Using HTTPS with nginx
程序员文章站
2022-07-13 21:20:47
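Installing the nginx SSL module
A default source build of nginx does not include the SSL module. The module is compiled into nginx only when the corresponding option is passed to configure.
Default build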
[[email protected] nginx-1.19.4]# ./configure
Configuration summary
+ using system PCRE library
+ OpenSSL library is not used
+ using system zlib library
Build with the SSL module
[[email protected] nginx-1.19.4]# ./configure --with-http_ssl_module
Configuration summary
+ using system PCRE library
+ using system OpenSSL library
+ using system zlib library
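The summary now contains the additional line "using system OpenSSL library".
Note
If configure reports that OpenSSL was not found, install it with yum, or download it from the official site and install it.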
yum install openssl openssl-devel
Rebuild nginx with the SSL module
[[email protected] nginx-1.19.4]# make
[[email protected] nginx-1.19.4]# make install
If nginx is already installed, make install does not need to be run.
Check the installation
[[email protected] sbin]# ./nginx -V
nginx version: nginx/1.19.4
built by gcc 9.3.1 20200408 (Red Hat 9.3.1-2) (GCC)
built with OpenSSL 1.0.2k-fips 26 Jan 2017
TLS SNI support enabled
configure arguments: --with-http_ssl_module
nginx HTTPS configuration
Prepare the HTTPS certificate
[[email protected] keystore]# ll
total 32
-rw-r--r-- 1 root root 582 Jan 4 16:35 client1.cer
-rw-r--r-- 1 root root 1244 Dec 31 14:12 client.crt
-rw-r--r-- 1 root root 1781 Dec 31 14:01 client.key
-rw-r--r-- 1 root root 1694 Jan 4 16:34 client.p12
-rw-r--r-- 1 root root 2067 Jan 4 16:36 resin.keystore
-rw-r--r-- 1 root root 686 Jan 4 16:36 server.cer
-rw-r--r-- 1 root root 1266 Dec 31 14:00 server.crt
-rw-r--r-- 1 root root 1706 Dec 31 13:59 server.key
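Upload the corresponding server certificate and private key to the server.
nginx configuration
server {
    # Port the server listens on
    listen 443 ssl;
    # IP address or domain name; separate multiple names with spaces.
    server_name 120.92.151.50;
    #ssl on;
    ssl_certificate /usr/local/nginx/conf/keystore/client.crt; # SSL certificate
    ssl_certificate_key /usr/local/nginx/conf/keystore/client.key; # SSL private key
}
Change the port to 443; note that the ssl parameter must follow it.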
[[email protected] sbin]# ./nginx
nginx: [warn] the "ssl" directive is deprecated, use the "listen ... ssl" directive instead in /usr/local/nginx/conf/nginx.conf:32
Enter PEM pass phrase:
The ssl on directive is deprecated and no longer used.
After the configuration is complete, restart nginx
[[email protected] sbin]# ./nginx -s reload
Enter PEM pass phrase:
[[email protected] sbin]#
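The restart prompts for the password that protects the key (the PEM pass phrase shown above).
Common configurations
Simple configuration
server {
    listen 443 ssl;
    server_name www.example.com;
    ssl_certificate www.example.com.crt;
    ssl_certificate_key www.example.com.key;
    # TLSv1 and TLSv1.1 are deprecated (RFC 8996); keep them only if legacy clients require them.
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ...
}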
Configuration with additional parameters
worker_processes auto;
http {
    # Session cache shared between worker processes, with a 10-minute session lifetime
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
    server {
        listen 443 ssl;
        server_name www.example.com;
        keepalive_timeout 70;
        ssl_certificate www.example.com.crt;
        ssl_certificate_key www.example.com.key;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers HIGH:!aNULL:!MD5;
        ...
    }
}
Serving HTTP and HTTPS together
server {
    listen 80;
    listen 443 ssl;
    server_name www.example.com;
    ssl_certificate www.example.com.crt;
    ssl_certificate_key www.example.com.key;
    ...
}
Binding multiple domain names
server {
    listen 443 ssl;
    server_name www.example.com;
    ssl_certificate www.example.com.crt;
    ...
}
server {
    listen 443 ssl;
    server_name www.example.org;
    ssl_certificate www.example.org.crt;
    ...
}
Multiple domain names sharing one certificate
ssl_certificate common.crt;
ssl_certificate_key common.key;
server {
    listen 443 ssl;
    server_name www.example.com;
    ...
}
server {
    listen 443 ssl;
    server_name www.example.org;
    ...
}
See the official nginx site for the detailed configuration.
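A small linter for the points raised above: the deprecated ssl on directive, the ssl parameter on listen 443, and the ssl_protocols list, including values inherited from the http level. This is an added example, not part of the original article or of nginx; the function names and sample config are constructed here, and flagging TLSv1/TLSv1.1 follows RFC 8996 rather than the article.

```python
import re

DEPRECATED = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}  # TLS 1.0/1.1: see RFC 8996
SAMPLE = """# Constructed sample: ssl_protocols is set once at the http level.
http {
  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
  server { listen 443 ssl; server_name a.example.com; }
  server { listen 443;     server_name b.example.com; ssl_protocols TLSv1.2; }
  server { listen 443; ssl on; server_name c.example.com; }
}"""

def parse(tokens):
    """Read directives up to the closing '}' as (words, children-or-None) pairs."""
    out, words = [], []
    for tok in tokens:
        if tok == "}":
            break
        words.append(tok)
        if tok in (";", "{"):
            out.append((words[:-1], parse(tokens) if tok == "{" else None))
            words = []
    return out

def check(scope):
    """Findings for one server block, given its effective (inherited + own) directives."""
    name = scope.get("server_name", [["(unnamed)"]])[0][0]
    ssl_on = ["on"] in scope.get("ssl", [])
    found = [(name, "deprecated 'ssl on'; use 'listen ... ssl'")] if ssl_on else []
    for args in scope.get("listen", []):
        if args[0].split(":")[-1] == "443" and "ssl" not in args and not ssl_on:
            found.append((name, "port 443 without 'ssl' speaks plain HTTP"))
    weak = sorted(DEPRECATED & {p for args in scope.get("ssl_protocols", []) for p in args})
    return found + ([(name, "deprecated protocols: " + " ".join(weak))] if weak else [])

def walk(directives, inherited, is_server=False):
    """Run check() on each server block; a block's own directives override inherited ones."""
    local = {}
    for words, children in directives:
        if children is None and words:
            local.setdefault(words[0], []).append(words[1:])
    scope = {**inherited, **local}
    found = check(scope) if is_server else []
    for words, children in directives:
        if children is not None and words:
            found += walk(children, scope, words[0] == "server")
    return found

def lint(conf):  # tokenize the config text (comments stripped), then walk the block tree
    tokens = re.findall(r"[{};]|[^\s{};]+", re.sub(r"#[^\n]*", "", conf))
    return sorted(walk(parse(iter(tokens)), {}))
```

Calling lint(SAMPLE) returns one (server_name, finding) pair per problem; only protocols listed explicitly in ssl_protocols are checked, not the defaults of the nginx version in use.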