Configuring an HTTPS certificate in nginx

by pxz


Published: 2016-04-13 | Categories: linux, server, nginx | Tags: https, certificate


<h3 id="h3--ssl-"><a name="一. 颁发不受浏览器信任的SSL证书方法" class="reference-link"></a><span class="header-link octicon octicon-link"></span>I. Issuing an SSL certificate that browsers do not trust</h3>
<p><strong>1. Generate the server's private key (the *.key file)</strong></p>
<p>In an HTTPS request all of the information is encrypted, and it can only be decrypted with this private key, so you must set a pass phrase on the key to keep it from being stolen and misused.<br>Example:</p>
<pre><code>[root@iZ94x7zbxcbZ httpsers]# openssl genrsa -des3 -out sgzhang.key 1024
Generating RSA private key, 1024 bit long modulus
....................................................++++++
..........................................................................++++++
e is 65537 (0x10001)
Enter pass phrase for sgzhang.key: # enter the pass phrase that protects the private key
Verifying - Enter pass phrase for sgzhang.key: # enter it again to confirm
</code></pre>
<p><strong>2. Generate the certificate signing request (the *.csr file)</strong></p>
<p>CSR stands for Certificate Signing Request. The file is submitted to a certificate authority, which signs it with the private key of its root certificate; the result is the certificate file (*.crt), i.e. the certificate issued to the requester.<br>Example:</p>
<pre><code>[root@iZ94x7zbxcbZ httpsers]# openssl req -new -key sgzhang.key -out sgzhang.csr
Enter pass phrase for sgzhang.key: # the pass phrase you set in the previous step
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN # country code
State or Province Name (full name) []:GUANGDONG # province
Locality Name (eg, city) [Default City]:SHENZHEN # city
Organization Name (eg, company) [Default Company Ltd]: # organization; just press Enter
Organizational Unit Name (eg, section) []:sgzhang # organizational unit
Common Name (eg, your name or your server's hostname) []:*.sgzhang.com # the domain the certificate is for
Email Address []:zsgcool@gmail.com # e-mail address

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: # just press Enter
An optional company name []: # just press Enter
</code></pre>
<p><strong>3. Sign the certificate yourself (generate the *.crt file)</strong></p>
<p>This amounts to acting as your own CA, but a self-signed certificate is not trusted, so the browser shows an "untrusted" warning.<br>crt stands for certificate.<br>Example:</p>
<pre><code>[root@iZ94x7zbxcbZ httpsers]# openssl x509 -req -days 365 -in sgzhang.csr -signkey sgzhang.key -out sgzhang.crt
Signature ok
subject=/C=CN/ST=GUANGDONG/L=SHENZHEN/O=Default Company Ltd/OU=sgzhang/CN=*.sgzhang.com/emailAddress=zsgcool@gmail.com
Getting Private key
Enter pass phrase for sgzhang.key: # the key's pass phrase
</code></pre>
<h3 id="h3--nginx-https-"><a name="二. 在nginx中添加https配置方法" class="reference-link"></a><span class="header-link octicon octicon-link"></span>II. Adding the HTTPS configuration to nginx</h3>
<p>The steps above produced three files:</p>
<ul>
<li>private key: .key</li>
<li>certificate signing request: .csr</li>
<li>certificate: .crt</li>
</ul>
<p>The nginx configuration needs two of them: the private key and the certificate.</p>
<p>First, the configuration before any HTTPS certificate was added:</p>
<pre><code>server {
    listen 80;
    server_name www.sgzhang.com sgzhang.com;
    access_log /data/logs/www.sgzhang.com.access.log main;
    root /data/www/www.sgzhang.com;

    location / {
        index index.php index.html index.htm;
    }

    error_page 404 /404.html;
    location = /404.html {
        root /usr/share/nginx/html;
    }

    # redirect server error pages to the static page /50x.html
    #
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root /usr/share/nginx/html;
    }

    # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
    #
    location ~ \.php$ {
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}
</code></pre>
<p><strong>1. Configure the port</strong></p>
<p>Comment out <code>listen 80;</code><br>Add <code>listen 443 ssl;</code></p>
<p><strong>2. Add the two certificate lines</strong></p>
<p><code>ssl_certificate /etc/nginx/httpscer/sgzhang.crt;</code><br><code>ssl_certificate_key /etc/nginx/httpscer/sgzhang.key;</code></p>
<p><strong>3. Inside <code>location ~ \.php$ {</code> add the parameter <code>fastcgi_param HTTPS on;</code></strong></p>
<p>The configuration after the SSL certificate has been added:</p>
<pre><code>server {
    #listen 80;
    listen 443 ssl;
    server_name www.sgzhang.com sgzhang.com;
    ssl_certificate /etc/nginx/httpscer/sgzhang.crt;
    ssl_certificate_key /etc/nginx/httpscer/sgzhang.key;
    access_log /data/logs/www.sgzhang.com.access.log main;
    root /data/www/www.sgzhang.com;

    location / {
        index index.php index.html index.htm;
    }

    error_page 404 /404.html;
    location = /404.html {
        root /usr/share/nginx/html;
    }

    # redirect server error pages to the static page /50x.html
    #
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root /usr/share/nginx/html;
    }

    # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
    #
    location ~ \.php$ {
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param HTTPS on;
        include fastcgi_params;
    }
}
</code></pre>
<p><strong>4. Reload nginx</strong></p>
<pre><code>[root@iZ94x7zbxcbZ nginx]# nginx -s reload
Enter PEM pass phrase: # the private key's pass phrase
</code></pre>
<p>Note: if you do not want to type the private key's pass phrase every time nginx is reloaded, you can strip the pass phrase from the key, but this is not recommended. The command is<br><code>openssl rsa -in sgzhang.key -out sgzhang.key</code></p>
<p><strong>5. Test by opening the domain with https:// in front</strong></p>
<p>The following warning appears. This is normal: click "Advanced" at the bottom and choose to proceed, and the page opens.</p>
<p><img class="alignnone size-full wp-image-417" src="http://www.sgzhang.com/uploads/2017/01/https01.png" alt="" width="585" height="402" /></p>
<p>The warning appears because the certificate is self-signed and therefore not trusted, but encrypted transport works all the same and the effect is identical. If the site is not meant to be opened in a browser and only serves as an API for an app, this is acceptable.</p>
<h3 id="h3--ssl-"><a name="三. 申请受浏览器信作的ssl证书方法" class="reference-link"></a><span class="header-link octicon octicon-link"></span>III. Requesting an SSL certificate that browsers trust</h3>
<p>If your site has to be accessed from browsers, you must request a trusted certificate. The procedure is as follows:</p>
<p><strong>1. Register an account at <code>https://www.startssl.com/SignUp</code> and log in</strong></p>
<p><strong>2. Validate the domain and request the certificate</strong></p>
<p>1) Select Domain Validation as shown and click Continue</p>
<p><img class="alignnone size-full wp-image-418" src="http://www.sgzhang.com/uploads/2017/01/ssl01.png" alt="" width="487" height="407" /></p>
<p>2) Enter your domain and click Continue</p>
<p><img class="alignnone size-full wp-image-419" src="http://www.sgzhang.com/uploads/2017/01/ssl02.png" alt="" width="481" height="263" /></p>
<p>3) Choose a mailbox at your domain and click Send Verification Code. If you have no mailbox at the domain, set one up first. Then fetch the code from the mailbox, enter it in the Verification code field as shown, and click Validation</p>
<p><img class="alignnone size-full wp-image-420" src="http://www.sgzhang.com/uploads/2017/01/ssl03.png" alt="" width="478" height="460" /></p>
<p>4) Once validation succeeds, click To "Order SSL Certificate" to request the certificate</p>
<p><img class="alignnone size-full wp-image-421" src="http://www.sgzhang.com/uploads/2017/01/ssl04.png" alt="" width="923" height="243" /></p>
<p>5) On the certificate request page, the first input box takes the domain(s) the SSL certificate is for; several subdomains may be entered.<br>The second input box takes the content of the certificate signing request. The command that generates it is shown in red in the screenshot below; here is my run of it:</p>
<pre><code>[root@iZ94x7zbxcbZ httpscer]# openssl req -newkey rsa:2048 -keyout sgzhang_startssl.key -out sgzhang_startssl.csr
Generating a 2048 bit RSA private key
..........................+++
...............................................................................................+++
writing new private key to 'sgzhang_startssl.key'
Enter PEM pass phrase: # set the private key's pass phrase
Verifying - Enter PEM pass phrase: # enter it again
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN # country code
State or Province Name (full name) []:GUANGDONG # province
Locality Name (eg, city) [Default City]:SHENZHEN # city
Organization Name (eg, company) [Default Company Ltd]: # organization; just press Enter
Organizational Unit Name (eg, section) []:sgzhang # organizational unit
Common Name (eg, your name or your server's hostname) []:*.sgzhang.com # the domain the certificate is for
Email Address []:zsg391@qq.com # e-mail address

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: # just press Enter
An optional company name []: # just press Enter
</code></pre>
<p>When the command finishes, two files have been created:<br>sgzhang_startssl.key : the private key<br>sgzhang_startssl.csr : the certificate signing request</p>
<p>The second text box in the screenshot below takes the content of sgzhang_startssl.csr. Once it is filled in, click Submit</p>
<p><img class="alignnone size-full wp-image-422" src="http://www.sgzhang.com/uploads/2017/01/ssl05.png" alt="" width="905" height="937" /></p>
<p>6) The certificate request succeeded; click the blue "here" to download the certificate</p>
<p><img class="alignnone size-full wp-image-423" src="http://www.sgzhang.com/uploads/2017/01/ssl06.png" alt="" width="786" height="199" /></p>
<h3 id="h3--nginx-startssl-"><a name="四. nginx中更改使用startssl证书" class="reference-link"></a><span class="header-link octicon octicon-link"></span>IV. Switching nginx to the StartSSL certificate</h3>
<p><strong>1. The StartSSL certificate requested in the previous step has been downloaded; unpacked, it looks like this:</strong></p>
<p><img class="alignnone size-full wp-image-425" src="http://www.sgzhang.com/uploads/2017/01/nginxcrt01.png" alt="" width="132" height="77" /></p>
<p>Since the server runs nginx, unpack NginxServer.zip. It contains <code>1_www.sgzhang.com_bundle.crt</code>, which is the certificate file nginx will use; upload it to the server.</p>
<p>After the upload the server holds three files:</p>
<p>sgzhang_startssl.key : the private key<br>sgzhang_startssl.csr : the certificate signing request<br>1_www.sgzhang.com_bundle.crt : the certificate</p>
<p><strong>2. Change the site configuration</strong></p>
<p>Only the private key and certificate paths in the existing configuration need to change:<br><code>ssl_certificate /etc/nginx/httpscer/sgzhang.crt;</code><br><code>ssl_certificate_key /etc/nginx/httpscer/sgzhang.key;</code><br>become<br><code>ssl_certificate /etc/nginx/httpscer/1_www.sgzhang.com_bundle.crt;</code><br><code>ssl_certificate_key /etc/nginx/httpscer/sgzhang_startssl.key;</code></p>
<p>The final site configuration:</p>
<pre><code>server {
    #listen 80;
    listen 443 ssl;
    server_name www.sgzhang.com sgzhang.com;
    ssl_certificate /etc/nginx/httpscer/1_www.sgzhang.com_bundle.crt;
    ssl_certificate_key /etc/nginx/httpscer/sgzhang_startssl.key;
    access_log /data/logs/www.sgzhang.com.access.log main;
    root /data/www/www.sgzhang.com;

    location / {
        index index.php index.html index.htm;
    }

    error_page 404 /404.html;
    location = /404.html {
        root /usr/share/nginx/html;
    }

    # redirect server error pages to the static page /50x.html
    #
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root /usr/share/nginx/html;
    }

    # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
    #
    location ~ \.php$ {
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param HTTPS on;
        include fastcgi_params;
    }
}
</code></pre>
<p><strong>3. Reload nginx</strong></p>
<p><code>nginx -s reload</code></p>
<p><strong>4. Reopen the site. The green verified icon next to https now shows that the certificate is trusted.</strong></p>
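The three openssl steps of section I, as an added example that is not part of the original post: they run without prompts and are followed by the checks worth doing before handing the files to nginx (the CN is the intended host name, subject equals issuer, which is exactly why the browser warns in II.5, and key and certificate belong together). The pass phrase, the temporary directory and the 2048-bit key size are this example's assumptions; 2048 replaces the post's 1024, which public CAs and browsers no longer accept.

```shell
#!/bin/sh
# Added example, not from the original post. PASS is a placeholder for the
# pass phrase typed at the prompts in section I.
set -eu
PASS='CHANGE-ME-placeholder'

# Encrypted key, CSR with the post's DN, and a 365-day self-signed cert in $1.
make_selfsigned() {
    d=$1
    openssl genrsa -aes256 -passout "pass:$PASS" -out "$d/sgzhang.key" 2048 2>/dev/null
    openssl req -new -key "$d/sgzhang.key" -passin "pass:$PASS" \
        -subj '/C=CN/ST=GUANGDONG/L=SHENZHEN/OU=sgzhang/CN=*.sgzhang.com' \
        -out "$d/sgzhang.csr"
    openssl x509 -req -days 365 -in "$d/sgzhang.csr" -signkey "$d/sgzhang.key" \
        -passin "pass:$PASS" -out "$d/sgzhang.crt" 2>/dev/null
}

# Subject CN: the name the browser compares against the host it connected to.
cert_cn() {
    openssl x509 -noout -subject -nameopt RFC2253 -in "$1" | sed 's/.*CN=\([^,]*\).*/\1/'
}

# Subject == issuer is what makes the browser show the warning of section II
# step 5; a CA-issued certificate (section III) fails this test.
is_self_signed() {
    s=$(openssl x509 -noout -subject -nameopt RFC2253 -in "$1")
    i=$(openssl x509 -noout -issuer -nameopt RFC2253 -in "$1")
    [ "${s#subject=}" = "${i#issuer=}" ]
}

# The public key inside the certificate must equal the one derived from the
# private key, or nginx refuses the pair at reload. Also works for the bundle
# of section IV, whose first PEM block is the server certificate.
key_matches_cert() {
    [ "$(openssl pkey -in "$1" -passin "pass:$PASS" -pubout)" = \
      "$(openssl x509 -noout -pubkey -in "$2")" ]
}

# True while the key is still pass-phrase protected, i.e. reload will prompt.
key_is_encrypted() { grep -q ENCRYPTED "$1"; }

d=$(mktemp -d)
make_selfsigned "$d"
echo "CN: $(cert_cn "$d/sgzhang.crt")"
is_self_signed "$d/sgzhang.crt" && echo 'self-signed: browsers will warn'
key_matches_cert "$d/sgzhang.key" "$d/sgzhang.crt" && echo 'key matches certificate'
```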
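An added check, not from the original post, for the three edits of section II: it audits a server block for <code>listen 443 ssl</code>, both <code>ssl_*</code> lines and <code>fastcgi_param HTTPS on</code> (which PHP exposes as <code>$_SERVER['HTTPS']</code>), after discarding comments so that the commented-out <code>listen 80</code> is ignored. The embedded config is constructed after the final one in section IV; note that major browsers stopped trusting StartCom certificates in 2017, so today any public CA's bundle takes that file's place.

```shell
#!/bin/sh
# Added example, not from the original post: audit an nginx server block for the
# changes of section II. The config below is constructed after the post's final one.
set -u

# Print one line per finding and return their number; 0 means the block carries
# every change the post describes.
audit_https() {
    live=$(sed 's/#.*//' "$1")          # drop comments so "#listen 80;" is ignored
    n=0
    has() { printf '%s\n' "$live" | grep -Eq "$1"; }
    has '^[[:space:]]*listen[[:space:]]+443[[:space:]]+ssl' ||
        { echo 'missing: listen 443 ssl;'; n=$((n+1)); }
    has '^[[:space:]]*listen[[:space:]]+80[[:space:]]*;' &&
        { echo 'note: listen 80 is still active (the post comments it out)'; n=$((n+1)); }
    for d in ssl_certificate ssl_certificate_key; do
        has "^[[:space:]]*$d[[:space:]]+[^;]+;" ||
            { echo "missing: $d <file>;"; n=$((n+1)); }
    done
    # without this PHP sees $_SERVER['HTTPS'] unset and treats the request as plain HTTP
    has 'fastcgi_param[[:space:]]+HTTPS[[:space:]]+on[[:space:]]*;' ||
        { echo 'missing: fastcgi_param HTTPS on; in the PHP location'; n=$((n+1)); }
    return "$n"
}

# Constructed server block modelled on the post's final configuration.
write_https_conf() {
    cat > "$1" <<'EOF'
server {
    #listen 80;
    listen 443 ssl;
    server_name www.sgzhang.com sgzhang.com;
    ssl_certificate /etc/nginx/httpscer/1_www.sgzhang.com_bundle.crt;
    ssl_certificate_key /etc/nginx/httpscer/sgzhang_startssl.key;
    root /data/www/www.sgzhang.com;
    location ~ \.php$ {
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param HTTPS on;
        include fastcgi_params;
    }
}
EOF
}

conf=$(mktemp)
write_https_conf "$conf"
audit_https "$conf" && echo "ok: $conf has the HTTPS settings from the post"
```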
