Configuring HTTPS for Nginx

This article describes how to configure HTTPS for Nginx on AWS, with a free certificate generated by Certbot.

https://certbot.eff.org/#pip-nginx

1. Compile and install Nginx

AWS system version: Linux ip-172-31-37-112.eu-west-1.compute.internal 3.10.0-327.el7.x86_64 #1 SMP Thu Oct 29 17:29:29 EDT 2015 x86_64 x86_64 x86_64 GNU/Linux

yum -y install gcc gcc-c++ autoconf automake
yum -y install zlib zlib-devel openssl openssl-devel pcre pcre-devel

wget http://nginx.org/download/nginx-1.10.2.tar.gz
tar xvf nginx-1.10.2.tar.gz

mkdir nginx
cd nginx-1.10.2

./configure --prefix=/root/nginx/ --with-http_ssl_module

Problem:

./configure: error: SSL modules require the OpenSSL library.
You can either do not enable the modules, or install the OpenSSL library
into the system, or build the OpenSSL library statically from the source
with nginx by using --with-openssl=<path> option.

Solution: make sure the OpenSSL development package is actually installed (./configure needs its headers), then run ./configure again:

yum -y install openssl openssl-devel

Install:

make && make install

Test:

[root@ip-172-31-37-112 conf]# curl http://localhost
<html>
<head><title>403 Forbidden</title></head>
<body bgcolor="white">
<center><h1>403 Forbidden</h1></center>
<hr><center>nginx/1.10.2</center>
</body>
</html>

Problem: 403 error

Solution:

vi conf/nginx.conf and change "# user nobody;" to "user root;". (The 403 comes from the worker processes running as nobody, which cannot read a web root under /root; running the workers as root makes the error disappear but also removes that protection, so giving nobody read access to /root/nginx/html, or placing the web root outside /root, is the safer fix.)

nginx -s reload

curl http://localhost
Welcome to nginx!


2. Configure the AWS security group

By default AWS does not open ports 80 and 443. Under the instance's security group > Edit inbound rules, only SSH is allowed by default; HTTP and HTTPS must be added.


3. Point the domain at the AWS EC2 instance

http://www.51scala.com


4. Generate the certificate

Use Certbot's free certificate service; the steps for generating the certificate are given directly on its website:

https://certbot.eff.org/

I used the nginx + Other Unix installation method.

First go to the web server directory:

cd /root/nginx/html

Generate the certificate files:

./certbot-auto certonly --standalone -d www.51scala.com -d 51scala.com

When it succeeds, it prints the following:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
tls-sni-01 challenge for www.51scala.com
tls-sni-01 challenge for 51scala.com
Waiting for verification...
Cleaning up challenges
Generating key (2048 bits):/etc/letsencrypt/keys/0000_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/0000_csr-certbot.pem

IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at
/etc/letsencrypt/live/www.51scala.com/fullchain.pem. Your cert will
expire on 2017-01-24. To obtain a new or tweaked version of this
certificate in the future, simply run certbot-auto again. To
non-interactively renew *all* of your certificates, run
"certbot-auto renew"
- If you lose your account credentials, you can recover through
e-mails sent to handmail@163.com.
- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
- If you like Certbot, please consider supporting our work by:

Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le

This yields the key and CSR files; the two files nginx will use, fullchain.pem and privkey.pem, are saved under /etc/letsencrypt/live/www.51scala.com/.


Next, generate the ssl_dhparam file (in the directory the nginx configuration below points at):

$ sudo mkdir /root/nginx/ssl
$ sudo openssl dhparam -out /root/nginx/ssl/dhparam.pem 2048


5. Configure nginx

    server {
        listen       443 ssl;
        server_name  www.51scala.com;

        # certificate chain and private key written by certbot (section 4)
        ssl_certificate     /etc/letsencrypt/live/www.51scala.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/www.51scala.com/privkey.pem;
        # DH parameters generated with openssl dhparam (section 4)
        ssl_dhparam         /root/nginx/ssl/dhparam.pem;

        ssl_session_cache    shared:SSL:1m;
        ssl_session_timeout  5m;

        ssl_ciphers  HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers  on;

        location / {
            root   html;
            index  index.html index.htm;
        }
    }
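To make the trade-offs in this server block visible, here is an added example that is not part of the original post: a small POSIX sh audit script that reads an nginx configuration on stdin and reports the TLS settings a scanner such as SSL Labs (section 6) would also flag. It embeds the server block above as sample input and an assumed hardened variant (plain HTTP redirected to HTTPS, TLS 1.2 only, an HSTS header) for comparison; the hardened block, the function names and the finding texts are my assumptions, not the post's.

```shell
#!/bin/sh
# Added example, not part of the original post: a small audit of the TLS
# directives in an nginx configuration, together with the post's server block
# (sample_post_conf) and an assumed hardened variant (sample_hardened_conf).
# Assumes POSIX sh, sed and grep; nginx itself is not needed to run it.

# The server block from the post, reproduced here as the sample input.
sample_post_conf() {
    cat <<'EOF'
    server {
        listen       443 ssl;
        server_name  www.51scala.com;
        ssl_certificate /etc/letsencrypt/live/www.51scala.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/www.51scala.com/privkey.pem;
        ssl_dhparam /root/nginx/ssl/dhparam.pem;
        ssl_session_cache    shared:SSL:1m;
        ssl_session_timeout  5m;
        ssl_ciphers  HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers  on;
        location / {
            root   html;
            index  index.html index.htm;
        }
    }
EOF
}

# Hardened variant (assumed, not from the post): plain HTTP redirected to HTTPS,
# TLS 1.2 only (nginx 1.10.2 predates TLS 1.3 support), and an HSTS header.
sample_hardened_conf() {
    cat <<'EOF'
    server {
        listen 80;
        server_name www.51scala.com 51scala.com;
        return 301 https://www.51scala.com$request_uri;
    }
    server {
        listen 443 ssl;
        server_name www.51scala.com;
        ssl_certificate /etc/letsencrypt/live/www.51scala.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/www.51scala.com/privkey.pem;
        ssl_dhparam /root/nginx/ssl/dhparam.pem;
        ssl_protocols TLSv1.2;
        ssl_ciphers HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers on;
        ssl_session_cache shared:SSL:1m;
        ssl_session_timeout 5m;
        add_header Strict-Transport-Security "max-age=31536000" always;
        location / {
            root html;
            index index.html index.htm;
        }
    }
EOF
}

# Read an nginx configuration on stdin and print one finding per line; print
# nothing when no finding applies. Comments are stripped first so that a
# commented-out directive is not mistaken for an active one.
audit_nginx_tls() {
    live=$(sed 's/#.*$//')
    printf '%s\n' "$live" | grep -q 'ssl_protocols' \
        || echo "no ssl_protocols directive: nginx 1.10 then also offers TLSv1 and TLSv1.1"
    printf '%s\n' "$live" | grep -Eq 'ssl_protocols[^;]*TLSv1(\.1)?[ ;]' \
        && echo "ssl_protocols still enables TLSv1 or TLSv1.1"
    printf '%s\n' "$live" | grep -Eq 'listen +80[ ;]' \
        || echo "no listener on port 80: http:// requests are not redirected to https://"
    printf '%s\n' "$live" | grep -q 'Strict-Transport-Security' \
        || echo "no Strict-Transport-Security (HSTS) header: browsers keep following plain-HTTP links"
    printf '%s\n' "$live" | grep -q 'ssl_dhparam' \
        || echo "no ssl_dhparam: nginx before 1.11.0 falls back to a built-in 1024-bit DH group"
    return 0
}
```

Running sample_post_conf | audit_nginx_tls reports three findings for the post's configuration (no ssl_protocols, no port-80 redirect, no HSTS); the hardened sample reports none. The audit is a plain grep over the active directives, so it checks that a setting is present, not how nginx behaves; ./nginx -t and the SSL Labs scan in section 6 remain the real test.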

Test it:

./nginx -t
nginx: the configuration file /root/nginx//conf/nginx.conf syntax is ok
nginx: configuration file /root/nginx//conf/nginx.conf test is successful

Done.

6. Test the site's certificate

https://www.ssllabs.com

The test results are as follows:
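SSL Labs tests the server from outside. As an added example that is not part of the original post, the following POSIX sh script runs the equivalent checks locally against the files certbot wrote in section 4: that fullchain.pem covers the domain, that privkey.pem is the matching key, and that the certificate is not about to expire (the certbot output above gives 2017-01-24), plus an optional network check of the chain the server actually serves. It assumes openssl 1.0.2 or later on PATH; the function names and the 14-day threshold are my choices, and the domain and paths are the ones the post uses.

```shell
#!/bin/sh
# Added example, not part of the original post: offline sanity checks for the
# files certbot wrote under /etc/letsencrypt/live/<domain>/ plus an optional
# live check of the running server. Assumes openssl (1.0.2 or later) on PATH;
# the domain and paths in run_checks are the ones the post uses.

# True (exit 0) when the certificate in $1 expires within $2 days, or cannot be
# read at all (fail closed). Let's Encrypt certificates are valid for 90 days and
# certbot renews them when 30 remain, so alerting at 14 days catches a renewal
# that has silently stopped working.
cert_expires_within() {
    openssl x509 -noout -in "$1" -checkend $(($2 * 86400)) >/dev/null 2>&1 && return 1
    return 0
}

# True when the certificate in $1 is valid for host $2 (SAN entries, falling back
# to the CN when the certificate carries no SAN). A certificate that does not
# cover the requested name is the usual cause of browser warnings after a
# certbot run with the wrong -d list.
cert_covers_host() {
    openssl x509 -noout -in "$1" -checkhost "$2" 2>/dev/null | grep -q 'does match'
}

# True when the private key in $2 belongs to the certificate in $1 (the public
# key derived from each must be identical); nginx refuses to start with a
# "key values mismatch" error when they differ, e.g. fullchain.pem from one
# certbot run paired with privkey.pem from another.
cert_key_match() {
    c=$(openssl x509 -noout -pubkey -in "$1" 2>/dev/null) || return 1
    k=$(openssl pkey -pubout -in "$2" 2>/dev/null) || return 1
    [ "$c" = "$k" ]
}

# Live check (needs network access; not used by the offline test): connect with
# SNI and require a served chain that validates against the local trust store.
live_chain_ok() {
    printf '' | openssl s_client -servername "$1" -connect "$1:443" 2>/dev/null \
        | grep -q 'Verify return code: 0 (ok)'
}

# Run every check for the post's domain and stop at the first failure, so the
# script can be wired into cron after "certbot-auto renew".
run_checks() {
    domain=www.51scala.com
    dir=/etc/letsencrypt/live/$domain
    cert_covers_host "$dir/fullchain.pem" "$domain" || { echo "cert does not cover $domain"; return 1; }
    cert_key_match "$dir/fullchain.pem" "$dir/privkey.pem" || { echo "cert/key mismatch"; return 1; }
    cert_expires_within "$dir/fullchain.pem" 14 && { echo "cert expires within 14 days"; return 1; }
    live_chain_ok "$domain" || { echo "served chain does not validate"; return 1; }
    echo "all checks passed for $domain"
}

# Only run the checks when asked, so the file can also be sourced for its functions.
case "${1:-}" in run) run_checks ;; esac
```

Run it as sh cert_check.sh run on the server after each certbot-auto renew (for example from cron). One caveat for the standalone plugin used above: certbot binds port 443 itself during the tls-sni-01 challenge, so a renewal attempted while nginx is listening fails; pairing the renewal with certbot-auto renew --pre-hook / --post-hook commands that stop and restart nginx is the usual arrangement.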

 

This article mainly referenced: http://blog.csdn.net/cstopery/article/details/51911298
