nginx启用ssl【nginx】

admin

1、制作ssl证书
4 n/ v! J$ G7 J3 }, }: \6 v7 R- d( P
# A) w  ]- s) v' A! a
3 A4 D4 R0 }( g" S7 n
# cd /etc/pki/tls/certs
" E& t* ~+ }! S& v/ z/ C' T# make server.key
umask 77 ; \
/usr/bin/openssl genrsa -aes128 2048 > server.key
Generating RSA private key, 2048 bit long modulus
...
/ ?1 d* t$ l5 W- o& n# P  M& j...
7 N9 R6 q3 U- }! o1 q5 E' F1 T, Xe is 65537 (0x10001)
0 d' B& d6 [) ]* }% B$ |Enter pass phrase:# 输入密码
Verifying - Enter pass phrase:#确认

9 P4 H/ g8 K# l; M7 D* S1 a# 从private key 中删除密码
& A; Q. Q7 R6 v# openssl rsa -in server.key -out server.key
Enter pass phrase for server.key:# input passphrase
* W1 b+ E, D# _4 R2 ?% O4 U  Dwriting RSA key
- m4 D- {# E. [( g% G
# make server.csr
umask 77 ; \
/usr/bin/openssl req -utf8 -new -key server.key -out server.csr
You are about to be asked to enter information that will be incorporated
, J9 T. A; A* n! N) T. O: b; D& Pinto your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
- J( E' E2 @0 Y! B! a# [- zIf you enter '.', the field will be left blank.
; f6 s" k! M$ B, e# u-----
& ]+ e) W' I: B8 q1 z4 _Country Name (2 letter code) [XX]:CN# 国家
% _  S  J7 R# J. JState or Province Name (full name) []:shanghai   # 省
/ V+ G; X5 Z, {# CLocality Name (eg, city) [Default City]: shanghai   # 市
Organization Name (eg, company) [Default Company Ltd]:openstack  # 公司
Organizational Unit Name (eg, section) []:Server World   # 部门
- u2 [/ f! ~* `% xCommon Name (eg, your name or your server's hostname) []:www.srv.world   # 主机名
Email Address []:xxx@srv.world # 邮箱
3 ~3 z9 G7 b9 {3 T/ {Please enter the following 'extra' attributes
9 v1 M- n# d' q" P1 g! ]" Jto be sent with your certificate request
7 Q# y- y* j+ c' R; l: I: uA challenge password []:#回车
An optional company name []:# Enter

#  openssl x509 -in server.csr -out server.crt -req -signkey server.key -days 3650
4 g1 b7 o7 i$ CSignature ok
5 M6 l0 I6 [) Asubject=/C=CN/ST=shanghai/L=shanghai/O=openstack/OU=computer/CN=www.openstack.com/emailAddress=example@openstack.com
+ h  `7 ?: S6 n5 X4 p0 a' DGetting Private key

2 O: w& G0 O. ~: t2、修改配置文件 /etc/nginx/nginx.conf
6 |+ s: G3 E) M# D6 h


# 在"server" 章节加入
  V- y7 _/ g0 R6 ?    server {
6 b* R) V: [  r; o# n% a( p        listen       80 default_server;
7 z" n, n( Z  ^6 }! R1 `' z        listen       [::]:80 default_server;
9 E0 w$ I8 f2 M) c6 c! V: m         listen       443 ssl;
# \8 r0 y8 R8 U; b: e         server_name  www.srv.world;
        root         /usr/share/nginx/html;

3 E+ W. k# b; r& t6 K' v         ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
* q5 l2 n! S# V        ssl_prefer_server_ciphers on;
6 V$ I( K5 e& Z4 Y9 a0 A1 e1 F        ssl_ciphers ECDHE+RSAGCM:ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:!aNULL!eNull:!EXPORT:!DES:!3DES:!MD5:!DSS;
        ssl_certificate      /etc/pki/tls/certs/server.crt;
        ssl_certificate_key  /etc/pki/tls/certs/server.key;
3 m1 F# v- R7 B) \1 k6 G  L4、重启服务
8 U, c8 V) \! V2 K0 d" E- k- K# U5 |


# systemctl restart nginx

配置防火墙
7 x' g$ n: R/ s( S  t
# r/ Q  y& {6 c* V% m# e; h
! V" V* n! q8 U" P: O0 f) y% a
( {( ?8 ?+ v, h5 M3 O# firewall-cmd --add-service=https --permanent
# firewall-cmd --reload
" z7 {; I* ?$ ~; {" R4 z8 u
0 A/ Y9 M) R8 U9 G3 }& ^  }1 k, O