Before reading this article, have a look at my post "Nginx installation and deployment (three steps)"
to get familiar with the directory layout; it takes about a minute to read.
Part 1: Enabling SSL
1. Check whether the current nginx build has SSL enabled
/usr/local/nginx/sbin/nginx -V
If nothing follows "configure arguments:", the build was configured without options and SSL is not enabled.
2. Reconfigure from the nginx source tree
cd /usr/local/src/nginx-1.10.2/
./configure --prefix=/usr/local/nginx --with-http_stub_status_module --with-http_ssl_module
This fails with the error shown below.
Error output:
./configure: error: SSL modules require the OpenSSL library.
You can either do not enable the modules, or install the OpenSSL library
into the system, or build the OpenSSL library statically from the source
with nginx by using --with-openssl=<path> option.
So OpenSSL is not installed on this host.
Install OpenSSL:
yum -y install openssl openssl-devel
Run configure again:
./configure --prefix=/usr/local/nginx --with-http_stub_status_module --with-http_ssl_module
It no longer errors; problem solved.
Once configure finishes, run make:
make
Note: after make finishes, do not run make install yet, otherwise it overwrites the existing installation.
3. Back up the existing nginx binary under sbin
cp /usr/local/nginx/sbin/nginx /usr/local/nginx/sbin/nginx.bak
4. Stop nginx first
/usr/local/nginx/sbin/nginx -s stop
5. Replace the old nginx binary
Enter the nginx source tree:
cd /usr/local/src/nginx-1.10.2
Copy the newly built binary over the old one:
cp ./objs/nginx /usr/local/nginx/sbin/
6. Install
cd /usr/local/src/nginx-1.10.2
make install
configure arguments now lists the SSL option as well; SSL is enabled.
Start nginx:
/usr/local/nginx/sbin/nginx
Part 2: Creating an SSL certificate
Do this after enabling SSL in Part 1.
cd /usr/local/nginx
mkdir ssl
cd ssl/
1. Generate the certificates with openssl
Create the root CA certificate
(1) Generate the CA private key
openssl genrsa -out local.key 2048
(screenshot of the output in the original post)
(2) Generate the CA certificate request
openssl req -new -key local.key -out local.csr
(screenshot of the output in the original post)
(3) Generate the self-signed CA root certificate
openssl x509 -req -in local.csr -extensions v3_ca -signkey local.key -out local.crt
(screenshot of the output in the original post)
2. Create the server certificate signed by the CA
(1) Generate the server private key
openssl genrsa -out my_server.key 2048
(screenshot of the output in the original post)
(2) Generate the server certificate request
openssl req -new -key my_server.key -out my_server.csr
(screenshot of the output in the original post)
(3) Generate the server certificate
openssl x509 -days 365 -req -in my_server.csr -extensions v3_req -CAkey local.key -CA local.crt -CAcreateserial -out my_server.crt
(screenshot of the output in the original post)
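Added example, not the post's own commands: the x509 -req commands above pass -extensions without -extfile, so OpenSSL applies no extensions at all and neither certificate states whether it is a CA or which hostname it covers. This script repeats the CA and server steps with explicit extension files and then verifies the chain the way a client trusting local.crt would; it assumes openssl is in PATH, reuses the server_name from the post's nginx.conf, and writes everything under the directory passed as the first argument.

```shell
#!/bin/sh
# Added example (not from the original post). Assumptions: openssl in PATH,
# hostname "ocdp_host-10-1-236-52" taken from the post's nginx.conf, output
# directory given by the caller.
set -eu

make_certs() {
  dir=$1
  host=$2
  mkdir -p "$dir"
  # CA: private key, CSR, self-signed root explicitly marked as a CA.
  openssl genrsa -out "$dir/local.key" 2048 2>/dev/null
  openssl req -new -key "$dir/local.key" -subj "/CN=Local Test CA" -out "$dir/local.csr"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' >"$dir/ca.ext"
  openssl x509 -req -days 365 -in "$dir/local.csr" -signkey "$dir/local.key" \
    -extfile "$dir/ca.ext" -out "$dir/local.crt" 2>/dev/null
  # Server: private key, CSR, leaf signed by the CA with a SAN matching server_name.
  openssl genrsa -out "$dir/my_server.key" 2048 2>/dev/null
  openssl req -new -key "$dir/my_server.key" -subj "/CN=$host" -out "$dir/my_server.csr"
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' \
    "$host" >"$dir/server.ext"
  openssl x509 -req -days 365 -in "$dir/my_server.csr" -CA "$dir/local.crt" \
    -CAkey "$dir/local.key" -CAcreateserial -extfile "$dir/server.ext" \
    -out "$dir/my_server.crt" 2>/dev/null
}

# Succeeds only if my_server.crt chains to local.crt and names $host in its SAN,
# which is what a client that trusts local.crt checks before talking to nginx.
verify_chain() {
  dir=$1
  host=$2
  openssl verify -CAfile "$dir/local.crt" "$dir/my_server.crt" >/dev/null &&
    openssl x509 -in "$dir/my_server.crt" -noout -text | grep -q "DNS:$host"
}

# Confirms the leaf cannot itself act as a CA (with the post's commands the root
# and the leaf are indistinguishable on this point, since neither has extensions).
leaf_is_not_ca() {
  openssl x509 -in "$1/my_server.crt" -noout -text | grep -q 'CA:FALSE'
}
```

Source the file, then run make_certs DIR ocdp_host-10-1-236-52 followed by verify_chain DIR ocdp_host-10-1-236-52; the my_server.crt / my_server.key pair it produces is the one a server block would present.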
Part 3: nginx.conf demo
Do this after the certificate has been set up in Part 2.
1. Write a demo configuration file
vi /usr/local/nginx/conf/nginx.conf
user root;   # worker processes run as root here; nginx's default is an unprivileged user
worker_processes 1;
#error_log logs/error.log;
#error_log logs/error.log notice;
#error_log logs/error.log info;
#pid logs/nginx.pid;
events {
    worker_connections 1024;
}
http {
    include mime.types;
    default_type application/octet-stream;
    #log_format main '$remote_addr - $remote_user [$time_local] "$request" '
    #                '$status $body_bytes_sent "$http_referer" '
    #                '"$http_user_agent" "$http_x_forwarded_for"';
    #access_log logs/access.log main;
    sendfile on;
    #tcp_nopush on;
    #keepalive_timeout 0;
    keepalive_timeout 65;
    #gzip on;
    #upstream yarn.local {
    #    server 10.1.236.145:8443/gateway/ocdp/yarn;
    #}
    server {
        listen 443 ssl;
        server_name ocdp_host-10-1-236-52;
        # These point at the CA root from Part 2 step 1; the CA-signed server pair
        # from Part 2 step 2 is my_server.crt / my_server.key.
        ssl_certificate /usr/local/nginx/ssl/local.crt;
        ssl_certificate_key /usr/local/nginx/ssl/local.key;
        location / {
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $remote_addr;
            # The upstream is HTTPS; proxy_ssl_verify is off by default, so the
            # backend's certificate is not checked.
            proxy_pass https://10.1.236.52:8443;
        }
    }
}
Note the two ssl directives in the file above:
ssl_certificate /usr/local/nginx/ssl/local.crt;
ssl_certificate_key /usr/local/nginx/ssl/local.key;
Point them at the files generated in Part 2.
2. Restart nginx (reload the configuration)
/usr/local/nginx/sbin/nginx -s reload