一、安装nginx
nginx必须有"--with-http_ssl_module"模块
查看nginx安装的模块:
root@ecs-7398:/usr/local/nginx# cd /usr/local/nginx/
root@ecs-7398:/usr/local/nginx# ./sbin/nginx -V
nginx version: nginx/1.20.2
built by gcc 9.4.0 (Ubuntu 9.4.0-1ubuntu1~20.04.2)
built with OpenSSL 1.1.1f 31 Mar 2020
TLS SNI support enabled
configure arguments: --prefix=/usr/local/nginx --with-pcre --with-http_ssl_module --with-http_gzip_static_module --with-http_v2_module --with-http_realip_module --with-http_sub_module --with-http_dav_module --with-http_flv_module
二、创建证书
1、生成私钥
root@ecs-7398:~# cd /usr/local/nginx/
root@ecs-7398:/usr/local/nginx# mkdir key
root@ecs-7398:/usr/local/nginx# cd key/
root@ecs-7398:/usr/local/nginx/key# openssl genrsa -des3 -out server.key 2048 #使用ssl生成私钥名为 server.key
Generating RSA private key, 2048 bit long modulus (2 primes)
................+++++
......+++++
e is 65537 (0x010001)
Enter pass phrase for server.key: #自定义密码:123456
Verifying - Enter pass phrase for server.key: #确认密码:123456
root@ecs-7398:/usr/local/nginx# ls
client_body_temp conf fastcgi_temp html logs proxy_temp sbin scgi_temp server.key uwsgi_temp
root@ecs-7398:/usr/local/nginx/key# cat server.key #查看私钥内容
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,4103533ED9B6ECD1
MAhsh46L3TsiCymB5pTA93lw/WZKzX/9iuzgM/OgG7U0cKHWdiLf907/52Ocp80e
bY/FKTADBcrEv2uFuke28WjdN2aQddiJGsP0CDLVKfv/kqEgvYuy2sIcoXcHV8fL
70vfaFuTa5CwxyIbRvfHFSpj39oC76eitx120x+KCkgWDkIaVGG9cP0TfmDnDOSe
fmpmZhqkkkP5dXuuPNItfumHHhZpjXqMr9oGxtENdMyNBrRywC8+NhRhO7iomZeP
tHiQpjQCrD8xkKcYqfKVCOS8KCXeKF1EylbJ89e2ZqgaujuKyC90raHpwga9MUSO
HNOT/U85zwsmqkh4/2Ox7AVLlNiG0+Rxt+IfWJb6xgT21SEfL/2vskNAkj2PN3J+
mpeSvpaKI1BsZ8LrpsqFNR0fDhIg+a5hzfSTlWouZcpePx7vB5qvKAvoSKrGmbDO
GQp4H24cSPAaQI6Wih+AxB8stfTCsBatJ5RwXgYNskumHL8KzpC9/Yj7QrLx3m3I
TBDlpOVU6tUYzMDVYDMGtTUhoPIdfVjaRz8BGWUFp0MM3Sx+rppPul1voSuVve5T
8uba4fqv+KIEQdR/PELB4N+ZgZiFP5HtoZN7mFWN6H/Ygm3GEgNeljiqypYQpZOd
dUIC/vhRsCuylww7Rh8LUtgnVAkJbyuqjA38wypATLKQFI1rwFzI9gCWwyz0SCNQ
tffBpZebLkG+H7GGfrTo+50TLDVetyQctbj2ibytpVKK4xE7oaMSZYqbfqg6OYCp
k2LhlWkKsDf7XhLbo5kP2UUfB7LSzx3JdRmA0Fw3GqEevFJysyJO2w==
-----END RSA PRIVATE KEY-----
root@ecs-7398:/usr/local/nginx/key#
2、生成公钥
root@ecs-7398:/usr/local/nginx/key# openssl req -new -key server.key -out server.csr #基于创建的server.key私钥创建server.csr公钥
Enter pass phrase for server.key: #输入server.key的密码:123456
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN #国家
State or Province Name (full name) [Some-State]:shanghai #省市
Locality Name (eg, city) []:jiading #城市
Organization Name (eg, company) [Internet Widgits Pty Ltd]:bai #组织
Organizational Unit Name (eg, section) []:zr #单位
Common Name (e.g. server FQDN or YOUR name) []:byc #姓名
Email Address []:2123288207@qq.com #邮箱
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456 #密码
An optional company name []:zr #公司
root@ecs-7398:/usr/local/nginx/key#
3、签名生成证书
root@ecs-7398:/usr/local/nginx/key# openssl rsa -in server.key -out server.key #去除server.key认证,避免每次"nginx -t"时出现输入密码的情况
Enter pass phrase for server.key: #密码:123456
writing RSA key
root@ecs-7398:/usr/local/nginx/key#
root@ecs-7398:/usr/local/nginx/key# openssl x509 -req -days 3650 -in server.csr -signkey server.key -out server.crt
#使用私钥和公钥生成server.crt签名证书,-days为3650天 -in指定公钥,-signkey指定私钥,生成的前面证书为server.crt
Signature ok
subject=C = CN, ST = shanghai, L = jiading, O = bai, OU = zr, CN = byc, emailAddress = 2123288207@qq.com
Getting Private key
root@ecs-7398:/usr/local/nginx/key#
三、配置证书并验证
root@ecs-7398:/usr/local/nginx/key# cd ..
root@ecs-7398:/usr/local/nginx# systemctl start nginx #启动Nginx
root@ecs-7398:/usr/local/nginx# vim conf/nginx.conf
#编辑nginx主配置文件将后面server的注释去掉
server {
listen 443 ssl;
server_name localhost;
ssl_certificate /usr/local/nginx/key/server.crt; ##证书路径
ssl_certificate_key /usr/local/nginx/key/server.key; ##证书路径
ssl_session_cache shared:SSL:1m;
ssl_session_timeout 5m;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
location / {
root /usr/local/nginx/html/xiaomi;
index index.html index.htm;
}
}
四、测试
root@ecs-7398:/usr/local/nginx# cd
root@ecs-7398:~# ls
nginx-1.20.2 nginx-1.20.2.tar.gz 小米官网.zip
root@ecs-7398:~# unzip 小米官网.zip -d /usr/local/nginx/html/xiaomi
root@ecs-7398:~# ls /usr/local/nginx/html/xiaomi/
css iconfont images index.html
在浏览器访问https//xxx.xxx.xxx.xxx:443