Issuing a test certificate for a corporate website and configuring HTTPS (SSL)

This time we look at how a business website obtains a digital certificate. Without a digital certificate, the browser shows an "unsafe" warning page when users visit the site, and phishing sites can lure users onto a fake website. A business can normally buy a digital certificate from Alibaba Cloud; once it is installed, the browser loads the certificate and users can access the site securely. If a phishing site appears, the browser detects it and alerts the user that this is a phishing website and should not be entered. For testing, you can act as your own CA in a test environment and issue the certificates yourself. Follow these steps.
nginx was installed from source beforehand and the nginxctl control command has already been set up. If you are not familiar with this, see the "Preparing the Environment" article: nginxctl is a script that lets you start nginx without typing the absolute path.
[root@nginx /]# mkdir certificate    # create a directory to store the certificates
[root@nginx /]# cd certificate/
[root@nginx certificate]# yum -y install openssl openssl-devel    # install the SSL packages so that certificates can be generated
[root@nginx certificate]# openssl req \
> -newkey rsa:4096 -nodes -sha256 -keyout ca.key \
> -x509 -days 365 -out ca.crt    # issue the CA's own digital certificate
Generating a 4096 bit RSA private key
................................++
.............................++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will
be incorporated into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:GD
Locality Name (eg, city) [Default City]:SZ
Organization Name (eg, company) [Default Company Ltd]:QF
Organizational Unit Name (eg, section) []:pycloud
Common Name (eg, your name or your server's hostname) []:www.qffcc.com
Email Address []: [email protected]
[root@nginx certificate]# openssl req \
> -newkey rsa:4096 -nodes -sha256 -keyout qffcc.com.key \
> -out qffcc.com.csr    # create the site's key and certificate request; the CA stores the applicant's information in its database of digital certificates. The prompts are the same as in the step above, so they are not shown
[root@nginx certificate]# openssl x509 -req -days 365 -in qffcc.com.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out qffcc.com.crt    # the CA signs the request and issues the certificate (with its public key) that is presented to the browser; the output below indicates success
Signature ok
subject=/C=CN/ST=GD/L=SZ/O=QF/OU=qfcloud/CN=www.qffcc.vom/[email protected]
Getting CA Private Key
[root@nginx certificate]# ls    # the files below exist after the certificate has been issued; qffcc.com.crt and qffcc.com.key are the ones that go into the nginx configuration
ca.crt  ca.srl   -out           qffcc.com.csr  -x509
ca.key  -newkey  qffcc.com.crt  qffcc.com.key
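The CA, CSR and signing steps above as a non-interactive script, added here as an example that is not from the original post: it also sets a subjectAltName, which current browsers match the hostname against instead of the Common Name, and verifies the result against the CA. The function names, the "QF Test CA" subject and the 2048-bit keys (chosen to keep the run short) are assumptions.

```sh
#!/bin/sh
# Added example (not from the original post): CA -> CSR -> signed certificate,
# non-interactive, with a subjectAltName and a verification step.
# Function names, the CA subject and the 2048-bit keys are assumptions.

issue_test_cert() {            # usage: issue_test_cert <hostname> <output-dir>
    host="$1"; dir="$2"
    mkdir -p "$dir" || return 1
    # 1. Self-signed test CA; -subj replaces the interactive DN prompts.
    openssl req -newkey rsa:2048 -nodes -sha256 -keyout "$dir/ca.key" \
        -x509 -days 365 -out "$dir/ca.crt" \
        -subj "/C=CN/ST=GD/L=SZ/O=QF/CN=QF Test CA" 2>/dev/null || return 1
    # 2. Server private key and certificate signing request.
    openssl req -newkey rsa:2048 -nodes -sha256 -keyout "$dir/$host.key" \
        -out "$dir/$host.csr" \
        -subj "/C=CN/ST=GD/L=SZ/O=QF/CN=$host" 2>/dev/null || return 1
    # 3. Extensions for the leaf: the SAN is what browsers match the name against.
    printf '%s\n' "subjectAltName=DNS:$host" "basicConstraints=CA:FALSE" \
        "extendedKeyUsage=serverAuth" > "$dir/$host.ext" || return 1
    # 4. The CA signs the CSR and applies the extensions.
    openssl x509 -req -days 365 -sha256 -in "$dir/$host.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/$host.ext" -out "$dir/$host.crt" 2>/dev/null || return 1
    chmod 600 "$dir/ca.key" "$dir/$host.key"   # private keys: owner only
}

check_test_cert() {            # usage: check_test_cert <hostname> <dir>
    host="$1"; dir="$2"
    # The chain must verify against the test CA ...
    openssl verify -CAfile "$dir/ca.crt" "$dir/$host.crt" >/dev/null 2>&1 || return 1
    # ... the SAN must name the host ...
    openssl x509 -in "$dir/$host.crt" -noout -text \
        | grep -q "DNS:$host" || return 1
    # ... and the certificate must belong to the private key nginx will load.
    cert_pub=$(openssl x509 -in "$dir/$host.crt" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$dir/$host.key" -pubout | openssl sha256)
    [ "$cert_pub" = "$key_pub" ]
}

# Stand-alone use: sh make-test-cert.sh www.qffcc.com /tmp/certificate
if [ "$#" -eq 2 ]; then
    issue_test_cert "$1" "$2" && check_test_cert "$1" "$2" && echo "certificate OK"
fi
```

Importing the generated ca.crt into the test client's trust store is what removes the browser warning; the CA key itself never leaves the test machine.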
[root@nginx opt]# cd nginx-1.16.1/    # cd into your unpacked nginx source folder
[root@nginx nginx-1.16.1]# ./configure --prefix=/usr/local/nginx --user=nginx --group=nginx --with-http_ssl_module    # recompile nginx with the SSL module added
[root@nginx nginx-1.16.1]# make
[root@nginx nginx-1.16.1]# echo $?    # check whether the build succeeded; 0 means success
0
[root@nginx nginx-1.16.1]# rm -rf /usr/local/nginx/sbin/nginx    # nginx has been recompiled, so the new binary replaces the old one; delete the old nginx binary first
[root@nginx nginx-1.16.1]# cp objs/nginx /usr/local/nginx/sbin/nginx    # replace the original nginx; the new binary has the SSL module built in
[root@nginx nginx-1.16.1]# ps aux | grep nginx    # check whether the nginx service is running
root      93196  0.0  0.1  45992  1136 ?        Ss   07:06   0:00 nginx: master process /usr/local/nginx/sbin/nginx
nginx     93197  0.0  0.6  50324  6032 ?        S    07:06   0:00 nginx: worker process
nginx     93198  0.0  0.6  50324  6032 ?        S    07:06   0:00 nginx: worker process
root     106162  0.0  0.0 112708   984 pts/0    R+   15:14   0:00 grep --color=auto nginx
[root@nginx nginx-1.16.1]# kill -9 93196    # the new binary has to be loaded, so all the previous processes must be killed
[root@nginx nginx-1.16.1]# kill -9 93197
[root@nginx nginx-1.16.1]# kill -9 93198
[root@nginx nginx-1.16.1]# ps aux | grep nginx    # the output below shows that they have all been removed
root     106692  0.0  0.0 112708   984 pts/0    R+   15:14   0:00 grep --color=auto nginx
[root@nginx nginx-1.16.1]# mkdir /usr/local/nginx/httpskey
[root@nginx nginx-1.16.1]# cp /certificate/qffcc.com.* /usr/local/nginx/httpskey/    # copy the issued certificate files into the nginx directory so that the configuration file can load them
[root@nginx nginx-1.16.1]# vi /usr/local/nginx/conf/nginx.conf    # modify the configuration file
http {
    include       mime.types;
    default_type  application/octet-stream;
    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';
    access_log  logs/access.log  main;
    sendfile        on;
    keepalive_timeout  65;
    include /usr/local/nginx/conf.d/*.conf;    # the main addition: load the configuration files from conf.d, so the conf.d folder has to be created
}
[root@nginx nginx-1.16.1]# mkdir /usr/local/nginx/conf.d
[root@nginx nginx-1.16.1]# vi /usr/local/nginx/conf.d/qffccjump.conf    # first create this configuration file with the content below; it redirects requests from port 80 to port 443
server {
    listen 80;
    server_name www.qffcc.com;

    location = / {
        # $1 already begins with "/", so no extra slash after the host name
        rewrite ^(.*) https://www.qffcc.com$1 permanent;
    }

    location / {
        rewrite ^(.*) https://www.qffcc.com$1 permanent;
    }
}
          
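[root@nginx nginx-1.16.1]# vi /usr/local/nginx/conf.d/qffcc.com.conf
server {
    listen 443 ssl;    # "listen ... ssl" replaces the deprecated "ssl on;" directive
    server_name www.qffcc.com;    # change this to the domain name you applied for

    ssl_certificate /usr/local/nginx/httpskey/qffcc.com.crt;    # certificate path
    ssl_certificate_key /usr/local/nginx/httpskey/qffcc.com.key;    # private key path
    ssl_session_timeout 5m;
    # TLSv1 and TLSv1.1 are deprecated (RFC 8996); TLSv1.2 alone is enough for current browsers
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;
    ssl_prefer_server_ciphers on;

    location / {
        root    /usr/local/nginx/html;    # html directory
        index   index.php index.html index.htm;
    }

    location ~ \.php$ {
        root            /usr/local/nginx/html;
        fastcgi_pass    127.0.0.1:9000;    # the loopback address, not the address of the nginx server
        fastcgi_index   index.php;
        fastcgi_param   SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include         fastcgi_params;
    }
}
[root@nginx conf]# nginxctl start    # start the nginx service

Everything above is now configured. Next, edit the hosts file on your Mac or Windows machine to set up name resolution, mapping the IP address of the virtual machine running nginx to the domain name. On a Mac the file is /etc/hosts. It is permission-protected, so elevated privileges are needed: run sudo vim /etc/hosts, add the line 192.168.86.138  www.qffcc.com, then save and exit. After that, open www.qffcc.com in the browser on your local machine and the site is reachable. The browser will show a security warning, but you can still choose to proceed.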

Origin www.cnblogs.com/bobo-wq/p/11515600.html