Author: 吴业亮
Blog: https://wuyeliang.blog.csdn.net/
一、Creating the SSL certificate
# cd /etc/pki/tls/certs
# make server.key
umask 77 ; \
/usr/bin/openssl genrsa -aes128 2048 > server.key
Generating RSA private key, 2048 bit long modulus
...
...
e is 65537 (0x10001)
Enter pass phrase:              # enter a passphrase
Verifying - Enter pass phrase:  # confirm it
# remove the passphrase from the private key
# openssl rsa -in server.key -out server.key
Enter pass phrase for server.key:  # enter the passphrase
writing RSA key
# make server.csr
umask 77 ; \
/usr/bin/openssl req -utf8 -new -key server.key -out server.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN  # country
State or Province Name (full name) []:shanghai  # province
Locality Name (eg, city) [Default City]:shanghai  # city
Organization Name (eg, company) [Default Company Ltd]:openstack  # company
Organizational Unit Name (eg, section) []:Server World  # department
Common Name (eg, your name or your server's hostname) []:www.srv.world  # hostname
Email Address []:xxx@srv.world  # e-mail address
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:  # press Enter
An optional company name []:  # press Enter
# openssl x509 -in server.csr -out server.crt -req -signkey server.key -days 3650
Signature ok
subject=/C=CN/ST=shanghai/L=shanghai/O=openstack/OU=computer/CN=www.openstack.com/emailAddress=example@openstack.com
Getting Private key
二、Edit the configuration file /etc/nginx/nginx.conf
# add the following to the "server" section
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    listen 443 ssl;
    server_name www.srv.world;
    root /usr/share/nginx/html;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers ECDHE+RSAGCM:ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!DSS;
    ssl_certificate /etc/pki/tls/certs/server.crt;
    ssl_certificate_key /etc/pki/tls/certs/server.key;
}
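As an added check that is not part of the original post, the following Python script parses the ssl_* directives of an nginx server block and flags the weak points in a configuration like the one above: TLSv1 and TLSv1.1 are deprecated protocols, and the original `!aNULL!eNull` token is malformed (no ':' separator, and OpenSSL's documented alias is spelled `!eNULL`). The directive names are nginx's own; the function names and the two embedded sample blocks are constructed for this example.

```python
import re

# OpenSSL matches alias names literally, so the documented spellings matter:
# "!eNull" is not "!eNULL" and would not exclude the NULL-encryption suites.
REQUIRED_EXCLUSIONS = ("!aNULL", "!eNULL")
DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
# One ':'-separated token: optional !/+/- prefix and alias parts joined by '+'.
TOKEN_RE = re.compile(r"^[!+\-]?[A-Za-z0-9.=_-]+(\+[A-Za-z0-9.=_-]+)*$|^@\w+=\S+$")

def parse_ssl_directives(conf_text):
    """Map each ssl_* directive in an nginx server block to its argument list."""
    found = {}
    for m in re.finditer(r"^\s*(ssl_\w+)\s+([^;]+);", conf_text, re.MULTILINE):
        found[m.group(1)] = m.group(2).strip().strip('"').split()
    return found

def audit_tls_config(conf_text):
    """Return a list of findings; an empty list means nothing was flagged."""
    d = parse_ssl_directives(conf_text)
    findings = [f"deprecated protocol enabled: {p}"
                for p in d.get("ssl_protocols", []) if p in DEPRECATED_PROTOCOLS]
    tokens = [t for t in re.split(r"[:, ]+", " ".join(d.get("ssl_ciphers", []))) if t]
    for t in tokens:
        if not TOKEN_RE.match(t):
            findings.append(f"malformed cipher token (missing ':' separator?): {t}")
    for alias in REQUIRED_EXCLUSIONS:
        if alias not in tokens:
            findings.append(f"cipher list does not contain {alias}")
    if d.get("ssl_prefer_server_ciphers") != ["on"]:
        findings.append("ssl_prefer_server_ciphers is not 'on'")
    return findings

# Constructed sample: the post's directives with the original !aNULL!eNull typo.
PAGE_SERVER_BLOCK = """server {
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers ECDHE+RSAGCM:ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:!aNULL!eNull:!EXPORT:!DES:!3DES:!MD5:!DSS;
}"""
# Constructed sample: current protocols only and the separator/spelling repaired.
HARDENED_SERVER_BLOCK = """server {
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_ciphers ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!DSS;
}"""

if __name__ == "__main__":
    for name, conf in (("page", PAGE_SERVER_BLOCK), ("hardened", HARDENED_SERVER_BLOCK)):
        print(name, audit_tls_config(conf) or ["no findings"])
```

Point the script at the server block of a real nginx.conf to get the same findings list for your own configuration.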
四、Restart the service
# systemctl restart nginx
Configure the firewall
# firewall-cmd --add-service=https --permanent
# firewall-cmd --reload