一、安裝
1、創建用戶
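# Create a dedicated, unprivileged group and account for nginx; the build
# below passes them to ./configure as --user=www --group=www.
/usr/sbin/groupadd www
# -s /sbin/nologin: service account, no interactive login shell.
# -M: do not create a home directory for the account.
/usr/sbin/useradd -g www -s /sbin/nologin -M www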
2、安裝pcre
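# Build and install PCRE 7.9 from source into the default prefix.
# NOTE(review): check the tarball against the checksum or signature published
# by the PCRE project before unpacking it, and prefer a maintained release.
# The steps are chained with && so that a failed step stops the sequence
# instead of running make in the wrong directory or after a failed configure.
tar zxvf pcre-7.9.tar.gz \
  && cd pcre-7.9/ \
  && ./configure \
  && make \
  && make install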
3、安裝openssl
yum install openssl-devel
4、安裝nginx (openssl-1.0.1c 是openssl的源碼文件)
tar zxvf nginx-0.7.61.tar.gz
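# Configure, build and install nginx 0.7.61 under /usr/local/nginx, running
# as www:www, with the status, SSL and gzip_static modules.
# --with-openssl=../openssl-1.0.1c compiles that OpenSSL source tree into the
# nginx binary, so OpenSSL updates installed by the distribution do not reach
# it; nginx has to be rebuilt to pick up an OpenSSL fix.
# NOTE(review): nginx 0.7.61 and OpenSSL 1.0.1c are long out of support; use
# currently maintained releases for anything reachable from a network.
# The steps are chained with && so a failed step stops the sequence.
cd nginx-0.7.61/ \
  && ./configure --user=www --group=www \
    --prefix=/usr/local/nginx \
    --with-http_stub_status_module \
    --with-http_ssl_module \
    --with-http_gzip_static_module \
    --with-openssl=../openssl-1.0.1c \
  && make \
  && make install
# Required: `nginx -V` must report "TLS SNI support enabled". SNI is what lets
# one listener on port 443 present a different certificate per server_name.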
# Make /lib/libpcre.so.1 a symlink to /lib/libpcre.so.0.0.1.
# NOTE(review): presumably a workaround for nginx failing to load
# libpcre.so.1 at start-up; confirm. Aliasing one soname to another skips
# ABI versioning, so check that the target is the PCRE build nginx was
# compiled against. ln -s fails if /lib/libpcre.so.1 already exists.
cd /lib
ln -s /lib/libpcre.so.0.0.1 /lib/libpcre.so.1
二、Nginx指令
啓動:nginx
kill -HUP 主進程號或進程號文件路徑
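# Reload the configuration in the running server.
nginx -s reload
# Note: after editing the configuration, validate it before reloading or
# restarting, so that a broken file does not take the server down.
# The paths follow the --prefix=/usr/local/nginx used for the build.
nginx -t -c /usr/local/nginx/conf/nginx.conf
# or
/usr/local/nginx/sbin/nginx -t
# Stop: kill -9 pid
# SIGKILL ends the process without a graceful shutdown, so requests in flight
# are dropped; prefer `nginx -s quit`, and keep kill -9 as a last resort.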
測試配置文件:nginx -t
三、生成證書
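# Create a certificate signing request. No -key is given, so with the default
# openssl configuration a new passphrase-protected private key is written to
# privkey.pem as well (two files); the key can also be generated separately.
# NOTE(review): "server.crs" is presumably meant to be "server.csr"; the
# request file is not used by the steps below.
openssl req -new -out server.crs
# Write a copy of the private key without a passphrase (presumably so nginx
# can start unattended).
openssl rsa -in privkey.pem -out server.key
# server.key is stored in clear text: make both key files owner-only.
chmod 600 privkey.pem server.key
# Issue a self-signed certificate for that key.
# NOTE(review): without -days the openssl default validity (30 days) applies,
# and clients do not trust a self-signed certificate unless it is installed
# explicitly; use a CA-issued certificate for a public site.
openssl req -new -x509 -key server.key -out server.crt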
#****必須要保證 nginx -V TLS SNI support enabled*****#
四、配置
#配置文件修改
#1、修改80自動提升爲https
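# Plain-HTTP listener whose only job is to send clients to HTTPS.
server {
    listen 80;
    server_name localhost;

    # Redirect every request to the same host and path over HTTPS.
    # The target has to be an absolute URL ("https://" plus the host);
    # without the "//" the redirect does not point at a valid HTTPS address.
    # NOTE(review): $host can be taken from the client's Host header. If this
    # server also answers for names it does not own, redirect to a fixed,
    # known hostname instead of reflecting the header.
    rewrite ^/(.*)$ https://$host/$1 redirect;

    # The server-level rewrite matches every URI, so the locations below are
    # presumably never reached; they are kept as in the stock configuration.
    location / {
        root html;
        index index.html index.htm;
    }

    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root html;
    }
}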
#2、配置https的反向代理
# HTTPS server
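# HTTPS virtual host for www.b.cn: terminates TLS and proxies to a backend.
server {
    listen 443;
    server_name www.b.cn;
    # Newer nginx releases express this as `listen 443 ssl;`.
    ssl on;

    # Certificate and private key. Keep the key file readable only by the
    # account that starts nginx.
    ssl_certificate /data/key/server.crt;
    ssl_certificate_key /data/key/server.key;
    ssl_session_timeout 5m;

    # SSLv2 and SSLv3 are broken protocols and are no longer offered.
    # TLSv1 is the newest value an nginx this old accepts (TODO confirm for
    # the installed build); on a current nginx and OpenSSL, list TLSv1.2 and
    # TLSv1.3 here instead.
    ssl_protocols TLSv1;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;

    location / {
        # TLS ends at nginx: this hop to the backend is plain HTTP, so it
        # should stay on a trusted internal network.
        proxy_pass http://10.228.191.237;
        proxy_redirect off;
        proxy_set_header Host $host;
        # X-Real-IP is set from the connection's peer address.
        proxy_set_header X-Real-IP $remote_addr;
        # $proxy_add_x_forwarded_for appends the peer address to whatever
        # X-Forwarded-For the client sent, so earlier entries in that header
        # are client-controlled and must not be trusted by the backend.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # Request bodies of up to 100 MB are accepted.
        client_max_body_size 100m;
        index index.html index.htm;
    }
}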
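# HTTPS virtual host for www.a.cn: terminates TLS and proxies to a backend.
# It shares port 443 with another server_name and uses its own certificate,
# which relies on SNI support in both nginx and the client.
server {
    listen 443;
    server_name www.a.cn;
    # Newer nginx releases express this as `listen 443 ssl;`.
    ssl on;

    # Certificate and private key. Keep the key file readable only by the
    # account that starts nginx.
    ssl_certificate /data/key/server1.crt;
    ssl_certificate_key /data/key/server1.key;
    ssl_session_timeout 5m;

    # SSLv2 and SSLv3 are broken protocols and are no longer offered.
    # TLSv1 is the newest value an nginx this old accepts (TODO confirm for
    # the installed build); on a current nginx and OpenSSL, list TLSv1.2 and
    # TLSv1.3 here instead.
    ssl_protocols TLSv1;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;

    location / {
        # TLS ends at nginx: this hop to the backend is plain HTTP, so it
        # should stay on a trusted internal network.
        proxy_pass http://10.228.191.223;
        proxy_redirect off;
        proxy_set_header Host $host;
        # X-Real-IP is set from the connection's peer address.
        proxy_set_header X-Real-IP $remote_addr;
        # $proxy_add_x_forwarded_for appends the peer address to whatever
        # X-Forwarded-For the client sent, so earlier entries in that header
        # are client-controlled and must not be trusted by the backend.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # Request bodies of up to 100 MB are accepted.
        client_max_body_size 100m;
        index index.html index.htm;
    }
}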