  • HTTPS with nginx and OpenSSL

    [root@localhost ~]#systemctl stop firewalld

    [root@localhost ~]#setenforce 0

    [root@localhost ~]#iptables -F

    [root@localhost ~]#yum -y install pcre zlib openssl openssl-devel pcre-devel zlib-devel

    [root@localhost ~]#cd /usr/local/nginx-1.16.0

    [root@localhost nginx-1.16.0]#./configure --prefix=/usr/local/nginx --user=nginx --group=nginx --with-http_stub_status_module --with-http_ssl_module

    [root@localhost nginx-1.16.0]#make && make install

    [root@localhost ~]#useradd -M -s /sbin/nologin nginx

    [root@localhost ~]#ln -s /usr/local/nginx/sbin/nginx /usr/local/sbin

    [root@localhost ~]#nginx

    [root@localhost ~]# touch /etc/pki/CA/index.txt

    [root@localhost ~]# echo 01 > /etc/pki/CA/serial

    [root@localhost ~]# cd /etc/pki/CA/

    [root@localhost CA]# umask 066

    [root@localhost CA]# openssl genrsa -out /etc/pki/CA/private/cakey.pem 2048

    [root@localhost ~]# openssl req -x509 -key /etc/pki/CA/private/cakey.pem -days 7300 -out /etc/pki/CA/cacert.pem

    Country Name (2 letter code) [XX]:CN
    State or Province Name (full name) []:BJ
    Locality Name (eg, city) [Default City]:BJ
    Organization Name (eg, company) [Default Company Ltd]:WXYC
    Organizational Unit Name (eg, section) []:JSB
    Common Name (eg, your name or your server's hostname) []:wangfeiyu.com
    Email Address []:wangfeiyu@sina.com     

    [root@localhost ~]#  cd

    [root@localhost ~]# mkdir key
    [root@localhost ~]# cd key/
    [root@localhost key]# umask 066
    [root@localhost key]# openssl genrsa -out service.key 2048
    [root@localhost key]# openssl req -new -key service.key -out service.csr
    Country Name (2 letter code) [XX]:CN
    State or Province Name (full name) []:BJ
    Locality Name (eg, city) [Default City]:BJ
    Organization Name (eg, company) [Default Company Ltd]:WXYC
    Organizational Unit Name (eg, section) []:JSB
    Common Name (eg, your name or your server's hostname) []:wangfeiyu.com
    Email Address []:wangfeiyu@sina.com

    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:
    An optional company name []:   

    ### It is recommended not to set a password

    [root@localhost key]# mkdir /etc/pki/CA/csr
    [root@localhost key]# mv service.csr /etc/pki/CA/csr
    [root@localhost key]# openssl ca -in /etc/pki/CA/csr/service.csr -out /etc/pki/CA/certs/service.crt -days 365
    Sign the certificate? [y/n]:y


    1 out of 1 certificate requests certified, commit? [y/n]y

    Edit the nginx configuration file and add:

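    server {
        listen 443 ssl;
        server_name nginx.nihao.com;

        # Server certificate signed by the CA above, plus the server's own key
        # (service.key was created in root's home directory, ~/key, in the steps above).
        # The CA key /etc/pki/CA/private/cakey.pem is only for signing and must not be given to nginx.
        ssl_certificate /etc/pki/CA/certs/service.crt;
        ssl_certificate_key /root/key/service.key;

        ssl_session_cache shared:SSL:1m;
        ssl_session_timeout 5m;

        ssl_ciphers HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers on;

        location / {
            root html;
            index index.html index.htm;
        }
    }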

    Restart the nginx service.

    Edit the host's hosts file:    192.168.200.111  nginx.wangfeiyu.com

    Success.
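
Added example (not part of the original post): a check to run before restarting nginx, confirming that the certificate and key handed to `ssl_certificate` / `ssl_certificate_key` belong together, that the certificate is the server's and not the CA's, and that it chains to the CA. The sample data is constructed and is signed with `openssl x509 -req` instead of `openssl ca` so it runs without `/etc/pki/CA`; the function names and the subjects `Example Test CA` and `nginx.example.test` are assumptions.

```shell
#!/bin/sh
# Added example: check the files named in ssl_certificate / ssl_certificate_key
# before reloading nginx. Sample CA and server data below are constructed.

# Digest of the public key inside a certificate, and of the one derived from a key.
pub_of_cert() { openssl x509 -in "$1" -noout -pubkey | openssl sha256; }
pub_of_key()  { openssl pkey -in "$1" -pubout | openssl sha256; }

# True when the certificate asserts basicConstraints CA:TRUE (a CA, not a server cert).
is_ca_cert() { openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'; }

# check_deploy CERT KEY CACERT -> prints a verdict, returns 0 only if deployable.
check_deploy() {
  if [ "$(pub_of_cert "$1")" != "$(pub_of_key "$2")" ]; then
    echo "FAIL: private key does not belong to certificate"; return 1
  fi
  if is_ca_cert "$1"; then
    echo "FAIL: this is the CA certificate; its key must stay off the web server"; return 2
  fi
  if ! openssl verify -CAfile "$3" "$1" >/dev/null 2>&1; then
    echo "FAIL: certificate does not chain to the CA"; return 3
  fi
  echo "OK"
}

# Build a throwaway CA and server certificate in directory $1 (constructed sample data).
make_sample() (
  umask 066
  printf '%s\n' '[req]' 'distinguished_name=dn' 'x509_extensions=v3_ca' '[dn]' \
    '[v3_ca]' 'basicConstraints=critical,CA:TRUE' > "$1/ca.cnf"
  openssl genrsa -out "$1/cakey.pem" 2048 2>/dev/null
  openssl req -x509 -new -config "$1/ca.cnf" -key "$1/cakey.pem" -days 30 \
    -subj "/CN=Example Test CA" -out "$1/cacert.pem"
  openssl genrsa -out "$1/service.key" 2048 2>/dev/null
  openssl req -new -config "$1/ca.cnf" -key "$1/service.key" \
    -subj "/CN=nginx.example.test" -out "$1/service.csr"
  openssl x509 -req -in "$1/service.csr" -CA "$1/cacert.pem" -CAkey "$1/cakey.pem" \
    -CAcreateserial -days 30 -out "$1/service.crt" 2>/dev/null
)

demo_dir=$(mktemp -d)
make_sample "$demo_dir"
check_deploy "$demo_dir/service.crt" "$demo_dir/service.key" "$demo_dir/cacert.pem"
check_deploy "$demo_dir/cacert.pem" "$demo_dir/cakey.pem" "$demo_dir/cacert.pem" || true
```

With the files from the steps above the call would be `check_deploy /etc/pki/CA/certs/service.crt ~/key/service.key /etc/pki/CA/cacert.pem`. The CA's own certificate and key pass the key-match and chain checks, so only the CA:TRUE test rejects them.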

  • Original article: https://www.cnblogs.com/maoyanqing/p/11529934.html