Configuring HTTPS for Nginx

This post describes how to configure HTTPS for Nginx on AWS, using a free certificate generated with Certbot.

https://certbot.eff.org/#pip-nginx

1. Compile and install Nginx

AWS system version: Linux ip-172-31-37-112.eu-west-1.compute.internal 3.10.0-327.el7.x86_64 #1 SMP Thu Oct 29 17:29:29 EDT 2015 x86_64 x86_64 x86_64 GNU/Linux

yum -y install gcc gcc-c++ autoconf automake
yum -y install zlib zlib-devel openssl openssl-devel pcre pcre-devel

wget http://nginx.org/download/nginx-1.10.2.tar.gz
tar xvf nginx-1.10.2.tar.gz

mkdir nginx
cd nginx-1.10.2

./configure --prefix=/root/nginx/ --with-http_ssl_module

Problem:

./configure: error: SSL modules require the OpenSSL library.
You can either do not enable the modules, or install the OpenSSL library
into the system, or build the OpenSSL library statically from the source
with nginx by using --with-openssl=<path> option.

Solution:

yum -y install openssl openssl-devel

Install:

make && make install

Test:

[root@ip-172-31-37-112 conf]# curl http://localhost
<html>
<head><title>403 Forbidden</title></head>
<body bgcolor="white">
<center><h1>403 Forbidden</h1></center>
<hr><center>nginx/1.10.2</center>
</body>
</html>

Problem: 403 error

Solution:

Edit conf/nginx.conf and change the line "# user nobody;" to "user root;"

nginx -s reload

curl http://localhost
Welcome to nginx!

2. Configure the AWS security group

AWS does not open ports 80 and 443 by default. Under the instance's security group > Edit inbound rules, only SSH is allowed initially; HTTP and HTTPS rules need to be added.

3. Point the domain at the AWS EC2 instance

http://www.51scala.com

4. Generate the certificate

Certbot issues free certificates; the instructions for generating one are produced directly on its website.

https://certbot.eff.org/

I used the "nginx + Other Unix" installation option.

First change to the web server directory

cd /root/nginx/html

Generate the certificate files

./certbot-auto certonly --standalone -d www.51scala.com -d 51scala.com

On success, it prints the following:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
tls-sni-01 challenge for www.51scala.com
tls-sni-01 challenge for 51scala.com
Waiting for verification...
Cleaning up challenges
Generating key (2048 bits): /etc/letsencrypt/keys/0000_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/0000_csr-certbot.pem

IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at
/etc/letsencrypt/live/www.51scala.com/fullchain.pem. Your cert will
expire on 2017-01-24. To obtain a new or tweaked version of this
certificate in the future, simply run certbot-auto again. To
non-interactively renew *all* of your certificates, run
"certbot-auto renew"
- If you lose your account credentials, you can recover through
e-mails sent to handmail@163.com.
- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
- If you like Certbot, please consider supporting our work by:

Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le

This gives us the key and CSR files.

Next, generate the ssl_dhparam file (in the directory the nginx configuration below points at):

mkdir /root/nginx/ssl
openssl dhparam -out /root/nginx/ssl/dhparam.pem 2048

5. Configure nginx

    server {
        listen       443 ssl;
        server_name  www.51scala.com;

        ssl_certificate      /etc/letsencrypt/live/www.51scala.com/fullchain.pem;
        ssl_certificate_key  /etc/letsencrypt/live/www.51scala.com/privkey.pem;
        ssl_dhparam          /root/nginx/ssl/dhparam.pem;

        ssl_session_cache    shared:SSL:1m;
        ssl_session_timeout  5m;

        ssl_ciphers  HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers  on;

        location / {
            root   html;
            index  index.html index.htm;
        }
    }

Test it:

./nginx -t
nginx: the configuration file /root/nginx//conf/nginx.conf syntax is ok
nginx: configuration file /root/nginx//conf/nginx.conf test is successful

All done.
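As an added example (not from the original post), here is a hardened variant of the server block above that addresses the points SSL Labs typically flags for this configuration: it restricts protocols to TLS 1.2, uses forward-secret AEAD cipher suites only, enables OCSP stapling and HSTS, and redirects plain HTTP to HTTPS while leaving the ACME HTTP-01 path reachable so renewals can run without stopping nginx. Paths follow the post (prefix /root/nginx, Certbot output under /etc/letsencrypt/live/www.51scala.com/); the resolver address and the HSTS max-age are assumptions to adapt to your environment.

```nginx
# Plain HTTP: serve ACME challenges from the web root, redirect the rest.
server {
    listen 80;
    server_name www.51scala.com 51scala.com;

    location /.well-known/acme-challenge/ {
        root html;   # same web root as the post; must be readable by the worker user
    }

    location / {
        return 301 https://www.51scala.com$request_uri;
    }
}

server {
    listen 443 ssl;
    server_name www.51scala.com 51scala.com;

    ssl_certificate     /etc/letsencrypt/live/www.51scala.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/www.51scala.com/privkey.pem;
    ssl_dhparam         /root/nginx/ssl/dhparam.pem;

    # nginx 1.10 enables TLSv1 and TLSv1.1 by default; allow only TLS 1.2.
    ssl_protocols TLSv1.2;
    # HIGH:!aNULL:!MD5 still permits static-RSA key exchange and CBC suites;
    # restrict to ECDHE (forward secrecy) with AES-GCM (AEAD).
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers on;

    ssl_session_cache   shared:SSL:10m;
    ssl_session_timeout 1d;
    ssl_session_tickets off;   # nginx does not rotate ticket keys on its own

    # OCSP stapling; chain.pem is written by Certbot next to fullchain.pem.
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/letsencrypt/live/www.51scala.com/chain.pem;
    resolver 8.8.8.8 valid=300s;   # assumption: use a resolver you trust

    # HSTS: browsers use HTTPS for this host for six months (assumed value).
    add_header Strict-Transport-Security "max-age=15768000" always;

    location / {
        root  html;
        index index.html index.htm;
    }
}
```

Run ./nginx -t after applying it, as in the test above; the test also loads the certificate, key and dhparam files, so a wrong path fails here rather than at the first client connection.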

6. Test the site's certificate

https://www.ssllabs.com

The test results are as follows:

This post mainly drew on: http://blog.csdn.net/cstopery/article/details/51911298

Original URL: https://www.cnblogs.com/machong/p/6000437.html