2016-10-28 Reprint Please specify Source: http://daodaoliang.com/
作者: daodaoliang版本: V1.0.1邮箱: [email protected]
Reference Links: Here and here and official documents
1. Making a server certificate
Server CA Private key:
openssl genrsa -des3 -out ca.key 2048
Make the decrypted CA private key (which is generally not necessary):
openssl rsa -in ca.key -out ca_decrypted.key
CA.CRT CA Root certificate (public key):
openssl req -new -x509 -days 7305 -key ca.key -out ca.crt
2. Create a certificate for the generated Web site and certify it with CA signature
Here, suppose the site domain name is www.example.com
Generate the www.example.com certificate private key:
openssl genrsa -des3 -out www.example.com.pem 1024
Make the decrypted www.example.com certificate private key:
openssl rsa -in www.example.com.pem -out www.example.com.key
To generate a signature request:
openssl req -new -key www.example.com.pem -out www.example.com.csr
Fill in the site domain name in the common name, such as www.example.com can generate the site's certificate, but also can use a generic domain name such as *.example.com to generate all the two-level domain name available site certificate.
To sign with a CA:
openssl ca -policy policy_anything -days 1460 -cert ca.crt -keyfile ca.key -in www.example.com.csr -out www.example.com.crt
Where the policy parameter allows signed CAs and web site certificates to have different countries, place names and other information, the days parameter is the signature time limit.
If you execute the signing command, the "I am unable to access the" appears. /.. /ca/newcerts directory "
Modify/etc/pki/tls/openssl.cnf in "DIR =./ca"
And then:
mkdir -p CA/newcertstouch CA/index.txttouch CA/serialecho "01" > CA/serial
Then re-execute the signing command.
Finally, paste the contents of the CA.CRT into the back of WWW.EXAMPLE.COM.CRT. This is more important! Because you do not do this, there may be some browsers that are not supported.
OK, now HTTPS needs to the website private key Www.example.com.key and website certificate www.example.com.crt are ready to complete. Next, start configuring the service side.
3. Configure Nginx
Open a new virtual host and set it in the server{} segment:
listen 443;ssl on;ssl_certificate /path/to/www.example.com.crt;ssl_certificate_key /path/to/www.example.com.key;
Where the path is the path of the Web site certificate that was just generated.
Then use the command to detect the configuration and reload Nginx:
检测配置:nginx -t重新加载:nginx -s reload
4. Optimized Nginx Configuration
HTTPS and HTTP coexistence:
server { listen 80; listen 443 ssl; server_name zou.lu; root /var/www/html; #ssl on; //这行必须要注释掉 ssl_certificate /usr/local/nginx/conf/zou_lu.crt; ssl_certificate_key /usr/local/nginx/conf/zoulukey.pem; }
Optimize performance:
In http{}, add:
ssl_session_cache shared:SSL:10m;ssl_session_timeout 10m;
According to the official documentation, 1m in the cache can hold 4,000 sessions.
In the virtual host server{} that is configured for HTTPS, add:
keepalive_timeout 70;
PS: Common errors:
Sometimes, you will find that when the phpMyAdmin and other programs log in, it will mistakenly jump to the HTTP problem. The solution is to locate the location ~. *. (PHP |
PHP5)? ${} "in the include fcgi.conf, or after the Fastcgi_param configuration, add: |
fastcgi_param HTTPS on;fastcgi_param HTTP_SCHEME https;
Latest First Hottest
http://daodaoliang.com/blog/2016/10/28/nginx%E9%85%8D%E7%BD%AEhttps%E5%B9%B6%E8%87%AA%E7%AD%BE%E5%90%8D%E8%AF% 81%e4%b9%a6.html
Nginx configuration HTTPS and self-signed certificate