环境 CentOS 7 X86
文档:
安装:
[root@dpdk ~]# cat /etc/yum.repos.d/nginx.repo
[nginx]
name=nginx repo
baseurl=http://nginx.org/packages/centos/7/$basearch/
gpgcheck=
enabled=
[root@dpdk ~]#
[root@dpdk ~]# yum install nginx
配置文件: 默认不需要更改
[root@dpdk ~]# vim /etc/nginx/nginx.conf
[root@dpdk ~]# vim /etc/nginx/conf.d/default.conf
启动:
# nginx
或
# systemctl start nginx
浏览器直接访问即可。
自定义页:拷贝至配置文件指定的目录后,就可以在浏览器中访问了。
[root@dpdk html]# pwd
/usr/share/nginx/html
[root@dpdk html]# ll
total
-rw-r--r--. root root Apr : 50x.html
-rw-r--r--. root root May : index_a.html
-rw-r--r--. root root May : index.html
-rw-r--r--. root root May : lonely.jpg
[root@dpdk html]#
如: http://192.168.7.4/index_a.html
可以设置反向代理,使用 proxy_pass / fastcgi_pass 命令。参见文档。 https://nginx.org/en/docs/beginners_guide.html
配置:
文档已跳转至此处 https://www.nginx.com/resources/admin-guide/?_ga=2.110665989.1403939205.1494566587-476641588.1494561559
如何配https:
https://nginx.org/en/docs/http/ngx_http_ssl_module.html
[root@dpdk ~]# cd /etc/nginx/conf.d/
[root@dpdk conf.d]# touch https.conf
自签名证书:[https][openssl] OpenSSL 公钥、私钥以及自签名证书
生成根证书:
/home/tong/Keys/https [tong@T7] [:]
> openssl genrsa -out root.key
/home/tong/Keys/https [tong@T7] [:]
> openssl req -new -key root.key -out root.csr -subj "/C=CN/ST=BeiJing/L=BeiJing/O=Tartaglia/CN=TTTrust/emailAddress=ca@tartaglia.org"
/home/tong/Keys/https [tong@T7] [:]
> openssl x509 -req -days -sha1 -extensions v3_ca -signkey root.key -in root.csr -out root.cer
Signature ok
subject=C = CN, ST = BeiJing, L = BeiJing, O = Tartaglia, CN = TTTrust, emailAddress = ca@tartaglia.org
Getting Private key
用根证书签名服务器证书
/home/tong/Keys/https/test [tong@T7] [:]
> openssl genrsa -out server-key.pem
Generating RSA private key, bit long modulus
..........................................+++
.............................+++
e is (0x010001) /home/tong/Keys/https/test [tong@T7] [:]
> openssl req -new -key server-key.pem -out server.csr -subj "/C=CN/ST=BeiJing/L=BeiJing/O=Tartaglia/OU=onescorpion/CN=TTTrust/emailAddress=ones@tartaglia.org"
/home/tong/Keys/https/test [tong@T7] [:]
> openssl x509 -req -days -sha1 -extensions v3_req -CA ../root/root.cer -CAkey ../root/root.key -CAserial ca.srl -CAcreateserial -in server.csr -out server.cer
Signature ok
subject=C = CN, ST = BeiJing, L = BeiJing, O = Tartaglia, OU = onescorpion, CN = TTTrust, emailAddress = ones@tartaglia.org
Getting CA Private Key
/home/tong/Keys/https/test [tong@T7] [:]
> openssl x509 -outform der -in server.cer -out pulicserver.ccerrificate.der
/home/tong/Keys/https/root [tong@T7] [:]
> ll
total 12K
-rw-r--r-- tong tong .3K May : root.cer
-rw-r--r-- tong tong .1K May : root.csr
-rw------- tong tong .7K May : root.key
/home/tong/Keys/https/test [tong@T7] [:]
> ll
total 20K
-rw-r--r-- tong tong May : ca.srl
-rw-r--r-- tong tong May : pulicserver.ccerrificate.der
-rw-r--r-- tong tong .3K May : server.cer
-rw-r--r-- tong tong .1K May : server.csr
-rw------- tong tong .7K May : server-key.pem
编辑 https.conf
[root@dpdk conf.d]# cat https.conf server {
listen ssl;
ssl_certificate /etc/nginx/conf.d/server.cer;
# ssl_certificate_key should be PEM format.
ssl_certificate_key /etc/nginx/conf.d/server-key.pem;
# see 'man ciphers' for detail.
ssl_ciphers 'DEFAULT:!DHE:!ECDHE:!kDHE:!kECDHE:!ECDH';
# ssl_ciphers 'RSA:!NULL'; location / {
root /usr/share/nginx/html;
index index.html index.htm;
}
}
[root@dpdk conf.d]#
---------------- update @ 20170522 (发给同事的邮件) --------------------
使用如下配置,可以启用nginx的https
[root@dpdk conf.d]# cat https.conf server {
listen 1443 ssl;
ssl_certificate /etc/nginx/conf.d/server.cer;
# ssl_certificate_key should be PEM format.
ssl_certificate_key /etc/nginx/conf.d/server-key.pem;
# see 'man ciphers' for detail.
ssl_ciphers 'DEFAULT:!DHE:!ECDHE:!kDHE:!kECDHE:!ECDH';
# ssl_ciphers 'RSA:!NULL'; location / {
root /usr/share/nginx/html;
index index.html index.htm;
}
}
[root@dpdk conf.d]#
其中,ssl_ciphers 是用来指定加密算法的。
这个选项的参数和语法,是由openssl决定的,默认是 ALL:!COMPLEMENTOFDEFAULT:!eNULL
具体的语法修改,参考手册 man ciphers 里面的 CIPHER STRINGS 章节。
禁用PFS的途径实际上就是禁用PFS算法,一般带ECDHE / DHE
关键字的算法,都是PFS的。通过测试,我选用了如下关键字,你可以多尝试一下:
'DEFAULT:!DHE:!ECDHE:!kDHE:!kECDHE:!ECDH';
另外,使用如下命令,可以查看你的参数,选用了什么算法:
/home/tong/VM/base [tong@T7] [17:39]
> openssl ciphers -v 'ALL:!COMPLEMENTOFDEFAULT:!eNULL'