Table of contents

  • Preface
  • I. Install nginx
  • II. Configure HTTPS
  • 1. Install the certificate
  • 2. Modify the nginx configuration for HTTPS
  • Summary



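Preface

To improve the security of web applications, HTTPS access is now expected almost everywhere. This post records how I configured it under nginx.

I. Install nginx

Note: if nginx is already installed but was built without the SSL module, follow the steps below to add it.
(1) Change to the source directory (the path where nginx was downloaded):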

cd /usr/local/nginx/nginx-1.13.6

(2) Configure the build:

./configure --prefix=/usr/local/nginx --with-http_stub_status_module --with-http_ssl_module

(3) After configuring, run make to compile. Do not run make install, otherwise it will overwrite the existing installation.

make

(4) Then back up the nginx binary that is already installed (optional):

cp /usr/local/nginx/sbin/nginx /usr/local/nginx/sbin/nginx.bak

(5) Restart nginx:

/usr/local/nginx/sbin/nginx -s reload

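II. Configure HTTPS

1. Install the certificate

For nginx to serve HTTPS it needs a server certificate. Here the certificate is generated with the openssl command (make sure openssl is available).
The steps are as follows:

1. Go to /usr/local/nginx/conf/ and create a directory named crt (mkdir crt).

2. Change into crt (cd crt).

3. Generate the key with the command: openssl genrsa -des3 -out server.key 1024. The following prompts appear: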

Generating RSA private key, 1024 bit long modulus
      ......................................................++++++
      .................++++++
      e is 65537 (0x10001)
      Enter pass phrase for server.key: (enter any passphrase you like here, e.g. 123456)
      Verifying - Enter pass phrase for server.key: (enter it again)

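4. Generate the CSR with the command openssl req -new -key server.key -out server.csr. (Note: this step asks for country/region/company/personal information. It does not need to be real; something plausible is enough. See the values entered after each prompt below.)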

Enter pass phrase for server.key:
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [GB]:CN
    State or Province Name (full name) [Berkshire]:Shandong
    Locality Name (eg, city) [Newbury]:liangshang
    Organization Name (eg, company) [My Company Ltd]:hahah
    Organizational Unit Name (eg, section) []:biubiu
    Common Name (eg, your name or your server's hostname) []:nanxiaoliu
    Email Address []:nanxiaoliu@channelsoft.com

    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:123456
    An optional company name []: (press Enter)

5. cp server.key server.key.org
6. openssl rsa -in server.key.org -out server.key (writes a copy of the key without the passphrase)

Enter pass phrase for server.key.org: 123456
             writing RSA key

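7. openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

On success, "Signature ok" is printed.
At this point the self-signed certificate has been created.

2. Modify the nginx configuration for HTTPS

1. Go to /usr/local/nginx/conf
cp nginx.conf nginx_lzaf.conf
2. Edit the configuration
vim nginx.conf
Add a new server block, configured as follows: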

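server {
    server_name localhost;
    listen 443 ssl;
    # Redundant with "listen 443 ssl"; the "ssl" directive is obsolete since nginx 1.15.0
    ssl on;
    # Absolute path to the certificate
    ssl_certificate /usr/local/nginx/conf/crt/server.crt;
    # Absolute path to the certificate key
    ssl_certificate_key /usr/local/nginx/conf/crt/server.key;
    # TLSv1 and TLSv1.1 are deprecated (RFC 8996)
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    # Other settings
    location / {
        # The front end to serve (dist1 is my packaged Vue front end)
        root   /usr/local/javavue/dist1;
        index  index.html index.htm;
    }
}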

Restart nginx to verify: /usr/local/nginx/sbin/nginx -s reload

Open a browser to verify.
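
The check below is an added example, not part of the original post: it flags the settings from the steps above that are weak by current standards (the 1024-bit RSA key, which is below the 2048-bit minimum, the TLSv1/TLSv1.1 protocols, and the obsolete ssl on directive). The function names and the embedded sample input are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post); function names are hypothetical.

# audit_nginx_tls CONF: print one finding per weak or obsolete TLS directive.
audit_nginx_tls() {
    sed 's/#.*//' "$1" | awk '
        $1 == "ssl_protocols" {
            for (i = 2; i <= NF; i++) {
                p = $i; sub(/;$/, "", p)
                # Protocol versions that are deprecated or broken
                if (p ~ /^(SSLv2|SSLv3|TLSv1|TLSv1\.1)$/) print "weak-protocol:" p
            }
        }
        # "ssl on;" is obsolete since nginx 1.15.0; "listen 443 ssl;" replaces it
        $1 == "ssl" && $2 ~ /^on;?$/ { print "obsolete-directive:ssl-on" }
    '
}

# rsa_key_bits: read "openssl x509 -noout -text" (or "openssl rsa -noout -text")
# output on stdin and print the key size in bits.
rsa_key_bits() {
    sed -n 's/.*Key: (\([0-9][0-9]*\) bit.*/\1/p' | head -n 1
}

# key_finding: print a finding when that key is shorter than 2048 bits.
key_finding() {
    bits=$(rsa_key_bits)
    if [ -n "$bits" ] && [ "$bits" -lt 2048 ]; then
        echo "weak-key:${bits}-bit"
    fi
}

# Constructed sample: the TLS directives from the server block on this page.
sample_conf() {
    cat <<'EOF'
server {
    listen 443 ssl;
    ssl on;
    # ssl_protocols SSLv3;   commented out, so it must be ignored
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
}
EOF
}

tmp=$(mktemp) && sample_conf > "$tmp"
audit_nginx_tls "$tmp"
# Constructed sample of the line openssl prints for the key generated above.
echo "Private-Key: (1024 bit)" | key_finding
rm -f "$tmp"
```

Against the real files, run audit_nginx_tls /usr/local/nginx/conf/nginx.conf and openssl x509 -noout -text -in server.crt | key_finding.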

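Then verify that the original HTTP access still works: http://81.70.170.21:8080/#/login

After this configuration, HTTP was reachable but HTTPS was not.
Check whether port 443 is open.

List the listening ports:
netstat -ntlp   # show all TCP ports currently listening

1. Start the firewall
    systemctl start firewalld

2. Open the required port
    firewall-cmd --zone=public --add-port=443/tcp --permanent
Meaning of the options:
--zone  # the zone the rule applies to
--add-port=1935/tcp  # adds a port, in the form port/protocol (443/tcp in the command above)
--permanent  # makes the rule permanent; without it the rule is lost after a restart

3. Reload the firewall
    firewall-cmd --reload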

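Summary

With the steps above nginx is configured. If other problems come up, please contact me O(∩_∩)O haha~

Oh, and I have learned to borrow from others now.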