環境要求
nginx 編譯需要 --with-http_ssl_module
./configure --prefix=/usr/local/nginx --sbin-path=/usr/sbin/nginx --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/lock/nginx.lock --user=nginx --group=nginx --with-http_ssl_module --with-http_flv_module --with-http_stub_status_module --with-http_gzip_static_module --http-client-body-temp-path=/usr/local/nginx/client/ --http-proxy-temp-path=/usr/local/nginx/proxy/ --http-fastcgi-temp-path=/usr/local/nginx/fcgi/ --http-uwsgi-temp-path=/usr/local/nginx/uwsgi --http-scgi-temp-path=/usr/local/nginx/scgi --with-pcre
./configure --user=www --group=www --prefix=/usr/local/nginx --with-http_stub_status_module --with-http_ssl_module
生成密鑰對
mkdir -p /usr/local/nginx/conf/key/
cd /usr/local/nginx/conf/key/
openssl req -new -newkey rsa:2048 -sha256 -nodes -out test_com.csr -keyout test_com.key -subj "/C=CN/ST=shanghai/L=shanghai/O=shizi./OU=Web Security/CN=*.test.com"
但是這麼做並不安全,默認是 SHA-1 形式,而現在主流的方案應該都避免 SHA-1,爲了確保更強的安全性,我們可以採取迪菲-赫爾曼密鑰交換
cd /usr/local/nginx/conf/key/
openssl dhparam -out dhparam.pem 2048
/usr/local/nginx/conf/key/目錄下會生成 test.csr test.key dhparam.pem
test.key爲私鑰
test.csr 爲公鑰需要提交給證書頒發機構
測試無法提交證書頒發機構按下面自己給自己頒發
1.openssl genrsa -des3 -out test.key 1024 生成一個RSA密鑰
2.openssl req -new -key test.key -out test.csr 生成一個證書請求
3.openssl rsa -in test.key -out test_nopass.key 拷貝一個不需要輸入密碼的密鑰文件
4.openssl x509 -req -days 365 -in test.csr -signkey test.key -out test.crt 自己簽發證書
編輯配置文件
cat /usr/local/nginx/conf/nginx.conf
worker_processes 1;
events {
worker_connections 1024;
}
http {
include mime.types;
default_type application/octet-stream;
sendfile on;
keepalive_timeout 65;
server {
listen 80;
server_name www.test.com;
rewrite ^(.*)$ https://www.test.com$1 permanent;
}
server {
listen 443;
ssl on;
ssl_certificate key/test.crt;
ssl_certificate_key key/test_nopass.key;
ssl_prefer_server_ciphers on;
ssl_dhparam key/dhparam.pem;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4";
keepalive_timeout 70;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
server_name www.test.com;
root /usr/local/nginx/html;
index index.php index.html index.htm;
location ~* \.php$ {
fastcgi_index index.php;
fastcgi_pass 127.0.0.1:9000;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param SCRIPT_NAME $fastcgi_script_name;
}
}
}
重啓 nginx 完成
http://www.open-open.com/lib/view/open1433390156947.html
http://www.linuxidc.com/Linux/2013-08/88271.htm