Nginx configuration HTTPS and self-signed certificate

2016-10-28 Reprint Please specify Source: http://daodaoliang.com/

作者: daodaoliang版本: V1.0.1邮箱： [email protected]

Reference Links: Here and here and official documents

1. Making a server certificate

Server CA Private key:

openssl genrsa -des3 -out ca.key 2048

Make the decrypted CA private key (which is generally not necessary):

openssl rsa -in ca.key -out ca_decrypted.key

CA.CRT CA Root certificate (public key):

openssl req -new -x509 -days 7305 -key ca.key -out ca.crt

2. Create a certificate for the generated Web site and certify it with CA signature

Here, suppose the site domain name is www.example.com

Generate the www.example.com certificate private key:

openssl genrsa -des3 -out www.example.com.pem 1024

Make the decrypted www.example.com certificate private key:

openssl rsa -in www.example.com.pem -out www.example.com.key

To generate a signature request:

openssl req -new -key www.example.com.pem -out www.example.com.csr

Fill in the site domain name in the common name, such as www.example.com can generate the site's certificate, but also can use a generic domain name such as *.example.com to generate all the two-level domain name available site certificate.

To sign with a CA:

openssl ca -policy policy_anything -days 1460 -cert ca.crt -keyfile ca.key -in www.example.com.csr -out www.example.com.crt

Where the policy parameter allows signed CAs and web site certificates to have different countries, place names and other information, the days parameter is the signature time limit.

If you execute the signing command, the "I am unable to access the" appears. /.. /ca/newcerts directory "

Modify/etc/pki/tls/openssl.cnf in "DIR =./ca"

And then:

mkdir -p CA/newcertstouch CA/index.txttouch CA/serialecho "01" > CA/serial

Then re-execute the signing command.

Finally, paste the contents of the CA.CRT into the back of WWW.EXAMPLE.COM.CRT. This is more important! Because you do not do this, there may be some browsers that are not supported.

OK, now HTTPS needs to the website private key Www.example.com.key and website certificate www.example.com.crt are ready to complete. Next, start configuring the service side.

3. Configure Nginx

Open a new virtual host and set it in the server{} segment:

listen 443;ssl on;ssl_certificate /path/to/www.example.com.crt;ssl_certificate_key /path/to/www.example.com.key;

Where the path is the path of the Web site certificate that was just generated.

Then use the command to detect the configuration and reload Nginx:

检测配置：nginx -t重新加载：nginx -s reload

4. Optimized Nginx Configuration

HTTPS and HTTP coexistence:

server {        listen 80;        listen 443 ssl;        server_name zou.lu;        root /var/www/html;        #ssl on;   //这行必须要注释掉        ssl_certificate /usr/local/nginx/conf/zou_lu.crt;        ssl_certificate_key /usr/local/nginx/conf/zoulukey.pem;    }

Optimize performance:

In http{}, add:

ssl_session_cache shared:SSL:10m;ssl_session_timeout 10m;

According to the official documentation, 1m in the cache can hold 4,000 sessions.

In the virtual host server{} that is configured for HTTPS, add:

keepalive_timeout 70;

PS: Common errors:

Sometimes, you will find that when the phpMyAdmin and other programs log in, it will mistakenly jump to the HTTP problem. The solution is to locate the location ~. *. (PHP

PHP5)? ${} "in the include fcgi.conf, or after the Fastcgi_param configuration, add:

fastcgi_param HTTPS on;fastcgi_param HTTP_SCHEME https;

Latest First Hottest

• Comments

http://daodaoliang.com/blog/2016/10/28/nginx%E9%85%8D%E7%BD%AEhttps%E5%B9%B6%E8%87%AA%E7%AD%BE%E5%90%8D%E8%AF% 81%e4%b9%a6.html

Nginx configuration HTTPS and self-signed certificate