nginx配置支持https访问

Posted 2021-11-23 玩家_名狱

在哪个环境下安装nginx，就要在哪里生成证书，比如在阿里云主机上安装nginx就在阿里云主机上生成证书，如果是在docker中安装nginx就在docker中生成证书。

如果使用docker安装，记得生成容器时映射一个443端口
root@iZbp18qtvejt7jqx8ghcanZ:~# docker run --name nginx -d -p 8080:80 -p 443:443 nginx

使用openssl生成，默认已安装。
1、使用常用的RSA算法生成秘钥文件

openssl genrsa -out server.key 2048

2、根据秘钥文件生成证书文件

openssl req -new -x509 -key server.key -out server.crt -days 365

3、(可选)根据秘钥生成公钥文件，该文件用于客户端与服务端通信

openssl rsa -in server.key -out server.key.public

我选择在docker中安装nginx，安装的nginx默认在/etc/nginx/目录下，我选择在该目录下生成证书文件，其他任意位置都可以，后面可以自定义配置证书位置

root@ab2c91613667:/etc/nginx# openssl genrsa -out server.key 2048
Generating RSA private key, 2048 bit long modulus
.........................+++
.....................................................................+++
unable to write 'random state'
e is 65537 (0x10001)

root@ab2c91613667:/etc/nginx# openssl req -new -x509 -key server.key -out server.crt -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CH
State or Province Name (full name) [Some-State]:SiChuan
Locality Name (eg, city) []:Chengdu
Organization Name (eg, company) [Internet Widgits Pty Ltd]:john.cn
Organizational Unit Name (eg, section) []:Dev
Common Name (e.g. server FQDN or YOUR name) []:John
Email Address []:john@johng.cn

root@ab2c91613667:/etc/nginx# openssl rsa -in server.key -out server.key.public
writing RSA key

nginx在/etc/nginx/目录下有个nginx.conf文件，该文件中又会导入/etc/nginx/conf.d/目录中的以conf结尾的文件，里面以conf结尾的文件是配置虚拟主机用的，可以多个。
因此，选择在里面新建一个配置

vim https_nginx.conf

server {
    listen 0.0.0.0:443 ssl;
    # 这里使用上面生成证书时配置的域名
    server_name john.cn;
    # 该虚拟主机默认访问的目录
    root /usr/share/nginx/html;
    # 证书位置
    ssl_certificate   /etc/nginx/server.crt;
    # 证书key的位置
    ssl_certificate_key  /etc/nginx/server.key;
    ssl_session_timeout 5m;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    location / {
         index index.html index.htm;
    }
 }

保存退出
然后重启nginx服务

nginx -s reload 

然后就可以使用https://john.cn访问了，但是会显示说不安全