Nginx配置之https

https配置

生成私钥，生成证书签署请求并获得证书，然后在nginx.conf中配置

示例：

server {
  listen       443 ssl;
  server_name  www.idfsoft.com;
  ssl_certificate      /etc/nginx/ssl/nginx.crt;
  ssl_certificate_key  /etc/nginx/ssl/nginx.key;
  ssl_session_cache    shared:SSL:1m;
  ssl_session_timeout  5m;
  ssl_ciphers  HIGH:!aNULL:!MD5;
  ssl_prefer_server_ciphers  on;
  location / {
    root   html;
    index  index.html index.htm;
  }
}

获取证书有方式有两种，其一是openssl实现私有CA签发证书，其二是免费SSL证书申请。在个人实验环境中二者选其一即可，但在企业的生产环境中必须要购买证书进行部署。

openssl实现私有CA签发证书

#创建私有CA存放位置
[root@localhost ~]# mkdir -p /etc/pki/CA
[root@localhost ~]# cd /etc/pki/CA
[root@localhost CA]# mkdir private
#服务端生成密钥
[root@localhost CA]# (umask 077;openssl genrsa -out private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus (2 primes)
....+++++
.........................+++++
e is 65537 (0x010001)
#提取公钥
[root@localhost CA]# openssl rsa -in private/cakey.pem -pubout
writing RSA key
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1R3BrFLzEFub1t8k2CPd
EZcUoXvmSJVGNf99LgISs+zzY7Jl0s97bcNLaB91h/riPNHq9Z/hyeqfTbSVNKeO
s4Z6RuM7m/Bpm1cSt53FOgrz41GBs/DT9V0CzJABCiWjJziQOIn93JElTNOttDKD
AOMwo88u+b1kG/GcSfkLpNn871X/5YKp1YRXMmE8TLfvpp6hXmvojai2MpxIGCcJ
DC/oDtKOKtsPGUAW6xB7ZpIcQsw+n3JMhiCgKsYeGZ1ZKHM9LFTB7s02Xe0pQwhZ
fzQ3N1nR9fpC6eiU3DkV1h4V+2mUD36Omgqz9H3+DrPn+xAfGSVBtxrmBFvxJMAV
+wIDAQAB
-----END PUBLIC KEY-----
#生成自签署证书，请记住这里填写的信息，后面生成的证书签署请求文件填写的信息要与这里完全一致
[root@localhost CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HB
Locality Name (eg, city) [Default City]:WH
Organization Name (eg, company) [Default Company Ltd]:www.yf.com
Organizational Unit Name (eg, section) []:www.yf.com
Common Name (eg, your name or your server's hostname) []:www.yf.com
Email Address []:1@2.com
[root@localhost CA]# ls
cacert.pem  private
[root@localhost CA]# mkdir certs newcerts crl
[root@localhost CA]# touch index.txt && echo 01 > serial
[root@localhost CA]# ls
cacert.pem  certs  crl  index.txt  newcerts  private  serial
[root@localhost CA]# cd /usr/local/nginx/conf/
[root@localhost conf]# mkdir ssl
[root@localhost conf]# cd ssl/
#客户端生成密钥
[root@localhost ssl]# (umask 077;openssl genrsa -out nginx.key 2048)
Generating RSA private key, 2048 bit long modulus (2 primes)
.....+++++
..............................+++++
e is 65537 (0x010001)
#客户端生成证书签署请求文件，这里填写的信息要与前面的完全一致，不然无法签署成功
[root@localhost ssl]# openssl req -new -key nginx.key -days 365 -out nginx.csr
Ignoring -days; not generating a certificate
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HB
Locality Name (eg, city) [Default City]:WH
Organization Name (eg, company) [Default Company Ltd]:www.yf.com
Organizational Unit Name (eg, section) []:www.yf.com
Common Name (eg, your name or your server's hostname) []:www.yf.com
Email Address []:1@2.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@localhost ssl]# ls
nginx.csr  nginx.key
#CA签署客户端的证书
[root@localhost ssl]# openssl ca -in nginx.csr -out nginx.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Oct 13 12:38:41 2022 GMT
            Not After : Oct 13 12:38:41 2023 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = HB
            organizationName          = www.yf.com
            organizationalUnitName    = www.yf.com
            commonName                = www.yf.com
            emailAddress              = 1@2.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                04:7E:A7:7C:55:34:E8:B8:52:D0:C5:CE:FA:C4:14:E2:A5:96:08:A2
            X509v3 Authority Key Identifier:
                keyid:76:81:2D:69:5B:17:F6:52:4C:C4:91:7C:BC:FD:90:21:01:C0:49:F7

