Enabling SSL in nginx [nginx]
Posted on 2018-9-26 10:19:07
1. Create an SSL certificate

# cd /etc/pki/tls/certs

# make server.key
umask 77 ; \
/usr/bin/openssl genrsa -aes128 2048 > server.key
Generating RSA private key, 2048 bit long modulus
...
...
e is 65537 (0x10001)
Enter pass phrase:               # type a passphrase
Verifying - Enter pass phrase:   # confirm it

# remove the passphrase from the private key (nginx can then start without prompting; the file stays readable by root only because of umask 77)
# openssl rsa -in server.key -out server.key
Enter pass phrase for server.key:   # enter the passphrase
writing RSA key

# make server.csr
umask 77 ; \
/usr/bin/openssl req -utf8 -new -key server.key -out server.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN   # country
State or Province Name (full name) []:shanghai   # province
Locality Name (eg, city) [Default City]:shanghai   # city
Organization Name (eg, company) [Default Company Ltd]:openstack   # company
Organizational Unit Name (eg, section) []:Server World   # department
Common Name (eg, your name or your server's hostname) []:www.srv.world   # hostname
Email Address []:xxx@srv.world   # e-mail address

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:   # press Enter
An optional company name []:   # press Enter

# openssl x509 -in server.csr -out server.crt -req -signkey server.key -days 3650
Signature ok
subject=/C=CN/ST=shanghai/L=shanghai/O=openstack/OU=computer/CN=www.openstack.com/emailAddress=example@openstack.com
Getting Private key
2. Edit the configuration file /etc/nginx/nginx.conf

# add the following inside the "server" block
    server {
        listen       80 default_server;
        listen       [::]:80 default_server;
        listen       443 ssl;
        server_name  www.srv.world;
        root         /usr/share/nginx/html;

        # TLSv1 and TLSv1.1 are deprecated (RFC 8996); new deployments should list only TLSv1.2 and TLSv1.3
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_prefer_server_ciphers on;
        ssl_ciphers ECDHE+AESGCM:ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!DSS;
        ssl_certificate      /etc/pki/tls/certs/server.crt;
        ssl_certificate_key  /etc/pki/tls/certs/server.key;
    }

server_name must match the hostname in the certificate (the Common Name entered for the CSR), otherwise clients reject the certificate; a self-signed certificate like this one also produces a browser warning until it is explicitly trusted.
3. Restart the service

# systemctl restart nginx

4. Configure the firewall

# firewall-cmd --add-service=https --permanent
# firewall-cmd --reload
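As an added check that is not part of the original post, the following Python snippet parses the ssl_* directives of an nginx server block and flags deprecated protocol versions, cipher-string tokens where a ':' separator was lost, and weak cipher keywords that are not negated. The sample configuration is constructed from the server block in this post, with a deliberately fused `!aNULL!eNull` token so the detection has something to report.

```python
import re

# Constructed sample based on the post's server block. The token "!aNULL!eNull"
# is deliberately fused (missing ':' separator) so the checker has something to flag.
SAMPLE_CONF = """
server {
    listen       443 ssl;
    server_name  www.srv.world;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers ECDHE+AESGCM:ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:!aNULL!eNull:!EXPORT:!DES:!3DES:!MD5:!DSS;
    ssl_certificate      /etc/pki/tls/certs/server.crt;
    ssl_certificate_key  /etc/pki/tls/certs/server.key;
}
"""

# Versions deprecated by RFC 8996 (TLS 1.0/1.1) or long since broken (SSLv2/v3).
DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
# OpenSSL cipher-string keywords that must appear only negated ("!...") or not at all.
WEAK_CIPHER_WORDS = {"eNULL", "aNULL", "EXPORT", "DES", "3DES", "RC4", "MD5", "DSS"}


def parse_ssl_directives(conf):
    """Map each ssl_* directive name to its argument list (first occurrence wins)."""
    found = {}
    for m in re.finditer(r"^\s*(ssl_\w+)\s+([^;]+);", conf, re.MULTILINE):
        found.setdefault(m.group(1), m.group(2).split())
    return found


def audit_ssl(conf):
    """Return a list of findings for the ssl_protocols and ssl_ciphers directives."""
    d = parse_ssl_directives(conf)
    findings = []
    for proto in d.get("ssl_protocols", []):
        if proto in DEPRECATED_PROTOCOLS:
            findings.append("deprecated protocol enabled: " + proto)
    for tok in ":".join(d.get("ssl_ciphers", [])).split(":"):
        if "!" in tok[1:]:
            # A '!' after the first character means two rules were glued together.
            findings.append("malformed cipher token (missing ':'): " + tok)
        elif not tok.startswith("!"):
            words = re.split(r"[+\-]", tok)
            if any(w in WEAK_CIPHER_WORDS for w in words):
                findings.append("weak cipher keyword not negated: " + tok)
    for directive in ("ssl_certificate", "ssl_certificate_key"):
        if directive not in d:
            findings.append("missing directive: " + directive)
    return findings
```

Run `audit_ssl` over the contents of nginx.conf before `systemctl restart nginx`; an empty list means no finding.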