Enabling SSL in nginx [nginx]
Posted by: administrator, 2018-9-26 10:19:07
1. Create the SSL certificate

# cd /etc/pki/tls/certs
# make server.key
umask 77 ; \
/usr/bin/openssl genrsa -aes128 2048 > server.key
Generating RSA private key, 2048 bit long modulus
...
...
e is 65537 (0x10001)
Enter pass phrase:    # enter a passphrase
Verifying - Enter pass phrase:    # confirm it

# remove the passphrase from the private key
# openssl rsa -in server.key -out server.key
Enter pass phrase for server.key:    # input passphrase
writing RSA key

# make server.csr
umask 77 ; \
/usr/bin/openssl req -utf8 -new -key server.key -out server.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN    # country
State or Province Name (full name) []:shanghai    # province
Locality Name (eg, city) [Default City]:shanghai    # city
Organization Name (eg, company) [Default Company Ltd]:openstack    # company
Organizational Unit Name (eg, section) []:Server World    # department
Common Name (eg, your name or your server's hostname) []:www.srv.world    # hostname
Email Address []:xxx@srv.world    # email address
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:    # press Enter
An optional company name []:    # press Enter

# openssl x509 -in server.csr -out server.crt -req -signkey server.key -days 3650
Signature ok
subject=/C=CN/ST=shanghai/L=shanghai/O=openstack/OU=computer/CN=www.openstack.com/emailAddress=example@openstack.com
Getting Private key

2. Edit the configuration file /etc/nginx/nginx.conf

# add the following inside the "server" block
    server {
        listen       80 default_server;
        listen       [::]:80 default_server;
        listen       443 ssl;
        server_name  www.srv.world;
        root         /usr/share/nginx/html;

        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_prefer_server_ciphers on;
        # note: the two exclusions must be separated by ':' and OpenSSL keywords are case-sensitive (eNULL)
        ssl_ciphers ECDHE+RSAGCM:ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!DSS;
        ssl_certificate      /etc/pki/tls/certs/server.crt;
        ssl_certificate_key  /etc/pki/tls/certs/server.key;
    }
3. Restart the service

# systemctl restart nginx
4. Configure the firewall

# firewall-cmd --add-service=https --permanent
# firewall-cmd --reload
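Before restarting nginx it is worth checking the server block for settings that were common in 2018 but are weak or mistyped; the audit script below is an added example, not part of the post or of nginx, and its sample config is constructed from the post's server block with TLSv1/TLSv1.1 and the '!aNULL!eNull' typo deliberately kept. The deprecated-protocol list, the keyword set and the function names are the example's own choices, and the suite list it returns comes from the OpenSSL linked into the local Python, which may differ from the one nginx is built against.

```python
import re
import ssl

# Constructed sample: the post's server block, with its weak or broken settings
# deliberately kept (TLSv1/TLSv1.1 enabled, '!aNULL!eNull' missing its ':').
SAMPLE_CONF = """
server {
    listen       443 ssl;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers ECDHE+RSAGCM:ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:!aNULL!eNull:!EXPORT:!DES:!3DES:!MD5:!DSS;
    ssl_certificate      /etc/pki/tls/certs/server.crt;
    ssl_certificate_key  /etc/pki/tls/certs/server.key;
}
"""
DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
# Exclusion keywords the post uses, spelled as OpenSSL's case-sensitive parser expects.
KNOWN_EXCLUSIONS = {"aNULL", "eNULL", "EXPORT", "DES", "3DES", "MD5", "DSS"}
UPPER_EXCLUSIONS = {k.upper() for k in KNOWN_EXCLUSIONS}

def parse_ssl_directives(conf):
    """Map each simple 'ssl_* value;' directive in the block to its value."""
    return dict(re.findall(r"^\s*(ssl_\w+)\s+([^;]+);", conf, re.MULTILINE))

def cipher_string_problems(cipher_str):
    """Flag a '!' inside a token (the ':' between two exclusions is missing)
    and exclusion keywords in the wrong case (OpenSSL keywords are case-sensitive)."""
    problems = []
    for tok in cipher_str.split(":"):
        names = tok[1:].split("!") if tok.startswith("!") else []
        if len(names) > 1:
            problems.append(f"{tok!r}: missing ':' between exclusions")
        for name in names:
            if name not in KNOWN_EXCLUSIONS and name.upper() in UPPER_EXCLUSIONS:
                problems.append(f"{name!r}: wrong case, keywords are case-sensitive")
    return problems

def suites_selected(cipher_str):
    """Ask the OpenSSL linked into Python which suites the string really selects."""
    ctx = ssl.create_default_context()
    ctx.set_ciphers(cipher_str)  # raises ssl.SSLError if nothing matches
    return [c["name"] for c in ctx.get_ciphers()]

def audit(conf):
    """Return human-readable findings for the block; an empty list means clean."""
    d = parse_ssl_directives(conf)
    enabled = set(d.get("ssl_protocols", "").split())
    findings = [f"deprecated protocol enabled: {p}"
                for p in sorted(enabled & DEPRECATED_PROTOCOLS)]
    findings += cipher_string_problems(d.get("ssl_ciphers", ""))
    return findings
```

Run `audit(SAMPLE_CONF)` to list the findings, and `suites_selected(...)` to see which suites the cipher string leaves enabled once the typo is fixed.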