如何为服务器生成SSL证书文件?
openssl genrsa -des3 -out nginx.key 2048
openssl req -new -key nginx.key -out nginx.csr
cp nginx.key nginx.key.org
openssl rsa -in nginx.key.org -out nginx.key
openssl x509 -req -days 365 -in nginx.csr -signkey nginx.key -out nginx.crt
SSL 证书配置规划:
一、检查系统是否支持SSL
上传完配置文件后,如果发现出现类似提示,请检查一下是否有编译SSL选项
# /usr/local/nginx/sbin/nginx -t
nginx: [emerg] unknown directive "ssl" in /usr/local/nginx/conf/vhost/nginx.conf:8
nginx: configuration file /usr/local/nginx/conf/nginx.conf test failed
# /usr/local/nginx/sbin/nginx -V
nginx version: nginx/1.0.12
built by gcc 4.1.2 20080704 (Red Hat 4.1.2-48)
configure arguments: --user=nobody --group=nobody --prefix=/usr/local/nginx \
--with-http_stub_status_module --with-http_gzip_static_module --with-http_realip_module \
--with-http_sub_module --add-module=./nginx-upstream-jvm-route/ --with-pcre=/root/pcre-8.12
二、如果你有多个不同域名的证书,则需要重新编译openssl,以获得TLS SNI支持
# wget
# tar zxvf ./openssl-0.9.8l.tar.gz
# cd ./openssl-0.9.8l
# ./config enable-tl***t
# make && make install
需要重新编译:
# ./configure --user=nobody --group=nobody --prefix=/usr/local/nginx \
--with-http_stub_status_module --with-http_gzip_static_module \
--with-http_realip_module --with-http_sub_module --add-module=./nginx_upstream_jvm_route/ \
--with-pcre=/root/pcre-8.12 --with-http_ssl_module --with-openssl=/root/openssl-0.9.8l/
# make
# make install
编译完成以后,查看是否支持下TLS,SNI
# /usr/local/nginx/sbin/nginx -V
nginx version: nginx/1.0.12
built by gcc 4.1.2 20080704 (Red Hat 4.1.2-52)
TLS SNI support enabled
configure arguments: --user=nobody --group=nobody --prefix=/usr/local/nginx \
--with-http_stub_status_module --with-http_gzip_static_module \
--with-http_realip_module --with-http_sub_module --add-module=./nginx_upstream_jvm_route/ \
--with-pcre=/root/pcre-8.12 --with-http_ssl_module --with-openssl=/root/openssl-0.9.8l/
1、在本机上备份证书、私钥、针对每个域名的配置文件
2、在本机nginx上部署应用,视情况开启rewrite
3、要求每个反向代理节点都可以