Nginx下配置Https证书详细过程

时间:2022-09-05 09:36:51

一、Http与Https的区别
HTTP:是互联网上应用最为广泛的一种网络协议,是一个客户端和服务器端请求和应答的标准(TCP),用于从WWW服务器传输超文本到本地浏览器的传输协议,它可以使浏览器更加高效,使网络传输减少。

HTTPS:是以安全为目标的HTTP通道,简单讲是HTTP的安全版,即HTTP下加入SSL层,HTTPS的安全基础是SSL,因此加密的详细内容就需要SSL。HTTPS协议的主要作用可以分为两种:一种是建立一个信息安全通道,来保证数据传输的安全;另一种就是确认网站的真实性。

HTTPS和HTTP的区别主要如下:
1、https协议需要到ca申请证书,一般免费证书较少,因而需要一定费用。
2、http是超文本传输协议,信息是明文传输,https则是具有安全性的ssl加密传输协议。
3、http和https使用的是完全不同的连接方式,用的端口也不一样,前者是80,后者是443。
4、http的连接很简单,是无状态的;HTTPS协议是由SSL+HTTP协议构建的可进行加密传输、身份认证的网络协议,比http协议安全。

二、使用openssl生成证书
openssl是目前最流行的SSL密码库工具,其提供了一个通用、健壮、功能完备的工具套件,用以支持SSL/TLS协议的实现。

比如生成到:/usr/local/ssl

openssl req -x509 -nodes -days 36500 -newkey rsa:2048 -keyout /usr/local/ssl/nginx.key -out /usr/local/ssl/nginx.crt
生成过程: # openssl req -x509 -nodes -days 36500 -newkey rsa:2048 -keyout /u sr/local/ssl/nginx.key -out /usr/local/ssl/nginx.crt
Generating a 2048 bit RSA private key
...............................................................................+ ++
...............+++
writing new private key to '/usr/local/ssl/nginx.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:beijing
Organization Name (eg, company) [Default Company Ltd]:xxxx
Organizational Unit Name (eg, section) []:xxxx
Common Name (eg, your name or your server's hostname) []:xxxx(一般是域名)
Email Address []:xxxx@xxxx.com
# ll
total 8
-rw-r--r--. 1 root root 1391 Apr 21 13:29 nginx.crt
-rw-r--r--. 1 root root 1704 Apr 21 13:29 nginx.key

三、Nginx安装http_ssl_module模块
Nginx如果未开启SSL模块,配置Https时提示错误。

nginx: [emerg] the "ssl" parameter requires ngx_http_ssl_module in /usr/local/nginx/conf/nginx.conf:xxx

nginx缺少http_ssl_module模块,编译安装的时候带上--with-http_ssl_module配置就行了。

本场景是服务器已经安装过nginx,但是未安装http_ssl_module。

1.进入到源码包,如:

cd /app/download/nginx-1.16.7

2.configure:

./configure --prefix=/usr/local/nginx --with-http_stub_status_module --with-http_ssl_module

3.make:

make

4.不需要执行make install,否则就覆盖安装了。

5.备份原有的nginx,如:

cp /usr/local/nginx/sbin/nginx /usr/local/nginx/sbin/nginx_bak

6.然后将刚刚编译好的nginx覆盖掉原有的nginx(nginx需要停止)

cp ./objs/nginx /usr/local/nginx/sbin/

7.查看安装情况:(注:若不生效,则重装nginx)

/usr/local/nginx/sbin/nginx -V
nginx version: nginx/1.12.2
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-16) (GCC)
built with OpenSSL 1.0.2k-fips 26 Jan 2017
TLS SNI support enabled
configure arguments: --prefix=/usr/local/nginx --with-http_stub_status_module --with-http_ssl_module

四、nginx配置https
贴部分配置信息:

