1. Create the SSL certificate

# cd /etc/pki/tls/certs
# make server.key
umask 77 ; \
/usr/bin/openssl genrsa -aes128 2048 > server.key
Generating RSA private key, 2048 bit long modulus
...
...
e is 65537 (0x10001)
Enter pass phrase:                  # enter a pass phrase
Verifying - Enter pass phrase:      # confirm it

# Remove the pass phrase from the private key (otherwise nginx asks for it on every start)
# openssl rsa -in server.key -out server.key
Enter pass phrase for server.key:   # input passphrase
writing RSA key

# make server.csr
umask 77 ; \
/usr/bin/openssl req -utf8 -new -key server.key -out server.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN                                  # country
State or Province Name (full name) []:shanghai                        # province
Locality Name (eg, city) [Default City]: shanghai                     # city
Organization Name (eg, company) [Default Company Ltd]:openstack       # company
Organizational Unit Name (eg, section) []:Server World                # department
Common Name (eg, your name or your server's hostname) []:www.srv.world   # hostname
Email Address []:xxx@srv.world                                        # e-mail
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:            # press Enter
An optional company name []:        # press Enter

# openssl x509 -in server.csr -out server.crt -req -signkey server.key -days 3650
Signature ok
subject=/C=CN/ST=shanghai/L=shanghai/O=openstack/OU=computer/CN=www.openstack.com/emailAddress=example@openstack.com
Getting Private key
2. Edit the configuration file /etc/nginx/nginx.conf

# Add the following inside the "server" section
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    listen 443 ssl;
    server_name www.srv.world;
    root /usr/share/nginx/html;
    # TLSv1 and TLSv1.1 are deprecated; keep only TLSv1.2 unless legacy clients need them
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    # prefer ECDHE/DHE AES-GCM suites; exclude anonymous, null, export and weak ciphers
    ssl_ciphers ECDHE+AESGCM:ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!DSS;
    ssl_certificate /etc/pki/tls/certs/server.crt;
    ssl_certificate_key /etc/pki/tls/certs/server.key;
}
4. Restart the service

# systemctl restart nginx

Configure the firewall

# firewall-cmd --add-service=https --permanent
# firewall-cmd --reload
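The procedure above (key, CSR, self-signed certificate, nginx cipher string) done non-interactively, as an added example that is not code from the original post. HOST, the subject fields and the temporary directory are constructed values; it assumes OpenSSL 1.1.1 or newer for -addext, and the checks at the end are the ones worth running before nginx is restarted.

```shell
#!/bin/sh
# Added example (not from the original post): non-interactive equivalent of the
# key/CSR/self-signed certificate steps, plus checks to run before handing the
# files to nginx. HOST and subject fields are constructed; DAYS and the cipher
# list mirror the post's configuration.
set -eu

HOST="www.srv.world"   # constructed; must match the nginx server_name
DAYS=3650
CIPHERS='ECDHE+AESGCM:ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!DSS'

# Key and self-signed certificate in one step. -nodes skips the pass phrase the
# post strips afterwards anyway; -addext adds a subjectAltName, which browsers
# require in addition to the CN (needs OpenSSL 1.1.1 or newer).
make_selfsigned() {  # $1 = output directory
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$DAYS" \
        -keyout "$1/server.key" -out "$1/server.crt" \
        -subj "/C=CN/ST=shanghai/L=shanghai/O=openstack/OU=Server World/CN=$HOST" \
        -addext "subjectAltName=DNS:$HOST"
    chmod 600 "$1/server.key"   # same intent as the post's umask 77
}

# Succeeds only when the certificate's public key matches the private key;
# a mismatch makes nginx refuse to start ("key values mismatch").
key_matches_cert() {  # $1 = directory holding server.key and server.crt
    [ -s "$1/server.key" ] && [ -s "$1/server.crt" ] || return 1
    k=$(openssl pkey -in "$1/server.key" -pubout 2>/dev/null | openssl sha256)
    c=$(openssl x509 -in "$1/server.crt" -pubkey -noout 2>/dev/null | openssl sha256)
    [ "$k" = "$c" ]
}

# Prints the CN from the certificate subject; handles both the old
# "/C=CN/.../CN=host" and the newer "C = CN, ..., CN = host" output format.
cert_cn() {  # $1 = directory
    openssl x509 -in "$1/server.crt" -noout -subject | sed 's/.*CN *= *//; s#/.*##'
}

# Succeeds only when OpenSSL accepts the ssl_ciphers string and it expands to
# no NULL-encryption suite; nginx fails to start on a string OpenSSL rejects.
ciphers_ok() {  # $1 = cipher string
    list=$(openssl ciphers "$1" 2>/dev/null) || return 1
    ! printf '%s' "$list" | grep -q NULL
}

# Run the whole flow with: sh selfsigned.sh run
if [ "${1:-}" = "run" ]; then
    d=$(mktemp -d) && make_selfsigned "$d"
    key_matches_cert "$d" && echo "key and certificate match, CN=$(cert_cn "$d")"
    ciphers_ok "$CIPHERS" && echo "cipher string accepted by OpenSSL"
fi
```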