测试环境下,采用自生成的证书和私钥
一、生成证书和私钥
1、进入certs这个目录,在这个目录下使用make 可以直接生成证书
cd /etc/ssl/certs
2、修改Makefile文件,去掉里面生成证书自动加密
vim Makefile
%.key:
umask 77 ; \
/usr/bin/openssl genrsa -aes128 $(KEYLEN) > $@
修改为:
%.key: umask 77 ; /usr/bin/openssl genrsa $(KEYLEN) > $@
3、生成www.test.com 的证书和私钥
[18:55:06 root@localhost certs]#make test.com.crt
umask 77 ; /usr/bin/openssl genrsa 2048 > test.com.key Generating RSA private key, 2048 bit long modulus .............................+++ ...........................................................................................................................................................................+++ e is 65537 (0x10001) umask 77 ; /usr/bin/openssl req -utf8 -new -key test.com.key -x509 -days 365 -out test.com.crt You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter ‘.‘, the field will be left blank. ----- Country Name (2 letter code) [XX]:CN State or Province Name (full name) []:shanghai Locality Name (eg, city) [Default City]:shanghai Organization Name (eg, company) [Default Company Ltd]:sh Organizational Unit Name (eg, section) []:sh Common Name (eg, your name or your server‘s hostname) []:www.test.com Email Address []:
4、生成www.test.org的证书和私钥文件
[18:58:06 root@localhost certs]#make test.org.crt umask 77 ; /usr/bin/openssl genrsa 2048 > test.org.key Generating RSA private key, 2048 bit long modulus ....................................................................+++ ...........................+++ e is 65537 (0x10001) umask 77 ; /usr/bin/openssl req -utf8 -new -key test.org.key -x509 -days 365 -out test.org.crt You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter ‘.‘, the field will be left blank. ----- Country Name (2 letter code) [XX]:CN State or Province Name (full name) []:sh Locality Name (eg, city) [Default City]:sh Organization Name (eg, company) [Default Company Ltd]:www.test.org Organizational Unit Name (eg, section) []:sh Common Name (eg, your name or your server‘s hostname) []:www.test.org Email Address []:
只有标红的地方重要,其他地方可以随便填
5、在存放nginx配置文件的家目录下,创建用于存放证书和私钥的文件夹
mkdir /etc/nginx/ssl/
6、将刚刚生成的私钥文件和证书移动到ssl文件夹下
mv test.* /etc/nginx/ssl/
7、将证书文件和私钥的权限设置为600
chmod 600 /etc/nginx/ssl/*
二、修改nginx配置文件
1、创建用于存放主页的文件夹
mkdir /data/test{com,org} -pv
2、生成测试页面
echo /data/testcom/index.html > /data/testcom/index.html echo /data/testorg/index.html > /data/testorg/index.html
3、使用虚拟主机,修改虚拟主机配置文件
vim /etc/nginx/conf.d/test.conf
(这里的名字叫什么无所谓,后缀是conf就行(没有这个文件就新建))
server { listen 443 ssl; listen 80; server_name www.test.com; #指定家目录所在位置 root /data/testcom/; #秘钥和证书的具体位置 ssl_certificate /etc/nginx/ssl/test.com.crt; ssl_certificate_key /etc/nginx/ssl/test.com.key; ssl_session_cache shared:sslcache:20m; #ssl会话超时时间 10分钟 ssl_session_timeout 10m; #生成独立的日志文件,采用main格式,这个格式是在nginx的主配置文件中定义的 access_log /var/log/nginx/test.com.log main; #设置当使用https访问任意目录,自动跳转到https if ( $scheme = http ) { rewrite ^/(.*)$ https://www.test.com/$1 redirect; } } #另外一个主机 server { listen 443 ssl; listen 80; server_name www.test.org; #指定家目录所在位置 root /data/testorg/; #秘钥和证书的具体位置 ssl_certificate /etc/nginx/ssl/test.org.crt; ssl_certificate_key /etc/nginx/ssl/test.org.key; ssl_session_cache shared:sslcache:20m; #ssl会话超时时间 10分钟 ssl_session_timeout 10m; #生成独立的日志文件,采用main格式,这个格式是在nginx的主配置文件中定义的 access_log /var/log/nginx/test.org.log main; #设置当使用https访问任意目录,自动跳转到https if ( $scheme = http ) { rewrite ^/(.*)$ https://www.test.org/$1 redirect; } }
4、检查语法是否有错误
[19:32:47 root@localhost data]#nginx -t
5、返回如下则正常
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok nginx: configuration file /etc/nginx/nginx.conf test is successful
6、启动服务
nginx
三、测试访问
1、修改测试的主机的hosts文件
Windows:
C:\Windows\System32\drivers\etc\hosts
Linux:
vim /etc/hosts
都是在最后一行添加IP地址和对应的主机头
192.168.1.4 www.test.com www.test.org
由于目前的域名都是解析不了的,所以测试环境下,可以直接修改hosts文件
2、curl 浏览器测试访问 www.test.com
19:39:19 root@localhost certs]#curl www.test.com -Lk /data/testcom/index.html
-L跟踪重定向,默认只显示301页面,不继续往后跳转,k忽略证书检查
3、curl 浏览器访问www.test.org
curl www.test.org -Lk
/data/testorg/index.html
原文:https://www.cnblogs.com/alexlv/p/14850921.html