一、nginx ssl 配置SSL证书
2、使用OpenSSL创建证书
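# Generate the server's RSA private key. -des3 encrypts it with a passphrase
# that openssl prompts for: remember it, every later command that uses the key
# (the CSR below, and nginx at startup) will ask for it again.
# 1024-bit RSA is below what current CAs and browsers accept; 2048 is the
# usual minimum today.
openssl genrsa -des3 -out server.key 2048
# Build a certificate signing request (CSR) from that key. The interactive
# prompts that follow are shown in the transcript below.
openssl req -new -key server.key -out server.csr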
#需要依次输入国家,地区,组织,email。最重要的是有一个common name,可以写你的名字或者域名。如果为了https申请,这个必须和域名吻合,否则会引发浏览器警报。生成的csr文件交给CA签名后形成服务端自己的证书
#---------------------------------------------------------------------------------------------------------------
Enter pass phrase for server.key: #之前输入的密码
Country Name (2 letter code) [XX]: cn #国家
State or Province Name (full name) []: guangdong #区域或是省份
Locality Name (eg, city) [Default City]: zhuhai #地区局部名字
Organization Name (eg, company) [Default Company Ltd]: Gree Electric #机构名称:填写公司名
Organizational Unit Name (eg, section) []: Internet of things Research Institute #组织单位名称:部门名称
Common Name (eg, your name or your server's hostname) []: nlu.gree.com #网站域名
Email Address []: 1034611705@qq.com #邮箱地址
A challenge password []: qwe!23 #输入一个密码,可直接回车
An optional company name []: Gree Electric #一个可选的公司名称,可直接回车
#-----------------------------------------------------------------------------------
2、配置nginx ssl证书
#证书存放目录
[root@aikt-n1 vhosts]# ca
nlu.gree.com.crt
nlu.gree.com.key
#nginx配置
nginx.conf
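user www;
worker_processes auto;

# A single error log at "info" level already receives notice- and error-level
# messages. The original listed the same file three times (default level,
# notice, info); nginx writes a message once per directive whose level it
# satisfies, so error-level lines were being logged up to three times.
error_log /roobo/logs/nginx/error.log info;
#pid logs/nginx.pid;

events {
    worker_connections 1024;
}

http {
    include mime.types;
    default_type application/octet-stream;

    # Access-log format used by the vhost files. The quotes were shown as \'
    # on the original page, which is not valid nginx syntax; plain quotes are
    # restored here. $http_host is the client-supplied Host header, so treat
    # it as untrusted data when parsing these logs.
    log_format main '$remote_addr - $remote_user [$time_local] "$request" $http_host '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';
    access_log /roobo/logs/nginx/access.log main;

    sendfile on;
    tcp_nopush on;
    keepalive_timeout 65;

    # Only this one vhost is loaded; switch to the glob below to pick up every
    # *.conf in the vhosts directory.
    include /roobo/server/nginx/conf/vhosts/nlu.gree.com.conf;
    #include /roobo/server/nginx/conf/vhosts/*.conf;
}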
nlu.gree.com.conf
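# Backend pool; ip_hash pins each client IP to one backend.
upstream unisound {
    ip_hash;
    server 10.7.19.129:9997;
    server 10.7.19.130:9997;
}

# Plain-HTTP listener.
server {
    listen 8088;
    server_name nlu.gree.com;

    location / {
    #location /unisound/v1/query {
        proxy_pass http://unisound;
        proxy_set_header Host $host;
        # NOTE(review): "Remote_addr" is a non-standard header name; the HTTPS
        # server below sends the same value as X-Real-IP. Confirm which name
        # the upstream actually reads before unifying them.
        proxy_set_header Remote_addr $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

# HTTPS listener.
server {
    # "ssl on;" is deprecated; the ssl parameter on listen is the supported form.
    listen 443 ssl;
    server_name nlu.gree.com;

    ssl_certificate /roobo/server/nginx/ca/nlu.gree.com.crt;
    ssl_certificate_key /roobo/server/nginx/ca/nlu.gree.com.key;

    ssl_prefer_server_ciphers on;
    # TLS 1.0 and 1.1 are deprecated (RFC 8996) and fail current compliance
    # scans; add TLSv1.3 here once the installed nginx/OpenSSL support it.
    ssl_protocols TLSv1.2;
    # The original list both enabled EECDH+aRSA+RC4 and excluded RC4 via !RC4;
    # the trailing !RC4 already removed it, so the entry was dead and is dropped.
    ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH EDH+aRSA !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4";
    keepalive_timeout 70;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;

    access_log /roobo/logs/nginx/nlu.gree.com_access.log main;
    error_log /roobo/logs/nginx/nlu.gree.com_error.log error;

    location / {
    #location /unisound/v1/query {
        proxy_pass http://unisound;
        # Same client-identity headers as the /unisound/v1/query location so
        # the backend sees the real Host and client address on every path.
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Scheme $scheme;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    #location / {
    location /unisound/v1/query {
        proxy_pass_header Server;
        proxy_set_header Host $http_host;
        proxy_redirect off;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Scheme $scheme;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}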
3、linux下测试https
#需要上传一个ca.crt的证书
[root@aikt-n1 vhosts]# ll
总用量 8
-rw-r--r-- 1 root root 3488 7月 25 08:42 ca.crt
-rw-r--r-- 1 root root 1770 7月 25 09:36 nlu.gree.com.conf
#再测试
[root@aikt-n1 vhosts]# curl https://nlu.gree.com/ --cacert ./ca.crt
{"code":501,"errorType":"request data error, check it and try again!"}
4、测试过程中遇到的一些问题
#否则找不到证书文件会直接报错
[root@aikt-n1 ~]# curl https://nlu.gree.com/ --cacert ./ca.crt
curl: (77) Problem with the SSL CA cert (path? access rights?)
#需要ca.crt证书,否则就会报错
#?
[root@aikt-n1 vhosts]# curl https://nlu.gree.com
curl: (60) Peer certificate cannot be authenticated with known CA certificates
More details here: http://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).