Https服务器

Https服务器

第一步、首先生成一对证书。
你需要使用到openssl命令,所以请确认系统已经安装过此包
RHEL6中在/etc/pki/tls/certs 目录有个脚本可以帮助我们简化证书生成的过程,所以
我们首先切换到此目录
[root@rhel6u3-7 ~]# cd /etc/pki/tls/certs/
[root@rhel6u3-7 certs]# make server.key //生成私钥
umask 77 ;
/usr/bin/openssl genrsa -aes128 2048 > server.key
Generating RSA private key, 2048 bit long modulus
…+++
…+++
e is 65537 (0x10001)
Enter pass phrase:
Verifying - Enter pass phrase:
[root@rhel6u3-7 certs]# openssl rsa -in server.key -out server.key //除去密码以便询问时不需要密码
Enter pass phrase for server.key:
writing RSA key
[root@rhel6u3-7 certs]# make server.csr //生成证书颁发机构,用于颁发公钥
umask 77 ;
/usr/bin/openssl req -utf8 -new -key server.key -out server.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ‘.’, the field will be left blank.

Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:sh
Locality Name (eg, city) [Default City]:sh
Organization Name (eg, company) [Default Company Ltd]:rsyslog
Organizational Unit Name (eg, section) []:rsyslog
Common Name (eg, your name or your server’s hostname) []:xiaonuo
Email Address []:unix.root@hotmail.com
Please enter the following ‘extra’ attributes
to be sent with your certificate request
A challenge password []:123.com
An optional company name []:it
[root@rhel6u3-7 certs]# openssl x509 -in server.csr -req -signkey server.key -days 365 -out server.crt //颁发公钥,不过由于我们并不是去CA证书中心申请的公钥,所以在使用的时候,客户端浏览器会跳出未受信任的警告。如果你在生产环境下,请去CA申请。
Signature ok
subject=/C=cn/ST=sh/L=sh/O=rsyslog/OU=rsyslog/CN=xiaonuo/emailAddress=unix.root@hotmail.com
Getting Private key
[root@rhel6u3-7 certs]#
第二步、编辑nginx主配置文件,添加ssl模块参数
[root@rhel6u3-7 certs]# vim /usr/local/nginx/conf/nginx.conf
include /usr/local/nginx/server/www2.rsyslog.org; //将虚拟主机单独设置,然后用include包含到主配置文件中,简化主配置文件的配置
[root@rhel6u3-7 certs]# vim /usr/local/nginx/server/www2.rsyslog.org //注意以下配置可以在主配置文件中复制ssl模块信息
server {
listen 443; 监听端口为443
server_name www2.rsyslog.org;

    ssl                  on;  //开启ssl    
    ssl_certificate      /etc/pki/tls/certs/server.crt;  //证书位置    
    ssl_certificate_key  /etc/pki/tls/certs/server.key;  //私钥位置    
    ssl_session_timeout  5m;    
    ssl_protocols  SSLv2 SSLv3 TLSv1;  //指定密码为openssl支持的格式    
    ssl_ciphers  HIGH:!aNULL:!MD5; //密码加密方式    
    ssl_prefer_server_ciphers   on; //依赖SSLv3和TLSv1协议的服务器密码将优先于客户端密码    

    location / {    
        root   sites/www2;    //www2.rsyslog.org根目录的相对位置    
        index  index.html index.htm;    
    }    
}

第三步、创建网站的目录、主页、权限。
[root@rhel6u3-7 ~]# cd /usr/local/nginx/sites/
[root@rhel6u3-7 sites]# mkdir www2 //创建网站根目录
[root@rhel6u3-7 sites]# echo This is https://www2.rsyslog.org >www2/index.html //写个主测试页面
[root@rhel6u3-7 server]# chown nginx. /usr/local/nginx/server/ -R //设置配置文件的属主和属组为nginx
[root@rhel6u3-7 server]# chmod 600 /usr/local/nginx/server/ -R //设置配置文件的权限为600
[root@rhel6u3-7 server]# chown nginx. /usr/local/nginx/sites/www2 –R //设置网站根目录的属主和属组为nginx
[root@rhel6u3-7 server]# chmod 755 /usr/local/nginx/sites/www2 –R //设置网站根目录权限为755,其他人可以读取网站信息。

http://tech.ddvip.com/2013-03/1363634244192152.html

上一篇:linux mailx 发送邮件到qq邮箱


下一篇:单机k8s实验环境安装 安装记录