zoukankan      html  css  js  c++  java
  • Nginx配置4-Https网站设置

    Nginx配置4 Https网站设置

    1 检查是否支持ssl模块

    [root@nginx-node01 1.16.0]# ./nginx -V 2>&1 | sed 's/ /
    /g' |grep ssl
    --with-http_ssl_module
    

    如果nginx没有http_ssl_module支持,则需要在编译时加入ssl支持,具体参考:Shell编译安装nginx

    2 配置Server

    公私钥、CA证书生成中制作好的nginx-node01.crt证书文件和nginx私钥文件放入ssl目录

    # HTTPS server
    
     #增加HTTP强制跳转功能
     server{    
     	listen 80;    
     	server_name www.kov.com;   
        return  301 https://$server_name$request_uri;
    }
    
    server {
        listen       443 ssl;
        server_name  www.kov.com;
    
        ssl_certificate      ssl/nginx-node01.crt;
        ssl_certificate_key  ssl/nginx-node01.key;
    
        ssl_session_cache    shared:SSL:1m;
        ssl_session_timeout  5m;
    
        ssl_ciphers  HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers  on;
    
        location / {
            root   html;
            index  index.html index.htm;
        }
    }
    

    3 客户端设置域名

    [root@ca CA]# echo 192.168.56.104 www.kov.com >> /etc/hosts
    
    [root@ca CA]# cat /etc/hosts
    ##
    # Host Database
    #
    # localhost is used to configure the loopback interface
    # when the system is booting.  Do not change this entry.
    ##
    127.0.0.1	localhost
    255.255.255.255	broadcasthost
    ::1             localhost 
    fe80::1%lo0	localhost
    ......
    192.168.56.104 www.kov.com
    

    4 客户端curl测试

    客户端添加证书前

    [root@ca CA]# curl https://www.kov.com           
    curl: (60) Peer's Certificate issuer is not recognized.
    More details here: http://curl.haxx.se/docs/sslcerts.html
    
    curl performs SSL certificate verification by default, using a "bundle"
     of Certificate Authority (CA) public keys (CA certs). If the default
     bundle file isn't adequate, you can specify an alternate file
     using the --cacert option.
    If this HTTPS server uses a certificate signed by a CA represented in
     the bundle, the certificate verification probably failed due to a
     problem with the certificate (it might be expired, or the name might
     not match the domain name in the URL).
    If you'd like to turn off curl's verification of the certificate, use
     the -k (or --insecure) option.
    

    客户端添加证书后

    [root@ca CA]# curl --cacert cacert.pem https://www.kov.com
    <!DOCTYPE html>
    <html>
    <head>
    <title>Welcome to www.kov.com!</title>
    </head>
    <body>
    <h1>Welcome to nginx ssl!</h1>
    <p><em>Thank you for using nginx.</em></p>
    </body>
    </html>
    

    5 客户端浏览器验证

    1. NET::ERR_CERT_AUTHORITY_INVALID错误

    解决方法:在keychain中将证书改为信任(下图)

    2. NET::ERR_CERT_COMMON_NAME_INVALID错误

    解决方法:参考《公私钥、证书生成》CA签署证书中补充,重新CA签署多域名证书后,重新在keychain中将证书改为信任。

  • 相关阅读:
    【初心】
    【杂题集】单题小总结
    【模板】(旧)矩阵模板
    【机智题?】【Vijos】【天平称量】
    【杂题集】【51NOD 1267】4个数和为0
    【模板】(旧)Miller Rabin 素数判定
    【杂谈】只是想想
    【杂谈】思考
    【学习?】组合和排序
    【模版】读入优化
  • 原文地址:https://www.cnblogs.com/elfcafe/p/13286318.html
Copyright © 2011-2022 走看看