1. Generate an SSL certificate with openssl
yum -y install openssl openssl-devel
openssl genrsa -out privkey.pem 2048
openssl req -new -x509 -key privkey.pem -out cacert.pem -days 1095
Loading 'screen' into random state - done
Generating a 1024 bit RSA private key
...........................++++++
....................................++++++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be
incorporated into your certificate request.
What you are about to enter is what is called a
Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:chengdu
Locality Name (eg, city) []:chengdu
Organization Name (eg, company) [Internet Widgits Ltd]:cnblackhat
Organizational Unit Name (eg, section) []:cnblackhat
Common Name (eg, YOUR name) []:www.cnblackhat.com
Email Address []:root@cnblackhat.com
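Country Name (2 letter code): the two-letter country code in International Organization for Standardization (ISO) format. For China, enter CN.
State or Province Name (full name): the province, for example chengdu.
Locality Name (eg, city): the city, for example chengdu.
Organization Name (eg, company): the organization, for example the pinyin of the company name.
Organizational Unit Name (eg, section): for example cnblackhat.
Common Name (eg, your websites domain name): the address of the site that will use SSL. Note that this is not simply your domain but the exact name of the site served over SSL. Each name counts as a separate site here: cnblackhat.com is one site, www.cnblackhat.com is another, and bbs.cnblackhat.com is yet another.
Email Address: the email address.
2. Confirm that nginx supports the OpenSSL module
--with-http_stub_status_module --with-http_ssl_module
If nginx has these two, that is enough. If not, recompile it yourself with them added.
3. Modify the nginx configuration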
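server {
    # Plain-HTTP listener: redirect every request to the HTTPS site
    listen 80;
    server_name www.cnblackhat.com;
    rewrite ^(.*) https://$server_name$1 permanent;
}
server {
    # "listen 443 ssl" replaces the deprecated "ssl on;" directive,
    # which was removed in nginx 1.25.1
    listen 443 ssl;
    ssl_certificate /etc/nginx/cacert.pem;
    ssl_certificate_key /etc/nginx/privkey.pem;
    server_name www.cnblackhat.com;
    root /var/www/vhosts/wwwroot;
    index index.php index.html index.htm;
}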
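This redirects port 80 to port 443, forcing the site to use SSL encryption.
4. Restart nginx and verify
service nginx reload
Enter http://www.cnblackhat.com in a browser and it will redirect to https://www.cnblackhat.com on its own. That's it. A certificate made this way is not trusted, but it is fine for use on an internal network.
As for StartSSL being free: it is only free for one year, so it is not of much use.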
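An added example, not part of the original post: it runs step 1 without the interactive prompts and checks, before nginx is reloaded, that the certificate matches the private key, covers the server_name from step 3, and has not expired. The function names and the directory argument are assumptions, and OpenSSL 1.0.2 or later is assumed for -checkhost.

```shell
#!/bin/sh
# Added example, not from the original post. The function names and the
# directory argument are hypothetical.

# Step 1 without the interactive prompts: -subj supplies the DN fields.
# usage: make_selfsigned <dir> <common-name>
make_selfsigned() {
    # umask 077 keeps the private key unreadable to other local users.
    ( umask 077 && openssl genrsa -out "$1/privkey.pem" 2048 2>/dev/null ) || return 1
    openssl req -new -x509 -key "$1/privkey.pem" -out "$1/cacert.pem" -days 1095 \
        -subj "/C=CN/ST=chengdu/L=chengdu/O=cnblackhat/OU=cnblackhat/CN=$2"
}

# True when the certificate's public key is the one derived from the key file.
# A mismatched pair makes nginx refuse to load the configuration.
# usage: cert_matches_key <cert.pem> <key.pem>
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# True when the certificate is valid for exactly this host name
# (www.cnblackhat.com and bbs.cnblackhat.com are different names).
# usage: cert_covers_host <cert.pem> <hostname>
cert_covers_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null |
        grep -q ' does match certificate'
}

# Gate to run before "service nginx reload".
# usage: check_before_reload <cert.pem> <key.pem> <server_name>
check_before_reload() {
    cert_matches_key "$1" "$2" || { echo "key does not match certificate" >&2; return 1; }
    cert_covers_host "$1" "$3" || { echo "certificate does not cover $3" >&2; return 1; }
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null ||
        { echo "certificate has expired" >&2; return 1; }
}

# Example:
#   check_before_reload /etc/nginx/cacert.pem /etc/nginx/privkey.pem www.cnblackhat.com
```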