Certificate is to be certified until Oct 13 12:38:41 2023 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@localhost ssl]# ls
nginx.crt  nginx.csr  nginx.key
#csr是证书签署请求文件，已完成了它的使命，后续不再用到
[root@localhost ssl]# rm -f nginx.csr
[root@localhost ssl]# ls
nginx.crt  nginx.key
#后续如何部署ssl证书请往后看，点击文章目录跳转到【部署ssl证书实现https】

免费SSL证书申请教程(推荐)

阿里云免费SSL证书介绍：

​ 免费证书只能保护一个域名（带www和不带www可以通用），阿里云个人账号和企业账号均可申请，多个域名可以申请多个免费证书，免费为每个通过实名验证的阿里云账号提供20张DigiCert DV单域名证书。申请教程如下：

一、证书选购

1. 打开阿里云SSL证书申请页面，点击“选购证书”
2. 证书选择
   选择证书类型：免费版（个人）DV

选择品牌：DigiCert
域名类型：单域名（1个域名）
选择域名个数：只能选择1
购买数量：可以购买多个
购买时长：最多购买一年

总配置费用为0元，点击“立即购买”，结算即可。

二、证书申请

购买完的SSL证书是未签发状态，还要提交证书申请，阿里云系统会将请求发送给CA机构审核。

1. 登录到阿里云SSL控制台
2. 在刚购买未签发的免费版SSL，选择“证书申请”
   如下图：

3. 填写SSL证书申请表单

证书绑定域名：免费证书只能填写一个域名，带www和不带www域名可以通用
申请人姓名：按照实际填写
申请人手机号：按照实际填写
申请人邮箱：按照实际填写
所在地：按照实际填写
域名验证方式：参考（阿里云SSL证书申请域名验证选择及操作流程）
CSR生成方式：系统生成

4. 完成DNS验证

如果你的域名在阿里云，直接点图片里的链接跳转。如不是则自行打开自己的域名控制台

把证书申请的DNS验证信息复制过来

添加后看到此项的状态是【正常】的即可

完成上述操作后，回到证书申请界面，点击【验证】，验证成功后点击【提交申请】

5. 下载证书

看到证书的状态是【已签发】，则证明该证书可以实际使用了，点击【下载】

证书下载界面可以看到有这么多类型，这里我选择nginx，因为我要部署到nginx服务器上，根据服务类型选择相对应的

下载到本地后上传至nginx服务器

部署ssl证书实现https

[root@localhost conf]# pwd
/usr/local/nginx/conf
[root@localhost conf]# mkdir ssl

将本地的证书文件上传至nginx服务器

[root@localhost conf]# cd ssl/
[root@localhost ssl]# ls
8617472_www.helloyf.fun.key  8617472_www.helloyf.fun.pem
#我这里改名是为了方便记忆。pem证书可以更名为crt证书
[root@localhost ssl]# mv 8617472_www.helloyf.fun.key nginx.key
[root@localhost ssl]# mv 8617472_www.helloyf.fun.pem nginx.crt
[root@localhost ssl]# ls
nginx.crt  nginx.key

#进行配置https，直接在原有配置中取消这大一段的注释
[root@localhost conf]# vim nginx.conf
    #HTTPS server

    server {
        listen       443 ssl;
        server_name  www.helloyf.fun;		#将此修改为自己的域名

        ssl_certificate      ssl/nginx.crt;		#【pem|crt】证书存放的位置
        ssl_certificate_key  ssl/nginx.key;		#key证书存放的位置

        ssl_session_cache    shared:SSL:1m;
        ssl_session_timeout  5m;

        ssl_ciphers  HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers  on;

        location / {
            root   html;
            index  index.html index.htm;
        }
    }
[root@localhost conf]# systemctl restart nginx.service

去浏览器访问

此时也可以用域名进行访问，不过我的域名已经用公网IP部署了网站。所以先要在本机的hosts文件写本地域名映射，这样就不会访问我公网的站点了。这里涉及到DNS解析的工作流程，感兴趣可以去查查。

Windows系统中该文件的默认路径：C:\Windows\System32\drivers\etc\hosts

在该文件的最后一行添加IP和域名，保存即可。我这个域名要用于访问博客，所以做完实验后会恢复，恢复的话直接把这一行映射删掉。

这次用域名访问。可以看到访问成功了，并且显示连接是安全的！