nginx配置https

nginx配置https自建证书

最近需要给内部服务添加https支持，首先考虑使用自建的证书来实现https的配置

生成自建证书

# 创建文件夹存放证书文件
mkdir /etc/nginx/ssl
# 创建key和crt文件
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/nginx/ssl/nginx.key -out /etc/nginx/ssl/nginx.crt

# 执行上面命令会提示输入以下内容
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:beijing
Locality Name (eg, city) []:beijing
Organization Name (eg, company) [Internet Widgits Pty Ltd]: test
Organizational Unit Name (eg, section) []: devops
Common Name (e.g. server FQDN or YOUR name) []:www.example.com
Email Address []:xxx@xxx.com

证书创建输入内容讲解

Country Name (2 letter code) [AU]: 国家，这里CN代表中国
State or Province Name (full name) [Some-State]:省份
Locality Name (eg, city) []:城市
Organization Name (eg, company) [Internet Widgits Pty Ltd]: 组织名
Organizational Unit Name (eg, section) []: 部门名
Common Name (e.g. server FQDN or YOUR name) []:需要配置https的网址
Email Address []:邮箱

配置示例

将配置文件保存在 /etc/nginx/conf.d/www.example.com.conf下

server {

    listen       443;

    server_name  www.example.com;

    ssl on;

    ssl_certificate      /etc/nginx/ssl/nginx.crt;

    ssl_certificate_key  /etc/nginx/ssl/nginx.key;

    ssl_session_timeout  5m;

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    
    ssl_ciphers  ALL：!ADH：!EXPORT56：RC4+RSA：+HIGH：+MEDIUM：+LOW：+SSLv2：+EXP;

    ssl_prefer_server_ciphers   on;    

    location / {
        return 404;
    }

}

重启nginx

nginx -t
nginx -s reload

参考：

1. https://segmentfault.com/a/1190000004976222

2. https://pay.weixin.qq.com/wiki/doc/api/wxa/wxa_api.php?chapter=10_4

3. https://juejin.im/post/5c0144036fb9a04a102f046a