Nginx: HTTPS for multiple domains with separate certificates (TLS SNI)
The company currently has two domains, and three hostnames under them need to move to HTTPS:
passport.abc.com
www.test.com
admin.test.com
Buying SSL certificates is involved. For cost reasons, three separate certificates are used (one per hostname) rather than a wildcard or multi-domain (SAN) certificate.
In the lab environment we generate the three certificates by hand as self-signed certificates. That is enough to exercise the nginx configuration; production would use CA-issued certificates.
Create a directory for the keys and enter it:
[root@gz122haproxy95 ~]# mkdir ~/keys
[root@gz122haproxy95 ~]# cd ~/keys
Generate a 2048-bit RSA private key and a certificate signing request (CSR) for the first hostname:
[root@gz122haproxy95 keys]# openssl genrsa -out passport.abc.com.key 2048
[root@gz122haproxy95 keys]# openssl req -new -key passport.abc.com.key -out passport.abc.com.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:CN                                        # country
State or Province Name (full name) [Berkshire]:GuangDong                    # province
Locality Name (eg, city) [Newbury]:ShenZhen                                 # city
Organization Name (eg, company) [My Company Ltd]:Test. Inc                  # company name
Organizational Unit Name (eg, section) []:passport.abc.com                  # department; the author reuses the hostname here
Common Name (eg, your name or your server's hostname) []:passport.abc.com   # the hostname the certificate is for; must match server_name
Email Address []:passport@abc.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Sign the CSR with its own key to produce a self-signed certificate valid for ten years:
[root@gz122haproxy95 keys]# openssl x509 -req -days 3650 -in passport.abc.com.csr -signkey passport.abc.com.key -out passport.abc.com.crt
Because the certificate is self-signed, browsers will warn about it; that is acceptable for testing the nginx setup. Note also that a certificate produced this way carries the hostname only in the Common Name. Current browsers require the hostname in a subjectAltName extension and ignore the CN, so for anything beyond a lab, request (or self-sign) the certificate with a SAN.
Repeat the same steps with the other two hostnames substituted. The final result is:
[root@gz122haproxy95 keys]# ls -l
total 36
-rw-r--r-- 1 root root 1354 Dec  4 16:54 admin.test.com.crt
-rw-r--r-- 1 root root 1050 Dec  4 16:54 admin.test.com.csr
-rw-r--r-- 1 root root 1675 Dec  4 16:52 admin.test.com.key
-rw-r--r-- 1 root root 1354 Dec  4 16:48 passport.abc.com.crt
-rw-r--r-- 1 root root 1078 Dec  4 16:44 passport.abc.com.csr
-rw-r--r-- 1 root root 1675 Dec  4 16:41 passport.abc.com.key
-rw-r--r-- 1 root root 1354 Dec  4 16:52 www.test.com.crt
-rw-r--r-- 1 root root 1062 Dec  4 16:52 www.test.com.csr
-rw-r--r-- 1 root root 1679 Dec  4 16:51 www.test.com.key
Note that the private keys were written world-readable (0644). Restrict them with chmod 600 before pointing nginx at them; nginx reads the key as root at startup, so no other user needs access.
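The hand-run openssl commands above, collected into a script as an added example (this is not part of the original article). It generates a self-signed key and certificate per hostname in one `req -x509` step instead of the CSR + `x509 -req` pair, puts the hostname into a subjectAltName as current browsers require, writes the key with 0600 permissions, and adds two checks a practitioner wants before restarting nginx: that the key really belongs to the certificate, and which certificate a running nginx hands out for a given SNI name. The output directory and hostnames are arguments; the DN values (C, ST, L, O) mirror the article's prompts, and `check_sni` needs a running server, so it is not exercised automatically.

```shell
#!/bin/sh
# Added example (not from the original article): self-signed per-hostname
# certificates with a SAN, plus verification helpers for the nginx setup.
set -eu

# gen_selfsigned_cert DIR HOST
# Writes DIR/HOST.key (0600) and DIR/HOST.crt. HOST goes into both the CN and
# subjectAltName; browsers ignore the CN, so the SAN is what actually matters.
gen_selfsigned_cert() {
  dir=$1
  host=$2
  cfg=$(mktemp)
  cat >"$cfg" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = ext
[dn]
C  = CN
ST = GuangDong
L  = ShenZhen
O  = Test Inc
CN = $host
[ext]
subjectAltName   = DNS:$host
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
  # -nodes: unencrypted key, so nginx can start without a passphrase prompt
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -config "$cfg" -keyout "$dir/$host.key" -out "$dir/$host.crt" 2>/dev/null
  rm -f "$cfg"
  chmod 600 "$dir/$host.key"   # the article's ls -l showed 0644 keys; avoid that
}

# cert_san DIR HOST : prints the SAN the certificate carries, e.g. "DNS:www.test.com"
cert_san() {
  openssl x509 -in "$1/$2.crt" -noout -text |
    grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^[[:space:]]*//'
}

# key_matches_cert DIR HOST : prints "match" or "MISMATCH" by comparing the
# public key inside the certificate with the one derived from the private key.
# A mismatch is the usual reason nginx refuses to start after a cert rotation.
key_matches_cert() {
  c=$(openssl x509 -in "$1/$2.crt" -noout -pubkey | openssl sha256)
  k=$(openssl pkey -in "$1/$2.key" -pubout 2>/dev/null | openssl sha256)
  [ "$c" = "$k" ] && echo match || echo MISMATCH
}

# check_sni HOST:PORT NAME : connects with SNI=NAME and prints the subject of
# the certificate the server returned. Run once per hostname against the
# finished nginx to confirm SNI selection works. Needs a live server.
check_sni() {
  openssl s_client -connect "$1" -servername "$2" </dev/null 2>/dev/null |
    openssl x509 -noout -subject
}

# Usage: ./mkcerts.sh generate   -> the article's three certificates in ./keys
if [ "${1:-}" = "generate" ]; then
  mkdir -p keys
  for h in passport.abc.com www.test.com admin.test.com; do
    gen_selfsigned_cert keys "$h"
    echo "$h: san=$(cert_san keys "$h") key=$(key_matches_cert keys "$h")"
  done
fi
```

After nginx is up, `check_sni 127.0.0.1:443 www.test.com` should print a subject with CN=www.test.com; if it prints passport.abc.com instead, the client or the build lacks SNI support and nginx fell back to the first server block on that port.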
Now the installation and configuration of nginx and OpenSSL. (Note: without SNI, one IP address can present only one certificate, because the server has to choose a certificate during the TLS handshake, before it sees the HTTP Host header. To serve several certificates on one IP, nginx must be built with TLS SNI support, which in turn requires an OpenSSL built with the TLS extensions enabled. The OpenSSL shipped with older distributions does not provide this, which is why a newer OpenSSL is compiled into nginx here.)
[root@gz122haproxy95 ~]# wget
[root@gz122haproxy95 ~]# tar zxf openssl-0.9.8zh.tar.gz
[root@gz122haproxy95 ~]# wget http://nginx.org/download/nginx-1.8.0.tar.gz
[root@gz122haproxy95 ~]# tar zxf nginx-1.8.0.tar.gz
[root@gz122haproxy95 ~]# cd nginx-1.8.0
[root@gz122haproxy95 nginx-1.8.0]# ./configure --prefix=/usr/local/nginx1.8.0 --user=www --group=www --with-http_stub_status_module --with-http_ssl_module --with-http_gzip_static_module --with-openssl=../openssl-0.9.8zh
[root@gz122haproxy95 nginx-1.8.0]# make && make install
# OpenSSL only needs to be unpacked; --with-openssl=dir makes the nginx build compile it and link it in statically, which adds noticeably to the build time.
If configure reports that the PCRE or zlib library cannot be found, install the development packages. On CentOS:
yum -y install pcre-devel zlib-devel
After nginx is built and installed, check what it was built with:
[root@gz122haproxy95 nginx-1.8.0]# /usr/local/nginx1.8.0/sbin/nginx -V
nginx version: nginx/1.8.0
built by gcc 4.1.2 20080704 (Red Hat 4.1.2-55)
built with OpenSSL 0.9.8zh 3 Dec 2015
TLS SNI support enabled          # this line confirms that SNI is available
configure arguments: --prefix=/usr/local/nginx1.8.0 --user=www --group=www --with-http_stub_status_module --with-http_ssl_module --with-http_gzip_static_module --with-openssl=../openssl-0.9.8zh
Be aware that both versions shown here are long past end of life, and OpenSSL 0.9.8 supports nothing newer than TLS 1.0. The SNI mechanism is the same in current releases, so follow the procedure with a supported nginx and OpenSSL (or the distribution packages, which have had SNI for years).
Then configure nginx. Each hostname gets its own upstream and its own server block listening on 443 with its own certificate; nginx picks the server block, and with it the certificate, from the SNI name the client sends in the handshake.
upstream passport.abc.com {
    server 192.168.255.87:80;
    server 192.168.255.88:80;
}
# HTTPS server
#
server {
    listen 443 ssl;
    server_name passport.abc.com;
    ssl_certificate     /root/keys/passport.abc.com.crt;
    ssl_certificate_key /root/keys/passport.abc.com.key;
    ssl_session_cache   shared:SSL:1m;
    ssl_session_timeout 5m;
    ssl_ciphers         HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    location / {
        # the upstream group name doubles as the Host header sent to the backends ($proxy_host),
        # which is why naming the upstream after the hostname works here
        proxy_pass http://passport.abc.com;
    }
}
upstream www.test.com {
    server 192.168.20.98:80;
    server 192.168.20.99:80;
}
# HTTPS server
#
server {
    listen 443 ssl;
    server_name www.test.com;
    ssl_certificate     /root/keys/www.test.com.crt;
    ssl_certificate_key /root/keys/www.test.com.key;
    ssl_session_cache   shared:SSL:1m;
    ssl_session_timeout 5m;
    ssl_ciphers         HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    location / {
        proxy_pass http://www.test.com;
    }
}
The same pattern, one upstream plus one ssl server block per hostname, gives a multi-domain HTTPS reverse proxy on a single IP address. Test it with a client that sends SNI (for example openssl s_client -servername) and confirm each hostname receives its own certificate; a client without SNI gets the certificate of the first server block on that port.
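As an added example, not the article's own configuration, here is the same three-hostname layout written the way a current deployment would be: the shared TLS policy in one included snippet, TLS 1.2 and 1.3 only, a default_server that refuses handshakes from clients that send no SNI name or an unknown one (so a wrong certificate is never presented), plain HTTP redirected to HTTPS, and proxy headers so the backends learn the original host and scheme. It assumes a current nginx (1.19.4 or later, for ssl_reject_handshake) and OpenSSL 1.1.1 or later, not the 0.9.8 build above; the admin.test.com backend addresses (192.0.2.10 and .11) are placeholders because the article does not give them, and /etc/nginx/ssl and the snippet paths are assumptions.

```nginx
# Added example (not from the original article). Assumes nginx >= 1.19.4.

# --- /etc/nginx/snippets/tls.conf : shared TLS policy, included by each HTTPS server ---
ssl_protocols             TLSv1.2 TLSv1.3;
ssl_ciphers               ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
ssl_prefer_server_ciphers off;     # every entry above is safe; let TLS 1.2 clients pick
ssl_session_cache         shared:SSL:10m;
ssl_session_timeout       1d;
ssl_session_tickets       off;     # ticket keys are not rotated by nginx; avoid long-lived ones
add_header Strict-Transport-Security "max-age=31536000" always;

# --- /etc/nginx/snippets/proxy-headers.conf : what the backends need to know ---
proxy_set_header Host              $host;
proxy_set_header X-Real-IP         $remote_addr;
proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;   # lets the backend build https:// URLs and set Secure cookies

# --- /etc/nginx/conf.d/https-vhosts.conf ---
upstream passport.abc.com {
    server 192.168.255.87:80;
    server 192.168.255.88:80;
}
upstream www.test.com {
    server 192.168.20.98:80;
    server 192.168.20.99:80;
}
upstream admin.test.com {
    server 192.0.2.10:80;   # placeholder: the article does not give these addresses
    server 192.0.2.11:80;
}

# Plain HTTP for unknown Host values: drop the connection.
server {
    listen 80 default_server;
    server_name _;
    return 444;
}
# Plain HTTP for our hostnames: redirect to HTTPS on the same host and path.
server {
    listen 80;
    server_name passport.abc.com www.test.com admin.test.com;
    return 301 https://$host$request_uri;
}

# No SNI, or an SNI name we do not serve: refuse the handshake instead of
# presenting whichever certificate belongs to the first server block.
server {
    listen 443 ssl default_server;
    server_name _;
    ssl_reject_handshake on;
}

server {
    listen 443 ssl;
    server_name passport.abc.com;
    ssl_certificate     /etc/nginx/ssl/passport.abc.com.crt;
    ssl_certificate_key /etc/nginx/ssl/passport.abc.com.key;
    include snippets/tls.conf;
    location / {
        proxy_pass http://passport.abc.com;
        include snippets/proxy-headers.conf;
    }
}
server {
    listen 443 ssl;
    server_name www.test.com;
    ssl_certificate     /etc/nginx/ssl/www.test.com.crt;
    ssl_certificate_key /etc/nginx/ssl/www.test.com.key;
    include snippets/tls.conf;
    location / {
        proxy_pass http://www.test.com;
        include snippets/proxy-headers.conf;
    }
}
server {
    listen 443 ssl;
    server_name admin.test.com;
    ssl_certificate     /etc/nginx/ssl/admin.test.com.crt;
    ssl_certificate_key /etc/nginx/ssl/admin.test.com.key;
    include snippets/tls.conf;
    location / {
        proxy_pass http://admin.test.com;
        include snippets/proxy-headers.conf;
    }
}
```

Run `nginx -t` after installing the files; it checks that every certificate loads and matches its key. Setting the Host header explicitly matters once an upstream is no longer named after the public hostname, and X-Forwarded-Proto is what stops a backend behind TLS termination from emitting http:// redirects and cookies without the Secure flag.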