Preparation

```shell
# Check whether nginx is installed, and which version
sh-4.2# rpm -qa | grep -i nginx
nginx-1.12.2-1.el7_4.ngx.x86_64
```

```shell
# List where the nginx package installed its files
sh-4.2# rpm -ql nginx-1.12.2-1.el7_4.ngx.x86_64
/etc/logrotate.d/nginx
/etc/nginx
/etc/nginx/conf.d
/etc/nginx/conf.d/default.conf
/etc/nginx/fastcgi_params
/etc/nginx/koi-utf
/etc/nginx/koi-win
/etc/nginx/mime.types
/etc/nginx/modules
/etc/nginx/nginx.conf
/etc/nginx/scgi_params
/etc/nginx/uwsgi_params
/etc/nginx/win-utf
/etc/sysconfig/nginx
/etc/sysconfig/nginx-debug
/usr/lib/systemd/system/nginx-debug.service
/usr/lib/systemd/system/nginx.service
/usr/lib64/nginx
/usr/lib64/nginx/modules
/usr/libexec/initscripts/legacy-actions/nginx
/usr/libexec/initscripts/legacy-actions/nginx/check-reload
/usr/libexec/initscripts/legacy-actions/nginx/upgrade
/usr/sbin/nginx
/usr/sbin/nginx-debug
/usr/share/doc/nginx-1.12.2
/usr/share/doc/nginx-1.12.2/COPYRIGHT
/usr/share/man/man8/nginx.8.gz
/usr/share/nginx
/usr/share/nginx/html
/usr/share/nginx/html/50x.html
/usr/share/nginx/html/index.html
/var/cache/nginx
/var/log/nginx
sh-4.2#
```
Put the certificate files into the /etc/nginx/https_cert directory.
Create the https_cert directory yourself. Any other directory would also work, as long as the paths referenced in the configuration file are correct.
For how to obtain an HTTPS certificate, see the post "Passwords and certificates: an overview of HTTPS (SSL/TLS) certificates, how to obtain them, and website deployment".
I. Configuring HTTPS:
1.1 Listen on port 443

```nginx
listen 443 ssl;
```
1.2 Add the certificate and key
Note: nginx can read .crt files as well as .pem files.

```nginx
# These are relative paths; the absolute path of the first is /etc/nginx/https_cert/huaijiujia_ca_chained.crt,
# because relative paths are resolved against the nginx prefix /etc/nginx, where the main
# configuration file /etc/nginx/nginx.conf lives.
# Certificate file (contains the public key)
ssl_certificate     https_cert/huaijiujia_ca_chained.crt;
# Private key
ssl_certificate_key https_cert/huaijiujia_private.key;
```
(1) Supplement: `ssl_client_certificate /etc/ssl/certs/ca.crt;`
This is the CA certificate used to verify client certificates, i.e. the client's identity, for example the USB-key ("K宝") certificate needed to access a bank's website. Ordinary websites basically never need it.
(2) Supplement: a certificate you apply for usually comes as three files.
The first is the certificate file, which contains the public key. The second is the private key. The third is the certificate bundle: the certificate is issued by an intermediate CA that some browsers may not recognise, so the bundle proves that everything from the root certificate down to the intermediate issuer is trusted.

```apache
# Apache httpd directives, for comparison
SSLCertificateFile      /etc/ssl/example_com.crt
SSLCertificateKeyFile   /etc/ssl/private/example_com.key
SSLCertificateChainFile /etc/ssl/example_com.ca-bundle
```
An nginx configuration has only ssl_certificate and ssl_certificate_key, so the certificate file and the bundle file have to be combined into a single certificate chain file:

```shell
cat example_com.crt example_com.ca-bundle > example_com.chained.crt
```

Remember: the certificate must come first and the bundle after it; otherwise the chain will not parse.
In practice, though, the chain generated this way was still broken. When the files were concatenated with cat, the END marker of the first certificate and the BEGIN marker of the next were merged onto one line (this happens when the first file has no trailing newline):

```
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
### get merged into a single line:
-----END CERTIFICATE----------BEGIN CERTIFICATE-----
### Note in particular: when splitting them, every line has the same format, each starting with five dashes -----
```
For reference, a correct chain file has the following layout (the base64 certificate bodies of the original example are omitted here):

```
-----BEGIN CERTIFICATE-----
(base64 body of the site certificate)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(base64 body of the intermediate CA certificate)
-----END CERTIFICATE-----
```
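As an added example (not from the original post), the following Python builds the chain file the way the post describes, site certificate first and bundle second, inserting the newline that a bare cat omits, and validates the PEM layout so a fused END/BEGIN line is caught before nginx ever sees it. The certificate bodies it uses are constructed placeholders, not real certificates.

```python
import base64
import re

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"
MARKER = re.compile(r"-----(BEGIN|END) CERTIFICATE-----")

def join_pem(*texts):
    """Concatenate PEM texts, adding a newline after any text that lacks one.
    A bare `cat` skips this step, which is how END and BEGIN end up fused."""
    return "".join(t if t.endswith("\n") else t + "\n" for t in texts)

def repair_fused_markers(text):
    """Undo a bare `cat`: put a fused END/BEGIN pair back onto two lines."""
    return text.replace(END + BEGIN, END + "\n" + BEGIN)

def pem_blocks(text):
    """Return the base64 body of each certificate block, in file order.
    Raises ValueError for any structural defect (fused marker, stray data, ...)."""
    blocks, body, inside = [], [], False
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        if MARKER.search(line) and line not in (BEGIN, END):
            raise ValueError(f"line {n}: marker not on its own line: {line!r}")
        if line == BEGIN:
            if inside:
                raise ValueError(f"line {n}: BEGIN before previous END")
            inside, body = True, []
        elif line == END:
            if not inside:
                raise ValueError(f"line {n}: END without BEGIN")
            base64.b64decode("".join(body), validate=True)  # body must decode
            blocks.append("".join(body))
            inside = False
        elif inside:
            body.append(line)
        else:
            raise ValueError(f"line {n}: data outside a certificate block")
    if inside or not blocks:
        raise ValueError("no complete certificate block found")
    return blocks

def fake_pem(payload):
    """CONSTRUCTED sample: PEM framing around arbitrary bytes (not a real
    certificate), with no trailing newline, like many issuer-supplied .crt files."""
    b64 = base64.b64encode(payload).decode()
    return "\n".join([BEGIN] + [b64[i:i + 64] for i in range(0, len(b64), 64)] + [END])
```

This checks only the PEM framing and order of the blocks; to confirm that the first block really is the site certificate and the second its issuer, run `openssl x509 -in <file> -noout -subject -issuer` on each block.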
1.3 Configure the SSL protocols and cipher suites

```nginx
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers HIGH:!aNULL:!MD5;
```
II. Configuring HTTP/2:
2.1 Add the http2 flag to the listen directive for port 443.

```nginx
listen 443 http2 ssl;
```

2.2 Strengthen the cipher suites [HTTP/2 requires high-security ciphers]:

```nginx
ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
```
III. The complete configuration file:

```nginx
server {
    # listen 80;
    listen [::]:443 ssl http2 ipv6only=on;
    listen 443 http2 ssl;
    server_name www.huaijiujia.com;

    ssl_certificate     https_cert/huaijiujia_ca_chained.crt;
    ssl_certificate_key https_cert/huaijiujia_private.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    # ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;

    #charset koi8-r;
    #access_log /var/log/nginx/host.access.log main;

    root /var/www/www.huaijiujia.com;

    # WordPress local install
    index index.php index.html index.htm;

    location / {
        # try_files $uri $uri/ =404;
        try_files $uri $uri/ /index.php?q=$uri&$args;
    }

    location ~ \.php$ {
        try_files $uri =404;
        # fastcgi_pass 127.0.0.1:9000;
        # fastcgi_pass unix:/var/run/php-fpm/php-fcgi.sock;
        # Socket placed in shared memory (/dev/shm); this errored at first and I nearly
        # gave up, but it finally worked following https://blog.linuxeye.cn/364.html
        fastcgi_pass unix:/dev/shm/php-fcgi.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}
```
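Added example, not part of the original post: a small Python check over the TLS directives of a server block such as the one above (the embedded sample is a copy of the post's directives). It resolves the relative certificate paths against /etc/nginx as section 1.2 describes, and flags the legacy protocol versions and the non-forward-secret cipher entries that this configuration still allows. The prefix constant and the minimal directive parser are assumptions of this example, not nginx's own API.

```python
import posixpath
import re

NGINX_PREFIX = "/etc/nginx"   # relative paths in nginx.conf resolve against this prefix
LEGACY_PROTOCOLS = {"TLSv1", "TLSv1.1"}

def parse_directives(conf):
    """Minimal nginx config reader: drop comments, return (name, args) in order.
    Blocks are flattened, which is enough for the server-level TLS directives."""
    conf = re.sub(r"#[^\n]*", "", conf)
    return [(m.group(1), m.group(2).split()) for m in re.finditer(r"(\w+)\s+([^;{}]*?);", conf)]

def resolve_cert_paths(conf):
    """Map ssl_certificate / ssl_certificate_key to the absolute paths nginx will open."""
    return {name: posixpath.join(NGINX_PREFIX, args[0])
            for name, args in parse_directives(conf)
            if name in ("ssl_certificate", "ssl_certificate_key")}

def audit_tls(conf):
    """Return human-readable findings for the listen / ssl_* directives."""
    findings = []
    for name, args in parse_directives(conf):
        if name == "listen" and "ssl" in args and "http2" not in args:
            findings.append(f"listen {args[0]}: ssl enabled without http2")
        elif name == "ssl_protocols":
            legacy = sorted(LEGACY_PROTOCOLS & set(args))
            if legacy:
                findings.append(f"ssl_protocols allows {' '.join(legacy)} (deprecated by RFC 8996)")
        elif name == "ssl_ciphers":
            # Entries without a '!' that use RSA key exchange or 3DES give no forward
            # secrecy and fall under the HTTP/2 cipher blacklist (RFC 7540, Appendix A).
            weak = [t for t in args[0].split(":")
                    if not t.startswith("!") and (t.startswith("RSA+") or "3DES" in t)]
            if weak:
                findings.append("ssl_ciphers includes non-forward-secret suites: " + ", ".join(weak))
    return findings

# CONSTRUCTED sample: the TLS directives copied from the post's server block.
SAMPLE_SERVER = """
server {
    listen [::]:443 ssl http2 ipv6only=on;
    listen 443 http2 ssl;
    ssl_certificate https_cert/huaijiujia_ca_chained.crt;
    ssl_certificate_key https_cert/huaijiujia_private.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    # ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
}
"""
```

Calling `audit_tls(SAMPLE_SERVER)` reports the TLSv1/TLSv1.1 entries and the four RSA/3DES cipher entries; `resolve_cert_paths(SAMPLE_SERVER)` shows the two files nginx will actually open.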
IV. Other issues
Note: after enabling HTTPS in nginx, remember to open TCP port 443 in the firewall:

```shell
firewall-cmd --permanent --add-port=443/tcp
firewall-cmd --reload
```
If nginx was compiled from source, the ssl module may not have been built in, and nginx has to be rebuilt.
[The author installed with yum; the directory layout of a source install may differ.]

1. Error: `the "ssl" parameter requires ngx_http_ssl_module in /usr/local/nginx/conf/nginx.conf:37`
   Cause: nginx was built without the http_ssl_module. Pass --with-http_ssl_module to ./configure when building and the error goes away.
2. If nginx is already installed and you want to add the module:

```shell
# 1) change into the nginx source tree
cd /usr/local/src/nginx-1.11.3
# 2) see which modules the installed nginx was built with
/usr/local/nginx/sbin/nginx -V
# 3) reconfigure, adding the ssl module
./configure --prefix=/usr/local/nginx --with-http_stub_status_module --with-http_ssl_module
# 4) rebuild; do NOT run make install, it would overwrite the existing installation
make
# 5) back up the currently installed binary
cp /usr/local/nginx/sbin/nginx /usr/local/nginx/sbin/nginx.bak
# 6) replace the old binary with the freshly built one (nginx must be stopped);
#    cp asks whether to overwrite: type yes, a bare Enter defaults to not overwriting
cp ./objs/nginx /usr/local/nginx/sbin/
# 7) start nginx and list its modules: the ssl module is now present
/usr/local/nginx/sbin/nginx -V
```