over the terminal's ZMODEM transfer)
sz cacert.pem
Installing the certificate on Windows
Rename cacert.pem to cacert.crt
Double-click cacert.crt and import it into the Trusted Root Certification Authorities store
Clear the IE browser cache and reopen
https://192.168.122.50
Summary
Create the certificates
openssl genrsa -out cakey.pem 4096
openssl req -new -x509 -key cakey.pem -out cacert.pem -days 3655
openssl genrsa -out https.key 2048
openssl req -new -key https.key -out https.csr -days 365
openssl ca -in https.csr -out https.crt -days 365
[root@localhost .ssl]# ll
总用量 24
-rw-r--r--. 1 root root 2049 12月 9 12:16 cacert.pem
-rw-r--r--. 1 root root 3243 12月 9 11:45 cakey.pem
-rw-r--r--. 1 root root 5776 12月 9 13:13 https.crt
-rw-r--r--. 1 root root 1078 12月 9 13:05 https.csr
-rw-r--r--. 1 root root 1679 12月 9 13:04 https.key
Use the SSL certificate in the nginx HTTPS server block
ssl_certificate /opt/.ssl/https.crt;
ssl_certificate_key /opt/.ssl/https.key;