Linux,  NGINX

How to configure NGINX on CentOS with a self-signed SSL certificate and compile in the http2 module

0 Background

This document records how to configure a self-signed certificate for the 工信大数据平台 demo environment at http://10.0.9.78:8011 so that the system is accessed over HTTPS: https://10.0.9.78:8011

The NGINX instance installed and configured earlier did not use HTTPS. The system now has to be reachable over HTTPS.

1 Create the directory for the private key

mkdir /etc/ssl/private
chmod 700 /etc/ssl/private/

[root@iisdemo ~]# mkdir /etc/ssl/private
[root@iisdemo ~]# chmod 700 /etc/ssl/private/

2 Generate the SSL certificate

sudo openssl req -x509 -nodes -days 36500 -newkey rsa:2048 -keyout /etc/ssl/private/nginx-selfsigned.key -out /etc/ssl/certs/nginx-selfsigned.crt

-nodes writes the private key unencrypted so NGINX can start without a passphrase prompt; protection of the key then rests entirely on the 0700 directory and the 0600 file mode openssl gives the key file. -days 36500 is a 100-year validity, acceptable for a demo environment but far longer than anything a CA would issue; a shorter lifetime is easier to rotate.


[root@iisdemo ~]# openssl req -x509 -nodes -days 36500 -newkey rsa:2048 -keyout /etc/ssl/private/nginx-selfsigned.key -out /etc/ssl/certs/nginx-selfsigned.crt
Generating a RSA private key
....................+++++
..........................................................................................+++++
writing new private key to '/etc/ssl/private/nginx-selfsigned.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:fujian
Locality Name (eg, city) [Default City]:xiamen
Organization Name (eg, company) [Default Company Ltd]:xmsme
Organizational Unit Name (eg, section) []:bigdata   
Common Name (eg, your name or your server's hostname) []:10.0.9.78
Email Address []:3dian14@gmail.com
[root@iisdemo ~]# 
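One thing the interactive session above does not do is set a subjectAltName: the IP address only goes into the Common Name (CN), and current browsers (Chrome since version 58, Firefox, Safari) match the host against the SAN only, so the certificate is reported as not matching 10.0.9.78 even after it is imported into a trust store. The following is an added example, not part of the original page, that generates the same certificate non-interactively with the IP in a SAN, a one-year validity and a restrictive umask, and then checks the result. It needs OpenSSL 1.1.1 or later for -addext (the page's build reports 1.1.1c). The base directory is a parameter (an assumption, so the script can be tried in a scratch directory instead of /etc/ssl); the DN values and the IP are the page's.

```shell
#!/bin/sh
# Added example, not from the original page: self-signed certificate for
# 10.0.9.78 with a subjectAltName, generated without prompts.
set -eu

# gen_selfsigned BASE_DIR IP -> writes BASE_DIR/private/nginx-selfsigned.key
#                              and BASE_DIR/certs/nginx-selfsigned.crt
gen_selfsigned() {
    base="$1"; ip="$2"
    mkdir -p "$base/private" "$base/certs"
    chmod 700 "$base/private"
    # Subshell so the umask change does not leak into the caller.
    (
        umask 077
        openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
            -keyout "$base/private/nginx-selfsigned.key" \
            -out "$base/certs/nginx-selfsigned.crt" \
            -subj "/C=CN/ST=fujian/L=xiamen/O=xmsme/OU=bigdata/CN=$ip" \
            -addext "subjectAltName=IP:$ip" \
            -addext "extendedKeyUsage=serverAuth" \
            2>/dev/null
    )
}

# cert_has_san_ip CRT IP -> exit 0 if the certificate lists IP in its SAN
cert_has_san_ip() {
    openssl x509 -in "$1" -noout -text | grep -qF "IP Address:$2"
}

# cert_fingerprint CRT -> SHA-256 fingerprint; a self-signed certificate
# cannot be chain-validated, so this is the value users compare against
# what their browser shows before accepting it.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256
}

# cert_key_match CRT KEY -> exit 0 if the private key belongs to the
# certificate (the public keys extracted from both are identical).
cert_key_match() {
    c=$(openssl x509 -in "$1" -noout -pubkey)
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null)
    [ "$c" = "$k" ]
}

# On the server: gen_selfsigned /etc/ssl 10.0.9.78
#                cert_fingerprint /etc/ssl/certs/nginx-selfsigned.crt
```

Because the certificate is not issued by a CA, the fingerprint printed by cert_fingerprint is the only way a user can tell this certificate from one substituted by a man-in-the-middle; publish it alongside the URL.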

3 Modify the NGINX configuration

[root@iisdemo ~]# vi /etc/nginx/conf.d/gxd.conf
server {
    listen 8011 ssl http2;
    listen [::]:8011 ssl http2;
    server_name localhost;
    #server_name 10.0.9.78;

#   return 301 https://$host:8011$request_uri;
    # Add the following two lines:
    ssl_certificate /etc/ssl/certs/nginx-selfsigned.crt;
    ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key;
    # ... the rest of the existing server block (location blocks etc.) is unchanged ...
}
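The two ssl_ directives are all that is needed to serve HTTPS, but they leave NGINX at its defaults for protocol versions and ciphers, and the commented-out return 301 would, if enabled, redirect the HTTPS requests this block is meant to serve back to itself. As an added example (not the page's gxd.conf), this is the same server block with the settings a practitioner would add: TLS 1.2/1.3 only with an AEAD-only cipher list, and a 497 error page that turns plain-HTTP requests to the ssl port into a redirect instead of an error. Port, IP and certificate paths are the page's; the upstream address in the location block is an assumption. HSTS is deliberately left out, since it applies to the whole host 10.0.9.78 and not just port 8011. Note also that the http2 parameter on listen is what nginx 1.24 expects; from nginx 1.25.1 it is deprecated in favour of a separate http2 on; directive.

```nginx
# Added example, not the page's original gxd.conf.
server {
    listen 8011 ssl http2;
    listen [::]:8011 ssl http2;
    server_name 10.0.9.78;

    ssl_certificate     /etc/ssl/certs/nginx-selfsigned.crt;
    ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key;

    # TLS 1.2 and 1.3 only; both are available with the OpenSSL 1.1.1 build shown on this page.
    ssl_protocols TLSv1.2 TLSv1.3;
    # AEAD suites with forward secrecy only; with this list the client may pick the order.
    ssl_prefer_server_ciphers off;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;   # ticket keys are never rotated unless you manage them yourself

    # A plain http:// request to an ssl-only port makes nginx answer with status 497.
    # Turn that into a redirect to the same URL over https instead of an error page.
    # (A bare "return 301 https://..." in this block would also redirect the https requests.)
    error_page 497 =301 https://$host:$server_port$request_uri;

    location / {
        proxy_pass http://127.0.0.1:8080;   # assumed backend, not from the page
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto https;
    }
}
```

Run /etc/nginx/sbin/nginx -t after editing; the ssl_ciphers string is validated at that point, so a typo in a suite name fails the test rather than silently shrinking the list.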

4 Reload NGINX

When testing the configuration before the reload, you may hit this error:

[root@iisdemo nginx-1.24.0]# /etc/nginx/sbin/nginx -t
nginx: [emerg] the "http2" parameter requires ngx_http_v2_module in /etc/nginx/conf.d/gxd.conf:2
nginx: configuration file /etc/nginx/conf/nginx.conf test failed
[root@iisdemo nginx-1.24.0]#

Fix: rebuild NGINX from source with the --with-http_v2_module configure option:

[root@iisdemo nginx-1.24.0]# pwd
/root/nginx-1.24.0
[root@iisdemo nginx-1.24.0]# ll
total 816
drwxr-xr-x 6 1001 1001    326 Aug 14 15:58 auto
-rw-r--r-- 1 1001 1001 323312 Apr 11 09:45 CHANGES
-rw-r--r-- 1 1001 1001 494234 Apr 11 09:45 CHANGES.ru
drwxr-xr-x 2 1001 1001    168 Aug 14 15:58 conf
-rwxr-xr-x 1 1001 1001   2611 Apr 11 09:45 configure
drwxr-xr-x 4 1001 1001     72 Aug 14 15:58 contrib
drwxr-xr-x 2 1001 1001     40 Aug 14 15:58 html
-rw-r--r-- 1 1001 1001   1397 Apr 11 09:45 LICENSE
-rw-r--r-- 1 root root    414 Sep 28 16:22 Makefile
drwxr-xr-x 2 1001 1001     21 Aug 14 15:58 man
drwxr-xr-x 3 root root    174 Sep 28 16:23 objs
-rw-r--r-- 1 1001 1001     49 Apr 11 09:45 README
drwxr-xr-x 9 1001 1001     91 Aug 14 15:58 src
[root@iisdemo nginx-1.24.0]# ./configure --prefix=/etc/nginx --with-http_ssl_module --with-http_v2_module
...
nginx http scgi temporary files: "scgi_temp"
[root@iisdemo nginx-1.24.0]#  

Then run make && make install: make compiles the executable, and make install copies it (and the default configuration files) into the --prefix path.

The safer route is to back up the existing /etc/nginx/sbin/nginx, run make alone to build a new nginx executable that includes the --with-http_v2_module module, and copy that binary into /etc/nginx/sbin yourself. Renaming the old file with mv leaves the running master's inode untouched, so the service keeps running while the file is swapped:

[root@iisdemo nginx-1.24.0]# mv /etc/nginx/sbin/nginx /etc/nginx/sbin/nginx.bak
[root@iisdemo nginx-1.24.0]# make
...
make[1]: Leaving directory '/root/nginx-1.24.0'
[root@iisdemo nginx-1.24.0]# find ./ -name nginx
./objs/nginx
[root@iisdemo nginx-1.24.0]# ll ./objs/nginx
-rwxr-xr-x 1 root root 6541688 Sep 28 16:41 ./objs/nginx
[root@iisdemo nginx-1.24.0]# file ./objs/nginx
./objs/nginx: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=a21c1d80a8c6c2a96356048a04789c3064fc9e50, with debug_info, not stripped
[root@iisdemo nginx-1.24.0]# cp ./objs/nginx /etc/nginx/sbin/nginx
[root@iisdemo nginx-1.24.0]# /etc/nginx/sbin/nginx -V
nginx version: nginx/1.24.0
built by gcc 8.3.1 20191121 (Kylin 8.3.1-5) (GCC)
built with OpenSSL 1.1.1c FIPS  28 May 2019
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --with-http_ssl_module --with-http_v2_module
[root@iisdemo nginx-1.24.0]#

Running /etc/nginx/sbin/nginx -V (capital V; lowercase -v prints only the version number) confirms that the newly built executable includes the http_v2 module.

Note that the nginx -t and nginx -s reload commands below are executed by the new binary, but -s reload only sends SIGHUP to the already running master process, which is still the old executable (now /etc/nginx/sbin/nginx.bak). The master re-reads the configuration itself, so it logs the same "http2 parameter requires ngx_http_v2_module" [emerg] to error.log and keeps the old configuration; -s reload exits 0 regardless. To put the new executable into service, either stop and start NGINX, or use the on-the-fly upgrade: send USR2 to the master so it starts a second master from the new binary, then QUIT to the old master.

[root@iisdemo nginx-1.24.0]# /etc/nginx/sbin/nginx -t
nginx: the configuration file /etc/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/conf/nginx.conf test is successful
[root@iisdemo nginx-1.24.0]# /etc/nginx/sbin/nginx -s reload
[root@iisdemo nginx-1.24.0]#

5 Verify access

Open

https://10.0.9.78:8011/login?redirect=%2Findex

to confirm that NGINX now serves HTTPS. The browser will warn about the self-signed certificate; compare the fingerprint it shows with the one on the server before accepting it.
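Visiting the URL shows that TLS works but says nothing about which executable is actually running or whether HTTP/2 was negotiated. The following is an added example (not from the original page) covering the reload problem of section 4 and the verification of section 5: it checks the modules a binary was built with from its -V output, shows which executable the running master really is, performs the on-the-fly binary upgrade instead of -s reload, and probes the site with the certificate pinned. Paths are the page's (/etc/nginx/sbin/nginx, https://10.0.9.78:8011); the pid file path /etc/nginx/logs/nginx.pid is the default for --prefix=/etc/nginx and is an assumption, and the /proc lookup is Linux-only.

```shell
#!/bin/sh
# Added example, not from the original page.

# nginx_has_module "TEXT_OF_nginx_-V" MODULE -> 0 if --with-MODULE is in the configure arguments
nginx_has_module() {
    text=" $(printf '%s' "$1" | tr '\n' ' ') "
    case "$text" in
        *" --with-$2 "*) return 0 ;;
        *) return 1 ;;
    esac
}

# nginx_master_exe PIDFILE -> path of the executable the master process is running.
# After the mv/cp in section 4 this still prints /etc/nginx/sbin/nginx.bak
# (or "... (deleted)" if the binary was overwritten in place).
nginx_master_exe() {
    pid=$(cat "$1") || return 1
    readlink "/proc/$pid/exe"
}

# nginx_upgrade_binary PIDFILE -> nginx's "upgrading executable on the fly":
# USR2 makes the old master exec the new binary as a second master and renames
# its own pid file to PIDFILE.oldbin; QUIT then retires the old master and workers.
nginx_upgrade_binary() {
    pidfile="$1"
    old=$(cat "$pidfile") || return 1
    kill -USR2 "$old"
    sleep 2
    if [ ! -f "$pidfile.oldbin" ]; then
        echo "new master did not start, check error.log" >&2
        return 1
    fi
    kill -QUIT "$old"
}

# https_probe URL CRT -> prints "<http_version> <status>", e.g. "2 200".
# Verification is against the self-signed certificate itself rather than -k,
# so a swapped certificate makes the probe fail.
https_probe() {
    curl -s -o /dev/null --http2 --cacert "$2" -w '%{http_version} %{http_code}\n' "$1"
}

# Typical run on the server (pid file path assumed):
#   nginx_has_module "$(/etc/nginx/sbin/nginx -V 2>&1)" http_v2_module && echo "built with http_v2"
#   nginx_master_exe /etc/nginx/logs/nginx.pid
#   nginx_upgrade_binary /etc/nginx/logs/nginx.pid
#   nginx_master_exe /etc/nginx/logs/nginx.pid      # now /etc/nginx/sbin/nginx
#   https_probe https://10.0.9.78:8011/ /etc/ssl/certs/nginx-selfsigned.crt
```

If https_probe rejects the page's certificate, the likely cause is the missing subjectAltName for the IP address rather than a server problem; regenerate the certificate with a SAN and retry.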

6 References

https://www.digitalocean.com/community/tutorials/how-to-create-a-self-signed-ssl-certificate-for-nginx-on-centos-7
