【nginx】使用nginx部署https协议

一、客户有证书提供

客户有证书的,或者有域名申请了免费证书的,直接根据下面的第5步骤,配置nginx即可。

二、 自己生成证书

1. 安装openssl-Win64 OpenSSL v3.1.1 Light

附下载地址 Win32/Win64 OpenSSL Installer for Windows - Shining Light Productions

配置环境变量:

变量名:OPENSSL_HOME

具体路径根据情况配置。

将%OPENSSL_HOME%\bin加入至PATH中。

2.创建root CA私钥

以下ca.key 与 ca.crt的路径需要自行修改

bash 复制代码
openssl req -newkey rsa:4096 -nodes -sha256 -keyout D:\pis-win64\ssl\ca.key -x509 -days 365 -out D:\pis-win64\ssl\ca.crt

执行步骤返回如下:

需要填写一些信息

bash 复制代码
C:\Users\Administrator>openssl req -newkey rsa:4096 -nodes -sha256 -keyout D:\pis-win64\ssl\ca.key -x509 -days 365 -out D:\pis-win64\ssl\ca.crt
 
Generating a 4096 bit RSA private key
.............................................++
.............................................++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:ShenZhen
Locality Name (eg, city) []:ShenZhen
Organization Name (eg, company) [Internet Widgits Pty Ltd]:bowo
Organizational Unit Name (eg, section) []:bowo
Common Name (e.g. server FQDN or YOUR name) []:bowo
Email Address []:xxxx@126.com

3. 为服务端(web)生成证书签名请求文件

以下192.168.168.5.key 与192.168.168.5.csr的路径需要自行修改

bash 复制代码
openssl req -newkey rsa:4096 -nodes -sha256 -keyout D:\pis-win64\ssl\192.168.168.5.key -out D:\pis-win64\ssl\192.168.168.5.csr

执行步骤返回如下:

需要填写一些信息,且需要注意,本次填写的内容中 Common Name一定要是你要授予证书的FQDN域名或主机名,并且不能与生成root CA设置的Commone Name相同

bash 复制代码
Generating a 4096 bit RSA private key
....................................................................++
....................................................................++
writing new private key to '192.168.168.5.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:ShenZhen
Locality Name (eg, city) []:ShenZhen
Organization Name (eg, company) [Internet Widgits Pty Ltd]:BOWO
Organizational Unit Name (eg, section) []:BOWO
Common Name (e.g. server FQDN or YOUR name) []:192.168.168.5
Email Address []:xxxx@126.com
 
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:附属属性修改密码,可以不填
An optional company name []:附属属性另一个公司名称,可以不填

4.用步骤2创建的root CA证书给步骤3生成的签名请求进行签名

4.1 先创建一个extfile.cnf文件,文件内容是你要用来访问的IP,即主机IP

文件内容如下:

bash 复制代码
subjectAltName = IP:192.168.168.5

主机有多个网卡可以用以下配置

bash 复制代码
subjectAltName = IP:192.168.168.5,IP:10.33.180.100
4.2 执行语句,进行签名

路径需要自行修改

bash 复制代码
openssl x509 -req -days 365 -in D:\pis-win64\ssl\192.168.168.5.csr -CA D:\pis-win64\ssl\ca.crt -CAkey D:\pis-win64\ssl\ca.key -CAcreateserial -extfile D:\pis-win64\ssl\extfile.cnf -out  D:\pis-win64\ssl\192.168.5.5.crt

执行步骤返回如下:

bash 复制代码
Signature ok
subject=/C=CN/ST=ShenZhen/L=ShenZhen/O=RANCHER/OU=BOWO/CN=192.168.168.5/emailAddress=xxxx@126.com
Getting CA Private Key

5.配置nginx

将https模块打开,ssl_certificate 和 ssl_certificate_key 配上生成的crt与key即可。

bash 复制代码
# HTTPS server
    #
    server {
        listen       13901 ssl;
        server_name  192.168.168.5;
 
         
        ssl_certificate      D:/LIMS/pis-win64/ssl/192.168.5.5.crt;
        ssl_certificate_key  D:/LIMS/pis-win64/ssl/192.168.168.5.key;
        ssl_session_cache    shared:SSL:1m;
        ssl_session_timeout  5m;
        ssl_ciphers  HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers  on;
}
相关推荐
渲染101专业云渲染几秒前
川翔云电脑优势总结
服务器·3d·电脑·blender·maya
chian-ocean18 分钟前
Linux 文件缓冲区:高效数据访问的幕后推手
linux·运维·服务器
加油=^_^=20 分钟前
【Linux】进程优先级 | 进程调度(三)
linux·运维·服务器
若云止水29 分钟前
Ubuntu 下 nginx-1.24.0 源码分析 - ngx_init_cycle 函数 - 详解(4)
数据库·nginx·ubuntu
橘子味的茶二29 分钟前
高级系统架构师--第十章:计算机网络
服务器·计算机网络·系统架构
紫菜(Nori)1 小时前
短连接服务器压测-wrk
服务器·压力测试
陆沙1 小时前
deepseek-r1-centos-本地服务器配置方法
linux·服务器·centos
浪九天4 小时前
Nginx系列05(负载均衡、动静分离)
nginx·运维开发·持续部署
Tisfy5 小时前
LeetCode 1472.设计浏览器历史记录:一个数组完成模拟,单次操作均O(1)
服务器·leetcode·浏览器·memcached·题解·模拟·数组