Now many sites have to be https, before I do include a small micro-channel programs are required to use https transmission, especially under the previous record of learning in case you forget
One,
1.HTTPS Profile
HTTPS is actually composed of two parts: HTTP + SSL / TLS, i.e. on an HTTP module added a layer of processing encrypted information. Data services and client information transmitted is encrypted by TLS, so the data transmission is encrypted
2.https principle agreement
First, the client establishes a connection with the server, each generate a public key and a private key, are different. Server back to the client a public key, then client holding the public key encryption to search for things, called ciphertext, and even its own public key and returned together to the server, holding their private key to decrypt ciphertext, then the response data encrypted with the public key of the client, returned to the client, the client took his private key to decrypt the ciphertext, the data presented
Second, the certificate and private key generation
#注意:一般生成的目录,应该放在nginx/conf/ssl目录,创建并进入
#1.创建服务器证书密钥文件 server.key:
openssl genrsa -des3 -out server.key 1024
#输入密码,确认密码,自己随便定义,但是要记住,后面会用到。需输入4-1024位字符做为密码
#2.创建服务器证书的申请文件 server.csr
openssl req -new -key server.key -out server.csr
#输出内容为:
Enter pass phrase for root.key: ← 输入前面创建的密码
Country Name (2 letter code) [AU]:CN ← 国家代号,中国输入CN
State or Province Name (full name) [Some-State]:ShangHai ← 省的全名,拼音
Locality Name (eg, city) []:ShangHai ← 市的全名,拼音
Organization Name (eg, company) [Internet Widgits Pty Ltd]:MyCompany Corp. ← 公司英文名
Organizational Unit Name (eg, section) []: ← 可以不输入
Common Name (eg, YOUR name) []: 你的域名
Email Address []:[email protected] ← 电子邮箱,可随意填
Please enter the following ‘extra’ attributes to be sent with your certificate request
A challenge password []: ← 可以不输入
An optional company name []: ← 可以不输入
#4.备份一份服务器密钥文件
cp server.key server.key.org
#5.去除文件口令
openssl rsa -in server.key.org -out server.key
#6.生成证书文件server.crt
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
Third, the configuration file (nginx server)
In /usr/local/nginx/conf/vhost.conf in
server {
listen 443 ssl;
server_name www.jinzhaohui.cn;
ssl_certificate ssl/1571883_www.jinzhaohui.cn.pem;
ssl_certificate_key ssl/1571883_www.jinzhaohui.cn.key;
#ssl_certificate ssl/server.crt;
#ssl_certificate_key ssl/server.key;
ssl_session_cache shared:SSL:1m;
ssl_session_timeout 5m;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
location / {
index index.php index.html index.htm;
root /opt/hello;
if (!-e $request_filename) { rewrite ^(.*)$ /index.php?s=$1 last; break; }
}
location ~ \.php$ {
root html;
fastcgi_pass 127.0.0.1:9000;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME /opt/hello$fastcgi_script_name;
fastcgi_param SCRIPT_NAME $fastcgi_script_name;
include fastcgi_params;
}
}
Test sbin directory, execute .nginx -t
报错:nginx: [emerg] the "ssl" parameter requires ngx_http_ssl_module in /usr/local/nginx/conf/vhost.conf:3
nginx: configuration file /usr/local/nginx/conf/nginx.conf test failed
The reason is: ssl module is not turned on
Fourth, open the ssl nginx module
#1.the "ssl" parameter requires ngx_http_ssl_module in /usr/local/nginx/conf/nginx.conf:37
#原因是nginx缺少http_ssl_module模块,编译安装时带上--with-http_ssl_module配置就可以了
#2.如果已经安装过nginx,想要添加模块看下面
#1)切换到nginx源码包
cd /usr/local/src/nginx-1.11.3
#2)查看ngixn原有的模块
/usr/local/nginx/sbin/nginx -V
#3)重新配置
./configure --prefix=/usr/local/nginx --with-http_stub_status_module --with-http_ssl_module
#4)重新编译,不需要make install安装。否则会覆盖
make
#5)备份原有已经安装好的nginx
cp /usr/local/nginx/sbin/nginx /usr/local/nginx/sbin/nginx.bak
#6)将刚刚编译好的nginx覆盖掉原来的nginx(ngixn必须停止)
ps -ef|grep nginx
kill -QUIT 2072
cp ./objs/nginx /usr/local/nginx/sbin/
#这时,会提示是否覆盖,请输入yes,直接回车默认不覆盖
#7)启动nginx,查看nginx模块,发现已经添加
/usr/local/nginx/sbin/nginx -V
Reproduced in: https: //www.cnblogs.com/two-bees/p/10510610.html