#user  nobody;
worker_processes 1; #error_log logs/error.log;
#error_log logs/error.log notice;
#error_log logs/error.log info; #pid logs/nginx.pid; events {
worker_connections 1024;
} http {
include mime.types;
default_type application/octet-stream; #log_format main '$remote_addr - $remote_user [$time_local] "$request" '
# '$status $body_bytes_sent "$http_referer" '
# '"$http_user_agent" "$http_x_forwarded_for"'; #access_log logs/access.log main; sendfile on;
#tcp_nopush on; #keepalive_timeout 0;
keepalive_timeout 65; #gzip on; server {
listen 7777;
server_name localhost; #charset koi8-r; #access_log logs/host.access.log main; location / {
if (!-e $request_filename) {
rewrite ^(.*)$ /index.html?s=$1 last;
break;
}
root /usr/local/chip/product/crdp_plus;
index index.html;
} location /portal-ui {
root html;
index index.html index.htm;
try_files $uri $uri/ /monitor-view/index.html;
} location /crdp/ {
proxy_pass http://127.0.0.1:8888;
}
location /swagger-ui.html {
proxy_pass http://127.0.0.1:8888;
}
location /swagger-resources {
proxy_pass http://127.0.0.1:8888;
}
location /swagger {
proxy_pass http://127.0.0.1:8888;
}
location /webjars {
proxy_pass http://127.0.0.1:8888;
}
location /v2 {
proxy_pass http://127.0.0.1:8888;
}
location /druid {
proxy_pass http://127.0.0.1:8888;
} proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header REMOTE-HOST $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade"; client_max_body_size 5m; #error_page 404 /404.html; # redirect server error pages to the static page /50x.html
#
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root html;
} # proxy the PHP scripts to Apache listening on 127.0.0.1:80
#
#location ~ \.php$ {
# proxy_pass http://127.0.0.1;
#} # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
#
#location ~ \.php$ {
# root html;
# fastcgi_pass 127.0.0.1:9000;
# fastcgi_index index.php;
# fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name;
# include fastcgi_params;
#} # deny access to .htaccess files, if Apache's document root
# concurs with nginx's one
#
#location ~ /\.ht {
# deny all;
#}
} # another virtual host using mix of IP-, name-, and port-based configuration
#
#server {
# listen 8000;
# listen somename:8080;
# server_name somename alias another.alias; # location / {
# root html;
# index index.html index.htm;
# }
#} # HTTPS server
#
server {
listen 8787 ssl;
server_name 192.168.13.192;
ssl_certificate /usr/local/ssl/nginx.crt; #证书公钥
ssl_certificate_key /usr/local/ssl/nginx.key; #证书私钥
ssl_session_cache shared:SSL:1m;
ssl_session_timeout 5m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers ECDH:AESGCM:HIGH:!RC4:!DH:!MD5:!3DES:!aNULL:!eNULL;
ssl_prefer_server_ciphers on; root /usr/local/ui_workspace;
index /appBaoJian/index.html; location /appBaoJian {
root /usr/local/ui_workspace;
index index.html index.htm;
try_files $uri $uri/ /appBaoJian/index.html;
} location /chhm-service/ {
proxy_pass http://192.168.13.77:8380;
} }
server {
listen 8686 ssl;
server_name 192.168.13.192;
ssl_certificate /usr/local/ssl/nginx.crt; #证书公钥
ssl_certificate_key /usr/local/ssl/nginx.key; #证书私钥
ssl_session_cache shared:SSL:1m;
ssl_session_timeout 5m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers ECDH:AESGCM:HIGH:!RC4:!DH:!MD5:!3DES:!aNULL:!eNULL;
ssl_prefer_server_ciphers on; root /usr/local/ui_workspace;
index /crpge/index.html; location /crpgea {
root /usr/local/ui_workspace;
index index.html index.htm;
try_files $uri $uri/ /crpge/index.html;
} location /crpgeb {
root /usr/local/ui_workspace;
index index.html index.htm;
try_files $uri $uri/ /crpge/hospital.html;
} location /crpge/v1 {
proxy_http_version 1.1;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_pass http://127.0.0.1:18888/crpge/v1;
} } }

先检验配置的对不对:

/usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful

重启nginx:

/usr/local/nginx/sbin/./nginx -s reload

Nginx下配置Https证书详细过程的更多相关文章

  1. Nginx 下配置SSL证书的方法

    1.Nginx 配置 ssl 模块 默认 Nginx 是没有 ssl 模块的,而我的 VPS 默认装的是 Nginx 0.7.63 ,顺带把 Nginx 升级到 0.7.64 并且 配置 ssl 模块 ...

  2. Nginx下配置Https 配置文件(vue)

    #user nobody; worker_processes 1; #error_log logs/error.log; #error_log logs/error.log notice; #erro ...

  3. Nginx如何配置https证书?

    #把80端口请求跳转到443端口 server { listen 80; server_name 域名; return 301 https://$http_host$request_uri; } se ...

