Configure HTTPS access on the nginx server

Source: Internet
Author: User

1. Configure the nginx server

    [root@iig conf]# cat nginx.conf
    worker_processes 1;

    events {
        worker_connections 1024;
    }

    http {
        include mime.types;
        default_type application/octet-stream;
        sendfile on;
        keepalive_timeout 65;

        server {
            listen 80;
            server_name www.iigrowing.cn;

            location / {
                root www.iigrowing.cn;
                index index.html index.htm;
            }
        }
    }

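2. Generate a certificate

Change to the certificate directory with cd /etc/pki/tls/certs/, create the key, and set its passphrase.

    make rsyslog.key

Then rewrite the key with openssl rsa. Without a cipher option this writes the key back unencrypted, so nginx can load it without prompting for the passphrase; keep the resulting file readable by root only.

    [root@iig certs]# openssl rsa -in rsyslog.key -out rsyslog.key
    Enter pass phrase for rsyslog.key:
    writing RSA key
    [root@iig certs]#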

3. Create the certificate request rsyslog.csr

When creating the request, enter the name of the computer as the Common Name. You can view the name with hostname.

    [root@iig certs]# hostname
    iig.local.ftp
    [root@iig certs]# make rsyslog.csr
    umask 77 ; \
    /usr/bin/openssl req -utf8 -new -key rsyslog.key -out rsyslog.csr
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [GB]:GB
    State or Province Name (full name) [Berkshire]:beijing
    Locality Name (eg, city) [Newbury]:beijing
    Organization Name (eg, company) [My Company Ltd]:www.iigrowing.cn
    Organizational Unit Name (eg, section) []:iigrowing
    Common Name (eg, your name or your server's hostname) []:iig.local.ftp
    Email Address []:

    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:
    An optional company name []:

4. Self-sign the request to issue the certificate

Because the certificate is generated locally and is not issued by an Internet certificate authority (CA), the browser will show a warning when the site is accessed. We can add the certificate to the browser's trusted certificate authorities.

    [root@iig certs]#
    [root@iig certs]# openssl x509 -in rsyslog.csr -req -signkey rsyslog.key -days 365 -out rsyslog.crt
    Signature ok
    subject=/C=GB/ST=beijing/L=beijing/O=www.iigrowing.cn/OU=iigrowing/CN=iig.local.ftp
    Getting Private key
    [root@iig certs]#

5. Modify the nginx configuration file

Modify the configuration file. We can copy the default SSL server block, which is not enabled by default, into the virtual host we created and then modify the paths. The complete configuration follows. Remember to restart the service.

    worker_processes 1;

    events {
        worker_connections 1024;
    }

    http {
        include mime.types;
        default_type application/octet-stream;
        sendfile on;
        keepalive_timeout 65;

        server {
            listen 80;
            server_name www.iigrowing.cn;

            location / {
                root www.iigrowing.cn;
                index index.html index.htm;
            }
        }

        server {
            listen 443;
            server_name www.iigrowing.cn;

            ssl on;
            ssl_certificate /etc/pki/tls/certs/rsyslog.crt;
            ssl_certificate_key /etc/pki/tls/certs/rsyslog.key;
            ssl_session_timeout 5m;
            ssl_protocols SSLv2 SSLv3 TLSv1;
            ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
            ssl_prefer_server_ciphers on;

            location / {
                root www.iigrowing.cn;
                index index.html index.htm;
            }
        }
    }
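The SSL settings in the step 5 configuration (SSLv2, SSLv3 and TLSv1, with a cipher list that starts from ALL) are old nginx defaults and are no longer safe to serve. A hardened form of the same server blocks follows, as an added example that is not part of the original article. It assumes nginx 1.13 or later built against OpenSSL 1.1.1 or later (needed for TLSv1.3); the HTTP redirect, session cache size and ticket setting are illustrative choices.

```nginx
# Added example: hardened form of the two server blocks in step 5.
# Both blocks belong inside the existing http { } section.

# Assumption: plain HTTP is redirected rather than served in parallel.
server {
    listen 80;
    server_name www.iigrowing.cn;
    return 301 https://$host$request_uri;
}

server {
    # "listen 443 ssl" replaces the deprecated "ssl on;" directive.
    listen 443 ssl;
    server_name www.iigrowing.cn;

    ssl_certificate     /etc/pki/tls/certs/rsyslog.crt;
    # The key was rewritten without a passphrase in step 2:
    # keep it mode 0600, owned by root.
    ssl_certificate_key /etc/pki/tls/certs/rsyslog.key;

    # Weak (article): ssl_protocols SSLv2 SSLv3 TLSv1;
    ssl_protocols TLSv1.2 TLSv1.3;

    # Weak (article): the ALL:... list still admits RC4, LOW and export-grade suites.
    # Forward-secret AEAD suites only. This list governs TLS 1.2;
    # TLS 1.3 suites come from the OpenSSL defaults.
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers on;

    ssl_session_timeout 5m;
    ssl_session_cache   shared:SSL:10m;  # assumption: 10 MB shared cache
    ssl_session_tickets off;

    location / {
        root  www.iigrowing.cn;
        index index.html index.htm;
    }
}
```

Run nginx -t to validate the file before restarting the service. The certificate created in step 3 names iig.local.ftp, so a client requesting www.iigrowing.cn will report a name mismatch in addition to the self-signed warning.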

6. Test the HTTPS protocol

Create the a.txt file in the following directory. The content is as follows:

Open your browser and enter the address: https://www.iigrowing.cn/a.txt

Display result
