nginx使用https

1. 安装openssl

apt update
apt install openssl

2. 生成证书

1. CA证书

• 创建私钥

openssl genrsa -out ca-key.pem 1024

• 创建csr证书请求

openssl req -new -key ca-key.pem -out ca-req.csr -subj "/C=CN/ST=BJ/L=BJ/O=fish/OU=fish/CN=CA"

• 生成crt证书

openssl x509 -req -in ca-req.csr -out ca-cert.pem -signkey ca-key.pem -days 3650

2. 服务器端证书

• 创建服务器端私钥

openssl genrsa -out server-key.pem 1024

• 创建服务器端csr证书

openssl req -new -out server-req.csr -key server-key.pem -subj "/C=CN/ST=BJ/L=BJ/O=fish/OU=fish/CN=*.fish-test.com"

• 生成服务器端crt证书

openssl x509 -req -in server-req.csr -out server-cert.pem -signkey server-key.pem -CA ca-cert.pem -CAkey ca-key.pem -CAcreateserial -days 3650

3. 客户端证书

• 创建客户端私钥

openssl genrsa -out client-key.pem 1024

• 创建客户端csr证书

openssl req -new -out client-req.csr -key client-key.pem -subj "/C=CN/ST=BJ/L=BJ/O=fish/OU=fish/CN=dong"

• 生成客户端crt证书

openssl x509 -req -in client-req.csr -out client-cert.pem -signkey client-key.pem -CA ca-cert.pem -CAkey ca-key.pem -CAcreateserial -days 3650

3. nginx使用https

我这里使用到两个服务端证书server-cert.pem和server-key.pem
放在文件夹/opt/nginx/ssl下
全局搜索443，定位到文件/etc/nginx/sites-available/default

修改文件

# 以下两行默认被注释了，取消注释
listen 443 ssl default_server;
listen [::]:443 ssl default_server;
# 新增以下两行，证书文件需要自己生成
ssl_certificate /opt/nginx/ssl/server-cert.pem;
ssl_certificate_key /opt/nginx/ssl/server-key.pem;

这样子nginx就支持https服务了，在需要的server调用即可

原来的http，配置文件如下

server{
    listen 20006 ;
    server_name _;
    location / {
        root /opt/item/dist;
        index index.html;
        error_page 404 /index.html; 
    }
}

修改为https，配置文件如下

server{
    listen 20006 ;
    listen 443 ssl;
    ssl on;
    ssl_certificate /opt/nginx/ssl/server-cert.pem;
    ssl_certificate_key /opt/nginx/ssl/server-key.pem;
    server_name _;
    location / {
        root /opt/item/dist;
        index index.html;
        error_page 404 /index.html; 
    }
}