Using HTTPS with nginx

1. Install openssl

apt update
apt install openssl

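2. Generate the certificates

1. CA certificate
  • Create the private key
# 2048-bit key; OpenSSL at security level 2 rejects 1024-bit RSA as "key too small"
openssl genrsa -out ca-key.pem 2048
  • Create the certificate signing request (CSR)
openssl req -new -key ca-key.pem -out ca-req.csr -subj "/C=CN/ST=BJ/L=BJ/O=fish/OU=fish/CN=CA"
  • Generate the certificate
# The CA certificate is self-signed, so -signkey with the CA's own key is correct here
openssl x509 -req -in ca-req.csr -out ca-cert.pem -signkey ca-key.pem -days 3650
2. Server certificate
  • Create the server private key
openssl genrsa -out server-key.pem 2048
  • Create the server CSR
openssl req -new -out server-req.csr -key server-key.pem -subj "/C=CN/ST=BJ/L=BJ/O=fish/OU=fish/CN=*.fish-test.com"
  • Generate the server certificate
# Signed with the CA key (-CA/-CAkey), not self-signed with -signkey
openssl x509 -req -in server-req.csr -out server-cert.pem -CA ca-cert.pem -CAkey ca-key.pem -CAcreateserial -days 3650
3. Client certificate
  • Create the client private key
openssl genrsa -out client-key.pem 2048
  • Create the client CSR
openssl req -new -out client-req.csr -key client-key.pem -subj "/C=CN/ST=BJ/L=BJ/O=fish/OU=fish/CN=dong"
  • Generate the client certificate
# Signed with the CA key (-CA/-CAkey), not self-signed with -signkey
openssl x509 -req -in client-req.csr -out client-cert.pem -CA ca-cert.pem -CAkey ca-key.pem -CAcreateserial -days 3650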
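
Before nginx is pointed at the files from step 2, it is worth checking that the server certificate really chains to the CA, that the key belongs to the certificate, and that the key is long enough. The script below is an added example, not part of the original post; the function name check_cert, the script name check-cert.sh and the 2048-bit default minimum are assumptions.

```shell
#!/bin/sh
# Added example: pre-deployment checks for the certificate files of step 2.
# Usage: sh check-cert.sh ca-cert.pem server-cert.pem server-key.pem
# (check-cert.sh is a hypothetical file name.)

# check_cert CA_CERT CERT KEY [MIN_BITS]
# Prints one line per failed check; the exit status is the number of failures.
# The body runs in a subshell, so its variables stay local.
check_cert() (
    ca=$1 cert=$2 key=$3 min_bits=${4:-2048} fails=0

    # 1. The certificate must chain to the CA. A certificate that was
    #    self-signed by mistake fails here.
    if ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
        echo "FAIL: $cert does not verify against $ca"
        fails=$((fails + 1))
    fi

    # 2. The private key must match the public key in the certificate,
    #    otherwise nginx refuses to load the pair.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || true
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || true
    if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "FAIL: $key does not match $cert"
        fails=$((fails + 1))
    fi

    # 3. The RSA key in the certificate must be at least MIN_BITS long.
    bits=$(openssl x509 -in "$cert" -noout -text 2>/dev/null |
        sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p')
    if [ "${bits:-0}" -lt "$min_bits" ]; then
        echo "FAIL: $cert has a ${bits:-unknown}-bit key, want >= $min_bits"
        fails=$((fails + 1))
    fi

    exit "$fails"
)

# Run the checks only when file names are given on the command line.
if [ "$#" -ge 3 ]; then
    check_cert "$@"
fi
```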

3. Use HTTPS in nginx

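I use the two server-side files here, the certificate server-cert.pem and the key server-key.pem,
placed in the folder /opt/nginx/ssl.
Searching globally for 443 locates the file /etc/nginx/sites-available/default.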

Edit the file

# The following two lines are commented out by default; uncomment them
listen 443 ssl default_server;
listen [::]:443 ssl default_server;
# Add the following two lines; you need to generate the certificate files yourself
ssl_certificate /opt/nginx/ssl/server-cert.pem;
ssl_certificate_key /opt/nginx/ssl/server-key.pem;

nginx now supports HTTPS; enable it in whichever server block needs it.

The original HTTP configuration is as follows

server{
    listen 20006 ;
    server_name _;
    location / {
        root /opt/item/dist;
        index index.html;
        error_page 404 /index.html; 
    }
}

Changed to HTTPS, the configuration is as follows

server{
    listen 20006 ;
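    # TLS is enabled by the ssl parameter of listen, so port 20006 stays plain HTTP;
    # the obsolete "ssl on;" directive would switch every listen port in this server to TLS.
    listen 443 ssl;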
    ssl_certificate /opt/nginx/ssl/server-cert.pem;
    ssl_certificate_key /opt/nginx/ssl/server-key.pem;
    server_name _;
    location / {
        root /opt/item/dist;
        index index.html;
        error_page 404 /index.html; 
    }
}
