赞
踩
nginx开启https前提:
--with-http_ssl_module --with-stream --with-stream_ssl_preread_module
模块openssl version
mkdir /usr/local/ssl
cd /usr/local/ssl
# 解压
tar -xf openssl-3.0.1.tar.gz
# 设置SSL库文件路径
./config --prefix=/usr/local/ssl/
make
make install
vi /etc/ld.so.conf
# 最后一行添加/usr/local/ssl/ 路径
sudo ldconfig
常见报错:openssl: error while loading shared libraries: libssl.so.10: cannot open shared object file: No such file or directory
系统版本和openssl版本不一致,具体哪里的日志记录需要的版本忘记了
# 第一步:生成私钥
mkdir /etc/ssl/certs/www.abc.com
cd /etc/ssl/certs/www.abc.com
openssl genrsa -des3 -out server.key 2048
# 输入一个4位以上的密码
# 确认密码
#第二步:生成CSR(证书签名请求)
openssl req -new -key server.key -out server.csr -subj "/C=CN/ST=JiLin/L=ChangChun/O=gsafety/OU=gsafety/CN=www.abc.com"
#第三步:去除私钥中的密码
#在第1步创建私钥的过程中,由于必须要指定一个密码。而这个密码会带来一个副作用,那就是在每次启动Web服务器时,都会要求输入密码
#这显然非常不方便。要删除私钥中的密码,操作如下:
openssl rsa -in server.key -out server.key
#第四步:生成自签名SSL证书
# -days 证书有效期-天
openssl x509 -req -days 3650 -in server.csr -signkey server.key -out server.crt
nginx -V
可以参考我之前的博客 Nginx 平滑升级
./configure --prefix=/usr/local/nginx --with-http_ssl_module --with-pcre --with-http_gzip_static_module --with-stream --with-stream_ssl_preread_module
生成nginx二进制执行文件到当前目录 /objs
make
替换
mv /usr/local/nginx/sbin/nginx /usr/local/nginx/sbin/nginx.bak
cp /usr/local/nginx-1.13.3/objs/nginx /usr/local/nginx/sbin/
验证
[root@web nginx-1.21.5]# make upgrade
/usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
kill -USR2 `cat /usr/local/nginx/logs/nginx.pid`
sleep 1
test -f /usr/local/nginx/logs/nginx.pid.oldbin
kill -QUIT `cat /usr/local/nginx/logs/nginx.pid.oldbin`
升级
#验证模块是否加载成功
nginx -V
下面是一段双协议支持的配置代码
请允许我抄袭一下小左同学的代码
stream {
upstream http_protocol {
# 8991端口是一个开启http的端口
server 127.0.0.1:8991;
}
upstream https_protocol {
# 10002端口是一个开启https的端口
server 127.0.0.1:10002;
}
# 根据不同的协议走不同的upstream
map $ssl_preread_protocol $upstream {
default http_protocol;
"TLSv1.0" https_protocol;
"TLSv1.1" https_protocol;
"TLSv1.2" https_protocol;
"TLSv1.3" https_protocol;
}
server {
listen 8990;
ssl_preread on;
proxy_pass $upstream;
}
}
server {
listen 10002 ssl;
server_name www.gsafety.com;
ssl_certificate /etc/ssl/certs/www.abc.com/server.crt;
ssl_certificate_key /etc/ssl/certs/www.abc.com/server.key;
#减少点击劫持
#add_header X-Frame-Options DENY;
add_header X-Frame-Options AllowAll;
#禁止服务器自动解析资源类型
add_header X-Content-Type-Options nosniff;
#防XSS攻击
add_header X-Xss-Protection 1;
#优先采取服务器算法
ssl_prefer_server_ciphers on;
#协议
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
location / {
proxy_pass http://127.0.0.1:8991/;
}
}
openssl: error while loading shared libraries: libssl.so.10: cannot open shared object file: No such file or directory
Copyright © 2003-2013 www.wpsshop.cn 版权所有,并保留所有权利。