
nginx-ssl


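Nginx and SSL Configuration

Installing Nginx

Build procedure

  1. cd into the nginx source directory (you may need to extract it first with tar -zxvf xxx)

  2. Configure the build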

    ./configure --prefix=/usr/local/nginx --with-http_stub_status_module --with-http_ssl_module

  3. Compile

    make

    make install

Missing dependencies you may hit during the build

gcc missing

# Error message
checking for OS
+ Linux 3.10.0-693.el7.x86_64 x86_64
checking for C compiler ... not found
./configure: error: C compiler cc is not found

yum install -y gcc

PCRE library missing

./configure: error: the HTTP rewrite module requires the PCRE library.
You can either disable the module by using --without-http_rewrite_module
option, or install the PCRE library into the system, or build the PCRE library
statically from the source with nginx by using --with-pcre=<path> option.

yum install -y pcre pcre-devel

zlib library missing

./configure: error: the HTTP gzip module requires the zlib library.
You can either disable the module by using --without-http_gzip_module
option, or install the zlib library into the system, or build the zlib library
statically from the source with nginx by using --with-zlib=<path> option.

yum install -y zlib zlib-devel

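Starting Nginx

# cd into the directory holding the built nginx binary (/usr/local/nginx/sbin with the prefix above)
./nginx            # start
./nginx -s stop    # fast shutdown
./nginx -s quit    # graceful shutdown: finish serving already accepted connections before exiting
./nginx -s reload  # reload the configuration

Registering as a service

Create /usr/lib/systemd/system/nginx.service (vi /usr/lib/systemd/system/nginx.service) and add the following configuration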

[Unit]
Description=nginx - web server
After=network.target remote-fs.target nss-lookup.target
[Service]
Type=forking
PIDFile=/usr/local/nginx/logs/nginx.pid
ExecStartPre=/usr/local/nginx/sbin/nginx -t -c /usr/local/nginx/conf/nginx.conf
ExecStart=/usr/local/nginx/sbin/nginx -c /usr/local/nginx/conf/nginx.conf
ExecReload=/usr/local/nginx/sbin/nginx -s reload
ExecStop=/usr/local/nginx/sbin/nginx -s stop
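# systemd has no ExecQuit= directive (the line is ignored with a warning); for a graceful stop, use ExecStop=/usr/local/nginx/sbin/nginx -s quit instead of -s stop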
PrivateTmp=true
[Install]
WantedBy=multi-user.target

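Service commands

Reload the systemd unit configuration

systemctl daemon-reload

Start the service

systemctl start nginx.service

Enable at boot

systemctl enable nginx.service

If nginx still cannot be reached at this point, check the firewall configuration

Related commands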

# Stop and disable firewalld (turns off host filtering entirely; the rules below open only what is needed)
systemctl stop firewalld.service
systemctl disable firewalld.service
# Open a port
firewall-cmd --zone=public --add-port=80/tcp --permanent
# Reload the firewall
firewall-cmd --reload
# Allow access to a specific port from a specific IP
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="192.168.123.100" port protocol="tcp" port="8080" accept'
# Remove the rule
firewall-cmd --permanent --remove-rich-rule='rule family="ipv4" source address="192.168.123.100" port port="8080" protocol="tcp" accept'

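Configuring SSL

Requesting an SSL certificate

Normally a TXT record is added to the DNS records automatically; if it is not, add it manually

Add the DNS record for the service

Downloading the certificate

Download the package that matches your server type (Nginx here), then place the certificate (public key) and private key in nginx's conf directory

Nginx configuration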

# HTTPS server

server {
    listen       443 ssl;
    server_name  localhost;
    ssl_certificate      9755530_xxxxxx.com.pem;  # certificate (public key); the file begins with BEGIN CERTIFICATE
    ssl_certificate_key  9755530_xxxxxx.com.key;  # private key; the file begins with BEGIN RSA PRIVATE KEY
    ssl_session_cache    shared:SSL:1m;
    ssl_session_timeout  5m;
    ssl_ciphers  HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers  on;
    location / {
        root   html;
        index  index.html index.htm;
    }
}

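Additionally, add a redirect configuration to nginx as needed. If you are not using wildcard DNS resolution and add the www and @ records instead, this step can be skipped

# Listen on HTTP
server {
	listen       80;
	# Domain/host names matching this site: exact match, leading-wildcard match, trailing-wildcard match, regex match
	server_name  www.xxxxxx.cn xxxxxx.cn;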

	return 301 https://$server_name$request_uri;

}

Then reload the nginx configuration
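
Before reloading, the two files named by ssl_certificate and ssl_certificate_key can be checked. The script below is an added example, not part of the original post: it verifies the PEM headers mentioned in the config comments, that the private key is accessible only to its owner, and (with openssl installed) that the key belongs to the certificate. The function names check_tls_files and key_matches_cert are made up for this example.

```shell
#!/bin/sh
# Added example (not from the original post): checks to run on the files
# named by ssl_certificate / ssl_certificate_key before reloading nginx.

# check_tls_files CERT KEY: prints each finding, returns the number of problems.
check_tls_files() {
    cert=$1; key=$2; problems=0

    # ssl_certificate must point at the certificate (BEGIN CERTIFICATE).
    if ! head -n 1 "$cert" 2>/dev/null | grep -q -e '-----BEGIN CERTIFICATE-----'; then
        echo "FAIL: $cert does not start with BEGIN CERTIFICATE"
        problems=$((problems + 1))
    fi

    # ssl_certificate_key must point at a private key: BEGIN RSA PRIVATE KEY
    # as on this page, or the PKCS#8 / EC headers other tools emit.
    if ! head -n 1 "$key" 2>/dev/null | grep -Eq -e '-----BEGIN ([A-Z]+ )?PRIVATE KEY-----'; then
        echo "FAIL: $key does not start with a PRIVATE KEY header"
        problems=$((problems + 1))
    fi

    # The key must not be accessible to group or others (fix with chmod 600).
    perms=$(ls -ldL "$key" 2>/dev/null | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "FAIL: $key is accessible beyond its owner (${perms:-missing})"
        problems=$((problems + 1))
    fi

    return "$problems"
}

# key_matches_cert CERT KEY: succeeds only when the private key belongs to the
# certificate, by comparing the public key derived from each (needs openssl).
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}
```

Run both from the nginx conf directory and reload only when both succeed, for example `check_tls_files 9755530_xxxxxx.com.pem 9755530_xxxxxx.com.key && key_matches_cert 9755530_xxxxxx.com.pem 9755530_xxxxxx.com.key`.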


Author: 👑Dee👑
Copyright: Unless otherwise stated, all articles on this blog are licensed under CC BY-NC 4.0. Please credit 👑Dee👑 when reposting!