2025-01-17 Update From: SLTechnology News&Howtos shulou
Shulou(Shulou.com)06/02 Report--
Building an HTTPS server with nginx has a few requirements. The first is to install openssl-devel; without it, compiling nginx with the ssl module will produce an error. If you cannot get it to compile, you can refer to my previous blog, and there is also plenty of material on Baidu and Google.
1. Confirm that the nginx server is running normally.
lsof -i :80
# Check whether port 80 is enabled properly. Nginx defaults to port 80 instead of port 443.
netstat -ntpl | grep nginx | wc -l
ss -ntpl | grep nginx | wc -l
# These are alternative methods; wc -l counts the number of lines in the result.
2. Back up the original main configuration file
cp nginx.conf nginx.conf.https
3. Use openssl to generate untrusted certificates and private keys
openssl genrsa -des3 -out https_1.key 2048
# First create a private key. You will be prompted to enter a password, which must be backed up. In a production environment, the fewer people who know it the better, because the password is needed for operations such as a normal restart or stop of the nginx server.
# genrsa: the command that generates an RSA key; -des3: the encryption algorithm; -out: the output file name; 2048: the key length, also called size (I am still used to calling it length).
openssl req -new -x509 -days 3650 -key https_1.key -out https_1.crt
# Use the previous private key to create an untrusted certificate (but at least it's a certificate).
# req: generate a certificate signing request; -new: indicates a new request; -x509: issue a certificate in X.509 format; -days: the number of days that the certificate is valid; -key: the private key file; -out: the output file name.
4. Modify nginx configuration file
Note: the following settings are configured inside a server block.
worker_processes 1;
events {
    worker_connections 1024;
}
http {
    include mime.types;
    default_type application/octet-stream;
    sendfile on;
    keepalive_timeout 65;
    server {
        listen 443;
        server_name localhost;
        ssl on;
        ssl_certificate /usr/local/nginx/conf/https_1.crt;
        ssl_certificate_key /usr/local/nginx/conf/https_1.key;
        ssl_session_timeout 5m;
        ssl_protocols SSLv3 TLSv1;
        ssl_prefer_server_ciphers on;
        location / {
            root html;
            index index.html index.htm;
        }
        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
            root html;
        }
    }
}
# # #
listen: the port on which to listen
server_name: this is actually the domain name
ssl on: enable ssl
ssl_certificate: the path where the certificate is stored. An absolute path is recommended.
ssl_certificate_key: the path of the private key. An absolute path is recommended.
ssl_session_timeout 5m: how long the session stays valid in the client cache. As a special reminder, a certificate is a very expensive thing to keep.
ssl_protocols SSLv3 TLSv1: the protocols used
ssl_prefer_server_ciphers on: with the SSLv3 and TLSv1 protocols, the server's ciphers take precedence over the client's ciphers (I don't know, but I'm sure it should be an optimization parameter)
ssl_ciphers Higgl: I did not use this parameter because I don't know how to use it.
# # #
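As an added example (not from the original post): SSLv3 and TLSv1 in the ssl_protocols line above are obsolete protocol versions, and "ssl on;" has been deprecated since nginx 1.15.0 in favour of "listen 443 ssl;". The Python script below audits a constructed copy of the step 4 server block and rewrites the flagged directives; the function names are hypothetical, and it assumes a single server block and an nginx/OpenSSL build that supports TLSv1.2 and TLSv1.3.

```python
import re

# Constructed sample: the TLS-related directives from the server block in step 4.
SAMPLE_CONF = """\
server {
    listen 443;
    server_name localhost;
    ssl on;
    ssl_certificate /usr/local/nginx/conf/https_1.crt;
    ssl_certificate_key /usr/local/nginx/conf/https_1.key;
    ssl_session_timeout 5m;
    ssl_protocols SSLv3 TLSv1;
    ssl_prefer_server_ciphers on;
}
"""

# SSLv3 is prohibited by RFC 7568; TLS 1.0 and 1.1 are deprecated by RFC 8996.
OBSOLETE = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

def directives(conf):
    """Yield (name, args) for each 'name args;' statement, comments stripped."""
    for stmt in re.split(r"[;{}]", re.sub(r"#[^\n]*", "", conf)):
        parts = stmt.split()
        if parts:
            yield parts[0], parts[1:]

def audit(conf):
    """Return (directive, problem) pairs for weak TLS settings in one server block."""
    findings = []
    for name, args in directives(conf):
        if name == "ssl_protocols":
            bad = sorted(OBSOLETE.intersection(args))
            if bad:
                findings.append((name, "obsolete protocols enabled: " + " ".join(bad)))
        elif name == "ssl" and args == ["on"]:
            findings.append((name, "'ssl on;' is deprecated; use 'listen 443 ssl;'"))
    return findings

def harden(conf):
    """Rewrite the flagged directives; every other line is left untouched."""
    conf = re.sub(r"(?m)^(\s*ssl_protocols)\s[^;]*;", r"\1 TLSv1.2 TLSv1.3;", conf)
    if re.search(r"(?m)^\s*ssl\s+on\s*;", conf):
        conf = re.sub(r"(?m)^\s*ssl\s+on\s*;[ \t]*\n", "", conf)
        # Assumption: a single server block, so every listen becomes an ssl listener.
        conf = re.sub(r"(?m)^(\s*listen\s+(?![^;]*\bssl\b)[^;]*?)\s*;", r"\1 ssl;", conf)
    return conf

if __name__ == "__main__":
    print(audit(SAMPLE_CONF), harden(SAMPLE_CONF), sep="\n")
```

After applying the rewritten directives to the real nginx.conf, run nginx -t to check the syntax before the reload in step 5.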
5. Restart nginx
/usr/local/nginx/sbin/nginx -s reload
# Be sure to check the port after restarting, because not every restart succeeds.
lsof -i :443
# If there is no output, the restart was not successful.
Tip: you can restart after killall nginx. The firewall should allow port 443 instead of port 80.
6. Use client access to view the results
If something goes wrong again, you can message me privately. I'm a novice, but I like questions.