https协议是Hypertext Transfer Protocol over Secure Socket Layer的简称,它是基于ssl的http通信协议。用于安全的http数据传输。默认使用443端口。https协议需要生成证书,客户端连接上来,需要先安装证书,例如浏览器打开指定的url,会警告是一个不信任的站点,需要将其加入受信任的站点,然后才可以访问。
今天介绍如何利用nginx来配置让服务器支持https协议。nginx默认安装是支持https协议的,只需要我们生成证书,并配置证书就可以使用了。
在linux服务器上可以使用openssl命令直接创建证书具体命令如下。
1、生成服务器私钥key
这一步会提示你输入口令。
[[email protected] nginx]# openssl genrsa -des3 -out server.key 1024 Generating RSA private key, 1024 bit long modulus ............++++++ .............++++++ e is 65537 (0x10001) Enter pass phrase for server.key: 140713354999712:error:28069065:lib(40):UI_set_result:result too small:ui_lib.c:869:You must type in 4 to 8191 characters Enter pass phrase for server.key: Verifying - Enter pass phrase for server.key: [[email protected] nginx]#
利用生成的key,创建签名请求的证书。
[[email protected] nginx]# openssl req -new -key server.key -out server.csr Enter pass phrase for server.key: You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [XX]:CN State or Province Name (full name) []:beijing Locality Name (eg, city) [Default City]:beijing Organization Name (eg, company) [Default Company Ltd]:xxx Organizational Unit Name (eg, section) []:linux Common Name (eg, your name or your server's hostname) []:docker Email Address []:[email protected] Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []:lenovo An optional company name []:lenovo [[email protected] nginx]#
2、生成服务器证书crt
使用上述私钥时去除必要的口令
[[email protected] nginx]# cp server.key server.key.org [[email protected] nginx]# openssl rsa -in server.key.org -out server.key Enter pass phrase for server.key.org: writing RSA key [[email protected] nginx]#
标记证书有效期10年并使用上述key和csr
[[email protected] nginx]# openssl x509 -req -days 3650 -in server.csr -signkey server.key -out server.crt Signature ok subject=/C=CN/ST=beijing/L=beijing/O=xxx/OU=linux/CN=docker/[email protected] Getting Private key [[email protected] nginx]#
3、配置nginx的配置文件,让其包含新标记的证书和私钥,并开启443端口。
vi /etc/nginx/conf.d/default.conf
4、测试访问.https://192.168.61.150/index.php
第一次访问提示不信任的站点警告。
点击高级,查看证书。
添加安全例外。
访问结果。