@hjzheng
Last active July 31, 2019 07:19
nginx support https

Generate a free certificate with https://letsencrypt.org/

This requires a real domain name, one registered through a domain registrar.

yum install python2-certbot-nginx

certbot --nginx --nginx-server-root <your_nginx_install_path> -d <your_domains>

Note: the two parameters are the nginx install path and the real domain name; the command also writes its configuration into the nginx config.

Local or IP access (note: this is only for local testing; browsers will not validate a certificate like this, but it does not stop HTTPS from working)

  • Create an ssl directory to hold our certificates
$ cd /opt
$ sudo mkdir ssl
$ cd ssl
  • Generate server.key
openssl genrsa -des3 -out server.key 2048
# The command above generates an RSA private key encrypted with des3; a passphrase of at least 4 characters must be entered when generating it.
  • Generate a server.key without a passphrase
openssl rsa -in server.key -out server.key
  • Generate the CA crt
openssl req -new -x509 -key server.key -out ca.crt -days 3650
# While the command runs, enter the country, province, city, company, department, e-mail and the other fields in turn.
  • Generate the CSR (server.csr, which the signing step below reads)
openssl req -new -key server.key -out server.csr
  • Generate the signed crt
openssl x509 -req -days 3650 -in server.csr -CA ca.crt -CAkey server.key -CAcreateserial -out server.crt
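The same procedure as a script, added here as an example that is not part of the gist. It differs from the steps above in two ways a practitioner would want: the CA key (ca.key) is separate from the server key (server.key), and the server certificate carries a subjectAltName, which browsers check even for a locally trusted certificate. The output directory ./local-ssl and the names "Local Test CA" and localhost are assumptions.

```shell
#!/bin/sh
# Added example (not from the gist): a local CA plus a localhost server certificate
# for nginx testing. The CA key is kept separate from the server key, and the server
# certificate gets a subjectAltName, which browsers require for a host name to match.
# Assumptions: output directory ./local-ssl, names "Local Test CA" and localhost.

gen_local_tls() {
  dir=$1
  mkdir -p "$dir"

  # 1. CA key, and a CA certificate whose extensions mark it as a CA (CA:TRUE).
  #    A private config file keeps the result the same across OpenSSL versions.
  openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
  cat > "$dir/ca.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[ dn ]
CN = Local Test CA
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  openssl req -x509 -new -key "$dir/ca.key" -sha256 -days 3650 \
    -config "$dir/ca.cnf" -out "$dir/ca.crt"

  # 2. Server key without a passphrase, so nginx can start unattended
  openssl genrsa -out "$dir/server.key" 2048 2>/dev/null

  # 3. CSR for the server (the gist's signing step reads server.csr but never creates it)
  cat > "$dir/server.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = localhost
EOF
  openssl req -new -key "$dir/server.key" -config "$dir/server.cnf" -out "$dir/server.csr"

  # 4. Leaf extensions applied at signing time; the SAN lists the names we test against
  cat > "$dir/server.ext" <<'EOF'
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:localhost, IP:127.0.0.1
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid, issuer
EOF

  # 5. Sign the CSR with the CA. 825 days rather than 3650: Apple platforms reject
  #    leaf certificates with longer lifetimes even when the root is locally trusted.
  openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 825 -sha256 -extfile "$dir/server.ext" \
    -out "$dir/server.crt" 2>/dev/null
}

# Checks to run before pointing nginx at the files: the chain validates against the CA,
# the SAN is present, and the private key actually matches the certificate.
verify_local_tls() {
  dir=$1
  openssl verify -CAfile "$dir/ca.crt" "$dir/server.crt" >/dev/null 2>&1 || return 1
  openssl x509 -in "$dir/server.crt" -noout -text | grep -q 'DNS:localhost' || return 1
  key_pub=$(openssl pkey -in "$dir/server.key" -pubout 2>/dev/null)
  crt_pub=$(openssl x509 -in "$dir/server.crt" -noout -pubkey)
  [ -n "$key_pub" ] && [ "$key_pub" = "$crt_pub" ]
}

# Usage: sh gen-local-tls.sh ./local-ssl   (then point ssl_certificate at server.crt)
if [ -n "${1:-}" ]; then
  gen_local_tls "$1" && verify_local_tls "$1" && echo "certificates written to $1"
fi
```

Import ca.crt into the browser or OS trust store rather than server.crt; the server certificate then validates through the SAN, and nginx only ever sees server.crt and server.key.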

nginx HTTPS configuration

... ...

server {
        listen       8088;
        server_name                 localhost;
        listen                      443 ssl;
        ssl_certificate             /opt/ssl/server.crt;
        ssl_certificate_key         /opt/ssl/server.key;
        ssl_session_cache           shared:SSL:1m;
        ssl_session_timeout         5m;
        # SSLv2 and SSLv3 are broken and are not built into current OpenSSL;
        # with the OpenSSL 1.0.2 build shown below, TLSv1.2 is the newest version available
        ssl_protocols               TLSv1.2;
        ssl_ciphers                 HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers   on;

        root /opt/www;

        location ~* (.+)\.html {
          add_header Cache-Control no-cache;
        }
}

... ...

Enabling HTTP/2 in nginx

  1. https://zhang.ge/4856.html nginx in-place (smooth) upgrade
  2. Or add the build flag and compile by hand
[root@bbzhangtest objs]# nginx -V
nginx version: nginx/1.13.7
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-36) (GCC)
built with OpenSSL 1.0.2k-fips  26 Jan 2017
TLS SNI support enabled
configure arguments: --prefix=/usr/local/nginx --with-http_stub_status_module --with-http_ssl_module --with-pcre=/usr/local/src/pcre-8.35 --with-http_v2_module

  3. Configuration: https://www.nginx.com/blog/nginx-1-9-5/#appendix-A

HTTP/2 background: https://www.kancloud.cn/kancloud/get-to-know-http-2-in-10-minutes/96597

server {
        listen       8088;
        listen 443 ssl http2;
        ssl_certificate /opt/ssl/server.crt;
        ssl_certificate_key /opt/ssl/server.key;

        ssl_prefer_server_ciphers on;
        ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
}
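A small audit of the TLS directives in server blocks like the two on this page, added here as an example that is not part of the gist. It reads an nginx config file, strips comments, and reports legacy entries in ssl_protocols, positively selected DES/RC4/MD5/NULL/EXPORT cipher families (the EECDH+3DES and RSA+3DES entries in the http2 block above would be reported; 3DES has a 64-bit block size), and ssl listeners that do not enable http2. The two sample configs inside it are constructed: the first reproduces the gist's first block with ssl_protocols SSLv2 SSLv3 TLSv1.2, the second is a hardened version of it.

```shell
#!/bin/sh
# Added example (not from the gist): audit the TLS directives of an nginx config file.
# Checks: legacy protocols in ssl_protocols, DES/RC4/MD5/NULL/EXPORT cipher families
# selected in ssl_ciphers, and "listen ... ssl" sockets without http2.
# Returns 0 when there are no findings, 1 otherwise; findings are printed to stdout.

audit_nginx_tls() {
  cfg=$1
  findings=0
  # Strip comments so that a commented-out directive does not count
  clean=$(sed 's/#.*//' "$cfg")

  protos=$(printf '%s\n' "$clean" | grep -o 'ssl_protocols[^;]*' | head -n 1 || true)
  if [ -z "$protos" ]; then
    echo "INFO: ssl_protocols not set; the default of this nginx version applies"
  elif printf '%s\n' "$protos" | grep -Eq '(SSLv2|SSLv3|TLSv1|TLSv1\.1)([[:space:]]|$)'; then
    echo "FAIL: legacy protocol enabled: $protos"
    findings=$((findings + 1))
  fi

  # Only positively selected cipher families count; a token starting with "!" is an exclusion
  ciphers=$(printf '%s\n' "$clean" | grep -o 'ssl_ciphers[^;]*' | head -n 1 \
    | sed 's/^ssl_ciphers[[:space:]]*//' || true)
  weak=$(printf '%s\n' "$ciphers" | tr ':' '\n' \
    | grep -E '^[^!].*(DES|RC4|MD5|NULL|EXPORT)' || true)
  if [ -n "$weak" ]; then
    echo "WARN: weak cipher family selected: $(printf '%s' "$weak" | tr '\n' ' ')"
    findings=$((findings + 1))
  fi

  # TLS listeners that will never negotiate HTTP/2
  nohttp2=$(printf '%s\n' "$clean" \
    | grep -E '^[[:space:]]*listen[[:space:]].*[[:space:]]ssl([[:space:];]|$)' \
    | grep -vc 'http2' || true)
  if [ "${nohttp2:-0}" -gt 0 ]; then
    echo "WARN: $nohttp2 ssl listener(s) without http2"
    findings=$((findings + 1))
  fi

  [ "$findings" -eq 0 ]
}

# Constructed sample 1: the gist's first server block with SSLv2/SSLv3 still listed
weak_sample() {
  f=$(mktemp)
  cat > "$f" <<'EOF'
server {
    listen       8088;
    listen                      443 ssl;
    ssl_certificate             /opt/ssl/server.crt;
    ssl_certificate_key         /opt/ssl/server.key;
    ssl_protocols               SSLv2 SSLv3 TLSv1.2;
    ssl_ciphers                 HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers   on;
}
EOF
  echo "$f"
}

# Constructed sample 2: the same block with the settings a reviewer would ask for
hardened_sample() {
  f=$(mktemp)
  cat > "$f" <<'EOF'
server {
    listen 443 ssl http2;
    ssl_certificate     /opt/ssl/server.crt;
    ssl_certificate_key /opt/ssl/server.key;
    ssl_protocols       TLSv1.2 TLSv1.3;
    ssl_ciphers         EECDH+CHACHA20:EECDH+AES128:EECDH+AES256:!MD5;
    ssl_prefer_server_ciphers on;
}
EOF
  echo "$f"
}

# Usage: run both samples through the audit; pass your own file to audit_nginx_tls instead
for s in "$(weak_sample)" "$(hardened_sample)"; do
  echo "== $s"
  if audit_nginx_tls "$s"; then echo "no findings"; fi
  rm -f "$s"
done
```

The audit works on the text of one file only; a directive inherited from the http block or an included file is not seen, so run it against the output of `nginx -T` when the config is split across files.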
