一、Relevant modules
1、The ngx_http_ssl_module module
a、ssl on | off
Enables the HTTPS protocol for the given virtual server
b、ssl_certificate file
The private key file on the current virtual host that matches its certificate
c、ssl_protocols [SSLv2] [SSLv3] [TLSv1] [TLSv1.1] [TLSv1.2];
The SSL protocol versions to support; the default is the last three
d、ssl_session_cache off | none | [builtin[:size]] [shared:name:size];
builtin[:size]: use OpenSSL's built-in cache, which is private to each worker process
[shared:name:size]: use one cache shared among all worker processes
e、ssl_session_timeout time
How long a connection on the client side may reuse the SSL parameters cached in the ssl session cache.
f、Configuration example
(1)、We configure an HTTPS virtual host on 192.168.10.13 and use the 192.168.10.14 node as the CA server.
(2)、First we create a CA on 192.168.10.14
1)、First we create the private key
[root@node2 ~]# (umask 077;openssl genrsa -out /etc/pki/CA/private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus
............................................................+++
.....................................+++
e is 65537 (0x10001)
[root@node2 ~]# ll /etc/pki/CA/private/cakey.pem
-rw------- 1 root root 1675 Jun 17 20:09 /etc/pki/CA/private/cakey.pem
2)、Then we create a self-signed certificate
[root@node2 ~]# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/private/cacert.pem -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Chengdu
Locality Name (eg, city) [Default City]:Chengdu
Organization Name (eg, company) [Default Company Ltd]:wohaoshuai
Organizational Unit Name (eg, section) []:devops
Common Name (eg, your name or your server's hostname) []:cahost.wohaoshuai.com
Email Address []:
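The two steps above, as an added example that is not part of the original post: a script that builds the CA key and self-signed certificate non-interactively (the DN from the prompts is passed with -subj) and then checks what the interactive session leaves unverified, namely that the key file is readable by its owner only, that the certificate is really self-signed, and that the certificate's public key belongs to cakey.pem. It assumes openssl is installed and writes to a temporary directory instead of /etc/pki/CA, so it needs no root.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes openssl is on PATH.
# CA_DIR defaults to a temp dir (the post uses /etc/pki/CA, which needs root).
set -e

CA_DIR="${CA_DIR:-$(mktemp -d)}"
# Same DN the post typed at the prompts, given on the command line instead.
CA_SUBJ="/C=CN/ST=Chengdu/L=Chengdu/O=wohaoshuai/OU=devops/CN=cahost.wohaoshuai.com"

# Step 1): generate the CA private key under umask 077 so it is 0600 from birth.
make_ca_key() {
    mkdir -p "$CA_DIR/private"
    (umask 077; openssl genrsa -out "$CA_DIR/private/cakey.pem" 2048 2>/dev/null)
}

# Step 2): self-signed CA certificate, valid 365 days, no interactive prompts.
make_ca_cert() {
    openssl req -new -x509 -key "$CA_DIR/private/cakey.pem" \
        -out "$CA_DIR/private/cacert.pem" -days 365 -subj "$CA_SUBJ"
}

# Check: the key must not be group- or world-readable (mode 600).
key_is_private() {
    mode=$(stat -c '%a' "$CA_DIR/private/cakey.pem" 2>/dev/null \
        || stat -f '%Lp' "$CA_DIR/private/cakey.pem")
    [ "$mode" = "600" ]
}

# Check: the certificate verifies against itself, i.e. it is a self-signed root.
cert_is_self_signed() {
    openssl verify -CAfile "$CA_DIR/private/cacert.pem" \
        "$CA_DIR/private/cacert.pem" >/dev/null 2>&1
}

# Check: the public key embedded in the certificate is the one derived from cakey.pem.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$CA_DIR/private/cacert.pem" -noout -pubkey)
    key_pub=$(openssl pkey -in "$CA_DIR/private/cakey.pem" -pubout)
    [ "$cert_pub" = "$key_pub" ]
}

# Build the CA and run all three checks; returns 0 only if everything passes.
build_and_check_ca() {
    make_ca_key && make_ca_cert \
        && key_is_private && cert_is_self_signed && cert_matches_key
}
```

The same cert_matches_key comparison is the quick way to confirm that the certificate and key files nginx is pointed at actually belong together before reloading it.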
3)、Create the corresponding files and paths