Using Nginx as an HTTPS proxy falls into two scenarios. In the first, the backend is an HTTP application and the front-end proxy uses an SSL certificate to provide an HTTPS reverse proxy. In the second, the backend is itself an HTTPS application and the front end only does reverse proxying. This article describes the configuration for the first scenario.
Environment:
OS: RHEL 6.5
nginx: nginx-1.10.2
I. Configuring an SSL certificate with OpenSSL
1. Generate server-side private key (key file)
[root@app2 ssl]# openssl genrsa -des3 -out server.key 2048
Generating RSA private key, 2048 bit long modulus
..............................................................+++
.......................................................+++
e is 65537 (0x10001)
Enter pass phrase for server.key:bing123
Verifying - Enter pass phrase for server.key:bing123
[root@app2 ssl]# ls
server.key
The command prompts for a password, which is used to encrypt the key file (the des3 parameter selects the encryption algorithm; you can of course choose another algorithm that you consider secure). You will need to enter the password whenever this file is read (via the commands or API provided by OpenSSL). If that is inconvenient, you can remove the password, but be sure to take other protective measures!
Command to remove the key file password:
openssl rsa -in server.key -out server2.key (a new key file is generated that can be used without a password; for later use we can rename server2.key to server.key, after saving the original server.key under another name)
2. Generate the Certificate Signing Request (CSR). The generated CSR file is submitted to a CA, and once signed it becomes the server's own certificate.
[root@app2 ssl]# openssl req -new -key server.key -out server.crs
Enter pass phrase for server.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:china
Locality Name (eg, city) [Default City]:changsha
Organization Name (eg, company) [Default Company Ltd]:czhy LTD
Organizational Unit Name (eg, section) []:czhy
Common Name (eg, your name or your server's hostname) []:czhy
Email Address []:xxx@qq.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:bing123
An optional company name []:xxx@qq.com
[root@app2 ssl]# ls
server.crs server.key
[root@app2 ssl]#
3. Issue the certificate we just requested by self-signing it; the resulting certificate is ca.crt
[root@app2 ssl]# openssl x509 -req -days 3650 -in /ssl/server.crs -signkey /ssl/server.key -out /ssl/ca.crt
Signature ok
subject=/C=CN/ST=china/L=changsha/O=czhy LTD/OU=czhy/CN=czhy/emailAddress=xxx@qq.com
Getting Private key
Enter pass phrase for /ssl/server.key:
[root@app2 ssl]# ls
ca.crt server.crs server.key
II. Nginx HTTPS configuration
1. The http_ssl_module module
When Nginx was originally installed, the http_ssl_module module was not compiled in, so restarting Nginx failed with this message: nginx: [emerg] the "ssl" parameter requires ngx_http_ssl_module in /usr/local/nginx/
So Nginx has to be recompiled with the required module added.
cd /soft/nginx-1.10.2
./configure --prefix=/usr/local/nginx --with-http_ssl_module
make
The build leaves a new nginx binary in the /soft/nginx-1.10.2/objs directory.
Replace the nginx binary in /usr/local/nginx/sbin/ with it.
Restart the Nginx service.
2. HTTPS configuration
For example, the following configuration makes the application reachable at https://192.168.184.221
Modify the nginx.conf file:
server {
    listen 443 ssl;
    server_name httsserver;
    ssl on;
    ssl_certificate /ssl/ca.crt;
    ssl_certificate_key /ssl/server.key; # If the key file has a password, you must enter that password whenever you start or stop Nginx
    location / {
        proxy_pass http://192.168.184.221:8080;
        root html;
        index index.html index.htm;
    }
}
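An added example, not part of the original article: a shell check that ties the ssl_certificate_key directive above to the password discussion in section I. It reports whether each referenced key is password-encrypted (Nginx will prompt for it) or unencrypted, and for an unencrypted key whether the file mode limits it to its owner. The function names and the demo files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original article): audit the private keys that
# an nginx config references through ssl_certificate_key.

# Print every ssl_certificate_key path in config file $1 (comments stripped).
nginx_key_paths() {
    sed 's/#.*//' "$1" |
        awk '$1 == "ssl_certificate_key" { sub(/;.*/, "", $2); print $2 }'
}

# Classify key file $1 as: missing | encrypted | plain-restricted | plain-exposed
key_state() {
    [ -f "$1" ] || { echo "missing"; return 0; }
    # `openssl genrsa -des3` writes a "Proc-Type: 4,ENCRYPTED" PEM header;
    # PKCS#8 encrypted keys use "BEGIN ENCRYPTED PRIVATE KEY" instead.
    if grep -Eq '^Proc-Type: 4,ENCRYPTED|BEGIN ENCRYPTED PRIVATE KEY' "$1"; then
        echo "encrypted"; return 0
    fi
    # Characters 5-10 of the ls mode string are the group and other bits.
    if [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]; then
        echo "plain-restricted"
    else
        echo "plain-exposed"
    fi
}

# Report each key; return 1 if any is missing or accessible beyond its owner.
audit_nginx_keys() {
    rc=0
    for key in $(nginx_key_paths "$1"); do
        state=$(key_state "$key")
        echo "$key: $state"
        case $state in missing|plain-exposed) rc=1 ;; esac
    done
    return $rc
}

# Constructed demo input: PEM stubs with headers only, no real key material.
demo=$(mktemp -d)
printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
    'DEK-Info: DES-EDE3-CBC,0000000000000000' > "$demo/server.key"
printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' > "$demo/server2.key"
chmod 644 "$demo/server2.key"
printf 'server {\n  listen 443 ssl;\n  ssl_certificate_key %s; # key\n}\n' \
    "$demo/server2.key" > "$demo/nginx.conf"
audit_nginx_keys "$demo/nginx.conf" || echo "finding: tighten with chmod 600"
```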