一、安装
1、创建用户
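# Dedicated unprivileged group and account for the nginx worker processes
# (passed to ./configure later as --user=www --group=www).
/usr/sbin/groupadd www
# The account only owns worker processes and never logs in, so it gets
# no usable login shell (-s /sbin/nologin) and no home directory (-M).
/usr/sbin/useradd -g www -s /sbin/nologin -M www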
2、安装pcre
# Unpack, configure, build and install PCRE 7.9 from the source tarball.
# NOTE(review): `make install` is normally run as root, so check the tarball's
# checksum or signature against the upstream release before building it.
tar zxvf pcre-7.9.tar.gz
cd pcre-7.9/
./configure
make && make install
3、安装openssl
yum install openssl-devel
4、安装nginx (openssl-1.0.1c 是openssl的源码文件)
tar zxvf nginx-0.7.61.tar.gz
# Build nginx 0.7.61 from source; worker processes run as the www user and group.
# NOTE(review): --with-openssl compiles the given OpenSSL source tree into the
# nginx binary, so later yum updates of the system openssl package do not reach
# nginx; a TLS library fix means rebuilding nginx. nginx 0.7.61 and OpenSSL 1.0.1c
# are both long out of support (1.0.1c lies in the 1.0.1-1.0.1f range affected by
# Heartbleed); build current releases for anything reachable from a network.
cd nginx-0.7.61/
./configure --user=www --group=www \
--prefix=/usr/local/nginx \
--with-http_stub_status_module \
--with-http_ssl_module \
--with-http_gzip_static_module \
--with-openssl=../openssl-1.0.1c
make && make install
#**** `nginx -V` must report "TLS SNI support enabled"; SNI is what lets the two HTTPS servers configured later on this page present different certificates on port 443 ****#
cd /lib
# Make libpcre.so.1 resolve to the existing libpcre.so.0.0.1.
# NOTE(review): presumably a workaround for a "libpcre.so.1 not found" loader
# error; aliasing one soname to a different library version sidesteps ABI
# versioning, so confirm with ldd which libpcre the nginx binary actually loads.
ln -s /lib/libpcre.so.0.0.1 /lib/libpcre.so.1
二、Nginx指令
启动:nginx
kill -HUP 主进程号或进程号文件路径
# Ask the running nginx to reload its configuration.
nginx -s reload
# Note: after editing the configuration, check the edited file first, so that a broken file does not cause errors on restart and affect the server's stability. The commands to check the nginx configuration are:
# NOTE(review): the build step on this page used --prefix=/usr/local/nginx, but
# the paths below are under /usr/nginx; confirm the real install path.
nginx -t -c /usr/nginx/conf/nginx.conf
# or
/usr/nginx/sbin/nginx -t
# Stop: kill -9 pid
# NOTE(review): SIGKILL gives nginx no chance to finish in-flight requests or
# clean up; prefer `nginx -s quit` (graceful) or `nginx -s stop`, and keep
# kill -9 as a last resort.
测试配置文件:nginx -t
三、生成证书
# Create a new private key together with a certificate request.
# NOTE(review): no -key/-keyout is given, so openssl writes the new key to its
# default file (privkey.pem, which the next command reads) and asks for a passphrase.
openssl req -new -out server.crs # produces two files; they can also be generated separately
# Re-write the key as server.key. No cipher option is given, so the output key
# is stored without passphrase protection (nginx can then start unattended).
# NOTE(review): restrict the file afterwards, e.g. root-owned with mode 600,
# and keep it out of any web root or backup that others can read.
openssl rsa -in privkey.pem -out server.key
# Issue a self-signed certificate for server.key.
# NOTE(review): no -days is given, so openssl's default validity applies
# (30 days); clients will not trust a self-signed certificate unless it is
# installed on them explicitly.
openssl req -new -x509 -key server.key -out server.crt
#****必须要保证 nginx -V TLS SNI support enabled*****#
四、配置
#配置文件修改
#1、修改80自动提升为https
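server {
    listen 80;
    server_name localhost;

    # Redirect every plain-HTTP request to the same host and path over HTTPS.
    # The target needs "//" after the scheme: "https:$host/..." is not a
    # well-formed absolute URL. The "redirect" flag answers with a temporary 302.
    # NOTE(review): $host comes from the request (request line or Host header)
    # when the client supplies one, so the redirect target is client-influenced.
    # Where the site names are known, list them in server_name and redirect to a
    # fixed name instead.
    rewrite ^/(.*)$ https://$host/$1 redirect;

    # NOTE(review): the server-level rewrite above matches every URI, so the
    # locations below look unreachable; they are kept as in the original.
    location / {
        root html;
        index index.html index.htm;
    }

    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root html;
    }
}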
#2、配置https的反向代理
# HTTPS server
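# TLS-terminating reverse proxy for www.b.cn.
server {
    listen 443;
    server_name www.b.cn;

    # Kept because nginx 0.7.61 (the version built on this page) only accepts the
    # "ssl" listen parameter together with "default". On a current nginx use
    # "listen 443 ssl;" and drop this directive.
    ssl on;

    # Certificate and private key for this server name. The key file should be
    # readable only by root, since the nginx master process reads it at startup.
    ssl_certificate /data/key/server.crt;
    ssl_certificate_key /data/key/server.key;
    ssl_session_timeout 5m;

    # SSLv2 and SSLv3 are broken protocols and are no longer offered. TLSv1 is
    # the only remaining value nginx 0.7.61 understands. On a current nginx use
    # "ssl_protocols TLSv1.2 TLSv1.3;" instead.
    ssl_protocols TLSv1;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;

    location / {
        # TLS ends at this proxy; the hop to the backend is plain HTTP, so it
        # should stay on a network segment that is trusted.
        proxy_pass http://10.228.191.237;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        # $proxy_add_x_forwarded_for appends the client address to whatever
        # X-Forwarded-For the client sent; the backend should trust only the
        # last entry (or X-Real-IP), not the whole list.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        client_max_body_size 100m;
        index index.html index.htm;
    }
}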
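# TLS-terminating reverse proxy for www.a.cn. It shares port 443 with the other
# HTTPS server on this page and has its own certificate, which relies on SNI.
server {
    listen 443;
    server_name www.a.cn;

    # Kept because nginx 0.7.61 (the version built on this page) only accepts the
    # "ssl" listen parameter together with "default". On a current nginx use
    # "listen 443 ssl;" and drop this directive.
    ssl on;

    # Certificate and private key for this server name. The key file should be
    # readable only by root, since the nginx master process reads it at startup.
    ssl_certificate /data/key/server1.crt;
    ssl_certificate_key /data/key/server1.key;
    ssl_session_timeout 5m;

    # SSLv2 and SSLv3 are broken protocols and are no longer offered. TLSv1 is
    # the only remaining value nginx 0.7.61 understands. On a current nginx use
    # "ssl_protocols TLSv1.2 TLSv1.3;" instead.
    ssl_protocols TLSv1;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;

    location / {
        # TLS ends at this proxy; the hop to the backend is plain HTTP, so it
        # should stay on a network segment that is trusted.
        proxy_pass http://10.228.191.223;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        # $proxy_add_x_forwarded_for appends the client address to whatever
        # X-Forwarded-For the client sent; the backend should trust only the
        # last entry (or X-Real-IP), not the whole list.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        client_max_body_size 100m;
        index index.html index.htm;
    }
}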