12.20 Nginx配置ssl
Nginx配置ssl目录概要
- vim /usr/local/nginx/conf/vhost/ssl.conf//加入如下内容
server
{
listen 443;
server_name aming.com;
index index.html index.php;
root /data/wwwroot/aming.com;
ssl on;
ssl_certificate aminglinux.crt;
ssl_certificate_key aminglinux.key;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
}- -t && -s reload //若报错unknown directive “ssl” ,需要重新编译nginx,加上--with-http_ssl_module
- mkdir /data/wwwroot/aming.com
- echo “ssl test page.”>/data/wwwroot/aming.com/index.html
- 编辑hosts,增加127.0.0.1 aming.com
- curl https://aming.com/
Nginx配置ssl
- 在有了公钥和私钥之后,配置nginx
- 生成新的配置文件 vim /usr/local/nginx/conf/vhost/ssl.conf
[root@hf-01 conf]# vim /usr/local/nginx/conf/vhost/ssl.conf
添加以下内容
server
{
listen 443; //监听端口为443
server_name aming.com; //主机名
index index.html index.php;
root /data/wwwroot/aming.com; //root 目录
ssl on; //开启ssl
ssl_certificate gurui.crt; //指定公钥
ssl_certificate_key gurui.key; //指定私钥
ssl_protocols TLSv1 TLSv1.1 TLSv1.2; //ssl 的协议
}
保存退出- ssl 的协议,一般情况下,三种协议都配置上
- 创建/data/wwwroot/aming.com目录
[root@hf-01 conf]# mkdir /data/wwwroot/aming.com
[root@hf-01 conf]# - 检查配置文件语法
[root@hf-01 conf]# /usr/local/nginx/sbin/nginx -t
nginx: [emerg] unknown directive "ssl" in /usr/local/nginx/conf/vhost/ssl.conf:7
nginx: configuration file /usr/local/nginx/conf/nginx.conf test failed
[root@hf-01 conf]# - 报错:
- 因为不知道这个 ssl 配置,在编译nginx的时候,并没有指定支持ssl
[root@hf-01 conf]# /usr/local/nginx/sbin/nginx -V
nginx version: nginx/1.12.1
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-16) (GCC)
configure arguments: --prefix=/usr/local/nginx
[root@hf-01 conf]# - 解决办法
- 重新编译nginx
- 重新编译nginx
[root@hf-01 conf]# cd /usr/local/src/nginx-1.12.1/
[root@hf-01 nginx-1.12.1]# ./configure --help |grep -i ssl
--with-http_ssl_module enable ngx_http_ssl_module
--with-mail_ssl_module enable ngx_mail_ssl_module
--with-stream_ssl_module enable ngx_stream_ssl_module
--with-stream_ssl_preread_module enable ngx_stream_ssl_preread_module
--with-openssl=DIR set path to OpenSSL library sources
--with-openssl-opt=OPTIONS set additional build options for OpenSSL
[root@hf-01 nginx-1.12.1]# - 编译的时候需要加上--with-http_ssl_module
- 初始化./configure --prefix=/usr/local/nginx --with-http_ssl_module
[root@hf-01 nginx-1.12.1]# ./configure --prefix=/usr/local/nginx --with-http_ssl_module- 编译make
[root@hf-01 nginx-1.12.1]# make- 然后make install
[root@hf-01 nginx-1.12.1]# make install- 查看nginx的编译参数,会看到增加了--with-http_ssl_module
[root@hf-01 nginx-1.12.1]# /usr/local/nginx/sbin/nginx -V
nginx version: nginx/1.12.1
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-16) (GCC)
built with OpenSSL 1.0.2k-fips 26 Jan 2017
TLS SNI support enabled
configure arguments: --prefix=/usr/local/nginx --with-http_ssl_module
[root@hf-01 nginx-1.12.1]# - 检查配置文件语法错误
[root@hf-01 nginx-1.12.1]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@hf-01 nginx-1.12.1]# - 重启nginx
[root@hf-01 nginx-1.12.1]# /etc/init.d/nginx restart
Restarting nginx (via systemctl): [ 确定 ]
[root@hf-01 nginx-1.12.1]# - 查看监听端口,会看到多出一个443端口
[root@hf-01 nginx-1.12.1]# netstat -lntp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 1533/master
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 5716/nginx: master
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 5716/nginx: master
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1205/sshd
tcp6 0 0 ::1:25 :::* LISTEN 1533/master
tcp6 0 0 :::3306 :::* LISTEN 1576/mysqld
tcp6 0 0 :::22 :::* LISTEN 1205/sshd
[root@hf-01 nginx-1.12.1]# - 切换目录路径,并创建一个测试文件
[root@hf-01 nginx-1.12.1]# cd /data/wwwroot/aming.com/
[root@hf-01 aming.com]# ls
[root@hf-01 aming.com]# vim index.html
This is ssl.
保存退出- 测试,若是直接访问会报400
[root@hf-01 aming.com]# curl -x127.0.0.1:443 https://aming.com/
curl: (56) Received HTTP code 400 from proxy after CONNECT
[root@hf-01 aming.com]# - 在虚拟机中 /etc/写hosts
[root@hf-01 aming.com]# vim /etc/hosts
加入以下内容
127.0.0.1 aming.com- 测试,不指定-x访问
[root@hf-01 aming.com]# curl https://aming.com/
curl: (60) Peer's certificate issuer has been marked as not trusted by the user.
More details here: http://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.
[root@hf-01 aming.com]# - 就是说你这个证书被标记为不可信任了,因为这个证书是自己颁发的,实际上是已经配置成功了
- 在windows中的host文件添加,并保存
192.168.74.129 aming.com- 浏览器访问aming.com,会看到加载超时
- 这时查看虚拟机防火墙iptables -nvL,若是防火墙存在,可以直接ipbables -F清空所有规则,若不想清空所有规则可以增加443端口的规则
[root@hf-01 aming.com]# iptables -nvL
[root@hf-01 aming.com]# iptables -F
[root@hf-01 aming.com]# - 这时再来访问aming.com,会提示是否信任证书,选择 是 ,会访问成功
输入图片说明
- 这个就是自己颁发证书,浏览器不被信任的时候,会显示红色 不安全 ,而不是绿色
- 以后若想正常的访问https,可以去沃通买证书
本文参与 腾讯云自媒体分享计划,分享自作者个人站点/博客。
如有侵权请联系 cloudcommunity@tencent.com 删除
评论
登录后参与评论
推荐阅读
目录