openssl生成https证书及nginx https配置

一、nginx根目录下创建 cert 目录,用于存放https证书

创建目录:mkdir cert
进入cert目录:cd cert

二、openssl生成https证书

下载openssl,并安装、配置环境变量
 
https证书生成
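    # 1. Server private key (RSA, 2048 bit), written without a passphrase.
    #    nginx has to load the key unattended at start-up, so the original
    #    "encrypt with -des3, then strip the passphrase" pair of commands is
    #    collapsed into one step that yields the same unencrypted key.
    #    Protect the file with permissions instead of a passphrase.
    openssl genrsa -out server_192.168.1.1.key 2048
    chmod 600 server_192.168.1.1.key

    # 2. Separate, passphrase-protected private key for the signing CA.
    #    Signing with the server's own key would mean that anyone who obtains
    #    the web server's key can also issue certificates your clients trust.
    #    Keep ca.key off the web server.
    openssl genrsa -aes256 -out ca.key 2048

    # 3. Self-signed CA certificate (used to sign server.csr below).
    #    When prompted, give the CA a subject that differs from the server's,
    #    otherwise chain verification can mistake the server cert for self-signed.
    openssl req -new -x509 -key ca.key -out ca.crt -days 3650

    # 4. Certificate signing request for the server key.
    openssl req -new -key server_192.168.1.1.key -out server.csr

    # 5. Sign the server certificate with the CA.
    #    Current clients match the address against subjectAltName, not the CN,
    #    so the IP is added through an extension file.
    #    -days 3650 is kept from the original; shorten it if your clients
    #    enforce a maximum certificate lifetime.
    printf 'subjectAltName = IP:192.168.1.1\n' > server_192.168.1.1.ext
    openssl x509 -req -days 3650 -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -extfile server_192.168.1.1.ext -out server_192.168.1.1.crt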

三、nginx配置https

该配置http和https共存
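server {
    # TLS is switched on by the "ssl" flag of listen; the standalone "ssl on;"
    # directive is deprecated and rejected by recent nginx releases.
    # default_server: this block answers port 443 when no other server_name matches.
    listen 443 ssl default_server;
    server_name 192.168.1.1; # real IP of this host

    # 497 = plain-HTTP request sent to the HTTPS port; redirect it to https.
    error_page 497  https://$server_name:443$request_uri;

    # NOTE(review): relative paths here are presumably resolved against the nginx
    # configuration directory, not the current working directory. Confirm that the
    # cert/ directory is where nginx looks, or use absolute paths.
    # The key file should be readable only by the account that starts nginx.
    ssl_certificate ./cert/server_192.168.1.1.crt;
    ssl_certificate_key ./cert/server_192.168.1.1.key;

    # SSLv3, TLSv1 and TLSv1.1 are deprecated and have known protocol weaknesses,
    # so only TLS 1.2 and newer are offered.
    # TLSv1.3 needs nginx >= 1.13.0 built against OpenSSL >= 1.1.1; remove it on older builds.
    ssl_protocols TLSv1.2 TLSv1.3;
    # The previous list (ALL ... +LOW:+SSLv2:+EXP with RC4) enabled export-grade,
    # low-strength and RC4 suites. Restrict to strong suites without anonymous
    # key exchange, MD5 or 3DES.
    ssl_ciphers HIGH:!aNULL:!MD5:!3DES;
    ssl_prefer_server_ciphers on;
    #ssl_session_timeout  30m; # the default is only 5 minutes, which is rather short

    # Write one access log file per port and per day.
    #charset koi8-r;
    if ($time_iso8601 ~ "^(\d{4})-(\d{2})-(\d{2})") {
        set $year $1;
        set $month $2;
        set $day $3;
    }
    # The "main" log_format must be defined in the http block.
    # Because the path contains variables, the worker-process user needs
    # permission to create files in /data/logs/nginx.
    access_log  /data/logs/nginx/443.nginx.access-$year-$month-$day.log  main;

    location /test1 {
        # Required: rewrite http:// redirects from the upstream to the client's scheme (https).
        proxy_redirect http:// $scheme://;
        #proxy_redirect http:// https://;
        proxy_pass http://127.0.0.1:80/test1;
    }

    location /test2 {
        client_max_body_size 10m;
        proxy_set_header Host $host:$server_port;
        proxy_set_header X-Real-IP $remote_addr;
        # $proxy_add_x_forwarded_for appends $remote_addr to whatever the client
        # sent; the upstream should trust only the entry added by this proxy.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header REMOTE-HOST $remote_addr;
        # Rewrite http:// redirects from the upstream to the client's scheme (https).
        proxy_redirect http:// $scheme://;
        #proxy_redirect http:// https://;
        proxy_pass http://127.0.0.1:18081/test2;
        #proxy_redirect default;
    }
}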

参考文档:

        https://blog.51cto.com/u_481814/1835713

        https://www.cnblogs.com/caidingyu/p/11904277.html
