【nginx】使用nginx部署https协议

一、客户有证书提供

客户有证书的，或者有域名申请了免费证书的，直接根据下面的第5步骤，配置nginx即可。

二、 自己生成证书

1. 安装openssl-Win64 OpenSSL v3.1.1 Light

附下载地址 Win32/Win64 OpenSSL Installer for Windows - Shining Light Productions

配置环境变量：

变量名：OPENSSL_HOME

具体路径根据情况配置。

将%OPENSSL_HOME%\bin加入至PATH中。

2.创建root CA私钥

以下ca.key 与 ca.crt的路径需要自行修改

openssl req -newkey rsa:4096 -nodes -sha256 -keyout D:\pis-win64\ssl\ca.key -x509 -days 365 -out D:\pis-win64\ssl\ca.crt

执行步骤返回如下：

需要填写一些信息

C:\Users\Administrator>openssl req -newkey rsa:4096 -nodes -sha256 -keyout D:\pis-win64\ssl\ca.key -x509 -days 365 -out D:\pis-win64\ssl\ca.crt
 
Generating a 4096 bit RSA private key
.............................................++
.............................................++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:ShenZhen
Locality Name (eg, city) []:ShenZhen
Organization Name (eg, company) [Internet Widgits Pty Ltd]:bowo
Organizational Unit Name (eg, section) []:bowo
Common Name (e.g. server FQDN or YOUR name) []:bowo
Email Address []:xxxx@126.com

3. 为服务端（web）生成证书签名请求文件

以下192.168.168.5.key 与192.168.168.5.csr的路径需要自行修改

openssl req -newkey rsa:4096 -nodes -sha256 -keyout D:\pis-win64\ssl\192.168.168.5.key -out D:\pis-win64\ssl\192.168.168.5.csr

执行步骤返回如下：

需要填写一些信息,且需要注意，本次填写的内容中 Common Name一定要是你要授予证书的FQDN域名或主机名，并且不能与生成root CA设置的Commone Name相同

Generating a 4096 bit RSA private key
....................................................................++
....................................................................++
writing new private key to '192.168.168.5.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:ShenZhen
Locality Name (eg, city) []:ShenZhen
Organization Name (eg, company) [Internet Widgits Pty Ltd]:BOWO
Organizational Unit Name (eg, section) []:BOWO
Common Name (e.g. server FQDN or YOUR name) []:192.168.168.5
Email Address []:xxxx@126.com
 
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:附属属性修改密码，可以不填
An optional company name []:附属属性另一个公司名称，可以不填

4.用步骤2创建的root CA证书给步骤3生成的签名请求进行签名

4.1 先创建一个extfile.cnf文件，文件内容是你要用来访问的IP，即主机IP

文件内容如下：

subjectAltName = IP:192.168.168.5

主机有多个网卡可以用以下配置

subjectAltName = IP:192.168.168.5,IP:10.33.180.100

4.2 执行语句，进行签名

路径需要自行修改

openssl x509 -req -days 365 -in D:\pis-win64\ssl\192.168.168.5.csr -CA D:\pis-win64\ssl\ca.crt -CAkey D:\pis-win64\ssl\ca.key -CAcreateserial -extfile D:\pis-win64\ssl\extfile.cnf -out  D:\pis-win64\ssl\192.168.5.5.crt

执行步骤返回如下：

Signature ok
subject=/C=CN/ST=ShenZhen/L=ShenZhen/O=RANCHER/OU=BOWO/CN=192.168.168.5/emailAddress=xxxx@126.com
Getting CA Private Key

5.配置nginx

将https模块打开，ssl_certificate 和 ssl_certificate_key 配上生成的crt与key即可。

# HTTPS server
    #
    server {
        listen       13901 ssl;
        server_name  192.168.168.5;
 
         
        ssl_certificate      D:/LIMS/pis-win64/ssl/192.168.5.5.crt;
        ssl_certificate_key  D:/LIMS/pis-win64/ssl/192.168.168.5.key;
        ssl_session_cache    shared:SSL:1m;
        ssl_session_timeout  5m;
        ssl_ciphers  HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers  on;
}