Implementing HTTPS with Nginx

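To serve SSL, Nginx must be built with the SSL module enabled at compile time (--with-http_ssl_module). Nginx also supports HTTPS for multiple virtual hosts on a single server.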

1. Use nginx -V to check whether ssl_module was enabled when nginx was compiled

[root@localhost ~]# nginx -V
nginx version: nginx/1.14.2
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-36) (GCC)
built with OpenSSL 1.0.2k-fips  26 Jan 2017
TLS SNI support enabled
configure arguments: --prefix=/apps/nginx --user=nginx --group=nginx --with-http_ssl_module --with-http_v2_module --with-http_realip_module --with-http_stub_status_module --with-http_gzip_static_module --with-pcre --with-stream --with-stream_ssl_module --with-stream_realip_module

2. Create a directory under the nginx directory to hold the certificates

[root@localhost ~]# mkdir /apps/nginx/certs
[root@localhost ~]# cd /apps/nginx/certs

3. Generate the self-signed CA certificate and the CA private key

[root@localhost certs]# openssl req -newkey rsa:4096 -nodes -sha256 -keyout ca.key -x509 -days 3650 -out ca.crt
Generating a 4096 bit RSA private key
....................++
...........................................................................................................................................................................++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:BJ
Locality Name (eg, city) [Default City]:BJ
Organization Name (eg, company) [Default Company Ltd]:magedu.com
Organizational Unit Name (eg, section) []:ops
Common Name (eg, your name or your server's hostname) []:ca.magedu.com
Email Address []:438214186@qq.com

4. Generate the server private key and the certificate signing request

[root@localhost certs]# openssl req -newkey rsa:4096 -nodes -sha256 -keyout www.mylinuxops.com.key -out www.mylinuxops.com.csr
Generating a 4096 bit RSA private key
.......................................................................................++
.............................................................................................................................................................................................++
writing new private key to 'www.mylinuxops.com.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:BJ
Locality Name (eg, city) [Default City]:BJ
Organization Name (eg, company) [Default Company Ltd]:magedu.com
Organizational Unit Name (eg, section) []:ops
Common Name (eg, your name or your server's hostname) []:www.mylinuxops.com
Email Address []:438214186@qq.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

5. Sign the certificate

[root@localhost certs]# openssl x509 -req -days 3650 -in www.mylinuxops.com.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out www.mylinuxops.com.crt
Signature ok
subject=/C=CN/ST=BJ/L=BJ/O=magedu.com/OU=ops/CN=www.mylinuxops.com/emailAddress=438214186@qq.com
Getting CA Private Key

6. Inspect the issued certificate

[root@localhost certs]# openssl x509 -in www.mylinuxops.com.crt -noout -text
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number:
            b9:a1:a3:24:b8:03:cc:86
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=CN, ST=BJ, L=BJ, O=magedu.com, OU=ops, CN=ca.magedu.com/emailAddress=438214186@qq.com
        Validity
            Not Before: May 29 12:06:50 2019 GMT
            Not After : May 26 12:06:50 2029 GMT
        Subject: C=CN, ST=BJ, L=BJ, O=magedu.com, OU=ops, CN=www.mylinuxops.com/emailAddress=438214186@qq.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Modulus:
                    [modulus bytes omitted]
                Exponent: 65537 (0x10001)
    Signature Algorithm: sha256WithRSAEncryption
         [signature bytes omitted]

7. Edit the configuration file to enable SSL

server {
    server_name www.mylinuxops.com;
    listen 443;
    ssl on;
    ssl_certificate /apps/nginx/certs/www.mylinuxops.com.crt;       # certificate file
    ssl_certificate_key /apps/nginx/certs/www.mylinuxops.com.key;   # private key file
    ssl_session_timeout 10m;             # SSL session timeout
    ssl_session_cache shared:SSL:20m;    # SSL session cache size; "shared" is a cache shared by all worker processes; it needs a name and a size; per the official documentation, 1M can hold 4000 sessions
    location / {
        root /data/www;
        index index.html;
    }
}

8. Check the configuration file and reload it

[root@localhost nginx]# nginx -t
nginx: the configuration file /apps/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /apps/nginx/conf/nginx.conf test is successful
[root@localhost nginx]# nginx -s reload

9. Test

[root@localhost nginx]# curl --cacert /apps/nginx/certs/ca.crt  https://www.mylinuxops.com
mylinux.com
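
The certificate printed in step 6 is X.509 Version 1 with no subjectAltName: curl with --cacert still matches it by Common Name, but browsers that check host names only against the SAN will not accept it. The script below is an added example, not part of the original post; it repeats steps 3 to 5 non-interactively with an extension file and then checks the result. The example.test names, the -subj values, the one-year leaf lifetime and the function names are assumptions.

```shell
#!/bin/sh
# Added example; host names, subjects and directories are constructed.

# make_ca DIR [BITS]: self-signed CA as in step 3, made non-interactive with -subj.
make_ca() {
    openssl req -newkey "rsa:${2:-4096}" -nodes -sha256 -x509 -days 3650 \
        -subj "/C=CN/O=example/CN=ca.example.test" \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null || return 1
    chmod 600 "$1/ca.key"
}

# issue_leaf DIR HOST [BITS]: key and CSR (step 4), then signing (step 5) with
# an extension file, so the result is X.509 v3 with a SAN for HOST.
issue_leaf() {
    openssl req -newkey "rsa:${3:-4096}" -nodes -sha256 \
        -subj "/C=CN/O=example/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null || return 1
    chmod 600 "$1/$2.key"    # unencrypted key (-nodes): owner-only access
    printf '%s\n' \
        "basicConstraints=CA:FALSE" \
        "keyUsage=digitalSignature,keyEncipherment" \
        "extendedKeyUsage=serverAuth" \
        "subjectAltName=DNS:$2" > "$1/$2.ext"
    openssl x509 -req -sha256 -days 365 -in "$1/$2.csr" \
        -CA "$1/ca.crt" -CAkey "$1/ca.key" -CAcreateserial \
        -extfile "$1/$2.ext" -out "$1/$2.crt" 2>/dev/null
}

# check_leaf DIR HOST: succeeds only if the chain verifies against ca.crt, the
# certificate is v3, its SAN names HOST, and the key file matches it.
check_leaf() {
    openssl verify -CAfile "$1/ca.crt" "$1/$2.crt" >/dev/null 2>&1 || return 1
    cert_text=$(openssl x509 -in "$1/$2.crt" -noout -text) || return 1
    printf '%s\n' "$cert_text" | grep -qF "Version: 3 (0x2)" || return 1
    printf '%s\n' "$cert_text" | grep -qF "DNS:$2" || return 1
    [ "$(openssl x509 -in "$1/$2.crt" -noout -pubkey | openssl sha256)" = \
      "$(openssl pkey -in "$1/$2.key" -pubout | openssl sha256)" ]
}

# Usage: d=$(mktemp -d); make_ca "$d"; issue_leaf "$d" www.example.test
#        check_leaf "$d" www.example.test && echo "certificate OK"
```

Running check_leaf on a certificate signed exactly as in step 5 (no -extfile) fails, because that certificate carries no SAN.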

Reposted from: https://blog.51cto.com/11886307/2403938
