Nginx支持ssl如何配置

安装nginx

如用源码安装,需要先准备编译环境

yum -y install gcc gcc-c++ ncurses-devel unzip patch perl*

1)pcre安装

下载地址http://sourceforge.net/projects/pcre/files/pcre/8.37/pcre-8.37.tar.gz

[root@localhost local]# tar -zxvf pcre-8.37.tar.gz

[root@localhost local]# cd pcre-8.37

[root@localhost pcre-8.37]# ./configure 

[root@localhost pcre-8.37]# make

[root@localhost pcre-8.37]# make install

2)安装zlib包

下载地址http://zlib.net/zlib-1.2.8.tar.gz

[root@localhost pcre-8.37]# cd /usr/local/

[root@localhost local]# tar -zxvf zlib-1.2.8.tar.gz 

[root@localhost local]# cd zlib-1.2.8

[root@localhost zlib-1.2.8]# ./configure

[root@localhost zlib-1.2.8]# make

[root@localhost zlib-1.2.8]# make install

3)安装ssl

下载地址:http://www.openssl.org/source/

[root@localhost pcre-8.37]# cd /usr/local/ 

[root@localhost local]# tar -zxvf openssl-1.0.2c.tar.gz 

4)安装nginx_upstream_check_module模块 (健康监测)

下载地址:https://github.com/yaoweibin/nginx_upstream_check_module/archive/master.zip

[root@localhost local]# unzip nginx_upstream_check_module-master.zip
##5)安装nginx
下载地址http://nginx.org/download/
[root@localhost zlib-1.2.8]# cd /usr/local/

[root@localhost local]# tar -zxvf nginx-1.9.2.tar.gz 

[root@localhost local]# cd nginx-1.9.2

[root@unicorn01 nginx-1.9.2]# patch -p0 < /usr/local/nginx_upstream_check_module-master/check_1.9.2+.patch 

[root@localhost nginx-1.9.2]# ./configure --prefix=/usr/local/nginx --add-module=/usr/local/nginx_upstream_check_module-master --with-pcre=/usr/local/pcre-8.37 --with-zlib=/usr/local/zlib-1.2.8 --with-http_ssl_module --with-openssl=/usr/local/openssl-1.0.2c

