1. 安装OpenSSL
# openssl-devel supplies the headers needed to rebuild nginx with --with-http_ssl_module (step 4).
[root@localhost ~]# yum -y install openssl openssl-devel
2. 创建证书文件夹cert
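# This directory will hold an unencrypted private key (step 3 uses -nodes), so restrict it to root before anything lands in it.
[root@localhost ~]# mkdir -p /usr/local/nginx/cert
[root@localhost ~]# chmod 700 /usr/local/nginx/cert
[root@localhost ~]# cd /usr/local/nginx/cert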
3. 生成私钥和证书
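# Self-signed RSA-2048 certificate valid for one year. The server address must also appear in
# subjectAltName: modern browsers ignore a certificate that carries the address only in CN.
# /etc/pki/tls/openssl.cnf is the RHEL/CentOS default config path; adjust if yours differs.
# On OpenSSL >= 1.1.1 the -extensions/-config pair can be replaced by -addext "subjectAltName=IP:192.168.152.3".
[root@localhost cert]# openssl req -newkey rsa:2048 -nodes -keyout rsa_private.key -x509 -days 365 -out cert.crt \
    -subj "/C=CN/ST=GD/L=SZ/O=vihoo/OU=dev/CN=192.168.152.3/emailAddress=123@qq.com" \
    -extensions v3_san -config <(cat /etc/pki/tls/openssl.cnf; printf '[v3_san]\nsubjectAltName=IP:192.168.152.3\n')
# -nodes leaves the key unencrypted on disk; make it readable by root only.
[root@localhost cert]# chmod 600 rsa_private.key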
参数说明:
req: 证书签名请求(CSR)管理子命令；加上 -x509 后直接输出一张自签名的 X.509 证书，而不是 CSR。X.509 是 SSL/TLS 用于密钥和证书管理的公钥证书标准。
-nodes: 生成私钥时不加密(no DES)，私钥以明文保存在 rsa_private.key 中，nginx 启动时无需交互输入口令。正因为私钥是明文，必须用文件权限(chmod 600，目录 700)保护它。
-days 365: 证书有效期(天)，与上面命令一致，即一年。不要照搬网上常见的 36500(100 年)：私钥一旦泄露，超长有效期的证书无法靠过期自然失效。
-newkey rsa:2048: 同时生成一个新的 RSA 2048 位私钥和对应的证书(注意 rsa:2048 中间没有空格)。
-keyout: 私钥输出文件名
-out: 证书生成文件名
生成结果如下:
4. nginx开启SSL模块
若已开启则跳过这一步,如果nginx未开启SSL模块,会出现如下错误:
nginx: [emerg] the "ssl" parameter requires ngx_http_ssl_module in /usr/local/nginx/conf/nginx.conf:102
切换到nginx的源码包
# The source tree must be the exact version of the installed binary (1.15.10, as reported by `nginx -V` below).
[root@localhost nginx]# cd /usr/local/src/nginx/nginx-1.15.10
查看nginx原有模块
# Capture the current build's configure arguments: every flag listed here must be repeated when
# re-running ./configure below (plus --with-http_ssl_module), or the new binary is built without those modules.
[root@localhost nginx-1.15.10]# /usr/local/nginx/sbin/nginx -V
nginx version: nginx/1.15.10
built by gcc 9.3.1 20200408 (Red Hat 9.3.1-2) (GCC)
configure arguments: --prefix=/usr/local/nginx # existing module set; only --prefix in this build
配置http_ssl_module模块
# Re-run configure with the ORIGINAL arguments from `nginx -V` plus --with-http_ssl_module
# (the original set here was only --prefix; http_stub_status_module is added alongside).
[root@localhost nginx-1.15.10]# ./configure --prefix=/usr/local/nginx --with-http_stub_status_module --with-http_ssl_module
运行上述命令,等待配置完成,然后执行命令
make # build only — do NOT run make install here, it would reinstall over the existing /usr/local/nginx tree; we only want the new binary
备份原有已安装好的nginx
# Keep a copy of the running binary so the swap below can be rolled back.
[root@localhost nginx-1.15.10]# cp /usr/local/nginx/sbin/nginx /usr/local/nginx/sbin/nginx.bak
将编译好的nginx覆盖掉原有的nginx(这个时候nginx要停止状态)
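# nginx must be stopped while its binary is replaced.
[root@localhost nginx-1.15.10]# /usr/local/nginx/sbin/nginx -s stop
# \cp -f bypasses the interactive cp=cp -i alias (the source of the "overwrite?" prompt) so the step is non-interactive.
[root@localhost nginx-1.15.10]# \cp -f ./objs/nginx /usr/local/nginx/sbin/nginx
# Syntax-check the config with the new binary before starting it; this is where a missing ssl module would show up.
[root@localhost nginx-1.15.10]# /usr/local/nginx/sbin/nginx -t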
查看是否已经加入成功
[root@localhost nginx-1.15.10]# /usr/local/nginx/sbin/nginx -V
nginx version: nginx/1.15.10
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-44) (GCC)
built with OpenSSL 1.0.2k-fips 26 Jan 2017
TLS SNI support enabled
configure arguments: --prefix=/usr/local/nginx --with-http_stub_status_module --with-http_ssl_module # 此处说明已加入成功
5. 配置nginx
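# HTTPS server
#
server {
    listen 443 ssl;
    server_name 192.168.152.3;
    ssl_certificate /usr/local/nginx/cert/cert.crt;            # certificate from step 3
    ssl_certificate_key /usr/local/nginx/cert/rsa_private.key; # unencrypted private key — keep it mode 600
    # nginx 1.15 defaults to "TLSv1 TLSv1.1 TLSv1.2"; TLSv1/1.1 are deprecated (RFC 8996).
    # TLSv1.3 is accepted by the directive but only negotiated when nginx is built against OpenSSL 1.1.1+
    # (the build in step 4 links OpenSSL 1.0.2k, so only TLSv1.2 is effective there).
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 5m;
    # HIGH alone still admits 3DES (SWEET32) and static-RSA key exchange (no forward secrecy); exclude both.
    ssl_ciphers HIGH:!aNULL:!MD5:!3DES:!kRSA;
    ssl_prefer_server_ciphers on;
    location / {
        root html;
        index index.html index.htm;
        try_files $uri $uri/ /index.html; # SPA fallback: Vue history-mode routes resolve to index.html on refresh
    }
    location /api/{
        proxy_pass http://127.0.0.1:10005; # backend API, plain HTTP on loopback
        # Tell the backend who the client is and that the original request was HTTPS; without
        # X-Forwarded-Proto, redirects/cookies the backend builds from its own view of the request point to http://.
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}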
6. nginx的SSL安全与性能调优(以下指令放入 443 的 server 块并替换其中同名指令；同一 server 块内同名指令重复出现时 nginx 会报 duplicate 错误)
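# TLSv1 and TLSv1.1 are deprecated (RFC 8996); TLSv1.3 needs OpenSSL 1.1.1+ at build time and is otherwise ignored.
ssl_protocols TLSv1.2 TLSv1.3;
# ECDHE-only AEAD suites (forward secrecy). The previous list was unsafe AND slow: RC4 is prohibited (RFC 7465),
# and "!AESGCM" removed the AES-GCM suites, which are the fastest available and the only kind TLS 1.3 uses.
# On an OpenSSL 1.0.2 build the CHACHA20 entries are simply not offered; they are harmless to list.
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
ssl_prefer_server_ciphers on;
# Session cache: 1 MB holds roughly 4000 sessions; 10m lets clients resume without a full handshake.
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;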
7. 配置http转https
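# Plain-HTTP listener that only redirects. $server_name (not $host) is used deliberately so a
# client-supplied Host header cannot steer the redirect target.
server {
    listen 80;
    server_name 192.168.152.3;
    return 301 https://$server_name$request_uri;
}
server {
    listen 443 ssl;
    server_name 192.168.152.3;
    ssl_certificate /usr/local/nginx/cert/cert.crt;            # certificate from step 3
    ssl_certificate_key /usr/local/nginx/cert/rsa_private.key; # unencrypted private key — keep it mode 600
    # nginx 1.15 defaults to "TLSv1 TLSv1.1 TLSv1.2"; TLSv1/1.1 are deprecated (RFC 8996).
    # TLSv1.3 is accepted by the directive but only negotiated when nginx is built against OpenSSL 1.1.1+
    # (the build in step 4 links OpenSSL 1.0.2k, so only TLSv1.2 is effective there).
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 5m;
    # HIGH alone still admits 3DES (SWEET32) and static-RSA key exchange (no forward secrecy); exclude both.
    ssl_ciphers HIGH:!aNULL:!MD5:!3DES:!kRSA;
    ssl_prefer_server_ciphers on;
    location / {
        root html;
        index index.html index.htm;
        try_files $uri $uri/ /index.html; # SPA fallback: Vue history-mode routes resolve to index.html on refresh
    }
    location /api/{
        proxy_pass http://127.0.0.1:10005; # backend API, plain HTTP on loopback
        # Tell the backend who the client is and that the original request was HTTPS; without
        # X-Forwarded-Proto, redirects/cookies the backend builds from its own view of the request point to http://.
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}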