CentOS 7.3 study notes summary (part five)

1.1 Setting up an HTTPS site with nginx

1.6.1 Introduction

HTTPS is composed of two parts: HTTP plus SSL/TLS, that is, a module that handles encryption is added beneath HTTP. Information exchanged between the server and the client is encrypted by TLS, so the data in transit is encrypted.

1.6.2 How the HTTPS protocol works

First, the client establishes a connection with the server, and each side generates its own public key and private key; the two pairs are different. The server returns its public key to the client. The client encrypts what it wants to request with that public key, producing the ciphertext, and sends the ciphertext together with its own public key to the server. The server decrypts the ciphertext with its private key, then encrypts the response data with the client's public key and returns it to the client. The client decrypts the ciphertext with its own private key and presents the data.

1.6.3 Implementation in Nginx

1.6.3.1 Generating the certificate and private key

Note: the generated files should generally be placed in the nginx/conf/ssl directory.

1. Create the server certificate key file server.key:

openssl genrsa -des3 -out server.key 1024

Enter the password, here 123456, and confirm it. You can choose your own, but remember it, because it will be needed later.

2. Create the server certificate signing request file server.csr:

openssl req -new -key server.key -out server.csr

Output:

Enter pass phrase for root.key: ← enter the password you created earlier

Country Name (2 letter code) [AU]:CN ← country code; for China enter CN

State or Province Name (full name) [Some-State]:BeiJing ← full name of the province, in Pinyin

Locality Name (eg, city) []:BeiJing ← full name of the city, in Pinyin

Organization Name (eg, company) [Internet Widgits Pty Ltd]:MyCompany Corp. ← company name in English

Organizational Unit Name (eg, section) []: ← may be left blank

Common Name (eg, YOUR name) []: ← do not enter a

Email Address []:[email protected] ← e-mail address, anything will do

Please enter the following 'extra' attributes

to be sent with your certificate request

A challenge password []: ← may be left blank

An optional company name []: ← may be left blank

4. Back up the server key file:

cp server.key server.key.org

5. Remove the password from the key file:

openssl rsa -in server.key.org -out server.key

6. Generate the certificate file server.crt:

openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
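
A non-interactive version of steps 1 to 6 together with the checks worth running before `nginx -t`, added here as an example and not part of the original notes. It assumes `openssl` is on the PATH, takes the CN from the page's `server_name`, and uses a 2048-bit key instead of the 1024-bit one above; the function names are illustrative.

```shell
#!/bin/sh
# Added example, not from the original notes. Assumes openssl is on PATH.

# make_selfsigned DIR CN: steps 1-6 without prompts. The key is written
# unencrypted (nginx cannot prompt for a passphrase) under umask 077.
make_selfsigned() {
    dir=$1; cn=$2
    mkdir -p "$dir" && chmod 700 "$dir" || return 1
    (
        umask 077
        openssl genrsa -out "$dir/server.key" 2048 2>/dev/null &&
        openssl req -new -key "$dir/server.key" -out "$dir/server.csr" \
            -subj "/C=CN/ST=BeiJing/L=BeiJing/O=MyCompany Corp./CN=$cn" &&
        openssl x509 -req -days 365 -in "$dir/server.csr" \
            -signkey "$dir/server.key" -out "$dir/server.crt" 2>/dev/null
    )
}

# key_matches_cert KEY CRT: true only if both files carry the same public
# key. A mismatch makes "nginx -t" fail with "key values mismatch".
key_matches_cert() {
    k=$(openssl pkey -in "$1" -passin pass: -pubout 2>/dev/null) || return 2
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 2
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# cert_key_bits CRT: print the size in bits of the certificate's public key.
cert_key_bits() {
    openssl x509 -in "$1" -noout -text |
        sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit.*/\1/p'
}

# key_is_private KEY: true if group and others have no access to the file.
key_is_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# check_pair KEY CRT: run all three checks; non-zero if any of them fails.
check_pair() {
    rc=0
    key_matches_cert "$1" "$2" || { echo "FAIL: key does not match cert"; rc=1; }
    [ "$(cert_key_bits "$2")" -ge 2048 ] 2>/dev/null ||
        { echo "FAIL: key shorter than 2048 bits"; rc=1; }
    key_is_private "$1" || { echo "FAIL: key readable by group/others"; rc=1; }
    return $rc
}

# Usage: sh make_cert.sh /application/nginx/conf/ssl www.lxt.com
if [ "$#" -eq 2 ]; then make_selfsigned "$1" "$2" && check_pair "$1/server.key" "$1/server.crt"; fi
```

`check_pair` can also be pointed at an existing pair, for example the `server.key` and `server.crt` produced by the manual steps, where it reports the 1024-bit key.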

 

1.6.3.2 Modifying the configuration file

1. Check whether nginx was built with the --with-http_ssl_module module:

/application/nginx/sbin/nginx -V

configure arguments: --prefix=/application/nginx-1.6.3 --user=nginx --group=nginx --with-http_ssl_module --with-http_stub_status_module

 

2. Modify the configuration file /application/nginx/conf/nginx.conf:

server{

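# Unlike the default port 80, HTTPS listens on 443; the extra "ssl" after "default" turns on SSL for this port

        listen 443 default ssl;

# "default" can be omitted

# Enable SSL. If you remove the "ssl on;" line and keep "ssl" after port 443 in the listen directive, both http and https links can be used
# ("ssl on;" is deprecated since nginx 1.15.0 and removed in 1.25.1; the "ssl" parameter of listen replaces it)

        ssl on;

# Certificate (public key, sent to the client)

        ssl_certificate /data/html/bbs/server.crt;

# Private key (keep it readable only by root and outside any directory that nginx serves)

        ssl_certificate_key /data/html/bbs/server.key;

# The domain name bound to this server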

        server_name www.lxt.com;

        location / {

......

        }

}

1.6.3.3 Startup check

1. Check the syntax:

/application/nginx/sbin/nginx -t

2. Reload the configuration file:

/application/nginx/sbin/nginx -s reload

3. Enter https://www.lxt.com in the browser.

The page can be browsed normally.

 

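Appendix:

Enabling the nginx ssl module

1. the "ssl" parameter requires ngx_http_ssl_module in /usr/local/nginx/conf/nginx.conf:37

The cause is that nginx lacks the http_ssl_module module; adding the --with-http_ssl_module option when compiling and installing fixes it.

2. If nginx is already installed and you want to add the module, see below.

1) Change to the nginx source directory: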

cd /usr/local/src/nginx-1.11.3

2) Check the modules nginx was originally built with:

/usr/local/nginx/sbin/nginx -V

3) Reconfigure:

./configure --prefix=/usr/local/nginx --with-http_stub_status_module --with-http_ssl_module

4) Recompile. Do not run make install, otherwise the existing installation will be overwritten.

make

5) Back up the nginx binary that is already installed:

cp /usr/local/nginx/sbin/nginx /usr/local/nginx/sbin/nginx.bak

6) Overwrite the original nginx with the newly compiled one (nginx must be stopped):

cp ./objs/nginx /usr/local/nginx/sbin/

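You will be asked whether to overwrite; enter yes. Pressing Enter directly defaults to not overwriting.

7) Start nginx and check its modules; the module has now been added: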

/usr/local/nginx/sbin/nginx -V 



Origin blog.51cto.com/6300167/2480947