
Configuring an SSL certificate for HTTPS access on a CentOS LNMP stack

2016-07-09 08:56
Notes:

1. If an nginx configuration file such as default.conf contains an error, "service nginx restart" can still appear to succeed while every HTTPS request fails. Run "nginx -t" before restarting so the error is reported on the console instead of discovered in the browser.

2. One http block may contain several server blocks, and one server block may contain several location blocks.

3. The Common Name in the certificate request must be the exact domain name or IP address that clients will use. Note that current browsers ignore the Common Name and match only the subjectAltName extension, so a certificate without one is rejected even when the CN is correct.

4. The firewall must allow inbound TCP port 443.

1. Check whether nginx was built with the SSL module
[root@S019875 ~]# nginx -V
nginx version: nginx/1.6.2
TLS SNI support enabled
configure arguments: --prefix=/usr/share/nginx --sbin-path=/usr/sbin/nginx --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --http-client-body-temp-path=/var/lib/nginx/tmp/client_body --http-proxy-temp-path=/var/lib/nginx/tmp/proxy --http-fastcgi-temp-path=/var/lib/nginx/tmp/fastcgi --http-uwsgi-temp-path=/var/lib/nginx/tmp/uwsgi --http-scgi-temp-path=/var/lib/nginx/tmp/scgi --pid-path=/var/run/nginx.pid --lock-path=/var/lock/subsys/nginx --user=nginx --group=nginx --with-file-aio --with-ipv6 --with-http_ssl_module --with-http_spdy_module --with-http_realip_module --with-http_addition_module --with-http_xslt_module --with-http_image_filter_module --with-http_geoip_module --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_random_index_module --with-http_secure_link_module --with-http_degradation_module --with-http_stub_status_module --with-http_perl_module --with-mail --with-mail_ssl_module --with-pcre --with-debug --add-module=/builddir/build/BUILD/nginx-1.6.2/modsecurity-2.8.0/nginx/modsecurity --add-module=/builddir/build/BUILD/nginx-1.6.2/ngx_cache_purge-2.1 --with-cc-opt='-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic' --with-ld-opt=-Wl,-E
If --with-http_ssl_module appears in the configure arguments, SSL support is compiled in (the "TLS SNI support enabled" line above confirms it as well). If it is missing, nginx has to be rebuilt and reinstalled with that option.

2. Generate the private key in a new ssl directory
[root@S019875 ~]# cd /etc/nginx/
[root@S019875 nginx]# mkdir ssl
[root@S019875 nginx]# cd ssl
[root@localhost ssl]# openssl genrsa -des3 -out server.key 1024
Generating RSA private key, 1024 bit long modulus
.......++++++
..........................................++++++
e is 65537 (0x10001)
Enter pass phrase for server.key: abcd
Verifying - Enter pass phrase for server.key: abcd

# The two pass phrases must match; otherwise openssl reports:
Verify failure
User interface error
140324809713480:error:0906906F:PEM routines:PEM_ASN1_write_bio:read key:pem_lib.c:382:

The -des3 option encrypts the key file with the pass phrase (abcd here is only an example); the pass phrase is removed again in step 3. The 1024-bit modulus is what the original walkthrough used, but 1024-bit RSA is no longer considered safe and public CAs stopped issuing certificates for such keys years ago, so use at least 2048 bits for anything beyond a lab test.

3. Generate the certificate

First create a certificate signing request (CSR) from the key. The prompts fill in the Distinguished Name; the Common Name is the field that matters (see note 3 above):

[root@localhost ssl]# openssl req -new -key server.key -out server.csr
Enter pass phrase for server.key: abcd
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:CN
State or Province Name (full name) [Berkshire]:beijing
Locality Name (eg, city) [Newbury]:chaoyang
Organization Name (eg, company) [My Company Ltd]:test
Organizational Unit Name (eg, section) []:web
Common Name (eg, your name or your server's hostname) []:192.168.10.111
Email Address []:sunyu@test.cn

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:1qazxsw23edc
An optional company name []:testcomp

Next remove the pass phrase from the key so that nginx can start without prompting for it (the encrypted original is kept as server.key.org). An unencrypted key must be readable only by root: from this point on the file permissions are the only thing protecting it.

[root@localhost ssl]# cp server.key server.key.org
[root@localhost ssl]# openssl rsa -in server.key.org -out server.key
Enter pass phrase for server.key.org: abcd
writing RSA key

Finally self-sign the request with the key, valid for 365 days. For a public site you would submit server.csr to a CA instead and install the certificate it returns; a self-signed certificate always produces a trust warning in the browser.

[root@localhost ssl]# openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
Signature ok
subject=/C=CN/ST=beijing/L=chaoyang/O=test/OU=web/CN=192.168.10.111/emailAddress=sunyu@test.cn
Getting Private key
4. Configure nginx to listen on port 443. The simplest way is to copy the existing server block and change only the listen line and the ssl_certificate lines at the end (highlighted in red in the original):

server {
    listen 443 ssl;
    server_name _;

    #charset koi8-r;

    #access_log logs/host.access.log main;

    location / {
        root /var/www/html;
        index index.php index.html index.htm;
        # example
        #ModSecurityEnabled on;
        #ModSecurityConfig /etc/nginx/modsecurity.conf;
    }

    error_page 404 /404.html;
    location = /404.html {
        root /var/www/html;
    }

    # redirect server error pages to the static page /50x.html
    #
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root /var/www/html;
    }

    # proxy the PHP scripts to Apache listening on 127.0.0.1:80
    #
    #location ~ \.php$ {
    #    proxy_pass http://127.0.0.1;
    #}

    # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
    #
    location ~ \.php$ {
        root /var/www/html;
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME /var/www/html$fastcgi_script_name;
        include fastcgi_params;
    }

    # deny access to .htaccess files, if Apache's document root
    # concurs with nginx's one
    #
    #location ~ /\.ht {
    #    deny all;
    #}

    # certificate and key created in steps 2 and 3
    ssl_certificate /etc/nginx/ssl/server.crt;
    ssl_certificate_key /etc/nginx/ssl/server.key;
}

Two corrections to the original block: the certificate path was written as //etc/nginx/ssl/server.crt (doubled slash), and the separate "ssl on;" directive has been replaced by the ssl parameter of the listen directive, which does the same thing. "ssl on" was deprecated in nginx 1.15.0 and removed in 1.25.1, so configurations that still use it stop loading after an upgrade.
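The server block above, as an added hardened version that is not from the original article. It keeps the same paths (/etc/nginx/ssl/server.crt and server.key, document root /var/www/html, php-fpm on 127.0.0.1:9000) and the article's 192.168.10.111 address; the hostname www.example.com is a placeholder. It adds a plain-HTTP server that only redirects to HTTPS, pins the TLS settings, and closes two gaps the copied default block leaves open: dotfiles served from the document root, and PHP requests for paths that do not exist being handed to php-fpm.

```nginx
# Added example: hardened replacement for the copied server block.
# Assumed: certificate and key from steps 2-3 in /etc/nginx/ssl,
# document root /var/www/html, php-fpm on 127.0.0.1:9000,
# the article's 192.168.10.111 address and a placeholder hostname.

# Plain HTTP only redirects; nothing is served in the clear.
server {
    listen 80;
    server_name www.example.com 192.168.10.111;
    return 301 https://$host$request_uri;
}

server {
    # "listen ... ssl" replaces the old "ssl on;" directive
    listen 443 ssl;
    server_name www.example.com 192.168.10.111;

    ssl_certificate     /etc/nginx/ssl/server.crt;
    ssl_certificate_key /etc/nginx/ssl/server.key;   # mode 0600, owned by root

    # TLS 1.2 only. Add TLSv1.3 once nginx (>= 1.13.0) is built against OpenSSL 1.1.1+;
    # the 1.6.2 build shown in step 1 does not know that value and would refuse to start.
    ssl_protocols TLSv1.2;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;

    # HSTS pins browsers to HTTPS for a year. Leave it commented out while the
    # certificate is self-signed: with HSTS a browser cannot click through the
    # trust warning, and the setting outlives any quick revert.
    # add_header Strict-Transport-Security "max-age=31536000";

    root /var/www/html;
    index index.php index.html index.htm;

    location / {
        try_files $uri $uri/ =404;
    }

    # Never serve dotfiles (.htaccess, .git, .env) from the document root.
    # If ACME (Let's Encrypt) validation is used later, /.well-known/ needs
    # an explicit exception in front of this block.
    location ~ /\. {
        deny all;
    }

    location ~ \.php$ {
        # Refuse requests for PHP files that do not exist, so a request such as
        # /uploads/avatar.jpg/x.php cannot reach php-fpm and be resolved via
        # cgi.fix_pathinfo to the uploaded file.
        try_files $uri =404;
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }

    error_page 404 /404.html;
    error_page 500 502 503 504 /50x.html;
}
```

The redirect server and the HTTPS server carry the same server_name list so that a request arriving by IP address is handled the same way as one arriving by name; with the catch-all "server_name _;" of the original, any hostname pointed at the machine would be answered with this certificate.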

5. Restart nginx and php-fpm

Run "nginx -t" first: it parses the configuration, opens the ssl_certificate and ssl_certificate_key files and checks that the pair matches, and reports any error on the console that a bare restart would only reveal as failed connections (note 1 above). Then:

service nginx restart
service php-fpm restart

Then open the site over HTTPS, for example https://192.168.10.111/. Because the certificate is self-signed, the browser shows a trust warning on the first visit; that is expected for a test setup.
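The whole procedure above (key, certificate, pre-flight checks, firewall and restart) as one script. This is an added example, not code from the original article, and it departs from the transcript in two ways: the key is 2048-bit RSA generated without a pass phrase in a single step (so there is nothing to strip afterwards), and the certificate carries a subjectAltName covering both the IP address and a hostname, which current browsers require. The 192.168.10.111 address is the article's; www.example.com is a placeholder; SSL_DIR defaults to a temporary directory so the script can be dry-run, and the firewall and restart steps run only when DEPLOY=1 is set. The three check functions catch the failures nginx would otherwise report only at start-up: a key that still prompts for a pass phrase, a certificate that does not match its key, and a certificate whose SAN does not cover the address in use.

```shell
#!/bin/sh
# Added example (not from the original article): scripted version of steps 2-5.
# Assumed: the article's 192.168.10.111 address, a placeholder hostname
# www.example.com, SSL_DIR (default: a temporary directory) and DEPLOY=1
# to actually open the firewall and restart nginx.

# gen_server_cert DIR CN SAN_LIST
# Writes DIR/server.key (2048-bit RSA, unencrypted, mode 0600) and
# DIR/server.crt (self-signed, SHA-256, 365 days) in one step.
# The extensions go through a config file because the OpenSSL 1.0.x shipped
# with CentOS 6/7 has no -addext option.
gen_server_cert() {
    dir=$1 cn=$2 san=$3
    mkdir -p "$dir" || return 1
    cat > "$dir/openssl.cnf" <<EOF
[ req ]
distinguished_name = dn
x509_extensions    = v3_srv
prompt             = no
[ dn ]
C  = CN
ST = beijing
L  = chaoyang
O  = test
OU = web
CN = $cn
[ v3_srv ]
subjectAltName   = $san
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
    # -nodes: no pass phrase, so nginx starts unattended; the 0600 mode below
    # is what protects the key instead.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -config "$dir/openssl.cnf" \
        -keyout "$dir/server.key" -out "$dir/server.crt" 2>/dev/null || return 1
    chmod 600 "$dir/server.key"
}

# cert_has_san CRT ENTRY: true if the SAN extension lists ENTRY, spelled the
# way "openssl x509 -text" prints it ("IP Address:1.2.3.4" or "DNS:host").
cert_has_san() {
    openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q "$2"
}

# cert_matches_key CRT KEY: compares the public keys; a mismatch is what
# nginx reports as "key values mismatch" at start-up.
cert_matches_key() {
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null)
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# key_is_unencrypted KEY: an encrypted key makes nginx block on a prompt.
key_is_unencrypted() {
    ! grep -q ENCRYPTED "$1"
}

# open_https_port: CentOS 7 (firewalld) or CentOS 6 (iptables), note 4 above.
open_https_port() {
    if command -v firewall-cmd >/dev/null 2>&1; then
        firewall-cmd --permanent --add-service=https && firewall-cmd --reload
    else
        iptables -I INPUT -p tcp --dport 443 -j ACCEPT && service iptables save
    fi
}

# restart_nginx: validate the configuration before restarting, note 1 above.
restart_nginx() {
    nginx -t && service nginx restart && service php-fpm restart
}

SSL_DIR=${SSL_DIR:-$(mktemp -d)}
gen_server_cert "$SSL_DIR" 192.168.10.111 "IP:192.168.10.111,DNS:www.example.com" || exit 1
cert_has_san "$SSL_DIR/server.crt" "IP Address:192.168.10.111" || exit 1
cert_matches_key "$SSL_DIR/server.crt" "$SSL_DIR/server.key" || exit 1
key_is_unencrypted "$SSL_DIR/server.key" || exit 1
echo "certificate and key written to $SSL_DIR"
if [ "${DEPLOY:-0}" = 1 ]; then
    open_https_port && restart_nginx
fi
```

To deploy for real, run it as root with SSL_DIR=/etc/nginx/ssl DEPLOY=1 after the server block from step 4 is in place; without DEPLOY=1 it only writes and checks the files, which is the safe way to try it on a machine that is not the web server.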



Reference: http://blog.sina.com.cn/s/blog_5f54f0be0101b2gh.html