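1. SSL module
nginx needs the SSL module to serve HTTPS; it is added at compile time by passing --with-http_ssl_module to configure. You also need a server private key and a server certificate. For a company's public-facing environment, the certificate must be purchased from a trusted third-party certificate authority; otherwise the user experience cannot be guaranteed.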
2. Check whether the Nginx SSL module is installed
[root@c6 ~]# /usr/local/nginx/sbin/nginx -V
nginx version: nginx/1.6.2
built by gcc 4.4.7 20120313 (Red Hat 4.4.7-17) (GCC)
TLS SNI support enabled
configure arguments: --prefix=/usr/local/nginx --with-pcre --with-http_ssl_module --with-http_stub_status_module
3. Prepare the private key and certificate
3.1 Create the server private key
[root@c6 ~]# cd /usr/local/nginx/conf/
[root@c6 conf]# mkdir key
[root@c6 conf]# cd key
[root@c6 key]# openssl genrsa -des3 -out server.key 1024
Generating RSA private key, 1024 bit long modulus
..................++++++
..............++++++
e is 65537 (0x10001)
Enter pass phrase for server.key:    ## enter a passphrase
Verifying - Enter pass phrase for server.key:    # enter it again
3.2 Issue the certificate: create the signing request
[root@c6 key]# openssl req -new -key server.key -out server.csr
Enter pass phrase for server.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:SH
Locality Name (eg, city) [Default City]:SH
Organization Name (eg, company) [Default Company Ltd]:YJS
Organizational Unit Name (eg, section) []:SA
Common Name (eg, your name or your server's hostname) []:Web
Email Address []:[email protected]

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:root
An optional company name []:root
3.3 Remove the passphrase from the server private key
[root@c6 key]# cp server.key server.key.ori
[root@c6 key]# openssl rsa -in server.key.ori -out server.key
Enter pass phrase for server.key.ori:
writing RSA key
3.4 Generate a self-signed certificate from the signing request and the private key
[root@c6 key]# openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
Signature ok
subject=/C=CN/ST=SH/L=SH/O=YJS/OU=SA/CN=Web/[email protected]
Getting Private key
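A pre-flight check for the files produced in steps 3.1 to 3.4, as an added example that is not part of the original post: it reports a key that is still passphrase-protected, a key readable by other users, an RSA key under 2048 bits, and a certificate that does not match the key. The function names and finding labels are made up for this example, and it assumes RSA keys and an `openssl` binary on the PATH.

```shell
#!/bin/sh
# Added example (not from the original post): audit a key/certificate pair
# such as key/server.key and key/server.crt before pointing nginx at them.
# audit_pair prints one finding per line; its exit status is the number of
# findings (0 = clean). RSA keys only, as on this page.

# RSA modulus size in bits, parsed from "Private-Key: (N bit ...)".
key_bits() {
    openssl rsa -in "$1" -noout -text 2>/dev/null |
        sed -n 's/.*Private-Key: (\([0-9][0-9]*\) bit.*/\1/p'
}

audit_pair() {
    key=$1 crt=$2 findings=0
    # A passphrase-protected key makes nginx prompt at every start (the reason
    # for step 3.3) and cannot be inspected without the passphrase: stop here.
    if grep -Eq 'Proc-Type: 4,ENCRYPTED|BEGIN ENCRYPTED PRIVATE KEY' "$key"; then
        echo "ENCRYPTED_KEY"; return 1
    fi
    # Once the passphrase is removed, file permissions are the only protection.
    if [ -n "$(find "$key" \( -perm -040 -o -perm -004 \))" ]; then
        echo "KEY_READABLE_BY_OTHERS"; findings=$((findings + 1))
    fi
    bits=$(key_bits "$key")
    if [ "${bits:-0}" -lt 2048 ]; then
        echo "WEAK_KEY_${bits:-unknown}_BITS"; findings=$((findings + 1))
    fi
    # The certificate belongs to the key only if both carry the same modulus.
    km=$(openssl rsa -in "$key" -noout -modulus 2>/dev/null)
    cm=$(openssl x509 -in "$crt" -noout -modulus 2>/dev/null)
    if [ -z "$km" ] || [ "$km" != "$cm" ]; then
        echo "KEY_CERT_MISMATCH"; findings=$((findings + 1))
    fi
    return "$findings"
}
```

Run as `audit_pair server.key server.crt` in the key directory, the files from this page produce `WEAK_KEY_1024_BITS`, because step 3.1 generates a 1024-bit key; passing `2048` to `openssl genrsa` instead clears that finding.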
3.5 Enable SSL in Nginx
[root@c6 ~]# vim /usr/local/nginx/conf/vhosts/szk.conf
server {
    server_name www.szk.com;
    listen 80;
    rewrite ^(.*) https://$server_name$1 permanent;
}
server {
    listen 443;
    server_name www.szk.com;
    index index.html index.htm index.php;
    root /data/www;
    ssl on;
    ssl_certificate key/server.crt;
    ssl_certificate_key key/server.key;
    location ~ \.php$ {
        include fastcgi_params;
        #fastcgi_pass unix:/tmp/php-fcgi.sock;
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME /data/www$fastcgi_script_name;
    }
}
# Requests to port 80 are automatically redirected to port 443
[root@c6 ~]# /etc/init.d/nginx restart
Stopping Nginx: [ OK ]
Starting Nginx: [ OK ]
[root@c6 ~]# netstat -tnlup | grep nginx
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 1504/nginx
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 1504/nginx
4. Testing
Reference: http://825536458.blog.51cto.com/4417836/1782847