一、生成私钥和证书
创建带密钥口令的私钥
root@mysqlmaster:/tmp# openssl genrsa -des3 -out ng.key 1024
Generating RSA private key, 1024 bit long modulus
........++++++
...........................................++++++
e is 65537 (0x10001)
Enter pass phrase for ng.key: 输入口令
Verifying - Enter pass phrase for ng.key: 确认口令
二、创建csr文件
root@mysqlmaster:/tmp# openssl req -new -key ng.key -out ng.csr
Enter pass phrase for ng.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:国家 如cn,hk
State or Province Name (full name) [Some-State]:州或省的名称 如Beijing
Locality Name (eg, city) []:什么地方级别,是城市还是乡镇
Organization Name (eg, company) [Internet Widgits Pty Ltd]:什么组织,如公司,政府
Organizational Unit Name (eg, section) []:组织单位名称
Common Name (eg, YOUR name) []:名字
Email Address []:邮件地址
Please enter the following 'extra' attributes 额外信息
to be sent with your certificate request
A challenge password []: 复杂密码
An optional company name []:
1,创建私钥(去除密钥口令)
openssl rsa -in ng.key -out server.key
输入口令
2,创建CA证书
openssl req -new -x509 -days 3650 -key server.key -out server.crt
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:
Email Address []:
和上面的步骤差不多,根据提示输入证书的信息,国家,管理人邮件,姓名,城市等
将生成的证书放到/etc/nginx/conf.d/目录下,
root@mysqlmaster:/tmp# cp server.crt server.key /etc/nginx/conf.d
三、修改nginx配置文件
vi /etc/nginx/nginx/conf.d/default.conf
#let http to https
server{
listen 80;
server_name localhost;
return 301 https://$server_addr$request_uri;
}
#https server
server {
listen 443 ssl;
server_name localhost;
ssl_certificate /etc/nginx/conf.d/server.crt;
ssl_certificate_key /etc/nginx/conf.d/server.key;
ssl_session_cache shared:SSL:1m;
ssl_session_timeout 5m;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
location / {
root /xspeeder/xweb/xapp/templates/login;
index login.html;
uwsgi_pass 127.0.0.1:9000;
include uwsgi_params;
}
location ~ .*.(gif|jpg|jpeg|png|bmp|swf|js|css|ico|woff|ttf)$ {
root /xspeeder/xweb;
}
}
注意以上为nginx的配置文件,分为三部分,每一个server函数为一个部分,第一部分为http的配置,第二部分为https的部分,第三个部分是将http重写到https,也就是所有的走80端口的都强制他都443端口去。
sed -i "/listen 80;/{n;s/.*/ server_name 172.17.1.129;/g}" /etc/nginx/conf.d/default.conf
重写匹配
重启nginx 即可访问。
uwsgi --socket 127.0.0.1:9000 --chdir /xspeeder/xweb/ --wsgi-file xweb/wsgi.py --master --processes 2 --threads 2