nginx HTTPS/SSL: setting up a trusted certificate [original]
1. Build nginx with the SSL module
http://nginx.org/en/docs/configure.html
yum -y install openssl openssl-devel    # http_ssl_module links against OpenSSL; the -devel package provides the headers
./configure --sbin-path=/usr/local/nginx/nginx --conf-path=/usr/local/nginx/nginx.conf --pid-path=/usr/local/nginx/nginx.pid --with-http_ssl_module --with-pcre=../pcre-8.38 --with-zlib=../zlib-1.2.8
2. Configure nginx
http://nginx.org/en/docs/http/configuring_https_servers.html
server {
    listen              443 ssl;
    server_name         www.example.com;
    ssl_certificate     www.example.com.crt;
    ssl_certificate_key www.example.com.key;
    ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers         HIGH:!aNULL:!MD5;
    ...
}
3. Generate a local (self-signed) certificate
#!/bin/bash
# create self-signed server certificate (read -p needs bash, not a plain POSIX sh):
read -p "Enter your domain [www.example.com]: " DOMAIN
echo "Create server key..."
# -des3 protects the key with a passphrase; it is stripped again below so nginx can start unattended.
# (1024-bit RSA is below what current browsers and CAs accept; 2048 is the usual minimum.)
openssl genrsa -des3 -out "$DOMAIN.key" 1024
echo "Create server certificate signing request..."
SUBJECT="/C=US/ST=Mars/L=iTranswarp/O=iTranswarp/OU=iTranswarp/CN=$DOMAIN"
openssl req -new -subj "$SUBJECT" -key "$DOMAIN.key" -out "$DOMAIN.csr"
echo "Remove password..."
mv "$DOMAIN.key" "$DOMAIN.origin.key"
openssl rsa -in "$DOMAIN.origin.key" -out "$DOMAIN.key"
echo "Sign SSL certificate..."
# self-signed: the CSR is signed with the server's own key, valid for ten years
openssl x509 -req -days 3650 -in "$DOMAIN.csr" -signkey "$DOMAIN.key" -out "$DOMAIN.crt"
echo "TODO:"
echo "Copy $DOMAIN.crt to /etc/nginx/ssl/$DOMAIN.crt"
echo "Copy $DOMAIN.key to /etc/nginx/ssl/$DOMAIN.key"
echo "Add configuration in nginx:"
echo "server {"
echo "    ..."
echo "    listen 443 ssl;"
echo "    ssl_certificate /etc/nginx/ssl/$DOMAIN.crt;"
echo "    ssl_certificate_key /etc/nginx/ssl/$DOMAIN.key;"
echo "}"
Four files are created in the current directory:
- www.test.com.crt: the self-signed certificate
- www.test.com.csr: the certificate signing request
- www.test.com.key: the key without a passphrase
- www.test.com.origin.key: the key with a passphrase
The web server sends www.test.com.crt to the browser for verification and then uses www.test.com.key to decrypt the data the browser sends; the other two files do not need to be uploaded to the web server.
Taking Nginx as an example, configure the following inside server {...}:
server {
...
ssl on;
ssl_certificate /etc/nginx/ssl/www.test.com.crt;
ssl_certificate_key /etc/nginx/ssl/www.test.com.key;
}
If all goes well, open a browser and the site can be reached over HTTPS. The first visit shows a warning (because our self-signed certificate is not trusted by the browser); import the certificate into the system through the browser (IE on Windows, Safari on Mac) and mark it as "trusted", after which that computer can connect to the web server securely:
server {
    listen 443;
    server_name www.xxx.com;
    index index.html index.htm index.php default.html default.htm default.php;
    root /var/www;
    include yb.conf;
    #error_page 404 /404.html;

    location ~ [^/]\.php(/|$) {
        # comment out try_files $uri =404; to enable pathinfo
        try_files $uri =404;
        fastcgi_pass unix:/tmp/php-cgi.sock;
        fastcgi_index index.php;
        include fastcgi.conf;
        #include pathinfo.conf;
    }
    location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$ {
        expires 30d;
    }
    location ~ .*\.(js|css)$ {    # no trailing ? after the group: with it the pattern would match every URI
        expires 12h;
    }
    access_log /var/wwwlogs/www.xxx.com.log access;
    ssl on;
    ssl_certificate /var/www/conf/xxx_com.crt;
    ssl_certificate_key /var/www/conf/server.key;
}
server {
    listen 80;
    server_name xxx.com www.xxx.com;
    rewrite ^(.*) https://$server_name$1 permanent;
}
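As an added check (example code written for this page, not from nginx or the post's author), the following Python script parses a server block like the ones in sections 2 and 3 and flags the TLS settings a reviewer would question: the deprecated ssl on, a listen without the ssl parameter, missing certificate directives, and the TLSv1/TLSv1.1 protocols the sample configuration enables. The directive names are nginx's own; the sample block is constructed from the configuration in section 2.

```python
import re
# Constructed sample: the HTTPS server block from this page (legacy protocol list included).
SAMPLE_CONF = """
server {
    listen 443 ssl;
    server_name www.example.com;
    ssl_certificate www.example.com.crt;
    ssl_certificate_key www.example.com.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!MD5;
}
"""
WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

def parse_server_block(text):
    """Directive name -> argument list for the simple directives of the first
    server { } block; comments are dropped and nested blocks are skipped."""
    text = re.sub(r"#[^\n]*", "", text)
    start = re.search(r"\bserver\s*\{", text)
    depth, buf, directives = 1, "", {}
    for ch in text[start.end():] if start else "":
        if ch == "{":                      # entering a nested block, e.g. location
            depth, buf = depth + 1, ""
        elif ch == "}":
            depth, buf = depth - 1, ""
            if depth == 0:
                break
        elif ch == ";" and depth == 1:      # end of a top-level directive
            parts = buf.split()
            if parts:
                directives[parts[0]] = parts[1:]
            buf = ""
        else:
            buf += ch
    return directives

def audit_tls(conf):
    """Return findings for one server block; an empty list means nothing to flag."""
    d = parse_server_block(conf)
    findings = []
    if d.get("ssl") == ["on"]:
        findings.append("deprecated 'ssl on'; use 'listen 443 ssl' instead")
    elif "ssl" not in d.get("listen", []):
        findings.append("listen lacks the ssl parameter")
    for name in ("ssl_certificate", "ssl_certificate_key"):
        if name not in d:
            findings.append("missing " + name)
    weak = [p for p in d.get("ssl_protocols", []) if p in WEAK_PROTOCOLS]
    if weak:
        findings.append("weak protocols enabled: " + " ".join(weak))
    return findings
```

Running audit_tls(SAMPLE_CONF) reports the TLSv1 and TLSv1.1 entries; removing them from ssl_protocols yields an empty finding list.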
4. How to make the certificate permanently valid: either buy a commercial one, a few hundred dollars a year, or use a free one, which is short-lived
https://www.startssl.com/ Register an account on this site, then validate the domain for which you want to generate the certificate.
Click next; when it finishes, download the certificate locally.
After unpacking, the .crt is the certificate issued by the CA; configure it on your nginx (or whichever server you use) and you are done.
If the whole site needs HTTPS, redirect all requests on port 80 to port 443.