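1. Install nginx
1.1 Downloading the nginx package and its dependencies
Because of module dependencies, Nginx depends on the following three packages:
the gzip module requires the zlib library;
the rewrite module requires the pcre library;
the ssl feature requires the openssl library;
Download the latest stable version of each (at the time of writing these are zlib-1.2.8.tar.gz, pcre-8.36.tar.gz and openssl-fips-2.0.9.tar.gz), then download the latest stable version of Nginx (at the time of writing, nginx-1.7.10.tar.gz). Install the dependencies in this order: openssl, zlib, pcre; install the Nginx package last.
1.2 Installing the nginx package and its dependencies
1.2.1 Install openssl
$ tar -zxvf openssl-fips-2.0.9.tar.gz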
$ cd openssl-fips-2.0.9
$ ./config
$ make
$ sudo make install
1.2.2 Install zlib
$ tar -zxvf zlib-1.2.8.tar.gz
$ cd zlib-1.2.8
$ ./configure
$ make
$ sudo make install
1.2.3 Install pcre
$ tar -zxvf pcre-8.36.tar.gz
$ cd pcre-8.36
$ ./configure
$ make
$ sudo make install
1.2.4 Install nginx
$ tar -zxvf nginx-1.7.10.tar.gz
$ cd nginx-1.7.10
$ ./configure --with-pcre=../pcre-8.36 --with-zlib=../zlib-1.2.8 --with-openssl=../openssl-fips-2.0.9
$ make
$ sudo make install
By default nginx is installed in the /usr/local/nginx directory.
1.3 Verify that Nginx installed successfully
$ sudo /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
This shows that Nginx was installed successfully.
$ sudo mkdir ca
$ cd ca
$ sudo mkdir newcerts private conf server
The newcerts subdirectory will hold the digital certificates signed by the CA (certificate backup directory); private holds the CA's private key; conf holds configuration files used to simplify parameters; server holds the server certificate files.
2.1.1 Create an openssl.conf file in the conf directory and edit its contents as follows:
[ ca ]
default_ca = foo # The default ca section

[ foo ]
dir = /usr/local/nginx/ca # top dir
database = /usr/local/nginx/ca/index.txt # index file.
new_certs_dir = /usr/local/nginx/ca/newcerts # new certs dir
certificate = /usr/local/nginx/ca/private/ca.crt # The CA cert
serial = /usr/local/nginx/ca/serial # serial no file
private_key = /usr/local/nginx/ca/private/ca.key # CA private key
RANDFILE = /usr/local/nginx/ca/private/.rand # random number file
default_days = 365 # how long to certify for
default_crl_days= 30 # how long before next CRL
default_md = md5 # message digest method to use
unique_subject = no # Set to 'no' to allow creation of
                    # several certificates with same subject.
policy = policy_any # default policy

[ policy_any ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = match
localityName = optional
commonName = supplied
emailAddress = optional
2.1.2 Generate the private key file
$ cd /usr/local/nginx/ca
$ sudo openssl genrsa -out private/ca.key
Output:
Generating RSA private key, 512 bit long modulus
..++++++++++++
.++++++++++++
e is 65537 (0x10001)
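A ca.key file is generated in the private directory.
Blogger's note added 20150520: openssl generates a 512-bit key by default. 2048 bits is generally used.
2.1.3 Generate the certificate signing request (csr) file
$ sudo openssl req -new -key private/ca.key -out private/ca.csr
When prompted for Country Name, enter CN and press Enter; then:
When prompted for State or Province Name (full name), enter Shanghai and press Enter; then:
When prompted for Locality Name, enter Shanghai and press Enter; then:
When prompted for Organization Name, enter Defonds and press Enter; then:
When prompted for Organizational Unit Name, enter Dev and press Enter; then:
When prompted for Common Name, enter localhost if you have no domain name, and press Enter; then:
When prompted for Email Address, enter defonds@163.com and press Enter; then: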
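The openssl.conf in 2.1.1 sets default_md = md5, and the key in 2.1.2 is generated at the 512-bit default. The script below is an added example, not part of the original post: it flags a weak signing digest in an openssl.conf-style file and generates the CA key with an explicit 2048-bit size, then reads the size back. The function names, the list of digests treated as weak (md2, md4, md5, sha1) and the temporary file names are assumptions of this example.

```bash
#!/usr/bin/env bash
# Added example: pre-issuance checks for the CA set up on this page.
# Function names and the weak-digest list are this example's assumptions.

# Print the value assigned to <key> in an openssl.conf-style file, minus comments.
conf_value() {  # usage: conf_value <file> <key>
    awk -v key="$2" '{
        sub(/#.*/, "")                                  # drop trailing comment
        n = index($0, "="); if (n == 0) next            # skip section headers
        k = substr($0, 1, n - 1); v = substr($0, n + 1)
        gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
        if (k == key) { print v; exit }
    }' "$1"
}

# Classify default_md: prints "weak:<name>", "ok:<name>" or "unset".
digest_status() {  # usage: digest_status <file>
    md=$(conf_value "$1" default_md | tr 'A-Z' 'a-z')
    case "$md" in
        "")               echo "unset" ;;
        md2|md4|md5|sha1) echo "weak:$md" ;;
        *)                echo "ok:$md" ;;
    esac
}

# Print the modulus size, in bits, of an unencrypted RSA private key.
key_bits() {  # usage: key_bits <keyfile>
    openssl rsa -in "$1" -noout -text 2>/dev/null |
        sed -n 's/.*Private-Key: (\([0-9][0-9]*\) bit.*/\1/p'
}

# Constructed sample: two settings from the page's [ foo ] section, and a corrected copy.
demo_dir=$(mktemp -d)
printf '%s\n' '[ foo ]' 'default_days = 365 # how long to certify for' \
    'default_md = md5 # message digest method to use' > "$demo_dir/page.conf"
sed 's/= md5/= sha256/' "$demo_dir/page.conf" > "$demo_dir/fixed.conf"

echo "page.conf : $(digest_status "$demo_dir/page.conf")"
echo "fixed.conf: $(digest_status "$demo_dir/fixed.conf")"

# State the key size explicitly instead of relying on the genrsa default.
if command -v openssl >/dev/null 2>&1 &&
   openssl genrsa -out "$demo_dir/ca.key" 2048 2>/dev/null; then
    echo "ca.key    : $(key_bits "$demo_dir/ca.key") bits"
fi
rm -rf "$demo_dir"
```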