NGINX開啓HTTPS最佳實踐

1.1檢查Nginx的SSL模塊是否安裝

[root@web-node1 ~]# /application/nginx/sbin/nginx -V

nginx version: nginx/1.6.3

built by gcc 4.4.7 20120313 (Red Hat 4.4.7-16) (GCC)

TLS SNI support enabled

configure arguments: –prefix=/application/nginx-1.6.3 –user=nginx –group=nginx –with-http_ssl_module –with-http_stub_status_module

1.2準備私鑰和證書

1.2.1建立服務器私鑰

[root@web-node1 ~]# cd /application/nginx/conf/

[root@web-node1 conf]# mkdir key

[root@web-node1 conf]# cd key/

[root@web-node1 key]# openssl genrsa -des3 -out server.key 1024

Generating RSA private key, 1024 bit long modulus

..++++++

…++++++

e is 65537 (0x10001)

Enter pass phrase for server.key:

Verifying – Enter pass phrase for server.key:

1.2.2簽發證書

[root@web-node1 key]# openssl req -new -key server.key -out server.csr

Enter pass phrase for server.key:

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter ‘.’, the field will be left blank.

—–

Country Name (2 letter code) [XX]:CN

State or Province Name (full name) []:BJ

Locality Name (eg, city) [Default City]:BJ

Organization Name (eg, company) [Default Company Ltd]:SDU

Organizational Unit Name (eg, section) []:SA

Common Name (eg, your name or your server’s hostname) []:XuBuSi

Email Address []:xubusi@xuliangwei.com

 

Please enter the following ‘extra’ attributes

to be sent with your certificate request

A challenge password []:

An optional company name []:

1.2.3刪除服務器私鑰口令

[root@web-node1 key]# cp server.key server.key.ori

[root@web-node1 key]# openssl rsa -in server.key.ori -out server.key

Enter pass phrase for server.key.ori:

writing RSA key

1.2.4生成使用簽名請求證書和私鑰生成自簽證書

[root@web-node1 key]# openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

Signature ok

subject=/C=CN/ST=BJ/L=BJ/O=SDU/OU=SA/CN=XuBuSi/emailAddress=xubusi@xuliangwei.com

Getting Private key

1.3開啓Nginx SSL

[root@web-node1 ~]# cat /application/nginx/conf/vhosts/www.conf

server {

server_nameblog.xuliangwei.com;

#listen       80;

listen       443;

ssl on;

ssl_certificate key/server.crt;

ssl_certificate_key key/server.key;

 

location / {

roothtml/blog;

index  index.php index.html index.htm;

access_log /app/logs/blog.xuliangwei.log main;

}

}

1.3.1重啓nginx生效

[root@web-node1 ~]# /application/nginx/sbin/nginx -s reload

[root@web-node1 ~]# netstat -lntup|grep 443

tcp        0    0 0.0.0.0:443                 0.0.0.0:*                   LISTEN      1711/nginx

1.3.2測試https

因爲該證書非第三方權威機構頒發，而是咱們本身簽發的，因此瀏覽器會警告，若是是對外的業務須要加密，必須使用商用第三方簽名證書。

1.4配置重定向80端口轉443端口

以上配置有個很差的地方，若是用戶使用時忘了使用https或者443端口，那麼將會報錯，因此咱們須要80端口的訪問轉到443端口並使用ssl加密訪問。

只須要增長一個server段，使用301永久重定向。

[root@web-node1 ~]# tail -5 /application/nginx/conf/vhosts/www.conf

server {

listen 80;

server_name blog.xuliangwei.com;

rewrite ^(.*) https://$server_name$1 permanent;

}

[root@web-node1 ~]# /application/nginx/sbin/nginx -t

nginx: the configuration file /application/nginx-1.6.3/conf/nginx.conf syntax is ok

nginx: configuration file /application/nginx-1.6.3/conf/nginx.conf test is successful

[root@web-node1 ~]# /application/nginx/sbin/nginx -s reload