Creating a CA certificate with OpenSSL
References:
Some commonly used nginx commands:
Check whether the configuration file is valid: ./nginx -t
Start nginx: ./nginx
Restart (reload) nginx: ./nginx -s reload
Stop nginx: ./nginx -s stop
1. Installing nginx:
yum install gcc-c++ # install gcc
yum install -y pcre pcre-devel # install PCRE, the regular-expression library nginx depends on
yum install -y zlib zlib-devel # install zlib
yum install -y openssl openssl-devel # install OpenSSL (a cryptography library)
Download nginx beforehand into /usr/local/; it is available from the official site at http://nginx.org/en/download.html
tar -zxvf nginx-1.19.1.tar.gz # unpack; my version is nginx-1.19.1
cd nginx-1.19.1 # change into the unpacked nginx-1.19.1 directory
./configure --with-http_ssl_module # generate the build configuration, enabling the SSL module (required for "listen 443 ssl")
make # compile
make install # install nginx (into /usr/local/nginx by default)
cd /usr/local/nginx/sbin
./nginx # start nginx
If all went well, nginx is now installed. Next comes configuration; the configuration file is /usr/local/nginx/conf/nginx.conf
2. Creating a CA certificate with OpenSSL
The commands are as follows (for the information you are asked to fill in you can follow examples online; I won't go into detail here, the screenshot is pasted below):
mkdir CA # create a separate directory for the certificates so they don't get mixed up with other files; I put it under /usr/local
cd CA # change into the CA directory
openssl genrsa -out local.key 2048 # generate the CA private key
openssl req -new -key local.key -out local.csr # generate the CA certificate request
openssl x509 -req -in local.csr -extensions v3_ca -signkey local.key -out local.crt # generate the self-signed CA root certificate
openssl genrsa -out my_server.key 2048 # generate the server private key
openssl req -new -key my_server.key -out my_server.csr # generate the server certificate request
openssl x509 -days 365 -req -in my_server.csr -extensions v3_req -CAkey local.key -CA local.crt -CAcreateserial -out my_server.crt # issue the server certificate, signed by the CA
Illustration of the steps above; fill in the fields according to your own situation
You are about to be asked to enter information that will be incorporated into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN # country
State or Province Name (full name) []:BJ # province
Locality Name (eg, city) [Default City]:BJ # city
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:test # department
Common Name (eg, your name or your server's hostname) []:test # hostname
Email Address []:test@test.com # email
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:wuminyan # password
An optional company name []:wuminyan # name
After running the commands above, the directory contains the following files:
[root@huahua CA]# ll
total 28
-rw-r--r-- 1 root root 1371 Mar 21 16:47 local.crt
-rw-r--r-- 1 root root 1147 Mar 21 16:44 local.csr
-rw-r--r-- 1 root root 1679 Mar 21 16:41 local.key
-rw-r--r-- 1 root root 17 Mar 21 16:52 local.srl
-rw-r--r-- 1 root root 1314 Mar 21 16:52 my_server.crt
-rw-r--r-- 1 root root 1094 Mar 21 16:50 my_server.csr
-rw-r--r-- 1 root root 1679 Mar 21 16:46 my_server.key
Certificate location: /usr/local/CA/local.crt
Private key location: /usr/local/CA/local.key
A quick explanation:
.key usually refers to a private key
.csr stands for Certificate Signing Request. This is not a certificate; it is a formal request for a CA to sign a certificate. The request contains the public key of the entity applying for the certificate together with some information about that entity, and this data becomes part of the certificate. A CSR is always signed with the private key corresponding to the public key it carries.
.crt stands for certificate
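The CA and server-certificate steps above, as an added example that is not part of the original post: each extension goes into an -extfile (the page's -extensions v3_ca has no effect without one), the server certificate gets a subjectAltName, and the result is checked with openssl verify. It assumes openssl is on PATH; the directory, subject fields and host name are constructed.

```shell
#!/bin/sh
# Added example, not part of the original post: the CA/server steps above,
# with the extensions written to -extfile files so they actually apply, a
# SAN on the server certificate, and a chain check at the end.
# Assumes "openssl" is on PATH; directory and host names are constructed.
set -eu

# make_ca_and_server DIR HOSTNAME
# Writes local.key/local.crt (CA) and my_server.key/my_server.crt (server)
# under DIR and returns 0 only if the issued certificate verifies.
make_ca_and_server() {
    dir=$1; host=$2
    mkdir -p "$dir"

    # CA key, CSR and self-signed root. Without -extfile the page's
    # "-extensions v3_ca" is ignored, so the CA flag is supplied explicitly.
    openssl genrsa -out "$dir/local.key" 2048 2>/dev/null
    openssl req -new -key "$dir/local.key" \
        -subj "/C=CN/ST=BJ/L=BJ/OU=test/CN=test-ca" -out "$dir/local.csr"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$dir/ca.ext"
    openssl x509 -req -days 3650 -in "$dir/local.csr" -signkey "$dir/local.key" \
        -extfile "$dir/ca.ext" -out "$dir/local.crt" 2>/dev/null

    # Server key and CSR, then the extensions the issued cert needs:
    # browsers match the host against subjectAltName, not CN.
    openssl genrsa -out "$dir/my_server.key" 2048 2>/dev/null
    openssl req -new -key "$dir/my_server.key" \
        -subj "/C=CN/ST=BJ/L=BJ/OU=test/CN=$host" -out "$dir/my_server.csr"
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' \
        "$host" > "$dir/server.ext"
    openssl x509 -req -days 365 -in "$dir/my_server.csr" \
        -CA "$dir/local.crt" -CAkey "$dir/local.key" -CAcreateserial \
        -extfile "$dir/server.ext" -out "$dir/my_server.crt" 2>/dev/null

    # Verify the chain against our own root and confirm the SAN is present.
    openssl verify -CAfile "$dir/local.crt" "$dir/my_server.crt" >/dev/null
    openssl x509 -in "$dir/my_server.crt" -noout -text | grep -q "DNS:$host"
}

# Stand-alone run: build into a temp dir and report the result.
if [ "${1:-}" = "run" ]; then
    out=$(mktemp -d)
    make_ca_and_server "$out" example.test && echo "issued under $out"
fi
```

Point ssl_certificate and ssl_certificate_key at my_server.crt and my_server.key rather than at the CA pair, and import local.crt into the client's trust store; the browser warning from the post then disappears for that host.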
3. Configuration file (/usr/local/nginx/conf/nginx.conf): only this part needs to be changed
# HTTPS server
server {
    listen 443 ssl;
    server_name localhost;
    charset utf-8;
    ssl_certificate /usr/local/CA/local.crt; # certificate
    ssl_certificate_key /usr/local/CA/local.key; # private key
    ssl_session_cache shared:SSL:10m; # session cache of 10 MB
    ssl_session_timeout 10m; # session timeout 10 min
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    location / {
        # suppose the public IP is 192.168.133.132
        # then every request to 192.168.133.132 is proxied to 127.0.0.1:8080
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
Below is the full content of the nginx configuration file (/usr/local/nginx/conf/nginx.conf)
#user nobody;
worker_processes 1;
#error_log logs/error.log;
#error_log logs/error.log notice;
#error_log logs/error.log info;
#pid logs/nginx.pid;
events {
worker_connections 1024;
}
http {
include mime.types;
default_type application/octet-stream;
#log_format main '$remote_addr - $remote_user [$time_local] "$request" '
# '$status $body_bytes_sent "$http_referer" '
# '"$http_user_agent" "$http_x_forwarded_for"';
#access_log logs/access.log main;
sendfile on;
#tcp_nopush on;
#keepalive_timeout 0;
keepalive_timeout 65;
#gzip on;
server {
listen 80;
server_name localhost;
#charset koi8-r;
#access_log logs/host.access.log main;
location / {
# huahua: changed configuration
# root html;
#index index.html index.htm;
proxy_pass http://127.0.0.1:8080;
proxy_set_header Host $host;
proxy_set_header X-real-ip $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
#error_page 404 /404.html;
# redirect server error pages to the static page /50x.html
#
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root html;
}
# proxy the PHP scripts to Apache listening on 127.0.0.1:80
#
#location ~ \.php$ {
# proxy_pass http://127.0.0.1;
#}
# pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
#
#location ~ \.php$ {
# root html;
# fastcgi_pass 127.0.0.1:9000;
# fastcgi_index index.php;
# fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name;
# include fastcgi_params;
#}
# deny access to .htaccess files, if Apache's document root
# concurs with nginx's one
#
#location ~ /\.ht {
# deny all;
#}
}
# another virtual host using mix of IP-, name-, and port-based configuration
#
#server {
# listen 8000;
# listen somename:8080;
# server_name somename alias another.alias;
# location / {
# root html;
# index index.html index.htm;
# }
#}
# HTTPS server
server {
listen 443 ssl;
server_name localhost;
charset utf-8;
ssl_certificate /usr/local/CA/local.crt;
ssl_certificate_key /usr/local/CA/local.key;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
location / {
proxy_pass http://127.0.0.1:8080;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}
}
One last step: if this is a cloud server, open port 443 in the security group, as shown below
Then visit the server at https://<public IP>, as shown below:
We can see that the connection is reported as not secure. That is because I used a certificate I issued to myself, which of course is not recognized by a public CA, so the browser shows it as insecure. To have it shown as secure you can apply for a certificate from a CA (some are free); I won't go into that here.
Click "Proceed" and you see the following:
The connection to the server succeeds, proving that nginx works and that it is serving HTTPS.
4. Possible errors:
Error 1:
nginx: [emerg] unknown directive "HTTPS" in /usr/local/nginx/conf/nginx.conf:103
nginx: configuration file /usr/local/nginx/conf/nginx.conf test failed
Fix: comment out the "HTTPS" line in /usr/local/nginx/conf/nginx.conf with a "#"
Error 2 (this was because I had not configured nginx properly when installing it; if you follow the steps above, this should not occur):
nginx: [emerg] the "ssl" parameter requires ngx_http_ssl_module in /usr/local/nginx/conf/nginx.conf:104
nginx: configuration file /usr/local/nginx/conf/nginx.conf test failed
People online said a component was missing, so I checked the version:
[root@huahua nginx]# ./sbin/nginx -V # show version information
nginx version: nginx/1.18.0
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-44) (GCC)
configure arguments:
[root@huahua nginx]#
If nginx is running, stop it first (run in /usr/local/nginx/sbin):
./nginx -s stop
If it cannot be stopped or reports the error:
nginx: [emerg] the "ssl" parameter requires ngx_http_ssl_module in /usr/local/nginx/conf/nginx.conf:104
that is because the configuration file is temporarily wrong. Why temporarily?
Because the SSL configuration itself is correct, but the current nginx build lacks the module (with-http_ssl_module) and cannot read the SSL settings. Delete or comment out all the SSL configuration for now, and put it back once the module is built in.
Then go to /usr/local/nginx-1.18.0 (note: the directory of the unpacked source package) and run the following commands:
Stop nginx:
./nginx -s stop
Then add the module by reconfiguring:
./configure --prefix=/usr/local/nginx --with-http_stub_status_module --with-http_ssl_module
Finally run make && make install. If it still doesn't work, try reinstalling nginx following the installation steps above.
Personal notes
HTTP requests can be converted to HTTPS automatically; I'm not sure whether this is right, I haven't tried it either, haha!
server {
    listen 80;
    server_name huiblog.top;
    # redirect HTTP requests to HTTPS
    rewrite ^(.*)$ https://$host$1 permanent;
}
(End)