Configuring HTTPS in nginx with a free self-signed CA certificate

2025-01-16 Update From: SLTechnology News&Howtos

Shulou(Shulou.com) 06/02

Configure https for nginx and self-sign the certificate

1. Create the CA certificate

ca.key, the CA private key:

openssl genrsa -des3 -out ca.key 2048

Create a decrypted copy of the CA private key (generally not necessary):

openssl rsa -in ca.key -out ca_decrypted.key

ca.crt, the CA root certificate (public key):

openssl req -new -x509 -days 7305 -key ca.key -out ca.crt

2. Create the website certificate and sign it with the CA

Here, assume that the domain name of the website is blog.creke.net

Generate the private key for the blog.creke.net certificate:

openssl genrsa -des3 -out blog.creke.net.pem 2048

Create the decrypted private key for the blog.creke.net certificate (note: the decrypted format is the one nginx supports in its configuration):

openssl rsa -in blog.creke.net.pem -out blog.creke.net.key

Generate the certificate signing request:

openssl req -new -key blog.creke.net.pem -out blog.creke.net.csr

Enter the website's domain name, such as blog.creke.net, as the Common Name to generate a certificate for that site. You can also enter a wildcard domain such as *.creke.net to generate a certificate that is valid for all second-level domain names.

Sign with the CA:

openssl ca -policy policy_anything -days 1460 -cert ca.crt -keyfile ca.key -in blog.creke.net.csr -out blog.creke.net.crt

The -policy parameter allows the signing CA and the website certificate to differ in country, place name and other information, while the -days parameter sets how long the signature is valid.

If "I am unable to access the ./../CA/newcerts directory" appears when the signing command is executed:

Set "dir = ./CA" in /etc/pki/tls/openssl.cnf

Then:

mkdir -p CA/newcerts

touch CA/index.txt

touch CA/serial

echo "01" > CA/serial

And then re-execute the signing command.

Finally, append the contents of ca.crt to the end of blog.creke.net.crt. This is quite important: if you skip it, some browsers may not support the certificate.

All right, now the website private key blog.creke.net.key and website certificate blog.creke.net.crt that https needs to use are ready. Next, start configuring the server.
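A non-interactive variant of the steps above, as an added example that is not part of the original article: it signs with openssl x509 -req instead of openssl ca, builds the combined certificate file, and checks the results before they go into nginx. The function names, the test CA subject and the subjectAltName entry (the article sets only the common name) are assumptions made for illustration.

```shell
# Added example on constructed throwaway keys; a real CA key keeps its -des3 passphrase.

# build_site_cert DIR DOMAIN: CA, site key, CSR, signed cert and chain file.
build_site_cert() {
    d=$1 name=$2
    openssl genrsa -out "$d/ca.key" 2048 2>/dev/null || return 1
    openssl req -new -x509 -days 7305 -key "$d/ca.key" \
        -subj "/CN=Constructed Test CA" -out "$d/ca.crt" || return 1
    openssl genrsa -out "$d/$name.key" 2048 2>/dev/null || return 1
    chmod 600 "$d/ca.key" "$d/$name.key"
    openssl req -new -key "$d/$name.key" -subj "/CN=$name" \
        -out "$d/$name.csr" || return 1
    # Current browsers match the host name against subjectAltName, not CN.
    printf 'subjectAltName=DNS:%s\n' "$name" > "$d/$name.ext"
    openssl x509 -req -days 1460 -in "$d/$name.csr" -CA "$d/ca.crt" \
        -CAkey "$d/ca.key" -CAcreateserial -extfile "$d/$name.ext" \
        -out "$d/$name.leaf.crt" 2>/dev/null || return 1
    # ssl_certificate file: site certificate first, CA certificate appended.
    cat "$d/$name.leaf.crt" "$d/ca.crt" > "$d/$name.crt"
}

# check_site_cert CHAIN KEY CA NAME: print the first problem and return 1.
check_site_cert() {
    chain=$1 key=$2 ca=$3 name=$4
    grep -q ENCRYPTED "$key" &&
        { echo "key is still passphrase-protected"; return 1; }
    # An unencrypted key is protected only by its file permissions.
    [ -n "$(find "$key" \( -perm -040 -o -perm -004 \))" ] &&
        { echo "key is readable by group or others"; return 1; }
    openssl verify -CAfile "$ca" "$chain" >/dev/null 2>&1 ||
        { echo "certificate does not verify against CA"; return 1; }
    # Certificate and key must carry the same public key.
    cert_pub=$(openssl x509 -in "$chain" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$key" -pubout | openssl sha256)
    [ "$cert_pub" = "$key_pub" ] ||
        { echo "private key does not match certificate"; return 1; }
    openssl x509 -in "$chain" -noout -text | grep -q "DNS:$name" ||
        { echo "subjectAltName lacks $name"; return 1; }
    echo ok
}

# Demo on constructed material in a temporary directory.
tmp=$(mktemp -d) && build_site_cert "$tmp" blog.creke.net &&
    check_site_cert "$tmp/blog.creke.net.crt" "$tmp/blog.creke.net.key" \
        "$tmp/ca.crt" blog.creke.net
rm -rf "$tmp"
```

Running the check before nginx -t catches a mismatched key or a missing CA certificate while the old configuration is still serving traffic.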

II. Configure nginx

server {
    listen 443 ssl;
    server_name blog.creke.net;
    keepalive_timeout 70;

    ssl_certificate blog.creke.net.crt;      # path to the website certificate
    ssl_certificate_key blog.creke.net.key;  # path to the website private key
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 5m;
}

III. Check the configuration and reload nginx

Check the configuration:

nginx -t

Reload:

nginx -s reload

IV. QA

Sometimes, after logging in to programs such as phpMyAdmin, you will find that you are mistakenly redirected to http. The solution is to find the "location ~ .*.(php|php5)?$ {}" block and add the following alongside the "include fcgi.conf;" line or the existing fastcgi_param settings:

fastcgi_param HTTPS on;

fastcgi_param HTTP_SCHEME https;

Here is the nginx official document on https, which can be used as a reference.
