
Configuring Nginx with the ssl module to support HTTPS access

2025-02-27 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/02 Report--

The ssl module is not installed by default. To use it, specify the --with-http_ssl_module parameter when compiling nginx.

Requirement:

The website with the domain name www.localhost.cn must be reachable through https://www.localhost.cn.

10.10.100.8 www.localhost.cn

The steps of the experiment:

1. First make sure that openssl and openssl-devel are installed on the machine

# yum install openssl
# yum install openssl-devel

2. Create the server private key. The command will ask you to enter a pass phrase:

openssl genrsa -des3 -out server.key 1024   # generate the private key (1024 is the article's value; 2048 bits is the usual minimum today)

Because nginx will use this key later, you would have to enter the PEM pass phrase every time nginx is reloaded. Since a pass phrase must be entered during generation, enter one now and remove it afterwards.

3. Create the certificate signing request (CSR):

openssl req -new -key server.key -out server.csr   # generate the signing request that carries the public key

4. Remove the pass phrase that would otherwise be required when Nginx with SSL support loads the private key above:

cp server.key server.key.org
openssl rsa -in server.key.org -out server.key   # remove the pass phrase so that reload does not prompt for it

5. Configure nginx

Finally, sign the certificate using the above private key and CSR:

openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

6. Modify the Nginx configuration file to contain the newly signed certificate and private key:

# vim /usr/local/nginx/conf/nginx.conf

http {
    include server/*.cn;
}

7. Modify the Nginx configuration file to contain the newly signed certificate and private key:

# vim /usr/local/nginx/server/www.localhost.cn

server {
    listen 443;                                          # listening port is 443
    server_name www.localhost.cn;
    ssl on;                                              # enable ssl
    ssl_certificate /etc/pki/tls/certs/server.crt;       # certificate location
    ssl_certificate_key /etc/pki/tls/certs/server.key;   # private key location
    ssl_session_timeout 5m;
    # SSLv2 and SSLv3 are obsolete; the dual-port block later on this page lists TLSv1 TLSv1.1 TLSv1.2
    ssl_protocols SSLv2 SSLv3 TLSv1;
    # the cipher list is given in the format that openssl supports:
    ssl_ciphers Higg _

8. Start the nginx server.

# /usr/local/nginx/sbin/nginx -s reload   # if the environment permits, kill the running process and start nginx again instead

If the error [emerg] 10464400: unknown directive "ssl" in /usr/local/nginx-0.6.32/conf/nginx.conf:74 appears, the ssl module has not been compiled into nginx. Add --with-http_ssl_module when running configure.

For example:

[root@localhost nginx-1.4.4]# ./configure --prefix=/usr/local/nginx --user=www --group=www --with-http_stub_status_module --with-http_ssl_module

9. Test whether the website can be accessed through https

https://www.localhost.cn

You can also add the following code to redirect port 80 to 443

server {
    listen 80;
    server_name www.localhost.cn;
    #rewrite ^(.*) https://$server_name$1 permanent;
    rewrite ^(.*)$ https://$host$1 permanent;
}

With the following configuration, a single virtual host can serve both HTTP and HTTPS:

listen 80;
listen 443 default ssl;

A configuration in which ports 80 and 443 are both served at the same time:

server {
    listen 80 default backlog=2048;
    listen 443 ssl;
    server_name www.localhost.com;
    # ssl on;   # commented out
    ssl_certificate /usr/local/https/www.localhost.com.crt;
    ssl_certificate_key /usr/local/https/www.localhost.com.key;
    ssl_session_timeout 5m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers AESGCMV all, export, RC4, Medi IUM, LOWIUM, LOWL, null,
    ssl_prefer_server_ciphers on
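The step 7 block enables HTTPS with "ssl on" and lists SSLv2 and SSLv3, while the dual-port block uses "listen 443 ssl" and a newer protocol list. The shell function below is an added example, not part of the original article: it scans nginx configuration text for those outdated directives. The function name, the two sample blocks and the replacement value "TLSv1.2 TLSv1.3" are assumptions made for the illustration.

```shell
#!/bin/sh
# Reads nginx config from the named files, or from stdin when none are given.
# Prints one finding per line; prints nothing for a clean config.
audit_nginx_tls() {
    awk '
    { sub(/#.*/, ""); cfg = cfg " " $0 }        # drop comments, join lines
    END {
        n = split(cfg, stmt, /[;{}]/)             # one directive per element
        for (i = 1; i <= n; i++) {
            k = split(stmt[i], w, " ")            # w[1] is the directive name
            if (w[1] == "ssl" && w[2] == "on")
                print "obsolete directive: ssl on"
            if (w[1] == "listen" && (w[2] == "443" || w[2] ~ /:443$/)) {
                tls = 0
                for (j = 3; j <= k; j++) if (w[j] == "ssl") tls = 1
                if (!tls) print "listen 443 lacks the ssl parameter"
            }
            if (w[1] == "ssl_protocols")
                for (j = 2; j <= k; j++)
                    if (w[j] ~ /^(SSLv2|SSLv3|TLSv1|TLSv1\.1)$/)
                        print "deprecated protocol: " w[j]
        }
    }' "$@"
}

# Constructed sample: the TLS directives of the step 7 server block.
sample_step7() {
    cat <<'EOF'
server {
    listen 443;
    server_name www.localhost.cn;
    ssl on;
    ssl_protocols SSLv2 SSLv3 TLSv1;
}
EOF
}

# Constructed sample: the same block with assumed replacement values.
sample_hardened() {
    cat <<'EOF'
server {
    listen 443 ssl;
    server_name www.localhost.cn;
    # ssl on;
    ssl_protocols TLSv1.2 TLSv1.3;
}
EOF
}

sample_step7 | audit_nginx_tls    # prints five findings
```

To check a real file, pass its path as the argument, for example audit_nginx_tls /usr/local/nginx/server/www.localhost.cn.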

Nginx setting to ignore 404 error-log entries for the favicon.ico file (logging is disabled when favicon.ico does not exist)

Add the following inside the server { ... } block:

location = /favicon.ico {
    log_not_found off;
    access_log off;
}

The above is the whole content of this article, I hope it will be helpful to your study, and I also hope that you will support it.
