How to configure multiple SSL certificates for a single Nginx IP address
By default, an Nginx IP address serves only one SSL certificate, so configuring several certificates requires several IP addresses. When public IP addresses are scarce, you can use the TLS Server Name Indication extension (SNI, RFC 6066): the browser sends the server name (Host) of the request during the TLS handshake, so Nginx can pick the SSL configuration of the matching server block.
The configuration steps are as follows:
1. Check whether Nginx supports TLS SNI:
$ nginx -V
...
TLS SNI support enabled
...
2. If the output shows "TLS SNI support disabled", you must upgrade OpenSSL and recompile Nginx.
The procedure is as follows:
First, download OpenSSL (version 1.0.1h is recommended):
# wget http://www.openssl.org/source/openssl-1.0.1h.tar.gz
Download Nginx:
# wget http://nginx.org/download/nginx-1.9.9.tar.gz
Decompress OpenSSL:
# tar -zxvf openssl-1.0.1h.tar.gz
Decompress Nginx, then configure and compile it against the downloaded OpenSSL source:
# tar -zxvf nginx-1.9.9.tar.gz
# cd nginx-1.9.9
# ./configure --user=www --group=www --prefix=/usr/local/nginx --with-http_stub_status_module --with-http_ssl_module --with-http_gzip_static_module --with-ipv6 --with-openssl=../openssl-1.0.1h/
# make && make install
Check the Nginx version information:
# /usr/local/nginx/sbin/nginx -V
nginx version: nginx/1.9.9
built by gcc 4.1.2 20080704 (Red Hat 4.1.2-55)
built with OpenSSL 1.0.1h 5 Jun 2014
TLS SNI support enabled
configure arguments: --user=www --group=www --prefix=/usr/local/nginx --with-http_stub_status_module --with-http_ssl_module --with-http_gzip_static_module --with-ipv6 --with-openssl=../openssl-1.0.1h/
Configure the domain name certificate in the vhost:
server
{
    #########
    listen 80;
    listen 443 ssl;
    # listen [::]:80;
    server_name we.baohua.me;
    root /home/wwwroot/we.baohua.me;
    # "ssl on;" is not needed here: the ssl parameter on "listen 443 ssl" enables TLS on that
    # port only, while "ssl on;" would also force TLS on port 80 and break plain HTTP requests.
    ssl_certificate_key /home/wwwroot/cert/we.baohua.me.key;
    ssl_certificate /home/wwwroot/cert/we.baohua.me.crt;
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ###############
}
Restart Nginx.
Example 2: configure a self-signed SSL certificate for Nginx
The following describes how to create a self-signed SSL certificate. OpenSSL must be installed. The steps are: 1. create a key; 2. create a certificate signing request; 3. remove the password from the key; 4. sign the certificate with the key. For a certificate intended for HTTPS, the CN in the signing request must be the same as the domain name; otherwise the browser cannot verify the certificate. These commands are tedious, so I wrote a shell script that handles the whole process in one go. Download the script: gencert.sh. Running it looks like this:
Enter your domain [www.example.com]: www.test.com
Create server key...
Generating RSA private key, 1024 bit long modulus
...
...++
e is 65537 (0x10001)
Enter pass phrase for www.test.com.key: (enter the password)
Verifying - Enter pass phrase for www.test.com.key: (enter the password)
Create server certificate signing request...
Enter pass phrase for www.test.com.key: (enter the password)
Remove password...
Enter pass phrase for www.test.com.origin.key: (enter the password)
writing RSA key
Sign SSL certificate...
Signature ok
subject=/C=US/ST=Mars/L=iTranswarp/O=iTranswarp/OU=iTranswarp/CN=www.test.com
Getting Private key
TODO:
Copy www.test.com.crt to /etc/nginx/ssl/www.test.com.crt
Copy www.test.com.key to /etc/nginx/ssl/www.test.com.key
Add configuration in nginx:
server {
    ...
    ssl on;
    ssl_certificate /etc/nginx/ssl/www.test.com.crt;
    ssl_certificate_key /etc/nginx/ssl/www.test.com.key;
}
Where the transcript says "enter the password", that is your input; note that all four passwords must be the same. Four files are created in the current directory:
• www.test.com.crt: the self-signed certificate
• www.test.com.csr: the certificate signing request
• www.test.com.key: the key without a password
• www.test.com.origin.key: the key with a password
The web server needs to send www.test.com.crt to the browser for verification and then uses www.test.com.key to decrypt the data sent by the browser. The other two files do not need to be uploaded to the web server. Taking Nginx as an example, you need to configure:
server {
    ...
    ssl on;
    ssl_certificate /etc/nginx/ssl/www.test.com.crt;
    ssl_certificate_key /etc/nginx/ssl/www.test.com.key;
}
If everything goes well, open your browser and you can reach your website over HTTPS. The first visit produces a warning because our self-signed certificate is not trusted by the browser; import the certificate into the system through the browser (on Windows use IE to import, on Mac use Safari) and mark it as trusted. After that, the computer can connect securely to the web server when it visits the site.
How do you configure a certificate on the application server, for example Tomcat or gunicorn? The correct approach is not to: let Nginx handle HTTPS and connect to the backend application server through the proxy over plain HTTP. This uses Nginx as a security proxy from HTTPS to HTTP, so you get Nginx's HTTP/HTTPS processing capability and avoid the application server's weaknesses at handling HTTPS.
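The three procedures above, the four self-signed certificate steps, one vhost per certificate on a shared IP address selected by SNI, and Nginx terminating HTTPS in front of a plain-HTTP application server, as one added shell example. It is not the article's gencert.sh and not part of the original page. It assumes openssl is installed; the hostnames, directories and the 127.0.0.1:8080 backend are constructed placeholders. It deliberately differs from the article's configuration in three places: it omits "ssl on;" (deprecated in favour of the ssl parameter on listen since Nginx 1.15.0), it uses a 2048-bit key and only TLS 1.2/1.3 rather than 1024 bits and SSLv3, and it adds a subjectAltName because current browsers match the hostname against the SAN rather than the CN.

```shell
#!/bin/sh
# Added example, not the article's gencert.sh. For each hostname it runs the
# article's four certificate steps with openssl, then writes an Nginx vhost; all
# vhosts share one "listen 443 ssl" on the same IP and Nginx picks the block
# from the SNI name. Assumes openssl is installed. Paths and hostnames below
# are constructed placeholders.
set -e

CERT_DIR="${CERT_DIR:-${TMPDIR:-/tmp}/sni-demo/certs}"   # placeholder for /etc/nginx/ssl
CONF_DIR="${CONF_DIR:-${TMPDIR:-/tmp}/sni-demo/vhosts}"  # placeholder for /etc/nginx/conf.d

# Steps 1-4 for one hostname. Produces host.origin.key, host.csr, host.key, host.crt.
gen_self_signed() {
  host="$1"; pw="throwaway-passphrase"   # constructed; only protects the intermediate key
  mkdir -p "$CERT_DIR"
  origin="$CERT_DIR/$host.origin.key"; key="$CERT_DIR/$host.key"
  csr="$CERT_DIR/$host.csr"; crt="$CERT_DIR/$host.crt"
  # 1. Password-protected key (2048 bit; the 1024 bit in the transcript is below current minimums)
  openssl genrsa -aes256 -passout "pass:$pw" -out "$origin" 2048 2>/dev/null
  # 2. Signing request; CN must be the exact hostname the browser will visit
  openssl req -new -key "$origin" -passin "pass:$pw" -subj "/CN=$host" -out "$csr"
  # 3. Strip the password so Nginx can load the key without a prompt at startup
  openssl rsa -in "$origin" -passin "pass:$pw" -out "$key" 2>/dev/null
  # 4. Self-sign; a subjectAltName is added because browsers match the hostname against SAN, not CN
  printf 'subjectAltName=DNS:%s\n' "$host" > "$CERT_DIR/$host.ext"
  openssl x509 -req -sha256 -days 365 -in "$csr" -signkey "$key" \
    -extfile "$CERT_DIR/$host.ext" -out "$crt" 2>/dev/null
  chmod 600 "$origin" "$key"
}

# Checks a practitioner runs before reloading Nginx.
cert_cn()  { openssl x509 -in "$1" -noout -subject | sed -n 's|.*CN *= *\([^,/]*\).*|\1|p'; }
cert_san() { openssl x509 -in "$1" -noout -text | sed -n 's|^ *DNS:\([^,]*\).*|\1|p'; }
key_matches_cert() {   # the certificate and the key given to Nginx must share a modulus
  [ "$(openssl x509 -in "$1" -noout -modulus)" = "$(openssl rsa -in "$2" -noout -modulus 2>/dev/null)" ]
}

# One server block per hostname. Without a backend it serves files like the article's
# vhost; with one (host:port) it terminates TLS and proxies plain HTTP to the app server.
emit_vhost() {
  host="$1"; backend="${2:-}"
  mkdir -p "$CONF_DIR"
  {
    echo "server {"
    echo "    listen 443 ssl;              # shared with every other vhost; SNI selects the block"
    echo "    server_name $host;"
    echo "    ssl_certificate     $CERT_DIR/$host.crt;"
    echo "    ssl_certificate_key $CERT_DIR/$host.key;"
    echo "    ssl_protocols TLSv1.2 TLSv1.3;   # SSLv3 and TLS 1.0/1.1 are obsolete (RFC 7568, RFC 8996)"
    echo '    ssl_ciphers HIGH:!aNULL:!MD5;'
    echo "    ssl_prefer_server_ciphers on;"
    if [ -n "$backend" ]; then
      echo "    location / {"
      echo "        proxy_pass http://$backend;"
      echo '        proxy_set_header Host $host;'
      echo '        proxy_set_header X-Forwarded-Proto https;   # tells the app the client used HTTPS'
      echo '        proxy_set_header X-Forwarded-For $remote_addr;'
      echo "    }"
    else
      echo "    root /home/wwwroot/$host;    # placeholder document root"
    fi
    echo "}"
  } > "$CONF_DIR/$host.conf"
}

main() {
  [ $# -gt 0 ] || set -- we.example.test shop.example.test   # constructed sample hostnames
  for h in "$@"; do
    gen_self_signed "$h"
    emit_vhost "$h" "${BACKEND:-}"      # e.g. BACKEND=127.0.0.1:8080 for a Tomcat/gunicorn upstream
    key_matches_cert "$CERT_DIR/$h.crt" "$CERT_DIR/$h.key" || { echo "key/cert mismatch for $h" >&2; exit 1; }
    echo "$h: CN=$(cert_cn "$CERT_DIR/$h.crt") SAN=$(cert_san "$CERT_DIR/$h.crt") -> $CONF_DIR/$h.conf"
  done
  echo "include the vhosts from nginx.conf, then: nginx -t && nginx -s reload"
  # To see which certificate a running server presents for a given SNI name (needs the server, not run here):
  #   openssl s_client -connect 203.0.113.10:443 -servername shop.example.test </dev/null 2>/dev/null | openssl x509 -noout -subject
}
main "$@"
```

Run it with the hostnames you want as arguments; set BACKEND=host:port to get the HTTPS-to-HTTP proxy form of the vhost instead of a document root. The key_matches_cert check catches the most common deployment mistake, a certificate copied next to the wrong key, before Nginx refuses to start, and the commented s_client line is how you confirm from a client that SNI is selecting the intended certificate.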