给nginx部署https及自签名ssl证书

一、生成服务器root证书

openssl genrsa -out root.key 2048
openssl req -new -key root.key -out root.csr
    #Country Name (2 letter code) [XX]:---> CN
    #Country Name (2 letter code) [XX]:---> CN
    #State or Province Name (full name) []:---> Shanghai
    #Locality Name (eg, city) [Default City]:---> Shanghai
    #Organization Name (eg, company) [Default Company Ltd]:---> kahn commpany
    #Organizational Unit Name (eg, section) []:---> xou
    #Common Name (eg, your name or your server's hostname) []:---> kahn.com
    #Email Address []:---> 37213690@qq.com
    #A challenge password []:---> 回车
    #An optional company name []:---> 回车
openssl x509 -req -days 3650 -in root.csr -signkey root.key -out root.crt

二、生成SSL服务器证书

openssl genrsa -out server.key 2048
openssl req -new -key server.key -out server.csr
    #Country Name (2 letter code) [XX]:---> CN
    #State or Province Name (full name) []:---> Shanghai
    #Locality Name (eg, city) [Default City]:---> Shanghai
    #Organization Name (eg, company) [Default Company Ltd]:---> kahn commpany
    #Organizational Unit Name (eg, section) []:---> xou
    #Common Name (eg, your name or your server's hostname) []:---> kahn.com
    #Email Address []:---> 37213690@qq.com
    #A challenge password []:---> 回车
    #An optional company name []:---> 回车
openssl x509 -req -in server.csr -CA root.crt -CAkey root.key -CAcreateserial -out server.crt -days 3650

#会生成如下6个文件，其中server.*用于nginx

root.crt root.csr root.key root.srl server.crt server.csr server.key

三、部署证书到nginx

下面是一个测试通过的nginx.conf内容

user  nginx nginx;
worker_processes  1;

#error_log  logs/error.log;
#error_log  logs/error.log  notice;
#error_log  logs/error.log  info;

#pid        logs/nginx.pid;

events {
    worker_connections  1024;
}

http {
    include       mime.types;
    default_type  application/octet-stream;

    #log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
    #                  '$status $body_bytes_sent "$http_referer" '
    #                  '"$http_user_agent" "$http_x_forwarded_for"';

    #access_log  logs/access.log  main;

    sendfile        on;
    #tcp_nopush     on;

    #keepalive_timeout  0;
    keepalive_timeout  65;

    #gzip  on;

    server {
        listen       80;
        server_name  localhost;

        #charset koi8-r;

        #access_log  logs/host.access.log  main;

        location / {
            root   html;
            index  index.html index.htm;
        }

        #error_page  404              /404.html;

        # redirect server error pages to the static page /50x.html
        #
        error_page   500 502 503 504  /50x.html;
        location = /50x.html {
            root   html;
        }
    }

    # HTTPS server
    server {
        listen       443 ssl;
        server_name  kahn.com;

        ssl_certificate      ../ssl-certs/server.crt;
        ssl_certificate_key  ../ssl-certs/server.key;

        ssl_session_cache    shared:SSL:1m;
        ssl_session_timeout  5m;

        ssl_ciphers  HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers  on;

        location / {
           alias /data/www/;
           index index.html index.htm;
       }
    }
    include ../conf.d/*.conf;
}

主要看 # HTTPS server

server {

listen 443 ssl;

server_name x179.com;及以下内容。

值的注意的是，开启https是在http{}区域内部，并且和其他server{}同级。

四、验证ssl证书

openssl s_client -connect kahn.com:443