nginx自签名证书配置https

nginx自签名证书配置https

添加nginx官方yum源

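# Register the official nginx yum repositories: stable (enabled) and
# mainline (disabled until switched on explicitly).
# The heredoc delimiter is quoted so that $releasever and $basearch are
# written literally and expanded later by yum, not by this shell.
# baseurl uses https: gpgcheck=1 verifies package signatures, but the
# repository metadata is not signed here (repo_gpgcheck is not set), so
# fetching it over plain http would leave it open to tampering in transit.
cat > /etc/yum.repos.d/nginx.repo << 'EOF'
[nginx-stable]
name=nginx stable repo
baseurl=https://nginx.org/packages/centos/$releasever/$basearch/
gpgcheck=1
enabled=1
gpgkey=https://nginx.org/keys/nginx_signing.key
module_hotfixes=true

[nginx-mainline]
name=nginx mainline repo
baseurl=https://nginx.org/packages/mainline/centos/$releasever/$basearch/
gpgcheck=1
enabled=0
gpgkey=https://nginx.org/keys/nginx_signing.key
module_hotfixes=true
EOF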

yum安装最新版本nginx

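# yum-utils provides yum-config-manager, used here to enable the mainline repo.
yum install -y yum-utils
yum-config-manager --enable nginx-mainline

# The option must be a plain ASCII "-y"; a typographic dash is parsed as a
# package name instead of the assume-yes option and the install fails.
# Note that -y also answers the signing-key import prompt; drop it on the
# first install to review the key fingerprint before accepting it.
yum install -y nginx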

创建证书保存目录

# Directory that will hold the certificate, its private key and the DH
# parameters. mkdir -p applies the current umask (typically giving 0755), so
# the directory itself does not restrict access: protection of the private
# key depends on the mode of the key file.
mkdir -p /etc/ssl/nginx/

创建证书配置文件

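# OpenSSL request configuration for the self-signed server certificate.
# The heredoc delimiter is quoted so the text is written verbatim.
# [alt_names] feeds subjectAltName for both the request (req_ext) and the
# self-signed certificate (v3_ca). An IP address must be listed as an IP
# entry: clients match IP literals against iPAddress SAN entries only, so
# 127.0.0.1 written as a DNS name would never match.
cat > /etc/ssl/nginx/nginx.mydemo.com.conf << 'EOF'
[req]
default_bits       = 2048
default_keyfile    = nginx.mydemo.com.key
distinguished_name = req_distinguished_name
req_extensions     = req_ext
x509_extensions    = v3_ca

[req_distinguished_name]
countryName                 = Country Name (2 letter code)
countryName_default         = CN
stateOrProvinceName         = State or Province Name (full name)
stateOrProvinceName_default = guangdong
localityName                = Locality Name (eg, city)
localityName_default        = shenzhen
organizationName            = Organization Name (eg, company)
organizationName_default    = IT
organizationalUnitName      = organizationalunit
organizationalUnitName_default = Development
commonName                  = Common Name (e.g. server FQDN or YOUR name)
commonName_default          = nginx.mydemo.com
commonName_max              = 64

[req_ext]
subjectAltName = @alt_names

[v3_ca]
subjectAltName = @alt_names

[alt_names]
DNS.1   = nginx.mydemo.com
IP.1    = 127.0.0.1
EOF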

使用OpenSSL创建证书

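# Generate a 2048-bit RSA key and a self-signed certificate valid for 365 days.
# -nodes leaves the private key unencrypted on disk, so the file mode is its
# only protection. The listing on this page shows the key as -rw-r--r--
# (world-readable); running openssl under umask 077 creates the key and
# certificate owner-only (0600) instead. The subshell keeps the umask change
# from leaking into the rest of the session. An nginx master process started
# as root can still read both files.
cd /etc/ssl/nginx &&
  (
    umask 077
    openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
      -keyout nginx.mydemo.com.key \
      -out nginx.mydemo.com.crt \
      -config nginx.mydemo.com.conf
  )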

查看生成的证书

[root@localhost nginx]# ll /etc/ssl/nginx/
total 16
-rw-r--r-- 1 root root  424 Jul 29 22:35 dhparam.pem
-rw-r--r-- 1 root root  970 Jul 29 23:12 nginx.mydemo.com.conf
-rw-r--r-- 1 root root 1298 Jul 29 23:13 nginx.mydemo.com.crt
-rw-r--r-- 1 root root 1704 Jul 29 23:13 nginx.mydemo.com.key

生成dhparam.pem

# Generate 2048-bit Diffie-Hellman parameters for the ssl_dhparam directive.
# These are only used by finite-field DHE cipher suites; the file holds
# public parameters, not a secret key.
openssl dhparam -out /etc/ssl/nginx/dhparam.pem 2048

修改nginx配置文件

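# Write the nginx site configuration: port 80 redirects to https, port 443
# serves the site with the self-signed certificate.
# The heredoc delimiter is quoted. With an unquoted delimiter the shell
# expands $server_name and $request_uri (both unset) to empty strings and the
# file ends up containing "return 301 https://;", which breaks the redirect.
# ssl_protocols is limited to TLSv1.2 and TLSv1.3: TLS 1.0 and 1.1 are
# deprecated (RFC 8996) and should not be offered by a new deployment.
cat > /etc/nginx/conf.d/default.conf << 'EOF'
server {
    listen       80;
    server_name nginx.mydemo.com;
    return 301 https://$server_name$request_uri;

    location / {
        root   /usr/share/nginx/html;
        index  index.html index.htm;
    }

    error_page  404              /404.html;

    # redirect server error pages to the static page /50x.html
    error_page   500 502 503 504  /50x.html;
    location = /50x.html {
        root   /usr/share/nginx/html;
    }

}

server {
    listen              443 ssl http2;
    server_name         nginx.mydemo.com;
    keepalive_timeout   70;
    index               index.php index.html index.htm;
    root                /usr/share/nginx/html/;

    ssl_certificate     /etc/ssl/nginx/nginx.mydemo.com.crt;
    ssl_certificate_key /etc/ssl/nginx/nginx.mydemo.com.key;
    ssl_protocols       TLSv1.2 TLSv1.3;
    ssl_ciphers         HIGH:!aNULL:!MD5;
    ssl_dhparam         /etc/ssl/nginx/dhparam.pem;
}
EOF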

重启nginx服务

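# Validate the configuration first and restart only if the test passes, so a
# syntax error or an unreadable certificate/key does not take the running
# server down.
nginx -t && systemctl restart nginx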

本地配置hosts解析

C:\Windows\System32\drivers\etc

#添加以下行
192.168.93.63 nginx.mydemo.com

将nginx.mydemo.com.crt证书导入chrome:地址栏输入以下内容,选择"管理证书",在"受信任的根证书颁发机构"中导入:

chrome://settings/security

配置chrome信任本地证书,地址栏输入以下内容(该开关只对 localhost 上的连接生效,通过 nginx.mydemo.com 访问时起作用的是上一步导入的证书):

chrome://flags/#allow-insecure-localhost

浏览器访问验证:
nginx自签名证书配置https_第1张图片
