NGINX配置证书

1、购买证书或自签发证书

自签发证书,前提是已安装 openssl

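# Generate an RSA private key. The number is the key size in bits; 2048 is the
# minimum current browsers and CAs accept, and 1024-bit RSA is considered too weak.
openssl genrsa -out private.key 2048
# The key is left unencrypted (see below), so file permissions are its only
# protection: make it readable by its owner only.
chmod 600 private.key

# Create a certificate signing request (CSR).
# openssl prompts for province, city, domain, e-mail, etc. The Common Name must
# be the site's domain name; if there is no domain and clients connect by IP,
# enter the server IP instead.
# For a self-signed certificate the private key is usually left unencrypted so
# that nginx can start without a passphrase prompt.
# NOTE(review): current browsers validate the subjectAltName extension rather
# than the Common Name, and this flow does not add one; supply it through an
# extension file (openssl x509 -extfile) when signing if browsers must trust it.
openssl req -new -key private.key -out cert_req.csr

# Self-sign the certificate. For a certificate issued by a public CA, send
# cert_req.csr to the CA instead.
# Keep the validity short and renew: a leaked key stays usable until the
# certificate expires, and a multi-thousand-year lifetime runs past year 9999,
# which X.509 time fields cannot represent.
openssl x509 -req -sha256 -days 365 -in cert_req.csr -signkey private.key -out server_cert.crt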

2、配置NGINX

# Install the build dependencies.
yum -y install \
  openssl openssl-devel \
  zlib zlib-devel \
  pcre pcre-devel \
  gcc gcc-c++ make libtool
# If nginx was deployed earlier, `nginx -V` shows whether the SSL module is built in.
./configure \
  --prefix=/usr/share/nginx \
  --with-http_ssl_module \
  --with-http_stub_status_module
make

3、配置证书

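   server {
        # TLS is enabled with the "ssl" parameter of listen; the separate
        # "ssl on;" directive is deprecated since nginx 1.15.0 and rejected by
        # recent releases.
        listen       443 ssl;
        server_name  192.168.5.137;

        # Certificate (public) and its private key. The key file should be
        # readable only by the user that starts nginx.
        ssl_certificate /usr/share/nginx/ssl/7243397__jasolar.com.pem;
        ssl_certificate_key /usr/share/nginx/ssl/7243397__jasolar.com.key;
        # Consider setting ssl_protocols explicitly (TLSv1.2 and newer); the
        # default protocol set depends on the nginx version.

        # Exact match for "/" only; index causes an internal redirect to
        # /index.html, which is then served from the server-level root.
        location  = / {
            root /usr/share/nginx/html;
            index index.html;
        }
   }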

4、配置访问80转发443

4.1、创建目录:mkdir /usr/share/nginx/conf.d

4.2、配置https证书,转发代理

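http {

    keepalive_timeout  65;

    # NOTE(review): step 4.1 creates /usr/share/nginx/conf.d, but this include
    # reads /usr/share/nginx/conf/conf.d; make the two paths agree, otherwise
    # a.conf and b.conf are never loaded.
    include /usr/share/nginx/conf/conf.d/*.conf;

    # Default document root for servers that do not set their own. It points at
    # the html directory rather than the install prefix, because the prefix
    # also holds ssl/ (private key) and conf/, which must never be servable.
    root /usr/share/nginx/html;

    server {
        listen       443 ssl;
        server_name  yw.jasolar.com;

        # Certificate (public) and its private key. The key file should be
        # readable only by the user that starts nginx.
        ssl_certificate /usr/share/nginx/ssl/7243397__jasolar.com.pem;
        ssl_certificate_key /usr/share/nginx/ssl/7243397__jasolar.com.key;
        # Consider setting ssl_protocols explicitly (TLSv1.2 and newer); the
        # default protocol set depends on the nginx version.

        # Terminate TLS here and forward every request to the plain-HTTP
        # server on this host. A root directive has no effect in a location
        # that proxies all requests, so none is set.
        location / {
            proxy_pass http://localhost/;
            proxy_redirect              off;
            # Pass the original host and client address to the backend.
            proxy_set_header            Host $host:$server_port;
            proxy_set_header            X-real-ip $remote_addr;
            proxy_set_header            X-Forwarded-For $proxy_add_x_forwarded_for;
        }
    }
}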

4.3、在conf.d目录下新建a.conf,配置访问本地测试文件

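    server {
        listen       80;
        server_name  yw.jasolar.com;

        # NOTE(review): the locations below use the install prefix
        # /usr/share/nginx/ as root. That directory also holds ssl/ and conf/,
        # so the regex locations are anchored with ^ to keep them from
        # resolving paths under any other directory of the prefix.

        # http://192.168.5.137/a/
        # "=" is an exact match for /a/ only. index triggers an internal
        # redirect to /a/a.html, which no longer matches this location and is
        # handled by "location /"; use a prefix location (/a/) if the alias
        # directory itself must serve the file.
        location  = /a/ {
            alias /usr/share/nginx/a/;
            index a.html;
        }

        # http://192.168.5.137/b/
        # "^~" is a prefix match that stops regex locations from being checked.
        location  ^~ /b/ {
            root /usr/share/nginx/;
            index b.html;
        }

        # http://192.168.5.137/c/
        # "~" is a case-sensitive regex match. Without the ^ anchor it would
        # match "/c/" anywhere in the URI.
        location  ~ ^/c/ {
            root /usr/share/nginx/;
            #return 200 "suc";
            index c.html;
        }

        # http://192.168.5.137/d/
        # "~*" is a case-insensitive regex match, anchored for the same reason.
        location  ~* ^/d/ {
            root /usr/share/nginx/;
            index d.html;
        }

        # http://192.168.5.137/e/e.html
        # Case-insensitive regex: a single-letter .html file directly under /e/.
        location  ~* ^/e/[a-z]\.html$ {
            root /usr/share/nginx/;
            #index e.html;
        }

        # http://192.168.5.137
        # Fallback prefix match for everything else.
        location  / {
            root /usr/share/nginx/html/;
            index index.html;
        }
    }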

4.4、新建b.conf,配置访问80请求转成https

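    server {
        # Plain-HTTP listener whose only job is to redirect to HTTPS.
        listen       80;
        server_name  jasolar.com;
        # "return 301" is the documented way to redirect a whole server; it
        # avoids regex processing and keeps the original path and query string.
        return 301 https://yw.jasolar.com$request_uri;
        # NOTE(review): only jasolar.com is redirected. yw.jasolar.com on port
        # 80 is still answered in clear text by a.conf, because the 443 server
        # proxies to it; restrict that listener to the loopback address if
        # clients should not reach it directly.
    }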