喵♂呜's Blog

A programmer who became a dad right after graduating, still looking for the way through the fog...

Enabling an HTTPS site in Nginx with a self-signed certificate

Everyone knows certificates cost money, and not a little. For local testing, a self-signed certificate is enough.


Generating the certificate

Preparing the environment

  • touch /etc/pki/CA/index.txt
  • touch /etc/pki/CA/serial
  • vi /etc/pki/CA/serial, write the serial number 01 and save

Generating the root key

shell> openssl genrsa -des3 -out ca.key 2048
Generating RSA private key, 2048 bit long modulus
.......................+++
..+++
e is 65537 (0x10001)
Enter pass phrase for ca.key:
Verifying - Enter pass phrase for ca.key:

Generating the private key and CSR (Certificate Signing Request)

shell> openssl genrsa -des3 -out server.key 2048
Generating RSA private key, 2048 bit long modulus
...................+++
................................+++
e is 65537 (0x10001)
Enter pass phrase for server.key:
Verifying - Enter pass phrase for server.key:
shell> openssl req -new -key server.key -out server.csr -subj "/C=CN/ST=China/L=HangZhou/O=CnSixi Inc./OU=Web Security/CN=JiangTianbei"
Enter pass phrase for server.key:

Encrypting the key with the CA

Note that this command reads ca.key, strips its passphrase and writes the result to server.key, so it overwrites the server key generated in the previous step.

shell> openssl rsa -in ca.key -out server.key
Enter pass phrase for ca.key:
writing RSA key

Exporting the certificate

shell> openssl x509 -req -days 36500 -in server.csr -signkey server.key -out server.crt
Signature ok
subject=/C=CN/ST=China/L=HangZhou/O=CnSixi Inc./OU=Web Security/CN=JiangTianbei
Getting Private key
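
As an added example, not part of the original post: the same certificate workflow as a non-interactive script that keeps ca.key and server.key separate, signs the CSR with the CA instead of self-signing it, adds a subjectAltName (which browsers match instead of the CN), and then checks the result. It assumes the openssl CLI is on PATH; the file names, subject strings and output directory are constructed for this demo.

```shell
#!/bin/sh
# Added example (not from the original post): build a throwaway local CA and
# issue a CA-signed server certificate for nginx, non-interactively.
# Assumes the openssl CLI is on PATH. File names are constructed for this demo.

# make_local_pki OUTDIR -> writes ca.key ca.crt server.key server.csr server.crt
make_local_pki() {
    dir="$1"
    mkdir -p "$dir"
    # CA key and self-signed CA cert. No -des3 here: a passphrase-protected
    # key makes nginx stop and prompt for it on every start.
    openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
    openssl req -x509 -new -key "$dir/ca.key" -days 3650 -sha256 \
        -subj "/C=CN/O=Local Test CA/CN=Local Test Root" -out "$dir/ca.crt"
    # Separate server key and CSR (never overwrite server.key with ca.key).
    openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
    openssl req -new -key "$dir/server.key" -out "$dir/server.csr" \
        -subj "/C=CN/ST=China/L=HangZhou/O=CnSixi Inc./OU=Web Security/CN=localhost"
    # Browsers match the SAN, not the CN, so list every hostname/IP here.
    printf 'subjectAltName=DNS:localhost,IP:127.0.0.1\nextendedKeyUsage=serverAuth\n' \
        > "$dir/server.ext"
    # Sign the CSR with the CA (-CA/-CAkey) instead of self-signing (-signkey).
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 365 -sha256 -extfile "$dir/server.ext" \
        -out "$dir/server.crt" 2>/dev/null
}

# verify_chain OUTDIR -> 0 if server.crt chains to ca.crt and lists DNS:localhost
verify_chain() {
    dir="$1"
    openssl verify -CAfile "$dir/ca.crt" "$dir/server.crt" >/dev/null 2>&1 || return 1
    openssl x509 -in "$dir/server.crt" -noout -text | grep -q 'DNS:localhost'
}

# key_matches_cert CERT KEY -> 0 if KEY is the private key belonging to CERT.
# This is the check that catches a server.key that was overwritten by ca.key.
key_matches_cert() {
    c=$(openssl x509 -in "$1" -noout -modulus)
    k=$(openssl rsa -in "$2" -noout -modulus 2>/dev/null)
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Usage: sh make_pki.sh /opt/ssl   (then point nginx at server.crt / server.key)
if [ $# -gt 0 ]; then
    make_local_pki "$1" && verify_chain "$1" \
        && key_matches_cert "$1/server.crt" "$1/server.key" && echo "OK: $1"
fi
```

Point ssl_certificate at server.crt and ssl_certificate_key at server.key, and import ca.crt into the browser or OS trust store so the site is trusted without a warning.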

Configuring the HTTPS site

Configuring the site directly

  • Open the config file nginx.conf (remember the directory where the certificates were generated)
    # HTTPS server
    server {
        listen 443 ssl;
        server_name localhost;

        ssl_certificate /opt/ssl/server.crt;     # certificate file in the cert directory
        ssl_certificate_key /opt/ssl/server.key; # private key file in the cert directory

        ssl_session_cache shared:SSL:1m;
        ssl_session_timeout 5m;

        ssl_ciphers HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers on;

        location / {
            root html;
            index index.html index.htm;
        }
    }

Configuring a reverse proxy

  • Open the config file nginx.conf and change it as follows
    # HTTPS server
    server {
        listen 443 ssl;
        server_name localhost;

        ssl_certificate /opt/ssl/server.crt;     # certificate file in the cert directory
        ssl_certificate_key /opt/ssl/server.key; # private key file in the cert directory

        ssl_session_cache shared:SSL:1m;
        ssl_session_timeout 5m;

        ssl_ciphers HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers on;

        location / {
            ### upstream address ##
            proxy_pass http://member.aoshiwei.com;
            ### force timeouts if one of the backends is dead ##
            proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;

            ### set proxy headers ####
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

            ### Most PHP, Python, Rails, Java apps can use this header ###
            proxy_set_header X-Forwarded-Proto https;

            ### By default we don't want to redirect it ####
            proxy_redirect off;
        }
    }

Restarting the server

  • Run nginx -s stop && nginx to restart the server
  • If the environment variable is not set, change to the install directory first
    shell> cd /usr/local/nginx/sbin
    shell> ./nginx -s stop && ./nginx
