【nginx】使用nginx部署https协议

一、客户有证书提供

客户有证书的,或者有域名申请了免费证书的,直接根据下面的第5步骤,配置nginx即可。

二、 自己生成证书

1. 安装openssl-Win64 OpenSSL v3.1.1 Light

附下载地址 Win32/Win64 OpenSSL Installer for Windows - Shining Light Productions

配置环境变量:

变量名:OPENSSL_HOME

具体路径根据情况配置。

将%OPENSSL_HOME%\bin加入至PATH中。

2.创建root CA私钥

以下ca.key 与 ca.crt的路径需要自行修改

bash 复制代码
openssl req -newkey rsa:4096 -nodes -sha256 -keyout D:\pis-win64\ssl\ca.key -x509 -days 365 -out D:\pis-win64\ssl\ca.crt

执行步骤返回如下:

需要填写一些信息

bash 复制代码
C:\Users\Administrator>openssl req -newkey rsa:4096 -nodes -sha256 -keyout D:\pis-win64\ssl\ca.key -x509 -days 365 -out D:\pis-win64\ssl\ca.crt
 
Generating a 4096 bit RSA private key
.............................................++
.............................................++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:ShenZhen
Locality Name (eg, city) []:ShenZhen
Organization Name (eg, company) [Internet Widgits Pty Ltd]:bowo
Organizational Unit Name (eg, section) []:bowo
Common Name (e.g. server FQDN or YOUR name) []:bowo
Email Address []:xxxx@126.com

3. 为服务端(web)生成证书签名请求文件

以下192.168.168.5.key 与192.168.168.5.csr的路径需要自行修改

bash 复制代码
openssl req -newkey rsa:4096 -nodes -sha256 -keyout D:\pis-win64\ssl\192.168.168.5.key -out D:\pis-win64\ssl\192.168.168.5.csr

执行步骤返回如下:

需要填写一些信息,且需要注意,本次填写的内容中 Common Name一定要是你要授予证书的FQDN域名或主机名,并且不能与生成root CA设置的Commone Name相同

bash 复制代码
Generating a 4096 bit RSA private key
....................................................................++
....................................................................++
writing new private key to '192.168.168.5.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:ShenZhen
Locality Name (eg, city) []:ShenZhen
Organization Name (eg, company) [Internet Widgits Pty Ltd]:BOWO
Organizational Unit Name (eg, section) []:BOWO
Common Name (e.g. server FQDN or YOUR name) []:192.168.168.5
Email Address []:xxxx@126.com
 
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:附属属性修改密码,可以不填
An optional company name []:附属属性另一个公司名称,可以不填

4.用步骤2创建的root CA证书给步骤3生成的签名请求进行签名

4.1 先创建一个extfile.cnf文件,文件内容是你要用来访问的IP,即主机IP

文件内容如下:

bash 复制代码
subjectAltName = IP:192.168.168.5

主机有多个网卡可以用以下配置

bash 复制代码
subjectAltName = IP:192.168.168.5,IP:10.33.180.100
4.2 执行语句,进行签名

路径需要自行修改

bash 复制代码
openssl x509 -req -days 365 -in D:\pis-win64\ssl\192.168.168.5.csr -CA D:\pis-win64\ssl\ca.crt -CAkey D:\pis-win64\ssl\ca.key -CAcreateserial -extfile D:\pis-win64\ssl\extfile.cnf -out  D:\pis-win64\ssl\192.168.5.5.crt

执行步骤返回如下:

bash 复制代码
Signature ok
subject=/C=CN/ST=ShenZhen/L=ShenZhen/O=RANCHER/OU=BOWO/CN=192.168.168.5/emailAddress=xxxx@126.com
Getting CA Private Key

5.配置nginx

将https模块打开,ssl_certificate 和 ssl_certificate_key 配上生成的crt与key即可。

bash 复制代码
# HTTPS server
    #
    server {
        listen       13901 ssl;
        server_name  192.168.168.5;
 
         
        ssl_certificate      D:/LIMS/pis-win64/ssl/192.168.5.5.crt;
        ssl_certificate_key  D:/LIMS/pis-win64/ssl/192.168.168.5.key;
        ssl_session_cache    shared:SSL:1m;
        ssl_session_timeout  5m;
        ssl_ciphers  HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers  on;
}
相关推荐
九天轩辕2 小时前
HTTPS 通信流程
https
Java Fans2 小时前
微信小程序——访问服务器媒体文件的实现步骤
服务器·微信小程序·小程序
yourkin6662 小时前
HTTPS(下)
服务器·网络协议·https
KingDol_MIni2 小时前
Spring Boot 集成 T-io 实现客户端服务器通信
java·服务器·spring boot
fajianchen3 小时前
什么是HTTP/2协议?NGINX如何支持HTTP/2并提升网站性能?
nginx·http
神一样的老师3 小时前
超越云计算:计算连续体中的无服务器函数
服务器
ITPUB-微风3 小时前
美团MTSQL特性解析:技术深度与应用广度的完美结合
java·服务器·开发语言
@#---4 小时前
删除驱动精灵的详细过程
运维·服务器
boy快快长大4 小时前
【Elasticsearch】同一台服务器部署集群
服务器·elasticsearch·jenkins
m0_748248775 小时前
在 Ubuntu 上安装 Nginx 的详细指南
nginx·ubuntu·postgresql