Here is how to configure HTTPS connections in Nginx.
Prerequisites
Install Nginx first, as described in "CentOS 安裝Nginx" (Installing Nginx on CentOS).
Create a self-signed certificate
On the Nginx host, create an ssl directory under /etc/nginx (Nginx's default configuration directory). It will hold the self-signed TLS certificate and its private key.
Then use OpenSSL to generate the self-signed certificate and key into the newly created /etc/nginx/ssl directory with the command shown below. -x509 makes req emit a self-signed certificate instead of a certificate signing request, -newkey rsa:2048 generates a fresh 2048-bit RSA key, -nodes leaves that key unencrypted (no passphrase, so Nginx can load it at start-up without prompting), and -days 365 sets the validity period.
$ sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/nginx/ssl/nginx.key -out /etc/nginx/ssl/nginx.crt
...+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*........+...+....+.....+......+.+.....+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*.......+......+....+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
.+......+...+...........+.+.....+.............+...........+...+.+......+...........+...+.......+..............+.........+......+....+.....+.......+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*....+..........+...........+......+....+..+....+.....+.+.....+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++*....+.....+.........+.+...+...........+...............+....+.....+.+..+....+.........+......+......+.....+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
During generation you are asked for the following fields:
- Country Name - the two-letter country code, e.g. "TW".
- State or Province Name - state or province, e.g. "Taiwan".
- Locality Name - city, e.g. "Taipei".
- Organization Name - organization or company name; any value will do.
- Organizational Unit Name - department name; any value will do.
- Common Name - the host name or domain name; use the IP address if there is none. Note that current browsers ignore the Common Name and match the requested name only against the certificate's subjectAltName extension, which this interactive command does not add; without a SAN, Chrome reports NET::ERR_CERT_COMMON_NAME_INVALID even after the certificate has been trusted (openssl req can add one with -addext).
- Email Address - the issuer's e-mail address; any value will do.
Country Name (2 letter code) [XX]:TW
State or Province Name (full name) []:Taiwan
Locality Name (eg, city) [Default City]:Taipei
Organization Name (eg, company) [Default Company Ltd]:ABC Inc.
Organizational Unit Name (eg, section) []:Dev
Common Name (eg, your name or your server's hostname) []:54.238.246.85
Email Address []:admin@abc.com.tw
List /etc/nginx/ssl and you will see the generated certificate nginx.crt and private key nginx.key. Because -nodes left the key unencrypted, restrict the key file so that only root can read it; the Nginx master process, which loads it, runs as root.
$ ls /etc/nginx/ssl
nginx.crt nginx.key
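The interactive prompt above produces a certificate whose only identity is the Common Name. As an added example (not from the original post), here is a non-interactive version of the same openssl req command that also sets a subjectAltName, which is what browsers actually match against, plus two checks worth running before pointing Nginx at the files: that the SAN is the intended name and that the key really belongs to the certificate. The function names make_self_signed, cert_san and key_matches_cert, the output directory argument and the placeholder subject values are assumptions for this example; it needs OpenSSL 1.1.1 or later for -addext.

```shell
#!/bin/sh
# Added example: non-interactive self-signed certificate with a SAN,
# plus post-generation checks. Requires OpenSSL >= 1.1.1 (for -addext).
set -eu

# make_self_signed OUTDIR HOST [DAYS]
# HOST is a DNS name or an IPv4 address; the SAN entry type is chosen
# accordingly, because clients match IP:<addr> and DNS:<name> separately.
make_self_signed() {
  outdir=$1; name=$2; days=${3:-365}
  mkdir -p "$outdir"
  case "$name" in
    *[!0-9.]*) san="DNS:$name" ;;   # anything that is not purely digits and dots
    *)         san="IP:$name" ;;
  esac
  # -subj replaces the interactive DN prompt; the values are placeholders.
  # -nodes leaves the key unencrypted so nginx can start unattended,
  # which is why the key file permissions are tightened right afterwards.
  openssl req -x509 -nodes -days "$days" -newkey rsa:2048 \
    -subj "/C=TW/ST=Taiwan/L=Taipei/O=ABC Inc./OU=Dev/CN=$name" \
    -addext "subjectAltName=$san" \
    -keyout "$outdir/nginx.key" -out "$outdir/nginx.crt" 2>/dev/null
  chmod 600 "$outdir/nginx.key"
  chmod 644 "$outdir/nginx.crt"
}

# cert_san CERTFILE: print the certificate's subjectAltName entries,
# e.g. "IP Address:54.238.246.85" or "DNS:www.example.com".
cert_san() {
  openssl x509 -in "$1" -noout -text |
    awk '/Subject Alternative Name/ { getline; sub(/^ +/, ""); print; exit }'
}

# key_matches_cert CERTFILE KEYFILE: succeed only if the key's public half
# is the one embedded in the certificate (catches a mixed-up cert/key pair,
# which nginx would otherwise reject at start-up).
key_matches_cert() {
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# Usage on the server (as root):
#   make_self_signed /etc/nginx/ssl 54.238.246.85
#   cert_san /etc/nginx/ssl/nginx.crt
#   key_matches_cert /etc/nginx/ssl/nginx.crt /etc/nginx/ssl/nginx.key && echo "pair OK"
```

The SAN type matters: a client connecting to https://54.238.246.85 looks for an IP entry, and a DNS entry with the same digits would not satisfy it.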
Configure HTTPS
Open Nginx's default configuration file /etc/nginx/nginx.conf and add the following HTTPS settings to the default server block.
- listen 443 ssl default_server - listen on port 443 for TLS (IPv4).
- listen [::]:443 ssl default_server - listen on port 443 for TLS (IPv6). The ssl parameter applies per listen socket, so it has to be repeated here; without it the IPv6 socket would accept plain HTTP on port 443.
- ssl_certificate /etc/nginx/ssl/nginx.crt - path to the certificate file.
- ssl_certificate_key /etc/nginx/ssl/nginx.key - path to the private key file.
listen 443 ssl default_server;
listen [::]:443 ssl default_server;
ssl_certificate /etc/nginx/ssl/nginx.crt;
ssl_certificate_key /etc/nginx/ssl/nginx.key;
The resulting nginx.conf looks like this (comments removed):
/etc/nginx/nginx.conf
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;
include /usr/share/nginx/modules/*.conf;
events {
    worker_connections 1024;
}
http {
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';
    access_log /var/log/nginx/access.log main;
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 4096;
    include /etc/nginx/mime.types;
    default_type application/octet-stream;
    include /etc/nginx/conf.d/*.conf;
    server {
        listen 80;
        listen [::]:80;
        listen 443 ssl default_server;
        listen [::]:443 ssl default_server;
        ssl_certificate /etc/nginx/ssl/nginx.crt;
        ssl_certificate_key /etc/nginx/ssl/nginx.key;
        server_name _;
        root /usr/share/nginx/html;
        include /etc/nginx/default.d/*.conf;
        error_page 404 /404.html;
        location = /404.html {
        }
        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
        }
    }
}
Save and exit, then restart Nginx with sudo service nginx restart. Note that this server block still serves the same content in cleartext on port 80; nothing in it redirects clients to HTTPS.
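The configuration above keeps port 80 serving everything in the clear and leaves the TLS protocol versions at whatever the installed build defaults to. As an added example (not the post's own configuration), the helper below writes a conf.d drop-in containing a port-80 server that only redirects to HTTPS and a port-443 server that carries ssl on both listen lines and pins the protocol versions to TLS 1.2 and 1.3, together with a small check that rejects any file in which a 443 listener lacks ssl. The function names write_https_conf and conf_listens_tls, the drop-in path, the session-cache sizes and the server_name argument are assumptions for this example.

```shell
#!/bin/sh
# Added example: render an nginx HTTPS server block into a conf.d drop-in
# and verify that every 443 listener is actually a TLS listener.
set -eu

# write_https_conf OUTFILE NAME CERT KEY
# NAME is the server_name (host name or IP); CERT/KEY are the PEM paths.
write_https_conf() {
  outfile=$1; name=$2; cert=$3; key=$4
  cat > "$outfile" <<EOF
# Generated by write_https_conf; the cleartext listener only redirects.
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name $name;
    return 301 https://\$host\$request_uri;
}

server {
    # 'ssl' is a per-socket parameter: without it on the IPv6 line,
    # [::]:443 would accept plain HTTP.
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;
    server_name $name;

    ssl_certificate     $cert;
    ssl_certificate_key $key;

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 1d;
    ssl_session_tickets off;

    root /usr/share/nginx/html;
    include /etc/nginx/default.d/*.conf;
}
EOF
}

# conf_listens_tls FILE: succeed only if the file has at least one
# port-443 listen directive and every one of them carries 'ssl'.
conf_listens_tls() {
  total=$(grep -cE 'listen (\[::\]:)?443[ ;]' "$1" || true)
  tls=$(grep -cE 'listen (\[::\]:)?443 ssl' "$1" || true)
  [ "$total" -gt 0 ] && [ "$total" -eq "$tls" ]
}

# Usage on the server (as root):
#   write_https_conf /etc/nginx/conf.d/https.conf 54.238.246.85 \
#       /etc/nginx/ssl/nginx.crt /etc/nginx/ssl/nginx.key
#   conf_listens_tls /etc/nginx/conf.d/https.conf && nginx -t && systemctl reload nginx
```

Run sudo nginx -t before reloading. The default server in nginx.conf already declares default_server on ports 80 and 443, so either remove those listen and ssl_* lines from it or replace that server block with this one; otherwise nginx -t fails with a duplicate default server error. To test from the command line without disabling verification, pin the certificate instead of using -k: curl --cacert /etc/nginx/ssl/nginx.crt https://54.238.246.85/ succeeds only if the certificate's SAN contains that IP, whereas -k would accept any certificate at all.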
Testing
In a browser, open the Nginx host address with an https:// prefix, e.g. https://54.238.246.85. The result looks like this.
Because the browser does not trust a self-signed certificate, it is normal to see a "Your connection is not private" page with the error NET::ERR_CERT_AUTHORITY_INVALID. The warning only goes away on clients that have imported nginx.crt into their trust store, and in current browsers only if the certificate also carries a subjectAltName matching the address you typed.
Click the warning icon next to the address bar to view the certificate details, shown below.