Recompiling nginx with HTTPS support, without downtime
This post only applies to an nginx that was installed by compiling from source. If yours was installed from the yum repository, uninstall it first and follow the nginx installation section at http://www.cnblogs.com/rslai/p/7851220.html.
I. Recompile nginx
1. Check whether nginx already supports SSL
/usr/local/nginx/sbin/nginx -V
If the output contains "--with-http_ssl_module", the HTTPS module is already built in.
2. If it is not, nginx has to be recompiled. Go to the build directory that was used when nginx was originally installed and configure it with the ssl module.
The original build directory here is /usr/local/src/nginx-1.8.1; if yours is somewhere else, adjust the paths accordingly.
cd /usr/local/src/nginx-1.8.1
./configure --with-http_ssl_module
make
3. Once the build finishes, upgrade by copying the new binary into place. Do not run make install.
# Back up the existing nginx binary
mv /usr/local/nginx/sbin/nginx /usr/local/nginx/sbin/nginx.old
# Copy the freshly built nginx into the sbin directory
cp /usr/local/src/nginx-1.8.1/objs/nginx /usr/local/nginx/sbin/
4. Finally, perform the hot upgrade (the running workers are replaced without dropping connections)
cd /usr/local/src/nginx-1.8.1
make upgrade
5. Check again whether nginx now supports SSL
/usr/local/nginx/sbin/nginx -V
II. Generate a private (not browser-trusted) SSL certificate; skip this part if you already have a publicly trusted certificate
1. Generate an RSA key (named xh) and remember the passphrase you enter
openssl genrsa -des3 -out xh.key 1024
2. Make a copy of the key that does not require a passphrase
openssl rsa -in xh.key -out xh_nopass.key
3. Generate a certificate signing request
openssl req -new -key xh.key -out xh.csr
4. Self-sign the certificate
openssl x509 -req -days 365 -in xh.csr -signkey xh.key -out xh.crt
5. Copy the crt and key to the target directory
Note: the key file you copy must be the nopass key generated above (otherwise nginx will prompt for the passphrase every time it starts); the destination directory can also be changed as needed.
cp xh.crt /etc/ssl/
cp xh_nopass.key /etc/ssl/
III. Edit the nginx.conf configuration file
At this point the upgrade itself is complete. To actually enable HTTPS, nginx.conf still has to be changed.
1. Open nginx.conf
cd /usr/local/nginx/conf
vim nginx.conf
2. Edit the configuration as follows. Pay attention to the root directory: in this configuration the PHP code lives under /home/www, so adjust it to your own setup.
This configuration redirects all port 80 requests automatically to port 443.
#user www www;
worker_processes 1;
#pid /var/run/nginx.pid;

events {
    worker_connections 51200;
}

http {
    include mime.types;
    default_type application/octet-stream;
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';
    sendfile on;
    keepalive_timeout 300;
    client_max_body_size 20m;
    #include /etc/nginx/conf.d/*.conf;

    # Plain HTTP: everything is redirected to the HTTPS server below
    server {
        #listen [::]:80;
        listen 80;
        server_name 192.168.3.219;
        return 301 https://$server_name$request_uri;
        index index.html index.htm index.php;
        root /home/www/public;

        if (!-e $request_filename) {
            rewrite ^/index.php(.*)$ /index.php?s=$1 last;
            rewrite ^(.*)$ /index.php?s=$1 last;
            break;
        }

        location /nginx_status {
            #stub_status on;
            #access_log /mydata/nginx.log;
            auth_basic "NginxStatus";
        }

        location ~ .*\.(gif|jpg|jpeg|png|bmp|swf|js|css)$ {
            expires 24h;
            root /home/www/public;
        }

        location ~ /\. {
            deny all;
        }

        location ~ [^/]\.php(/|$) {
            #fastcgi_pass remote_php_ip:9000;
            fastcgi_pass unix:/dev/shm/php-cgi.sock;
            fastcgi_index index.php;
            include fastcgi.conf;
        }
    }

    # HTTPS server using the self-signed certificate and the passphrase-free key
    server {
        #listen [::]:443 ssl;
        listen 443 ssl;
        ssl on;
        ssl_certificate /etc/ssl/xh.crt;
        ssl_certificate_key /etc/ssl/xh_nopass.key;
        ssl_session_timeout 5m;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers ALL:!DH:!EXPORT:!RC4:+HIGH:+MEDIUM:-LOW:!aNULL:!eNULL;
        ssl_prefer_server_ciphers on;
        server_name 192.168.3.219;
        index index.html index.htm index.php;
        root /home/www/public;

        if (!-e $request_filename) {
            rewrite ^/index.php(.*)$ /index.php?s=$1 last;
            rewrite ^(.*)$ /index.php?s=$1 last;
            break;
        }

        location /nginx_status {
            #stub_status on;
            #access_log /home/www/nginx.log;
            auth_basic "NginxStatus";
        }

        location ~ .*\.(gif|jpg|jpeg|png|bmp|swf|js|css)$ {
            expires 24h;
            root /home/www/public;
        }

        location ~ /\. {
            deny all;
        }

        location ~ [^/]\.php(/|$) {
            #fastcgi_pass remote_php_ip:9000;
            #fastcgi_pass unix:/dev/shm/php-cgi.sock;
            fastcgi_pass 127.0.0.1:9000;
            fastcgi_index index.php;
            include fastcgi.conf;
        }
    }
}
3. Re-read the configuration without stopping the nginx service
/usr/local/nginx/sbin/nginx -s reload
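Before reloading, a small pre-flight check catches the two mistakes this walkthrough warns about (copying the passphrase-protected xh.key instead of xh_nopass.key, and a port-80 server that does not redirect to https) and flags settings that nginx has since deprecated: "ssl on" (superseded by "listen 443 ssl" in nginx 1.15.0) and the TLS 1.0/1.1 protocols (retired by RFC 8996). This is an added example, not code from the original post; SAMPLE_CONF is a constructed, trimmed copy of the two server blocks above, and the parser is only a stand-in for "nginx -t", which should still be run.

```python
import re
# Constructed sample (mirrors the page's two server blocks, trimmed to the relevant directives).
SAMPLE_CONF = """
http {
    server { listen 80; server_name 192.168.3.219;
             return 301 https://$server_name$request_uri; }
    server { listen 443 ssl; ssl on; server_name 192.168.3.219;
             ssl_certificate /etc/ssl/xh.crt; ssl_certificate_key /etc/ssl/xh_nopass.key;
             ssl_protocols TLSv1 TLSv1.1 TLSv1.2; }
}
"""

_TOKEN = re.compile(r'#[^\n]*|"[^"]*"|\'[^\']*\'|[{};]|[^\s{};"\'#]+')

def parse(text):
    """Parse nginx config into (name, args, body) triples; body is None for simple directives."""
    stack, cur = [[]], []
    for tok in (t for t in _TOKEN.findall(text) if t[0] != '#'):
        if tok == ';':
            stack[-1].append((cur[0], cur[1:], None)); cur = []
        elif tok == '{':
            body = []
            stack[-1].append((cur[0], cur[1:], body)); stack.append(body); cur = []
        elif tok == '}':
            stack.pop()
        else:
            cur.append(tok)
    return stack[0]

def audit_servers(conf_text):
    """Findings for every server block inside http {}: redirect, cert/key, deprecated or legacy TLS."""
    findings = []
    servers = [s for n, _, http in parse(conf_text) if n == 'http' for s in http if s[0] == 'server']
    for _, _, body in servers:
        d = {n: a for n, a, _ in body}              # last occurrence wins, as in nginx
        if 'ssl' not in d.get('listen', []) and d.get('ssl') != ['on']:
            ret = d.get('return', [])
            if not (len(ret) == 2 and ret[0] == '301' and ret[1].startswith('https://')):
                findings.append('plain-HTTP server does not redirect to https')
            continue
        findings += [f'TLS server is missing {k}' for k in ('ssl_certificate', 'ssl_certificate_key') if k not in d]
        if d.get('ssl') == ['on']:
            findings.append("'ssl on' is deprecated; 'listen 443 ssl' is enough")
        findings += [f'legacy protocol {p} enabled' for p in d.get('ssl_protocols', []) if p in ('SSLv2', 'SSLv3', 'TLSv1', 'TLSv1.1')]
    return findings

def key_needs_passphrase(pem_text):
    """True for an encrypted PEM key (xh.key from genrsa -des3): nginx would prompt for it at startup."""
    return 'ENCRYPTED' in pem_text
```

Run audit_servers() over the real nginx.conf text and key_needs_passphrase() over the contents of /etc/ssl/xh_nopass.key; an empty findings list and False are what you want before issuing the reload.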