
SSL Encryption

程序员文章站 (Programmer Article Station) 2024-03-26 13:28:41

Create the directory

[aaa@qq.com ~]# mkdir /etc/ssl/private 

Restrict the directory's permissions (700: only the owner can access it)

[aaa@qq.com ~]# chmod 700 /etc/ssl/private 

Generate the private key and the self-signed certificate and write them to files

[aaa@qq.com ~]# openssl req -x509 -nodes -days 2 -newkey rsa:2048 -keyout /etc/ssl/private/nginx-selfsigned.key -out  /etc/ssl/certs/nginx-selfsigned.crt 
Generating a 2048 bit RSA private key
...................+++
...............................+++ # in progress...
writing new private key to '/etc/ssl/private/nginx-selfsigned.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN  # enter the country
State or Province Name (full name) []:DaPo # enter the province
Locality Name (eg, city) [Default City]:DAPO # enter the city
Organization Name (eg, company) [Default Company Ltd]:DAPOAJR # enter the company name
Organizational Unit Name (eg, section) []:asd # enter the department
Common Name (eg, your name or your server's hostname) []:2.1.1.121   <<<<---------- server IP
Email Address []:aaa@qq.com # email

Generate Diffie-Hellman parameters for the server's DHE key exchange

[aaa@qq.com ~]# openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048 
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
..........................+.....................+.............................+.....................# in progress, output omitted..

Edit the nginx configuration file

[aaa@qq.com ~]# vim /usr/local/nginx/conf/nginx.conf 
user  daemon;
worker_processes  2;
error_log  logs/error.log  info;
pid        logs/nginx.pid;
events {
    worker_connections  1024;
}
http {
    include       mime.types;
    default_type  application/octet-stream;
    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';
    access_log  logs/access.log  main;
    sendfile        on;
    keepalive_timeout  65;
    gzip  on;
    server {
        listen 443 http2 ssl;  # add port 443
        #listen       80;  # port 80 disabled
        server_name  localhost;
        listen [::]:443 http2 ssl; # added


        ssl_certificate /etc/ssl/certs/nginx-selfsigned.crt;
        ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key;
        ssl_dhparam /etc/ssl/certs/dhparam.pem;
        location / {
            root   /data/abc;
            index  index.php index.html index.htm;


        }
        error_page  404              /404.html;
        error_page   500 502 503 504  /50x.html;
        location = /50x.html {
            root   html;
        }
        location ~ \.php$ {
            root           /data/abc;
            fastcgi_pass   127.0.0.1:9000;
            fastcgi_index  index.php;
            fastcgi_param  SCRIPT_FILENAME $document_root$fastcgi_script_name;
            include        fastcgi_params;
        }
    }
}

:wq to save

Check the syntax

[aaa@qq.com ~]# nginx  -t 
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful

Firewall rules

[aaa@qq.com ~]# firewall-cmd --permanent --add-port=443/tcp # allow port 443
success   
[aaa@qq.com ~]# firewall-cmd --reload  # reload the firewall rules
success

Reload nginx

[aaa@qq.com ~]# nginx  -s reload 

Start php74

[aaa@qq.com ~]# systemctl start php74-php-fpm.service 

Check whether php74 started successfully

[aaa@qq.com ~]# systemctl status php74-php-fpm.service 
● php74-php-fpm.service - The PHP FastCGI Process Manager
   Loaded: loaded (/usr/lib/systemd/system/php74-php-fpm.service; disabled; vendor preset: disabled)
   Active: active (running) since 日 2020-06-07 14:34:58 CST; 25s ago
Main PID: 17976 (php-fpm)
   Status: "Processes active: 0, idle: 5, Requests: 0, slow: 0, Traffic: 0req/sec"
   CGroup: /system.slice/php74-php-fpm.service
           ├─17976 php-fpm: master process (/etc/opt/remi/php74/php-fpm.conf)
           ├─17977 php-fpm: pool www
           ├─17978 php-fpm: pool www
           ├─17979 php-fpm: pool www
           ├─17980 php-fpm: pool www
           └─17981 php-fpm: pool www

6月 07 14:34:57 abcabc systemd[1]: Starting The PHP FastCGI Process Manager...
6月 07 14:34:58 abcabc systemd[1]: Started The PHP FastCGI Process Manager.

Open https://2.1.1.120/ in a browser to check

[Screenshots of the successful result]
If the certificate is valid and the site is reachable, SSL encryption has been set up successfully.
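
`nginx -t` only validates the configuration, so the key material produced by the steps above can be checked separately. The following script is an added example, not part of the original post: the function name `check_tls_pair` and the seven-day default threshold are assumptions, and the file paths are the ones used on this page.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): check the key/certificate pair
# that nginx.conf references. Function name and thresholds are assumptions.

# check_tls_pair CERT KEY [MIN_SECONDS_LEFT]
# Prints one line per finding. Returns 0 if all checks pass, 1 if any check
# fails, 2 if a file cannot be read or parsed.
check_tls_pair() {
    local cert="$1" key="$2" min_left="${3:-604800}"   # default: 7 days
    local rc=0 mode cert_pub key_pub

    # 1. The private key must not be readable by group or others.
    mode=$(stat -c '%a' "$key") || return 2
    case "$mode" in
        600|400) echo "OK   key mode is $mode" ;;
        *)       echo "FAIL key mode is $mode, expected 600 or 400"; rc=1 ;;
    esac

    # 2. The certificate must contain the public half of this private key;
    #    nginx refuses to load a pair that does not match.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey) || return 2
    key_pub=$(openssl pkey -in "$key" -pubout) || return 2
    if [ "$cert_pub" = "$key_pub" ]; then
        echo "OK   certificate matches the private key"
    else
        echo "FAIL certificate does not match the private key"; rc=1
    fi

    # 3. The certificate must remain valid for at least MIN_SECONDS_LEFT.
    if openssl x509 -in "$cert" -noout -checkend "$min_left" >/dev/null; then
        echo "OK   certificate is valid for at least ${min_left}s more"
    else
        echo "FAIL certificate expires within ${min_left}s"; rc=1
    fi

    # Show what the certificate claims, for comparison with the URL in use.
    openssl x509 -in "$cert" -noout -subject -enddate
    return "$rc"
}

# Run against the paths from this page when called with "page" as argument.
if [ "${1:-}" = "page" ]; then
    check_tls_pair /etc/ssl/certs/nginx-selfsigned.crt \
                   /etc/ssl/private/nginx-selfsigned.key
fi
```

A certificate issued with `-days 2`, as in the command above, fails the default seven-day threshold; pass a smaller third argument or reissue the certificate with a longer `-days` value.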