飞道的博客

分分钟搭建出nginx的https服务

2022-12-19 21:00 255人阅读  评论(0)

nginx添加https协议

nginx     192.168.122.50

一、https是什么?

HTTPS (全称:Hypertext Transfer Protocol Secure ),是以安全为目标的 HTTP 通道,在HTTP的基础上通过传输加密和身份认证保证了传输过程的安全性 。

HTTPS 在HTTP 的基础下加入SSL,HTTPS 的安全基础是 SSL,因此加密的详细内容就需要 SSL。 HTTPS 存在不同于 HTTP 的默认端口及一个加密/身份验证层(在 HTTP与 TCP 之间)。这个系统提供了身份验证与加密通讯方法。

SSL(Secure Socket Layer)安全套接层是Netscape公司率先采用的网络安全协议。它是在传输通信协议(TCP/IP)上实现的一种安全协议,采用公开密钥技术。

二、创建步骤

1.安装nginx

mkdir /opt/download

上传openresty-1.21.4.1.tar.gz到/opt/download目录

yum -y install pcre pcre-devel openssl openssl-devel zlib zlib-devel  libpcre3-dev libssl-dev perl make build-essential curl libreadline-dev libncurses5-dev
tar -xf openresty-1.21.4.1.tar.gz 
cd  openresty-1.21.4.1
./configure --prefix=/opt/openresty && gmake && gmake install
ln -s /opt/openresty/nginx /opt/nginx
/bin/cp -r /opt/download/nginx.conf /opt/nginx/conf
mkdir /opt/nginx/conf/conf.d
echo "export PATH=\$PATH:/opt/nginx/sbin" >> ~/.bash_profile
source ~/.bash_profile

2.创建证书

sed -i "s/countryName		= match/countryName		= optional/g" /etc/pki/tls/openssl.cnf
sed -i "s/stateOrProvinceName	= match/stateOrProvinceName	= optional/g" /etc/pki/tls/openssl.cnf
sed -i "s/organizationName	= match/organizationName	= optional/g" /etc/pki/tls/openssl.cnf
sed -i "s/organizationalUnitName	= optional/organizationalUnitName	= optional/g" /etc/pki/tls/openssl.cnf
sed -i "s/commonName		= supplied/commonName		= supplied/g" /etc/pki/tls/openssl.cnf
sed -i "s/emailAddress		= optional/emailAddress		= optional/g" /etc/pki/tls/openssl.cnf

mkdir /opt/.ssl && cd /opt/.ssl
openssl genrsa -out cakey.pem 4096


openssl req -new -x509 -key cakey.pem -out cacert.pem -days 3655

以下内容为必填项
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:BJ
Locality Name (eg, city) [Default City]:BJ
Common Name (eg, your name or your server’s hostname) []:192.168.122.50

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:BJ
Locality Name (eg, city) [Default City]:BJ
Organization Name (eg, company) [Default Company Ltd]:BJ
Organizational Unit Name (eg, section) []:BJ
Common Name (eg, your name or your server's hostname) []:192.168.122.50
Email Address []:ABC@qq.com


生成私钥
openssl genrsa -out https.key 2048

openssl req -new -key https.key -out https.csr -days 365


在CA主机上签发证书

touch /etc/pki/CA/index.txt
cp cakey.pem /etc/pki/CA/private/cakey.pem
cp cacert.pem /etc/pki/CA/cacert.pem
mkdir -p /etc/pki/CA/newcerts
touch  /etc/pki/CA/index.txt
touch /etc/pki/CA/serial
echo  '01'>/etc/pki/CA/serial


openssl ca -in https.csr -out https.crt -days 365


ll /opt/.ssl


cat << EOF >> /opt/nginx/conf/conf.d/ssl.conf
server{
   
    listen 443 ssl;
    ssl_certificate /opt/.ssl/https.crt;
    ssl_certificate_key  /opt/.ssl/https.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';
    ssl_prefer_server_ciphers on;
location / {
   
        root /opt/html;
        index index.html index.htm;
    }
}
EOF

nginx -t

三、验证

nginx
netstat -tlnup|grep 443


mkdir /opt/html && cd  /opt/html
echo "holle word" > /opt/html/index.html
nginx -s reload


打开谷歌浏览器访问

https://192.168.122.50



wget https://192.168.122.50/index.html


wget https://192.168.122.50/index.html --no-check-certificate

四、浏览器访问

打开IE浏览器访问

https://192.168.122.50


查看/opt/.ssl目录

ll /opt/.ssl

导出cacert.pem证书
sz cacert.pem

在windows安装证书

将cacert.pem 改为cacert.crt


双击cacert.crt







清空IE浏览器缓存 重新打开

https://192.168.122.50


总结

创建证书

openssl genrsa -out cakey.pem 4096
openssl req -new -x509 -key cakey.pem -out cacert.pem -days 3655
openssl genrsa -out https.key 2048
openssl req -new -key https.key -out https.csr -days 365
openssl ca -in https.csr -out https.crt -days 365

[root@localhost .ssl]# ll
总用量 24
-rw-r--r--. 1 root root 2049 12  9 12:16 cacert.pem
-rw-r--r--. 1 root root 3243 12  9 11:45 cakey.pem
-rw-r--r--. 1 root root 5776 12  9 13:13 https.crt
-rw-r--r--. 1 root root 1078 12  9 13:05 https.csr
-rw-r--r--. 1 root root 1679 12  9 13:04 https.key

https中使用ssl证书

ssl_certificate /opt/.ssl/https.crt;
ssl_certificate_key  /opt/.ssl/https.key;

转载:https://blog.csdn.net/weixin_55609905/article/details/128250277
查看评论
* 以上用户言论只代表其个人观点,不代表本网站的观点或立场