- 生成私鑰文件:
openssl genrsa -des3 -out server.key 2048 - 去除口令:
mv server.key server.key.back openssl rsa -in server.key.back -out server.key - 創建請求證書:
openssl req -new -key server.key -out server.csr - 生成證書文件:
openssl x509 -req -days 36500 -in server.csr -signkey server.key -out server.crt - 把server.crt和server.key文件複製到Nginx安裝目錄下的 conf\ssl 位置。
- 修改nginx配置文件,示例如下。
server {
listen 80;
server_name www.test.com;
access_log logs/test.access.log main;
rewrite ^(.*)$ https://$host$1 permanent;
}
server {
listen 443 default_server;
listen [::]:443 default_server;
server_name www.test.com;
access_log logs/test-ssl.access.log main;
ssl on;
ssl_certificate ssl/server.crt;
ssl_certificate_key ssl/server.key;
# 協議優化(可選,優化https協議,增強安全性)
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
location / {
proxy_pass http://192.168.0.136;
}
}
重啓Nginx