[root@localhost nginx-1.9.2]# make [root@localhost nginx-1.9.2]# make install
##6)配置nginx
```shell
root@localhost local]# cd /usr/local/nginx/conf/

[root@localhost conf]# vim nginx.conf

此处根据项目需求配置负载均衡和请求代理转发

例如:

upstream cluster {

            # simple round-robin

            server 192.168.0.1:80;

            server 192.168.0.2:80;

            check interval=5000 rise=1 fall=3 timeout=4000;

            #check interval=3000 rise=2 fall=5 timeout=1000 type=ssl_hello;

            #check interval=3000 rise=2 fall=5 timeout=1000 type=http;       

            #check_http_send "HEAD / HTTP/1.0\r\n\r\n";       

            #check_http_expect_alive http_2xx http_3xx;       

            } upstream group1 {       

            server 10.51.19.63:80;       

            }       

            server {       

            listen       80;       

            #listen 8602;       

            server_name  localhost;       

#proxy_redirect  http://localhost:80/M00 /M00;

#charset koi8-r;

        #access_log  logs/host.access.log  main;

        #location / {

        #    root   html;

        #    index  index.html index.htm;

        #} location / {

                    proxy_pass [http://cluster](http://cluster/);

        }

        location /nstatus {

        check_status;

        access_log off;

        #allow SOME.IP.ADD.RESS;

        #deny all;

        }

        location /group1/M00 {

            proxy_pass http://group1;

             #health_check match=not_redirect;

             proxy_redirect off;

             proxy_set_header Host $host;

             #proxy_cache cache_one;

             proxy_cache_valid 200 1h;

             # proxy_cache_valid 301 1d;

             # proxy_cache_valid any 1m;

             expires 30d;

             }

location / {

proxy_pass [http://10.51.19.66:15672](http://10.51.19.66:15672/);

}

location /message {

proxy_pass [http://10.51.19.66:8080](http://10.51.19.66:8080/);

}

        location /filews{        

                    proxy_pass [http://10.51.19.63:8081](http://10.51.19.63:8081/);        

        }        

        location /infows{

                 proxy_pass [http://10.51.19.63:8082](http://10.51.19.63:8082/);

        }

        location /cms{

                proxy_pass [http://10.51.19.63:8083](http://10.51.19.63:8083/);

        }

        location /cmsfile{

                 proxy_pass [http://10.51.19.63:8083](http://10.51.19.63:8083/);

        }

        location /cgiws{

                    proxy_pass [http://10.51.19.64:8081](http://10.51.19.64:8081/);

        }

        location /hexinstat{

                 proxy_pass [http://10.51.19.64:8082](http://10.51.19.64:8082/);

        }

       #error_page  404              /404.html;

        # redirect server error pages to the static page /50x.html

        #

        error_page   500 502 503 504  /50x.html;

        location = /50x.html {             root   html;         }

        # proxy the PHP scripts to Apache listening on 127.0.0.1:80

        #

        #location ~ \.php$ {

                #    proxy_pass   [http://127.0.0.1](http://127.0.0.1/);

        #}

        # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000

        #

        #location ~ \.php$ {

        #    root           html;

        #    fastcgi_pass   127.0.0.1:9000;

        #    fastcgi_index  index.php;

        #    fastcgi_param  SCRIPT_FILENAME  /scripts$fastcgi_script_name;

        #    include        fastcgi_params;

        #}

        # deny access to .htaccess files, if Apache's document root

        # concurs with nginx's one

        #

        #location ~ /\.ht {

        #    deny  all;

        #}

        }    

        server {

        listen       443;

        server_name  localhost; ssl on;

        ssl_certificate      server.pem;

        ssl_certificate_key  server.key;

        #ssl_client_certificate ca.crt;

        #ssl_verify_client on;

        #ssl_session_cache    shared:SSL:1m;

        # ssl_session_timeout  5m;

        #ssl_ciphers  ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;

        ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";

        ssl_prefer_server_ciphers  on;

        location /cgiws {

                    proxy_pass [http://10.51.19.64:8081/cgiws](http://10.51.19.64:8081/cgiws);

        proxy_set_header X-Real-IP $remote_addr;

        proxy_set_header SSL_CERT $ssl_client_cert;

        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        }

        location /infows {

                   proxy_pass [http://10.51.19.63:8082](http://10.51.19.63:8082/);

        proxy_set_header X-Real-IP $remote_addr;

        proxy_set_header SSL_CERT $ssl_client_cert;

        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        }

        location /group1/M00 {

            proxy_pass http://group1;

             #health_check match=not_redirect;

             proxy_redirect off;

             proxy_set_header Host $host;

             #proxy_cache cache_one;

             proxy_cache_valid 200 1h;

             # proxy_cache_valid 301 1d;

             # proxy_cache_valid any 1m;

             expires 30d;

             }

             #location / {

             #    root   html;

             #    index  index.html index.htm;

             #}

             }

7)启动、重启、停止

[root@localhost conf]# /usr/local/nginx/sbin/nginx

重启:
[root@localhost conf]# /usr/local/nginx/sbin/nginx -s reload

停止:
[root@localhost conf]# /usr/local/nginx/sbin/nginx -s stop

验证配置文件:
[root@localhost conf]# /usr/local/nginx/sbin/nginx -t

8)nginx监控配置

location /status { 

stub_status on; auth_basic "NginxStatus"; 

} 

http://localhost:8083/status

Active connections: 2

server accepts handled requests

3 3 54

Reading: 0 Writing: 1 Waiting: 1

解析:

Active connections //当前 Nginx 正处理的活动连接数。

server accepts handled requests //总共处理了3 个连接 , 成功创建 3 次握手,总共处理了54个请求。

Reading //nginx 读取到客户端的 Header 信息数。

Writing //nginx 返回给客户端的 Header 信息数。

Waiting //开启 keep-alive 的情况下,这个值等于 active - (reading + writing),意思就是 Nginx 已经处理完正在等候下一次请求指令的驻留连接

9)nginx出现异常开启日志分析

log_format main 'remote_user [request" '

'body_bytes_sent "$http_referer" '

'"http_x_forwarded_for"'

'"upstream_status" "request_time"';

access_log  logs/access.log  main;

参数说明示例

$remote_addr 客户端地址 211.28.65.253

$remote_user 客户端用户名称 --

$time_local 访问时间和时区 18/Jul/2012:17:00:01 +0800

$request 请求的URI和HTTP协议 "GET /article-10000.html HTTP/1.1"

$http_host 请求地址,即浏览器中你输入的地址(IP或域名) www.it300.com

192.168.100.100

$status HTTP请求状态 200

$upstream_status upstream状态 200

$body_bytes_sent 发送给客户端文件内容大小 1547

$http_referer url跳转来源 https://www.baidu.com/

ssl_protocol SSL协议版本 TLSv1 upstream_addr 后台upstream的地址,即真正提供服务的主机地址 10.10.10.100:80 upstream_response_time 请求过程中,upstream响应时间 0.002

切记:

1、首先,确保安装了OpenSSL库,并且安装Nginx时使用了–with-http_ssl_module参数。

2、证书拷至nginx目录,配置如下server

3、第一次配置https时必须重启nginx才能生效,不能reload!

你可能感兴趣的:(Nginx支持ssl如何配置)