nginx: setting up a home-made (self-signed) certificate
- 1. Confirm that nginx supports HTTPS
- 2. Generate the private key
- 3. Generate the certificate signing request nginx.csr for the nginx web server from ca.key
- 4. Sign nginx.csr with ca.key to produce the public-key certificate nginx.crt
- 5. Bind the certificate to the domain name
- 6. Add name resolution and access the site
1. Confirm that nginx supports HTTPS
[root@nginx-1 nginx8]# nginx -V
nginx version: nginx/1.29.1
built by gcc 11.5.0 20240719 (Red Hat 11.5.0-5) (GCC)
built with OpenSSL 3.2.2 4 Jun 2024
TLS SNI support enabled
configure arguments: --prefix=/usr/local/nginx8 --user=scfeng --group=scfeng --with-http_ssl_module --with-http_v2_module --with-http_v3_module --with-http_stub_status_module --with-stream --with-stream_ssl_module --with-threads
--with-http_ssl_module: HTTPS support (a compile-time module; if it is missing from the configure arguments, nginx has to be rebuilt with it)
--with-http_v2_module: HTTP/2 support
Create a home-made SSL certificate to enable HTTPS in nginx. The OpenSSL tools and the nginx build dependencies are installed with:
yum install gcc pcre-devel openssl openssl-devel make -y
2. Generate the private key
The CA's private key (here the CA and the nginx web server are the same machine), used to sign the certificate. With no size argument, openssl genrsa produces a 2048-bit RSA key and writes it unencrypted, so keep the file readable by root only.
[root@localhost ssh]# mkdir /ca
[root@localhost ssh]# cd /ca
[root@localhost ca]# openssl genrsa -out ca.key
[root@localhost ca]# ls
ca.key
3. Generate the certificate signing request nginx.csr for the nginx web server from ca.key
nginx.csr is the certificate signing request: it contains the public key and identity information and is used to apply for a digital certificate, much like submitting an application form that collects the applicant's details.
[root@localhost ca]# openssl req -new -key ca.key -out nginx.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HUNAN
Locality Name (eg, city) [Default City]:changsha
Organization Name (eg, company) [Default Company Ltd]:sanchuang
Organizational Unit Name (eg, section) []:dev
Common Name (eg, your name or your server's hostname) []:www.huang.com
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@localhost ca]# ls
ca.key nginx.csr
4. Sign nginx.csr with ca.key to produce the public-key certificate nginx.crt
nginx.crt: the generated digital certificate file, containing the server's public key, identity information and the CA's signature. Without -days, openssl x509 issues the certificate for 30 days, and since the CSR above carries no extensions the certificate has no subjectAltName.
[root@localhost ca]# openssl x509 -req -in nginx.csr -signkey ca.key -out nginx.crt
Certificate request self-signature ok
subject=C=CN, ST=HUNAN, L=changsha, O=sanchuang, OU=devops, CN=www.huang.com, emailAddress=
Getting Private key
[root@localhost ca]# ls
ca.key nginx.crt nginx.csr
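The three commands of steps 2 to 4, scripted as an added example (not commands from the original post), with the two things the post's commands leave out: a subjectAltName extension, which browsers require before they accept the hostname, and an explicit validity period, followed by the checks worth running before the files go into nginx's conf directory. The hostname, subject fields, output directory and 365-day validity are assumptions.

```sh
#!/bin/sh
# Added example: scripts the post's genrsa -> req -new -> x509 -req flow,
# adding a SAN extension and an explicit -days, then verifies the result.
# Hostname, subject and paths are assumptions, not values from the post.
set -eu

# $1 = hostname, $2 = output directory, $3 = validity in days
make_self_signed() {
    host=$1; dir=$2; days=$3
    mkdir -p "$dir"
    # Step 2: CA/server private key (2048 bits, OpenSSL's own default)
    openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
    # Step 3: CSR; -subj supplies the DN instead of the interactive prompts
    openssl req -new -key "$dir/ca.key" -out "$dir/nginx.csr" \
        -subj "/C=CN/ST=HUNAN/L=changsha/O=sanchuang/OU=devops/CN=$host"
    # Step 4: self-sign; -extfile attaches the SAN that the CSR does not carry
    printf 'subjectAltName=DNS:%s\n' "$host" > "$dir/san.ext"
    openssl x509 -req -in "$dir/nginx.csr" -signkey "$dir/ca.key" \
        -days "$days" -extfile "$dir/san.ext" -out "$dir/nginx.crt" 2>/dev/null
    # the nginx master process reads the key as root, nobody else needs it
    chmod 600 "$dir/ca.key"
}

# Pre-deployment checks: each returns 0 on success, non-zero otherwise.

# The public key inside the certificate must equal the one derived from the
# private key; a mismatch makes nginx -t fail with "key values mismatch".
cert_key_match() {
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# The certificate must list DNS:$2 in its subjectAltName extension
cert_has_san() {
    openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"
}

# Succeeds only if the certificate is still valid $2 days from now
cert_valid_after_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 ))
}

# Usage when run directly as "sh script.sh run" (output directory assumed)
if [ "${1:-}" = "run" ]; then
    make_self_signed www.huang.com /ca 365
    cert_key_match /ca/nginx.crt /ca/ca.key && echo "key matches certificate"
fi
```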
5. Bind the certificate to the domain name
Put all the certificate files into the conf directory under the compiled-and-installed nginx prefix (/usr/local/nginx). nginx itself only needs nginx.crt and ca.key; keep the key file readable by root only.
[root@web1 ca]# ls
ca.key nginx.crt nginx.csr
[root@web1 ca]# cp * /usr/local/nginx1/conf/
ssl_certificate nginx.crt;
: this line specifies the path of the SSL certificate file, here "nginx.crt"
ssl_certificate_key ca.key;
: this line specifies the path of the private key file. The private key is the key paired with the SSL certificate; the server uses it in the TLS handshake to prove that it holds the key matching the certificate. The file here is "ca.key".
[root@web1 conf]# vim nginx.conf
server {
    listen 443 ssl;
    http2 on;
    server_name www.huang.com;
    ssl_certificate nginx.crt;
    ssl_certificate_key ca.key;
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 5m;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    location / {
        root html;
        index index.html index.htm;
    }
}
[root@web1 conf]# nginx -t
nginx: the configuration file /usr/local/nginx1/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx1/conf/nginx.conf test is successful
[root@web1 conf]# nginx -s reload
Check that port 443 is listening
[root@web1 conf]# netstat -anplut|grep nginx
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 691/nginx: master p
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 691/nginx: master p
6. Add name resolution and access the site
Add the hostname mapping on Windows
C:\Windows\System32\drivers\etc\hosts
192.168.168.136 www.huang.com
The certificate is bound to the domain name, so access the web server by that name: https://www.huang.com
The result is https with a “Not secure” marker on the left of the browser address bar, because the self-signed certificate is not in the browser's trust store (and carries no subjectAltName, which current browsers require).
Add the hostname mapping on Linux
[root@web1 conf]# vim /etc/hosts
192.168.168.136 www.huang.com
Access the site with curl (a text-mode client), passing the certificate's public-key file so that curl trusts it:
[root@web1 conf]# curl --cacert /ca/nginx.crt https://www.huang.com
Redirecting HTTP to HTTPS: add a redirect to the port-80 server block
server {
    listen 80;
    server_name www.huang.com;
    #charset koi8-r;
    #access_log logs/host.access.log main;
    location / {
        root html;
        index index.html index.htm;
        return 301 https://www.huang.com$request_uri;   # redirect to HTTPS
    }
}
[root@nginx-1 conf]# nginx -t
nginx: the configuration file /usr/local/nginx8/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx8/conf/nginx.conf test is successful
[root@nginx-1 conf]# nginx -s reload