Nginx配置多個證書

一、安裝

1、創建用戶

/usr/sbin/groupadd www
/usr/sbin/useradd -g www www

2、安裝pcre

tar zxvf pcre-7.9.tar.gz
cd pcre-7.9/
./configure
make && make install

3、安裝openssl

yum install openssl-devel

4、安裝nginx (openssl-1.0.1c 是openssl的源碼文件)

tar zxvf nginx-0.7.61.tar.gz
cd nginx-0.7.61/
./configure --user=www --group=www \
  --prefix=/usr/local/nginx \
  --with-http_stub_status_module \
  --with-http_ssl_module \
  --with-http_gzip_static_module \
  --with-openssl=../openssl-1.0.1c
make && make install

#****必須要保證 nginx -V  TLS SNI support enabled*****#

5、解決啓動時libpcre.so.1找不到的問題

cd /lib
ln -s /lib/libpcre.so.0.0.1 /lib/libpcre.so.1 

二、Nginx指令

啓動：nginx
kill -HUP 住進稱號或進程號文件路徑
nginx -s reload
#注意，修改了配置文件後最好先檢查一下修改過的配置文件是否正 確，以免重啓後Nginx出現錯誤影響服務器穩定運行。判斷Nginx配置是否正確命令如下：
nginx -t -c /usr/nginx/conf/nginx.conf
#或者
/usr/nginx/sbin/nginx -t
#關閉：kill -9 pid
測試配置文件：nginx -t

三、生成證書

openssl req -new  -out server.crs #會生成兩個文件，也可以單獨生成
openssl rsa -in privkey.pem -out server.key
openssl req -new -x509 -key server.key -out server.crt

#****必須要保證 nginx -V  TLS SNI support enabled*****#

四、配置

#配置文件修改

#1、修改80自動提升爲https
server {
        listen       80;
        server_name  localhost;
        #重寫協議
        rewrite  ^/(.*)$  https:$host/$1  redirect;
        location / {
            root   html;
            index  index.html index.htm;
         }
 
        error_page   500 502 503 504  /50x.html;
        location = /50x.html {
            root   html;
        }
    }
#2、配置https的反向代理
    # HTTPS server
  server {
        listen       443;
        server_name  www.b.cn;       
        ssl                  on;
        #證書
        ssl_certificate      /data/key/server.crt;
        ssl_certificate_key  /data/key/server.key;
        ssl_session_timeout  5m;
        ssl_protocols  SSLv2 SSLv3 TLSv1;
        ssl_ciphers  HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers   on;
        location / {
            proxy_pass  http://10.228.191.237;        
            proxy_redirect     off;         
            proxy_set_header   Host             $host;          
            proxy_set_header   X-Real-IP        $remote_addr;            
            proxy_set_header   X-Forwarded-For  $proxy_add_x_forwarded_for;            
            client_max_body_size       100m;            
            index  index.html index.htm;
        }
    }
    server {
        listen       443;
        server_name  www.a.cn;       
        ssl                  on;
        ssl_certificate      /data/key/server1.crt;
        ssl_certificate_key  /data/key/server1.key;
        ssl_session_timeout  5m;
        ssl_protocols  SSLv2 SSLv3 TLSv1;
        ssl_ciphers  HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers   on;
        location / {
            proxy_pass  http://10.228.191.223;       
            proxy_redirect     off;      
            proxy_set_header   Host             $host;             
            proxy_set_header   X-Real-IP        $remote_addr;             
            proxy_set_header   X-Forwarded-For  $proxy_add_x_forwarded_for;           
            client_max_body_size       100m;            
            index  index.html index.htm;
        }
    }