#1. 安装openssl 和 ssl模块
[root@gj_css_db3 conf]# yum install mod_ssl openssl openssl-devel
一、生成证书
1.首先,进入你想创建证书和私钥的目录,例如:
[root@gj_css_db3 conf]# cd /usr/local/nginx/conf/
2.创建服务器私钥,命令会让你输入一个口令:
[root@gj_css_db3 conf]# openssl genrsa -des3 -out server.key 1024
Generating RSA private key, 1024 bit long modulus
.......++++++
...........++++++
e is 65537 (0x10001)
Enter pass phrase for server.key: XHJC2017
Verifying - Enter pass phrase for server.key: XHCJ2017
3.创建签名请求的证书(CSR):
[root@gj_css_db3 conf]# openssl req -new -key server.key -out server.csr
Enter pass phrase for server.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:BEIJING
Locality Name (eg, city) [Default City]:BEIJING
Organization Name (eg, company) [Default Company Ltd]:XHCJ
Organizational Unit Name (eg, section) []:abc
Common Name (eg, your name or your server's hostname) []:172.17.20.124
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:xhcj123456
An optional company name []:abc
4.在加载SSL支持的Nginx并使用上述私钥时除去必须的口令:
[root@gj_css_db3 conf]# cp server.key server.key.org
[root@gj_css_db3 conf]# openssl rsa -in server.key.org -out server.key
二、配置nginx
1.最后用上述私钥和CSR签署证书:
[root@gj_css_db3 conf]# openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
Signature ok
subject=/C=CN/ST=BEIJING/L=BEIJING/O=XHCJ/OU=XHCJ/CN=172.17.20.124
Getting Private key
2. 修改Nginx配置文件,让其包含新签署的证书和私钥:
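# Reverse proxy: TLS is terminated here and re-encrypted to the backend pool.
upstream xhcj_server {
    ip_hash;                            # sticky sessions keyed on the client IP
    server 172.17.20.121:443;
    server 172.17.20.123:443;
}

server {
    listen 443 ssl;
    server_name localhost;

    # Self-signed certificate and key generated in the steps above.
    # NOTE(review): step 4 stripped the passphrase from server.key, so restrict
    # read access to that file to the user nginx starts as.
    ssl_certificate     /usr/local/nginx/conf/server.crt;
    ssl_certificate_key /usr/local/nginx/conf/server.key;

    # Pin the protocol explicitly: without ssl_protocols, older nginx builds
    # also offer TLS 1.0 and 1.1.
    ssl_protocols TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;

    # Session cache shared across workers; avoids a full handshake on reconnect.
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 5m;

    location / {
        proxy_pass https://xhcj_server;
        index index.html index.htm;

        # The backend reads the real client IP from X-Forwarded-For.
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;

        # NOTE(review): the upstream connection is TLS but the backend
        # certificate is not verified (proxy_ssl_verify defaults to off);
        # turn it on once the upstreams carry a certificate from a CA you trust.

        # The proxy tuning below is optional and can be removed.
        client_max_body_size 10m;         # max size of a single client request body
        client_body_buffer_size 128k;     # buffer for client request bodies before proxying
        proxy_connect_timeout 300;        # timeout for establishing the backend connection
        proxy_send_timeout 300;           # timeout for sending the request to the backend
        proxy_read_timeout 300;           # timeout waiting for the backend response
        proxy_buffer_size 4k;             # buffer for the first part of the response (headers)
        proxy_buffers 4 32k;              # response buffers; sized for pages under ~32k
        proxy_busy_buffers_size 64k;      # buffers busy sending to the client (proxy_buffers*2)
        proxy_temp_file_write_size 64k;   # chunk size when spilling a response to a temp file
    }

    # Static assets are served from this host instead of the backend.
    location ~ .*\.(gif|jpg|jpeg|png|bmp|swf|js|css)$ {
        root /var/www/html;
        # try_files replaces the `if (-f $request_filename) { ... break; }`
        # pattern, which nginx documents as unreliable inside location blocks.
        # A missing file becomes a 404, and `expires` is not added to 404
        # responses, so the observable behaviour is unchanged.
        try_files $uri =404;
        expires 7d;
    }
}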
3.启动nginx。
[root@gj_css_db3 conf]# /usr/local/nginx/sbin/nginx
4.查看服务是否起来
[root@gj_css_db3 conf]# netstat -nltp | grep nginx
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 9628/nginx
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 9628/nginx