RedHat 6.6下安装nginx,配置HTTPS

2023-08-04 08:56:34

1、安装依赖包

yum -y install pcre-devel openssl-devel zlib-devel

2、下载nginx安装包到服务器上,当前使用版本nginx-1.15.5.tar.gz当前使用版本

wget http://nginx.org/download/nginx-1.15.5.tar.gz

tar -xvf nginx-1.15..tar.gz

cd nginx-1.15..tar.gz

./configure --sbin-path=/usr/local/sbin --with-http_stub_status_module --with-http_ssl_module --with-threads --with-stream

make -j2

make install

3、配置nginx.conf,设置http的反向代理

server {

        listen    ;

        server_name  192.168.1.100:;

        location / {

            root   html;

            index  index.html index.htm;

        }

        location /java {

            proxy_pass   http://192.168.1.101:8090/java;

        }

    }

nginx -t 检查配置文件,确认配置文件无错之后,启动nginx,如果提示配置文件不存在可以加-C参数指定配置文件位置

4、与tomcat配置https请求,tomcat利用keystore生成证书

keytool -genkey -alias tomcat -keyalg RSA -sigalg SHA1withRSA -keySize  -keystore ./cert/.keystore

按照要求输入相关信息,假设密码为123456

#编辑tomcat conf目录下的人server.xml文件,放开Define a SSL HTTP/1.1 Connector on port 8443这段注释下的HTTPS配置

#添加秘钥文件及密码,最后配置大致如下

     <Connector port="" maxHttpHeaderSize=""

               maxThreads="" minSpareThreads="" maxSpareThreads=""

               enableLookups="false" disableUploadTimeout="true"

               acceptCount="" scheme="https" secure="true"

               clientAuth="false" sslProtocol="TLS"

               keystoreFile="/cert/.keystore" keystorePass=""/>

如需校验对方的证书,可以将对方证书导入第4步中的keystore

keytool -import -v -file /ias.cer -keystore /conf/.keystore 并修改server.xml文件,加入“truststoreFile”及“truststorePass”配置项,最后配置大概如下

     <Connector port="" maxHttpHeaderSize=""

               maxThreads="" minSpareThreads="" maxSpareThreads=""

               enableLookups="false" disableUploadTimeout="true"

               acceptCount="" scheme="https" secure="true"

               clientAuth="false" sslProtocol="TLS"

               keystoreFile="/cert/.keystore" keystorePass=""

               truststoreFile="/cert/.keystore" truststorePass=""/>

5、nginx配置https证书

mkdir /cert

cd /cert

openssl version

OpenSSL 1.0.1e-fips  Feb

# 创建服务器私钥

openssl genrsa -out server.key

#创建签名请求的CSR证书

openssl req -new -key server.key -out server.csr

cp server.key server.key.org

openssl rsa -in server.key.org -out server.key

#标记证书使用上述私钥和CSR

openssl x509 -req -days  -in server.csr -signkey server.key -out server.crt

#nginx https配置

server {

    listen  ssl;

    server_name 192.168.1.100:;

    ssl_certificate /cert/server.crt;

    ssl_certificate_key /cert/server.key;

    ssl_session_timeout 5m;

    ssl_protocols TLSv1;

    ssl_ciphers HIGH:!aNULL:!MD5;

    ssl_prefer_server_ciphers on;

    location /java {

        proxy_pass https://192.168.1.101/javatest;

    }

}
上一篇:nginx配置https转发到tomcat(使用自签名的证书)


下一篇:[记录]NGINX配置HTTPS性能优化方案一则