  4. Nginx下的https配置

    https: https(Secure Hypertext Transfer Protocol) 安全超文本传输协议 它是以安全为目标的http通道,即它是http的安全版.它使用安全套接字层(SSL ...

  5. Nginx配置Https(详细、完整)

    Nginx配置Https(详细.完整) 原文链接:请支持原创 前置条件: 在配置https之前请确保下面的步骤已经完成 服务器已经安装nginx并且通过http可以正常访问 不会安装nginx的可以参 ...

  6. Ubuntu Nginx下配置网站ssl实现https访问

    最近在看  HTTP权威指南   看到介绍了HTTPS的ssl,自己就动手测试了下,将步骤记录下 HTTPS简介 什么是HTTPS?百科是这样解释的.HTTPS(全称:Hyper Text Trans ...

  7. Nginx下配置网站ssl实现https访问

    第一步:服务器环境,lnmp即Linux+Nginx+PHP+MySQL,本文中以我的博客为例,使用的是阿里云最低档的vps+免费的Linux服务器管理系统WDCP快速搭建的lnmp环境(同类产品还有 ...

  8. Nginx 高级配置-https 功能

    Nginx 高级配置-https 功能 作者:尹正杰 版权声明:原创作品,谢绝转载!否则将追究法律责任. 一.HTTPS工作过程 1>.SSL/TLS SSL(Secure Socket Lay ...

  9. 使用docker部署nginx并配置https

    我只有一台服务器,但我想在这台服务器上运行多个项目,怎么办? 总不能靠加端口区分吧? 百度和Google是个好东西,于是我找到了答案,使用nginx. 通过nginx,我可以给我的一台服务器配置两个域 ...

随机推荐

  1. PHP环境的搭建(Apache)

    一,下载XAMPP集成软件包. 二,Apache的安装配置: Apache的安装就点击下一步下一步,默认路径在系统的C盘. 三,在star   Apache的时候,出现了端口号80冲突(被占用),解决 ...

  2. mysql的collation

    mysql的collation大致的意思就是字符序.首先字符本来是不分大小的,那么对字符的>, = , < 操作就需要有个字符序的规则.collation做的就是这个事情,你可以对表进行字 ...

  3. C&OpenCurlyDoubleQuote;中断” 与 JS&OpenCurlyDoubleQuote;异步回调” 横向对比

    在底层C语言中,有一个非常重要而特别的概念,叫做“中断”.用比喻来说,我正在写着博客,突然我妈打个电话过来,我就离开了键盘去接电话了,然后写博客就中断了,我聊完电话回来再继续写.乍一听似乎并没有什么大 ...

  4. Difference between Stored Procedure and Function in SQL Server

    Stored Procedures are pre-compile objects which are compiled for first time and its compiled format ...

  5. JavaScript 高性能笔记

    浏览器解析 JavaScript .CSS .DOM 时,一般都是单线程解析,所以,引用外部文件时的位置不同,UE体验也不同. 下面是 Yahoo 大牛 Nicholas C. Zakas 的 &lt ...

  6. 用 Android-X86 和 VirtualBox 玩安卓游戏

    目前的系统是 Ubuntu 14.04,近日玩了玩 flash 版的<皇家禁*:前线>塔防游戏,还是想试试原生安卓游戏的表现.发现大概有两个选择: 各类安卓模拟器:官方SDK模拟器,bl ...

  7. git 仓库中删除历史大文件

    git 仓库中删除历史大文件 在git中增加了一个很大的文件,而且被保存在历史提交记录中,每次拉取代码都很大,速度很慢.而且用删除 提交历史记录的方式不是很实际. 以下分几个步骤介绍如何减小.git文 ...

  8. 删除zabbix数据库日志

    #!/bin/bashuser="root"passwd="361way"timedate=`date -d $(date -d "-90 day&q ...

  9. 11&lowbar;vim

    vim编辑器 文本编辑器,字处理器linux重要哲学思想之一:使用纯文本格式来保存软件的配置信息,大多数情况下都是如此,而且一切皆文件此前学过nano,sed..nano入门简单,但功能简陋 vi:V ...

  10. SQL Server 经典案例

    1.先进先出 例1 WITH [ta] ([商品编号], [批次号], [库存数量]) AS ( UNION ALL UNION ALL UNION ALL ),[tb] ([商品编号], [订货数量 ...