Configuring nginx with an SSL certificate for HTTPS
[root@localhost conf]# openssl genrsa -des3 -out server.key 1024
Generating RSA private key, 1024 bit long modulus
.....++++++
......++++++
e is 65537 (0x10001)
Enter pass phrase for server.key: (type a passphrase)
Verifying - Enter pass phrase for server.key: (type it again)
[root@localhost conf]# openssl req -new -key server.key -out server.csr
Enter pass phrase for server.key: (the passphrase you just set)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]: CN
State or Province Name (full name) []: Shanghai
Locality Name (eg, city) [Default City]: Shanghai
Organization Name (eg, company) [Default Company Ltd]: Shanghai Yiye Technology Ltd
Organizational Unit Name (eg, section) []: easeye
Common Name (eg, your name or your server's hostname) []: *.easeye.net
Email Address []: shibo.yu@easeye.net
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: (just press Enter)
An optional company name []: (just press Enter)
[root@localhost conf]# openssl rsa -in server.key -out server_nopass.key
Enter pass phrase for server.key: (the passphrase you just set)
writing RSA key
[root@localhost conf]# openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
Signature ok
subject=/C=CN/ST=Shanghai/L=Shanghai/O=Shanghai Yiye Technology Ltd/OU=easeye/CN=*.easeye.net/emailAddress=shibo.yu@easeye.net
Getting Private key
Enter pass phrase for server.key:
[root@localhost conf]#
The certificate above is self-signed, so no browser trusts it. To get a certificate browsers do trust you had to request a free one from StartSSL; StartSSL's free certificates were valid for one year, so they had to be renewed annually. Two caveats on the commands above: a 1024-bit RSA modulus is below the 2048-bit minimum that public CAs and browsers have required since 2014, so generate at least 2048 bits; and nginx must be pointed at server_nopass.key, the copy without the passphrase, because a key encrypted with -des3 makes nginx prompt for the passphrase every time it starts. The certificate was signed with the same key, so server.crt matches both files. (StartSSL's roots have since been removed from the major browser trust stores; today you would get a free certificate from another CA, such as Let's Encrypt, using the same kind of CSR.)
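The same genrsa/req/x509 sequence, made non-interactive with the weak choices corrected (2048-bit key, a subjectAltName, no passphrase on the key nginx loads), followed by the checks worth running before the files go anywhere near nginx. This is an added example, not code from the original post; the host name, DN values, file names and the extension set are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Host name, file names and DN
# values are assumptions chosen for the demonstration.

# gen_selfsigned <hostname> <outdir> [days]
# Writes <outdir>/server.key (2048-bit RSA, no passphrase, mode 0600) and
# <outdir>/server.crt, a self-signed certificate whose subjectAltName covers the
# host and its wildcard; browsers match names against the SAN, not the CN.
gen_selfsigned() {
    name=$1; dir=$2; days=${3:-365}
    write_req_conf "$name" "$dir/san.cnf"
    umask 077   # key is unencrypted (nginx cannot answer a passphrase prompt at boot), so rely on file mode
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$dir/server.key" 2>/dev/null
    openssl req -x509 -new -key "$dir/server.key" -days "$days" \
        -config "$dir/san.cnf" -out "$dir/server.crt" 2>/dev/null
}

# gen_csr <hostname> <outdir>: the same request as a CSR to hand to a real CA.
gen_csr() {
    write_req_conf "$1" "$2/san.cnf"
    openssl req -new -key "$2/server.key" -config "$2/san.cnf" -out "$2/server.csr" 2>/dev/null
}

# OpenSSL request config: non-interactive DN plus the SAN extension. A config
# file instead of -addext keeps this working on OpenSSL 1.0.x as well.
write_req_conf() {
    cat > "$2" <<EOF
[req]
prompt             = no
distinguished_name = dn
req_extensions     = v3_req
x509_extensions    = v3_req
[dn]
C  = CN
ST = Shanghai
L  = Shanghai
O  = Example Ltd
CN = $1
[v3_req]
subjectAltName   = DNS:$1, DNS:*.$1
extendedKeyUsage = serverAuth
EOF
}

# Checks to run before handing the files to nginx.
key_bits() {          # modulus size of an RSA private key
    openssl rsa -in "$1" -noout -text 2>/dev/null |
        sed -n 's/.*Private-Key: (\([0-9]*\) bit.*/\1/p' | head -n 1
}
cert_sans() {         # the DNS names the certificate is valid for
    openssl x509 -in "$1" -noout -text | grep 'DNS:' | sed 's/^ *//'
}
key_matches_cert() {  # public key inside the cert must equal the key's public half
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null)
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

main() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not installed" >&2; return 1; }
    d=$(mktemp -d)
    gen_selfsigned easeye.net "$d" 365 || return 1
    echo "key bits: $(key_bits "$d/server.key")"
    echo "SAN:      $(cert_sans "$d/server.crt")"
    key_matches_cert "$d/server.key" "$d/server.crt" && echo "key and certificate match"
    echo "files written to $d"
}
main
```

Running the script prints the key size, the SAN line and whether key and certificate belong together; point ssl_certificate_key at server.key and ssl_certificate at server.crt from the directory it names. For a CA-issued certificate, call gen_csr after gen_selfsigned and submit server.csr instead.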
--------------------------------------------------------------------------------------------------
The following describes how to apply for a free certificate at https://www.startssl.com/. Note that the whole process must be done in Firefox (set Firefox as the default browser beforehand); otherwise it may not succeed.
Some screenshots of the application process:
Before installing nginx, install the PCRE regular-expression library:
http://sourceforge.net/projects/pcre/files/pcre (download pcre-8.33.tar.gz)
tar -xvf pcre-8.33.tar.gz
cd pcre-8.33
./configure --prefix=/usr/local/pcre (a plain ./configure is usually enough; the author simply ran ./configure). If it stops with
configure: error: You need a C++ compiler for C++ support.
install the compilers with yum install -y gcc gcc-c++ and run configure again.
make
make install
http://www.openssl.org/source/ (download openssl-fips-2.0.5.tar.gz) [the author recommends not building this tarball: it needs several dependent libraries and is a hassle; installing from yum is easier]
Install the OpenSSL library (the author used yum):
yum search openssl
yum install openssl-devel.x86_64
nginx links against the system libssl when built this way, so the distribution package also keeps the TLS library covered by yum security updates, which a hand-built copy would not be.
http://nginx.org/en/download.html (download nginx-1.5.7.tar.gz)
tar -xvf nginx-1.5.7.tar.gz
cd nginx-1.5.7
./configure --prefix=/usr/local/bin/nginx --with-http_stub_status_module --with-http_ssl_module
make
make install
--with-http_ssl_module is what compiles HTTPS support in; without it nginx rejects the ssl directives in nginx.conf as unknown.
Go into the installed nginx/conf directory (not the nginx-1.5.7 source directory), copy the easeye.key and easeye.cer files obtained from the CA there, and then enable SSL in nginx.conf:
Edit the server { ... } block.
Four settings matter:
① listen 443;
② ssl on;
③ ssl_certificate easeye.cer;
④ ssl_certificate_key easeye.key;
(ssl on; was the directive in nginx 1.5.7; it became obsolete in nginx 1.15.0 and was removed in 1.25.1, so on current versions write listen 443 ssl; and leave ssl on; out. Keep easeye.key readable by root only: the nginx master process reads it as root before the workers drop privileges, so nothing else needs access.)
server {
    listen 443;
    server_name localhost;
    #charset koi8-r;
    #access_log logs/host.access.log main;
    ssl on;   # obsolete since nginx 1.15.0; on current versions use "listen 443 ssl;" instead
    ssl_certificate easeye.cer;
    ssl_certificate_key easeye.key;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    location = / {
        # the original redirected to http://, which sent clients back to plain HTTP
        return 301 https://$host/eventmail/;
    }
    location / {
        root html;
        index index.html index.htm;
    }
    location ~* ^/eventmail {
        rewrite ^/[^/]+/(.*)$ /eventmail/$1 break;
        proxy_pass http://192.168.100.105:8080;
    }
    location ~* ^/authService {
        rewrite ^/[^/]+/(.*)$ /authService/$1 break;
        proxy_pass http://192.168.100.105:8081;
    }
    location ~* ^/billingService {
        rewrite ^/[^/]+/(.*)$ /billingService/$1 break;
        proxy_pass http://192.168.100.105:8082;
    }
    location ~* ^/mailwebservice {
        rewrite ^/[^/]+/(.*)$ /mailwebservice/$1 break;
        proxy_pass http://192.168.100.105:8083;
    }
    location ~* ^/eventinterface {
        rewrite ^/[^/]+/(.*)$ /eventinterface/$1 break;
        proxy_pass http://192.168.100.105:8084;
    }
    location ~* ^/fckattach {
        rewrite ^/[^/]+/(.*)$ /fckattach/$1 break;
        proxy_pass http://192.168.100.105:8085;
    }
    location ~* ^/ImportExportLockService {
        rewrite ^/[^/]+/(.*)$ /authNginx/$1 break;
        proxy_pass http://192.168.100.105:8086;
    }
    location ~* ^/transmailwebservice {
        rewrite ^/[^/]+/(.*)$ /transmailwebservice/$1 break;
        proxy_pass http://192.168.100.105:8087;
    }
    #error_page 404 /404.html;
    # redirect server error pages to the static page /50x.html
    #
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root html;
    }
}
Note that once nginx is running you must add the line 192.168.100.105 www.easeye.net to C:\Windows\System32\drivers\etc\hosts on the Windows client (the hosts file, with an s), since the name has no public DNS record.
Then enter https://www.easeye.net/eventmail in the browser and the site is served over HTTPS.
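The server block above with its weak settings corrected, placed next to a small audit that flags those settings in an nginx configuration file. This is an added example, not configuration from the original post: the backend address and certificate file names are the post's, while the port-80 redirect, the protocol list, the HSTS header and X-Forwarded-Proto are assumptions about how such a site should be served. The audit is a grep heuristic for the patterns discussed here, not a replacement for nginx -t.

```shell
#!/bin/sh
# Added example, not part of the original post. Backend address and certificate
# names follow the post; the hardened settings are assumptions.

# The post's server block, reduced to the parts the audit looks at.
write_weak_conf() {
    cat > "$1" <<'EOF'
server {
    listen 443;
    server_name localhost;
    location = / {
        return 301 http://$host/eventmail/ ;
    }
    location ~* ^/eventmail {
        rewrite ^/[^/]+/(.*)$ /eventmail/$1 break;
        proxy_pass http://192.168.100.105:8080;
    }
    ssl on;
    ssl_certificate easeye.cer;
    ssl_certificate_key easeye.key;
}
EOF
}

# Hardened equivalent of the same block.
write_hardened_conf() {
    cat > "$1" <<'EOF'
server {
    listen 80;                              # plain HTTP only redirects to HTTPS
    server_name www.easeye.net;
    return 301 https://$host$request_uri;
}
server {
    listen 443 ssl;                         # replaces the obsolete ssl directive
    server_name www.easeye.net;
    ssl_certificate     easeye.cer;         # leaf first, then the intermediate
    ssl_certificate_key easeye.key;
    ssl_protocols TLSv1.2 TLSv1.3;          # only current protocol versions
    add_header Strict-Transport-Security "max-age=31536000" always;
    location = / {
        return 301 https://$host/eventmail/;    # stays on HTTPS
    }
    location ~* ^/eventmail {
        rewrite ^/[^/]+/(.*)$ /eventmail/$1 break;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;   # backend learns the real scheme
        proxy_pass http://192.168.100.105:8080;
    }
}
EOF
}

# audit_tls_conf <file>: print one line per weak setting found; exit 1 if any.
audit_tls_conf() {
    f=$1; n=0
    grep -Eq '^[[:space:]]*ssl[[:space:]]+on[[:space:]]*;' "$f" &&
        { echo "obsolete 'ssl on;' (use 'listen 443 ssl;')"; n=$((n+1)); }
    grep -Eq 'return[[:space:]]+30[1278][[:space:]]+http://' "$f" &&
        { echo "redirect to http:// downgrades the connection"; n=$((n+1)); }
    grep -Eq '^[[:space:]]*ssl_protocols[^;]*(SSLv2|SSLv3|TLSv1([[:space:];]|\.1))' "$f" &&
        { echo "ssl_protocols enables an obsolete protocol"; n=$((n+1)); }
    grep -Eq '^[[:space:]]*ssl_protocols' "$f" ||
        { echo "ssl_protocols not set; the nginx default may include TLSv1/TLSv1.1"; n=$((n+1)); }
    grep -Eq 'Strict-Transport-Security' "$f" ||
        { echo "no Strict-Transport-Security header"; n=$((n+1)); }
    [ "$n" -eq 0 ]
}

main() {
    d=$(mktemp -d)
    write_weak_conf "$d/weak.conf"
    write_hardened_conf "$d/hardened.conf"
    for c in weak hardened; do
        echo "== $c.conf"
        audit_tls_conf "$d/$c.conf" && echo "no findings"
    done
    # With nginx installed, let it parse the real file too; this also loads the
    # certificates, so a broken easeye.cer shows up here rather than at reload:
    #   nginx -t -c /usr/local/bin/nginx/conf/nginx.conf
}
main
```

Running it prints four findings for the post's block (the ssl directive, the http:// redirect, no ssl_protocols, no HSTS) and none for the hardened one; the audit function can be pointed at any nginx.conf.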
--------------------------------------------------------------------------------------------------
The configuration above works with IE8 and later, Chrome and the 360 browser, but not with Firefox. The official site and posts online say Opera is not supported either, but in the author's own test Opera 18 worked.
Below is how to make it work with Firefox as well. The cause of the failure is that easeye.cer on its own does not contain StartSSL's intermediate certificate: IE and Chrome on Windows fetch a missing intermediate themselves (via the Authority Information Access URL in the certificate or the Windows certificate store), whereas Firefox only accepts the chain the server sends, so the server has to deliver the intermediate itself.
Download ca.pem from https://www.startssl.com/certs/ca.pem (the StartSSL root) and sub.class1.server.ca.pem from http://cert.startssl.com/certs/sub.class1.server.ca.pem (the Class 1 server intermediate).
In nginx/conf, run cat sub.class1.server.ca.pem ca.pem > ca-certs.crt; this produces ca-certs.crt in the conf directory. (The post ran cat ca.pem sub.class1.server.ca.pem >> ca-certs.crt, i.e. root before intermediate. Browsers tolerate the swapped order, but the order nginx documents is server certificate, then the intermediate, then the root, and the root can be left out entirely because clients already hold it. Use > rather than >>, or running the command twice doubles the file.)
Then run cp easeye.cer easeye.cer.bak to back up the original easeye.cer.
Then run cat ca-certs.crt >> easeye.cer to append the chain to easeye.cer; the server certificate must remain the first entry in the file.
Then go to nginx/sbin and run nginx -s reload to restart nginx. Normally it restarts fine; if instead you get
nginx: [emerg] PEM_read_bio_X509_AUX("/usr/local/bin/nginx/conf/easeye.cer") failed
(SSL: error:0906D066:PEM routines:PEM_read_bio:bad end line)
open easeye.cer with vi in nginx/conf and you will find -----END CERTIFICATE----------BEGIN CERTIFICATE----- on a single line: the preceding file ended without a trailing newline, so cat glued the next certificate's header onto its last line. Insert a line break between -----END CERTIFICATE----- and -----BEGIN CERTIFICATE----- so it reads:
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Run nginx -s reload again and it starts without complaint. You can catch this before reloading with nginx -t, which parses the configuration and loads the certificates without touching the running server.
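The bundle assembly from the two steps above, done in a way that cannot produce the fused END/BEGIN line, plus a lint that detects it in an existing file. This is an added example, not code from the original post: the file names follow the post, while the PEM bodies are constructed placeholders rather than real certificates, and the openssl verification step is optional.

```shell
#!/bin/sh
# Added example, not part of the original post. Assembles the combined
# certificate file nginx expects (server certificate first, then the
# intermediate, then optionally the root) and lints it for the fused
# "-----END CERTIFICATE----------BEGIN CERTIFICATE-----" line behind nginx's
# "bad end line" error. The PEM bodies below are constructed placeholders.

# make_bundle <out> <leaf> <intermediate> [root]: awk's print always ends a
# record with a newline, so a file whose last line has none cannot fuse with
# the BEGIN line of the next file, which is what plain cat did in the post.
make_bundle() {
    out=$1; shift
    awk '{ print }' "$@" > "$out"
}

# Number of certificates in a PEM file.
pem_count() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# pem_lint <file>: 0 if clean; 1 (with the reason on stderr) if a line carries
# both an END and a BEGIN marker or the markers do not pair up.
pem_lint() {
    f=$1
    if grep -q -- 'END CERTIFICATE----------BEGIN' "$f"; then
        echo "pem_lint: $f: END and BEGIN on one line (missing newline)" >&2
        return 1
    fi
    b=$(grep -c -- '^-----BEGIN CERTIFICATE-----$' "$f" || true)
    e=$(grep -c -- '^-----END CERTIFICATE-----$' "$f" || true)
    if [ "$b" -eq 0 ] || [ "$b" -ne "$e" ]; then
        echo "pem_lint: $f: $b BEGIN but $e END markers" >&2
        return 1
    fi
}

# chain_verify <leaf> <intermediate> <root>: with openssl installed, confirm
# the leaf really chains to the root through the intermediate before deploying.
chain_verify() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; return 2; }
    openssl verify -CAfile "$3" -untrusted "$2" "$1"
}

# Constructed fixture: placeholder "certificates" (not real DER), with ca.pem
# written without a trailing newline, as the downloaded file evidently was.
fake_pem() {
    printf '%s\n%s\n%s\n' '-----BEGIN CERTIFICATE-----' "$1" '-----END CERTIFICATE-----'
}
write_fixture() {
    fake_pem LEAF  > "$1/easeye.cer"
    fake_pem INTER > "$1/sub.class1.server.ca.pem"
    printf '%s' "$(fake_pem ROOT)" > "$1/ca.pem"
}

main() {
    d=$(mktemp -d)
    write_fixture "$d"
    # The post's approach: root, then intermediate, appended with cat.
    cat "$d/easeye.cer" "$d/ca.pem" "$d/sub.class1.server.ca.pem" > "$d/fused.cer"
    pem_lint "$d/fused.cer" || echo "fused.cer is the file nginx rejected"
    # Leaf, intermediate, root; the root may be dropped since clients hold it.
    make_bundle "$d/bundle.cer" "$d/easeye.cer" "$d/sub.class1.server.ca.pem" "$d/ca.pem"
    pem_lint "$d/bundle.cer" && echo "bundle.cer: $(pem_count "$d/bundle.cer") certificates, clean"
}
main
```

With real files, replace the fixture with make_bundle easeye.cer.new easeye.cer sub.class1.server.ca.pem and run pem_lint, and chain_verify, on the result before pointing ssl_certificate at it.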