nginx配置https是需要CA颁发证书的,为了测试方便,我们可以使用自签名证书。

安装openssl 安装包和出现问题处理参考:Windows 下OpenSSL安装过程及错误解决办法_发呆的程序猿_openssl安装

本次提供windows  64bit  轻量版安装包:Win64OpenSSL_Light-3_0_0.rar-网络安全文档类资源

按照正常软件安装流程安装即可。

说明:一般Linux系统都有openssl,可以直接到Linu系统上直接操作。

如何生成自签名证书
我们需要为服务端和客户端准备私钥和公钥
说明:执行后续步骤前请创建ca文件夹,路径为:E:\ca

//生成服务器端私钥

openssl genrsa -out E:/ca/server.key 2048

//生成服务器端公钥

openssl rsa -in E:/ca/server.key -pubout -out E:/ca/server.pem

生成CA证书
// 生成 CA 私钥

openssl genrsa -out E:/ca/ca.key 2048

openssl req -new -key E:/ca/ca.key -out E:/ca/ca.csr
注意:执行上面第二个命令会出现以下需要填写的项目,可以直接回车跳过,但是Common Name那一项建议填写你的域名,如果是本地的话,可以写localhost,此处我是随便填写一些数据。

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:guangxi
Locality Name (eg, city) []:nanning
Organization Name (eg, company) [Internet Widgits Pty Ltd]:test
Organizational Unit Name (eg, section) []:test
Common Name (e.g. server FQDN or YOUR name) []:test

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

//生成CA证书

openssl x509 -req -in E:/ca/ca.csr -signkey E:/ca/ca.key -out E:/ca/ca.crt -days 3650

生成服务器证书
//服务器端需要向 CA 机构申请签名证书,在申请签名证书之前依然是创建自己的 CSR 文件

openssl req -new -key E:/ca/server.key -out E:/ca/server.csr

//向自己的 CA 机构申请证书,签名过程需要 CA 的证书和私钥参与,最终颁发一个带有 CA 签名的证书

openssl x509 -req -CA E:/ca/ca.crt -CAkey E:/ca/ca.key -CAcreateserial -in E:/ca/server.csr -out E:/ca/server.crt -days 3650

注意:执行上面第一个命令会出现以下需要填写的项目,可以直接回车跳过,但是Common Name那一项建议填写你的域名,如果是本地的话,可以写localhost,此处我是随便填写一些数据。

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:guangxi
Locality Name (eg, city) []:nanning
Organization Name (eg, company) [Internet Widgits Pty Ltd]:test
Organizational Unit Name (eg, section) []:test
Common Name (e.g. server FQDN or YOUR name) []:test

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

生成cer文件
//使用openssl 进行转换

openssl x509 -in E:/ca/server.crt -out E:/ca/server.cer -outform der -days 3650

配置nginx
我们拿到CA签发的这个证书后,需要将证书配置在nginx中。 首先,我们将server.crt和server.key拷贝到nginx的配置文件所在的目录 其次,在nginx的配置中添加如下配置:

listen 9527 ssl;
        server_name localhost;
        #为虚拟主机指定pem格式的证书文件  
        ssl_certificate      E:\ca\server.crt;  
        #为虚拟主机指定私钥文件  
        ssl_certificate_key  E:\ca\server.key;   
        #客户端能够重复使用存储在缓存中的会话参数时间  
        ssl_session_timeout  5m;  
        #指定使用的ssl协议   
        ssl_protocols  SSLv3 TLSv1;   
        #指定许可的密码描述  
        ssl_ciphers  ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;   
        #SSLv3和TLSv1协议的服务器密码需求优先级高于客户端密码  
        ssl_prefer_server_ciphers   on;

 圈起来部分为新增的部分。

此时即可使用https访问。

http请求自动跳转到https
新增一个server,定义server监听其他端口号,将所有该端口号的请求转发到对应server

server { 
        charset utf-8;
        listen 80; 
        server_name localhost;
        rewrite ^(.*) https://$host$1 permanent;
}