Installing nginx on CentOS 7, configuring an SSL certificate and resolving second-level domains

Install nginx via yum

Install the nginx.org repository rpm

rpm -ivh http://nginx.org/packages/centos/7/noarch/RPMS/nginx-release-centos-7-0.el7.ngx.noarch.rpm

Install nginx

yum install -y nginx

Check the nginx version

nginx -v


Start nginx

service nginx start

Verify that nginx was installed successfully

Open http://localhost in a browser; if the following page appears, the installation succeeded:
[Figure 1: screenshot of the resulting page]

Configure an SSL certificate and enable HTTPS

At first I applied for a free SSL certificate from Aliyun, but it only supports a single domain name, not wildcards, and it is valid for just one year, after which it has to be requested again and nginx reconfigured. If a main domain has several second-level domains, getting free certificates from Aliyun means applying once for each, which is very tedious. What is needed now is a certificate that supports wildcards and can be renewed automatically, which is done with the open-source project acme.sh.

Install the SSL certificate with acme.sh

See the acme.sh wiki

Install acme.sh

Change to the home directory

cd ~

Download and install acme.sh

curl https://get.acme.sh | sh

Manual DNS mode: manually add an Aliyun TXT record on the domain to prove ownership of the domain. With the dns_ali hook below, acme.sh adds and removes that TXT record itself through the Aliyun API, using the key and secret exported here; acme.sh saves these values in ~/.acme.sh/account.conf for later renewals, so use a RAM user key limited to DNS permissions rather than the root account key.

See the dnsapi documentation

# Aliyun AccessKey ID and Secret (placeholder values)
export Ali_Key="阿里云key"
export Ali_Secret="阿里云Secret"
# quote the wildcard so the shell does not glob-expand it
acme.sh --issue --dns dns_ali -d example.com -d '*.example.com'

Copy/install the certificate

My nginx configuration directory is /etc/nginx, and the SSL certificates are stored in /etc/nginx/cert/example.com:

# the target directory must exist before acme.sh copies the files into it
mkdir -p /etc/nginx/cert/example.com
# paths match the cert directory above and the ssl.conf that nginx includes below
# (the original pointed at /etc/nginx/ssl/, which the nginx configuration never reads)
acme.sh --install-cert -d example.com -d '*.example.com' \
        --key-file       /etc/nginx/cert/example.com/example.com.key \
        --fullchain-file /etc/nginx/cert/example.com/fullchain.cer \
        --reloadcmd      "service nginx force-reload"

Configure nginx to enable HTTPS

My nginx configuration file is /etc/nginx/conf.d/default.conf

# apex domain: send matching requests to the www host, refuse everything else
server {
    listen       80;
    listen       443 ssl;
    server_name  example.com;

    include /etc/nginx/common/example.com.ssl.conf;

    if ($host = $server_name) {
        # $request_uri carries the original path and query; the original used $1,
        # which is empty here because there is no regex capture
        return 301 https://www.example.com$request_uri;
    }
    return 403;
}

# www host: static files, plain-http requests redirected to https
server {
    listen       80;
    listen       443 ssl;
    server_name  www.example.com;

    include /etc/nginx/common/example.com.ssl.conf;

    index index.htm index.html;
    root /usr/share/nginx/html;

    if ($scheme != 'https') {
        return 301 https://$server_name$request_uri;
    }
}

# api subdomain: reverse proxy to the local backend on 8080
server {
    listen       80;
    listen       443 ssl;
    server_name  api.example.com;

    include /etc/nginx/common/example.com.ssl.conf;

    location / {
        proxy_pass http://127.0.0.1:8080;
    }

    if ($scheme != 'https') {
        return 301 https://$server_name$request_uri;
    }
}

# second subdomain: reverse proxy to the local backend on 8088
server {
    listen       80;
    listen       443 ssl;
    # placeholder name: the original repeated api.example.com here, which nginx
    # reports as a conflicting server name and ignores, so this block never served
    server_name  other.example.com;

    include /etc/nginx/common/example.com.ssl.conf;

    location / {
        proxy_pass http://localhost:8088;
    }

    if ($scheme != 'https') {
        return 301 https://$server_name$request_uri;
    }
}

The /etc/nginx/common/example.com.ssl.conf included above holds the shared SSL settings:

# relative paths resolve against the nginx prefix (/etc/nginx for the nginx.org package),
# so these are exactly the files written by acme.sh --install-cert above
ssl_certificate      cert/example.com/fullchain.cer;
ssl_certificate_key  cert/example.com/example.com.key;
ssl_session_timeout  5m;
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
# TLSv1 and TLSv1.1 are deprecated (RFC 8996); drop them unless legacy clients need them
# (TLSv1.3 additionally needs OpenSSL 1.1.1, newer than the CentOS 7 system OpenSSL)
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
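Added example, not part of the original post: a small shell script that checks the files written by acme.sh --install-cert against what example.com.ssl.conf expects (the certificate covers example.com and *.example.com, the key belongs to it, it is not close to expiry) before trusting the reloadcmd. It assumes openssl on PATH (1.1.1 or newer for the self-signed sample) and the paths used in the post; the function names and the sample certificate are my own.

```shell
#!/bin/sh
# Added example, not from the original post: post-install checks for the files that
# "acme.sh --install-cert" wrote, matching what example.com.ssl.conf expects.
# Assumes openssl on PATH (1.1.1+ for the self-signed sample) and the post's paths.

# Is <name> listed verbatim in the certificate's subjectAltName?  usage: san_covers <cert> <name>
san_covers() {
  openssl x509 -in "$1" -noout -text 2>/dev/null \
    | grep -A1 'Subject Alternative Name' | tail -n 1 \
    | tr ',' '\n' | sed 's/^ *DNS://' | grep -qxF -- "$2"
}

# Does the private key belong to the certificate? (compares SHA-256 of both public keys)
key_matches_cert() {
  c=$(openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256)
  k=$(openssl pkey -in "$2" -pubout -outform DER | openssl dgst -sha256)
  [ -n "$c" ] && [ "$c" = "$k" ]
}

# Will the certificate still be valid <days> days from now?  usage: valid_for_days <cert> <days>
valid_for_days() {
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# Check a cert directory laid out like /etc/nginx/cert/example.com.  usage: check_deploy <dir> <apex>
check_deploy() {
  dir=$1; apex=$2; cert="$dir/fullchain.cer"; key="$dir/$apex.key"
  [ -r "$cert" ] && [ -r "$key" ]    || { echo "missing cert or key in $dir"; return 1; }
  san_covers "$cert" "$apex"          || { echo "cert does not cover $apex"; return 1; }
  san_covers "$cert" "*.$apex"        || { echo "cert does not cover *.$apex"; return 1; }
  key_matches_cert "$cert" "$key"     || { echo "key does not match cert"; return 1; }
  # acme.sh renews at about 60 days; under 30 left means the cron job or reloadcmd is not working
  valid_for_days "$cert" 30           || { echo "cert expires in under 30 days"; return 1; }
  echo "ok: $dir"
}

# Constructed sample data: a self-signed 90-day wildcard cert with the post's file names.
make_sample_cert() {
  openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes -days 90 \
    -subj "/CN=example.com" -addext "subjectAltName=DNS:example.com,DNS:*.example.com" \
    -keyout "$1/example.com.key" -out "$1/fullchain.cer" >/dev/null 2>&1
}

# Against the real deployment:  sh check.sh /etc/nginx/cert/example.com example.com
if [ -n "${1:-}" ]; then
  check_deploy "$1" "${2:-example.com}" && nginx -t
fi
```

Run it from the acme.sh cron host after each renewal; a failing san_covers usually means the --issue command lost the wildcard (unquoted `*.example.com`), and a failing key_matches_cert means the two --install-cert paths point at different runs.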
