Configuring Nginx on RedHat 7 for SSL/TLS on multiple virtual hosts (serving different domains with different certificates from a single IP)
The examples below use RedHat 7 (64-bit).
If the RedHat repositories cannot be used, the EPEL repository works instead:
# rpm -Uvh https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
# yum makecache
# yum install gcc --enablerepo=epel    (explicitly selects the epel repository)
IP inventory:
Nginx_Master: 192.168.136.201   load balancer, active node
Nginx_BackUp: 192.168.136.202   load balancer, standby node
Nginx_VIP:    192.168.136.200   the site's VIP (virtual IP), held by whichever node is currently active
1. Install Keepalived (active/standby hot failover for the two Nginx nodes)
- Install the build dependencies
# yum install -y wget gcc openssl-devel popt-devel
- Download and unpack Keepalived
# cd /usr/local/src
# wget http://www.keepalived.org/software/keepalived-1.2.19.tar.gz
# tar -zxvf keepalived-1.2.19.tar.gz && cd keepalived-1.2.19
Every source tarball in this guide (Keepalived, jemalloc, LuaJIT, the Nginx modules and Nginx itself) is fetched over plain HTTP with no integrity check. Compare the checksum or PGP signature each project publishes before building; a tampered archive here ends up as the TLS terminator for every site.
- Build and install Keepalived
# ./configure --sysconf=/etc
# make && make install
# ln -s /usr/local/sbin/keepalived /usr/sbin/keepalived
- Edit the configuration file
# vi /etc/keepalived/keepalived.conf
keepalived.conf on the master Nginx server:
    ! Configuration File for keepalived
    global_defs {
        notification_email {
            admin@example.com
        }
        notification_email_from admin@example.com
        smtp_server 127.0.0.1
        smtp_connect_timeout 30
        router_id LVS_DEVEL
    }
    vrrp_script check_run {
        script "/usr/local/bin/check_nginx.sh"
        interval 2
        weight 2
    }
    vrrp_instance VI_1 {
        state MASTER
        interface eno16777728
        virtual_router_id 51
        priority 100
        advert_int 1
        authentication {
            auth_type PASS
            auth_pass 1111
        }
        track_script {
            check_run
        }
        virtual_ipaddress {
            192.168.136.200
        }
    }
Two things to note. With auth_type PASS the password travels in clear text in every VRRP advertisement, so it is only a guard against misconfiguration, not against an attacker on the segment: change 1111, and keep the two nodes' VRRP traffic on a network that other hosts cannot sniff or inject into, because a forged advertisement with a higher priority takes the VIP. Second, a positive weight is only added while the check succeeds: the master runs at priority 102 while nginx is up and drops to 100 when check_nginx.sh fails, which is still above the backup's 99. Failover therefore happens because the check script stops keepalived on the master (see below), not because of the priority arithmetic.
keepalived.conf on the backup Nginx server:
    ! Configuration File for keepalived
    global_defs {
        notification_email {
            admin@example.com
        }
        notification_email_from admin@example.com
        smtp_server 127.0.0.1
        smtp_connect_timeout 30
        router_id LVS_DEVEL
    }
    vrrp_script check_run {
        script "/usr/local/bin/check_nginx.sh"
        interval 5
    }
    vrrp_instance VI_1 {
        state BACKUP
        interface eno16777728
        virtual_router_id 51
        priority 99
        advert_int 1
        authentication {
            auth_type PASS
            auth_pass 1111
        }
        track_script {
            check_run
        }
        virtual_ipaddress {
            192.168.136.200
        }
    }
- Create the check script that keepalived runs
# vi /usr/local/bin/check_nginx.sh
    #!/bin/bash
    # If no nginx master process is running, try to start nginx once;
    # if it is still not running 5 s later, stop keepalived so the VIP moves to the other node.
    if [ "$(ps -ef | grep "nginx: master process" | grep -v grep)" == "" ]
    then
        service nginx start
        sleep 5
        if [ "$(ps -ef | grep "nginx: master process" | grep -v grep)" == "" ]
        then
            service keepalived stop
        fi
    fi
# chmod +x /usr/local/bin/check_nginx.sh
Keepalived executes this script as root every interval, so it must be owned by root and writable by nobody else; a writable check script is root code execution on the load balancer.
- Enable Keepalived at boot and start it
# chkconfig keepalived on
# service keepalived start
2. Install the Nginx proxy server
- Install jemalloc (better memory management)
# yum -y install bzip2
# cd /usr/local/src
# wget http://www.canonware.com/download/jemalloc/jemalloc-4.0.4.tar.bz2
# tar -jxvf jemalloc-4.0.4.tar.bz2 && cd jemalloc-4.0.4
# ./configure
# make && make install
# echo '/usr/local/lib' > /etc/ld.so.conf.d/local.conf
# ldconfig
- lua-nginx-module (lets Nginx run Lua)
lua-nginx-module is agentzh's open-source project that embeds the Lua language in Nginx, so Nginx configuration can use the full Lua language.
1. Download and install LuaJIT 2.0
# cd /usr/local/src
# wget http://luajit.org/download/LuaJIT-2.0.4.tar.gz
# tar -zxvf LuaJIT-2.0.4.tar.gz && cd LuaJIT-2.0.4
# make && make install
# ln -s /usr/local/lib/libluajit-5.1.so.2 /lib64/libluajit-5.1.so.2
2. Export the environment variables (in the same shell that will later run ./configure for Nginx, otherwise the Lua module will not find LuaJIT)
# export LUAJIT_LIB=/usr/local/lib
# export LUAJIT_INC=/usr/local/include/luajit-2.0
3. Download and unpack ngx_devel_kit and lua-nginx-module
# cd /usr/local/src
# curl -L https://codeload.github.com/simpl/ngx_devel_kit/tar.gz/v0.2.19 -o ngx_devel_kit-0.2.19.tar.gz
# tar -zxvf ngx_devel_kit-0.2.19.tar.gz
# curl -L https://codeload.github.com/openresty/lua-nginx-module/tar.gz/v0.9.20rc2 -o lua-nginx-module-0.9.20rc2.tar.gz
# tar -zxvf lua-nginx-module-0.9.20rc2.tar.gz
- ngx_cache_purge (module for purging the Nginx cache)
# cd /usr/local/src
# wget http://labs.frickle.com/files/ngx_cache_purge-2.3.tar.gz
# tar -zxvf ngx_cache_purge-2.3.tar.gz
- Install Nginx (1.9.9 was the mainline release when this was written; take the current stable release, and its PGP signature, from nginx.org)
# yum -y install pcre-devel openssl-devel zlib-devel
# cd /usr/local/src
# wget http://nginx.org/download/nginx-1.9.9.tar.gz
# tar -zxvf nginx-1.9.9.tar.gz && cd nginx-1.9.9
# ./configure \
    --sbin-path=/usr/local/nginx/nginx \
    --pid-path=/var/run/nginx.pid \
    --user=nginx \
    --group=nginx \
    --http-client-body-temp-path=/usr/local/nginx/cache/client_body_temp \
    --http-proxy-temp-path=/usr/local/nginx/cache/proxy_temp \
    --http-fastcgi-temp-path=/usr/local/nginx/cache/fastcgi_temp \
    --http-uwsgi-temp-path=/usr/local/nginx/cache/uwsgi_temp \
    --http-scgi-temp-path=/usr/local/nginx/cache/scgi_temp \
    --with-http_ssl_module \
    --with-http_stub_status_module \
    --with-threads \
    --with-stream \
    --with-stream_ssl_module \
    --with-ipv6 \
    --with-http_v2_module \
    --add-module=../ngx_cache_purge-2.3 \
    --add-module=../lua-nginx-module-0.9.20rc2 \
    --add-module=../ngx_devel_kit-0.2.19 \
    --with-ld-opt='-ljemalloc' \
    --with-cc-opt='-O2 -g -pipe -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic'
# make -j2 && make install
# mkdir /usr/local/nginx/cache
# ln -s /usr/local/nginx/nginx /usr/sbin/nginx    (symlink so that "nginx" is on the PATH)
The --with-cc-opt flags (-D_FORTIFY_SOURCE=2, -fstack-protector) are the distribution's hardening flags and are worth keeping for a process that terminates TLS for every site. lua-nginx-module depends on ngx_devel_kit; if configure complains about a missing NDK, list --add-module=../ngx_devel_kit-0.2.19 before the lua module.
Confirm that SNI support is compiled in. The output must contain the line "TLS SNI support enabled"; without it nginx cannot pick a certificate by host name, and every site on the IP would get the first certificate:
# nginx -V
- Create the Nginx init script (the standard nginx.org SysV script, with the binary and configuration paths adjusted to this build)
# vi /etc/init.d/nginx
    #!/bin/sh
    #
    # nginx - this script starts and stops the nginx daemon
    #
    # chkconfig:   - 85 15
    # description:  NGINX is an HTTP(S) server, HTTP(S) reverse \
    #               proxy and IMAP/POP3 proxy server
    # processname: nginx
    # config:      /usr/local/nginx/conf/nginx.conf
    # config:      /etc/sysconfig/nginx
    # pidfile:     /var/run/nginx.pid

    # Source function library.
    . /etc/rc.d/init.d/functions

    # Source networking configuration.
    . /etc/sysconfig/network

    # Check that networking is up.
    [ "$NETWORKING" = "no" ] && exit 0

    nginx="/usr/local/nginx/nginx"
    prog=$(basename $nginx)

    NGINX_CONF_FILE="/usr/local/nginx/conf/nginx.conf"

    [ -f /etc/sysconfig/nginx ] && . /etc/sysconfig/nginx

    lockfile=/var/lock/subsys/nginx

    make_dirs() {
        # make required directories: read --user and the *-temp-path options
        # back out of "nginx -V", create the user and the directories on first start
        user=`$nginx -V 2>&1 | grep "configure arguments:" | sed 's/[^*]*--user=\([^ ]*\).*/\1/g' -`
        if [ -z "`grep $user /etc/passwd`" ]; then
            useradd -r -M -s /sbin/nologin $user
        fi
        options=`$nginx -V 2>&1 | grep 'configure arguments:'`
        for opt in $options; do
            if [ `echo $opt | grep '.*-temp-path'` ]; then
                value=`echo $opt | cut -d "=" -f 2`
                if [ ! -d "$value" ]; then
                    # echo "creating" $value
                    mkdir -p $value && chown -R $user $value
                fi
            fi
        done
    }

    start() {
        [ -x $nginx ] || exit 5
        [ -f $NGINX_CONF_FILE ] || exit 6
        make_dirs
        echo -n $"Starting $prog: "
        daemon $nginx -c $NGINX_CONF_FILE
        retval=$?
        echo
        [ $retval -eq 0 ] && touch $lockfile
        return $retval
    }

    stop() {
        echo -n $"Stopping $prog: "
        killproc $prog -QUIT
        retval=$?
        echo
        [ $retval -eq 0 ] && rm -f $lockfile
        return $retval
    }

    restart() {
        configtest || return $?
        stop
        sleep 1
        start
    }

    reload() {
        configtest || return $?
        echo -n $"Reloading $prog: "
        killproc $nginx -HUP
        RETVAL=$?
        echo
    }

    force_reload() {
        restart
    }

    configtest() {
        $nginx -t -c $NGINX_CONF_FILE
    }

    rh_status() {
        status $prog
    }

    rh_status_q() {
        rh_status >/dev/null 2>&1
    }

    case "$1" in
        start)
            rh_status_q && exit 0
            $1
            ;;
        stop)
            rh_status_q || exit 0
            $1
            ;;
        restart|configtest)
            $1
            ;;
        reload)
            rh_status_q || exit 7
            $1
            ;;
        force-reload)
            force_reload
            ;;
        status)
            rh_status
            ;;
        condrestart|try-restart)
            rh_status_q || exit 0
            ;;
        *)
            echo $"Usage: $0 {start|stop|status|restart|condrestart|try-restart|reload|force-reload|configtest}"
            exit 2
    esac
The script creates the unprivileged nginx user (useradd -r -M -s /sbin/nologin) on first start, which is why the user/group given to configure work without creating the account by hand; the master process still runs as root to bind ports 80 and 443, and only the workers drop to nginx.
- Enable the Nginx service at boot and start it
# chmod +x /etc/init.d/nginx
# chkconfig nginx on
# service nginx start
- Open the http and https ports in the firewall
# firewall-cmd --permanent --add-service={http,https}
# firewall-cmd --reload
firewalld's default zone also drops the VRRP advertisements (IP protocol 112) the two keepalived nodes exchange; if each node stops seeing the other's advertisements, both believe they are master and both claim the VIP. Allow VRRP between the two nodes as well, for example with a rich rule such as --add-rich-rule='rule protocol value="vrrp" accept' (restricted to the peer's address), before relying on the failover.
- Test Nginx in a browser (http://192.168.136.200/ should answer from whichever node holds the VIP)
3. Generate the SSL certificates
- Create the certificate directory and change into it
# mkdir -p /usr/local/nginx/conf/ssl && cd /usr/local/nginx/conf/ssl
Generate the server certificates with openssl.
Assume two sites, linux.example.com and windows.example.com:

Domain               Upstream             Servers                                            System
-------------------  -------------------  -------------------------------------------------  -------
linux.example.com    linux.example.com    192.168.136.101, 192.168.136.102, 192.168.136.103  Linux
windows.example.com  windows.example.com  192.168.136.104, 192.168.136.105                   Windows

Taking linux.example.com as the example:
- Generate the server's private key (the .key file). The original page used a 1024-bit modulus; 1024-bit RSA is below what current browsers and CAs accept, so 2048 bits is used here.
# openssl genrsa -des3 -out linux.example.com.key 2048
    Generating RSA private key, 2048 bit long modulus
    ...........++++++
    .....................++++++
    e is 65537 (0x10001)
    Enter pass phrase for linux.example.com.key: <passphrase>
    Verifying - Enter pass phrase for linux.example.com.key: <confirm passphrase>
- Create the Certificate Signing Request (CSR)
# SUBJECT="/C=CN/ST=China/L=Shanghai/O=example.com/OU=example.com/CN=linux.example.com"
# openssl req -new -subj $SUBJECT -key linux.example.com.key -out linux.example.com.csr
    Enter pass phrase for linux.example.com.key: <passphrase>
- Strip the passphrase so that restarting Nginx does not prompt for it
# mv linux.example.com.key linux.example.com.origin.key
# openssl rsa -in linux.example.com.origin.key -out linux.example.com.key
The unencrypted key is now the secret that identifies the site: keep it readable by root only (chmod 600), and do not leave the .origin.key and .csr files behind on the proxy.
- Create a self-signed certificate from the key and the CSR. It is signed by its own key, not by a CA, so browsers warn until the certificate is explicitly trusted or replaced by a CA-issued one.
# openssl x509 -req -days 3650 -in linux.example.com.csr -signkey linux.example.com.key -out linux.example.com.crt
- Repeat the steps above for windows.example.com
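The certificates above carry the host name only in the subject CN. Current browsers (Chrome since version 58, and Firefox and Safari likewise) ignore the CN and match the name against the subjectAltName extension, so a CN-only self-signed certificate is still reported as a name mismatch after it has been trusted. The script below is an added example, not part of the original page: it produces the key, CSR and self-signed certificate for one site with a SAN extension in a single step. It assumes openssl(1) is installed (RHEL 7 ships OpenSSL 1.0.2, which has no `req -addext`, so the extension is supplied through a temporary extfile) and reuses the page's subject fields; the helper names san_extfile and make_self_signed are mine.

```shell
#!/bin/sh
# Added example: self-signed server certificate with a subjectAltName.
# Not from the original page; assumes openssl(1) is on the PATH.

# Print the x509v3 extension file used at signing time.
# $1: comma-separated DNS names, e.g. "linux.example.com,www.linux.example.com"
san_extfile() {
  printf 'basicConstraints = CA:FALSE\n'
  printf 'keyUsage = digitalSignature, keyEncipherment\n'
  printf 'extendedKeyUsage = serverAuth\n'
  printf 'subjectAltName = @alt_names\n'
  printf '[alt_names]\n'
  i=0
  for name in $(printf '%s' "$1" | tr ',' ' '); do
    i=$((i + 1))
    printf 'DNS.%d = %s\n' "$i" "$name"
  done
}

# Generate DOMAIN.key and DOMAIN.crt in the current directory.
# $1: primary name (goes into the CN and into DNS.1)
# $2: optional extra names, comma-separated
# $3: validity in days (default 3650, as on the page)
make_self_signed() {
  domain="$1"
  names="$1"
  [ -n "${2:-}" ] && names="$names,$2"
  days="${3:-3650}"
  subject="/C=CN/ST=China/L=Shanghai/O=example.com/OU=example.com/CN=$domain"

  # Unencrypted 2048-bit key so nginx starts without a passphrase prompt;
  # the umask keeps the key file from ever being group/world readable.
  old_umask=$(umask)
  umask 077
  openssl genrsa -out "$domain.key" 2048 2>/dev/null
  umask "$old_umask"

  openssl req -new -subj "$subject" -key "$domain.key" -out "$domain.csr"
  san_extfile "$names" > "$domain.ext"
  openssl x509 -req -days "$days" -in "$domain.csr" -signkey "$domain.key" \
    -extfile "$domain.ext" -out "$domain.crt"
  rm -f "$domain.ext" "$domain.csr"

  # Show what actually went into the certificate (-ext needs OpenSSL 1.1.1;
  # fall back to -text on 1.0.2).
  openssl x509 -in "$domain.crt" -noout -subject -ext subjectAltName 2>/dev/null \
    || openssl x509 -in "$domain.crt" -noout -subject -text | grep -A1 'Subject Alternative Name'
}

# Usage: ./mkcert.sh linux.example.com [www.linux.example.com,lnx.example.com] [days]
if [ $# -ge 1 ]; then
  make_self_signed "$@"
fi
```

Run it inside /usr/local/nginx/conf/ssl once per site; the resulting .crt and .key drop straight into the ssl_certificate / ssl_certificate_key directives used later. The CN is still set for older clients, but the SAN is what a modern client checks against the SNI name it sent.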
Create the Nginx configuration files
- Create the upstream configuration files (the backend port numbers were lost in this copy of the page; PORT stands for the port the backends listen on)
# mkdir /usr/local/nginx/conf/upstreams && cd /usr/local/nginx/conf/upstreams
# vi linux.example.com.conf
    upstream linux.example.com {
        ip_hash;
        server 192.168.136.101:PORT;
        server 192.168.136.102:PORT;
        server 192.168.136.103:PORT;
    }
# vi windows.example.com.conf
    upstream windows.example.com {
        ip_hash;
        server 192.168.136.104:PORT;
        server 192.168.136.105:PORT;
    }
TLS ends at the proxy: the sites below use proxy_pass http://, so traffic between the VIP and the backends crosses 192.168.136.0/24 in clear text. That is acceptable only if that segment is private to the proxies and backends.
- Install the nginx_ensite tool
# cd /usr/local/src
# yum -y install git
# git clone https://github.com/perusio/nginx_ensite.git && cd nginx_ensite
# make install
Modify the nginx_ensite script. The only change from upstream is NGINX_CONF_DIR (and the matching usage text), which is pointed at /usr/local/nginx/conf instead of /etc/nginx so that the script finds the sites-available and sites-enabled directories created below.
# vi /usr/local/bin/nginx_ensite
    #!/bin/bash

    ### nginx_ensite --- Bash script to enable or disable a site in nginx.

    ### Copyright (C) António P. P. Almeida <appa@perusio.net>
    ### Author: António P. P. Almeida <appa@perusio.net>

    ### Permission is hereby granted, free of charge, to any person obtaining a
    ### copy of this software and associated documentation files (the "Software"),
    ### to deal in the Software without restriction, including without limitation
    ### the rights to use, copy, modify, merge, publish, distribute, sublicense,
    ### and/or sell copies of the Software, and to permit persons to whom the
    ### Software is furnished to do so, subject to the following conditions:

    ### The above copyright notice and this permission notice shall be included in
    ### all copies or substantial portions of the Software.

    ### Except as contained in this notice, the name(s) of the above copyright
    ### holders shall not be used in advertising or otherwise to promote the sale,
    ### use or other dealings in this Software without prior written authorization.

    ### THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
    ### IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
    ### FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
    ### THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
    ### LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
    ### FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
    ### DEALINGS IN THE SOFTWARE.

    SCRIPTNAME=${0##*/}

    ## The nginx binary. Check if we're root or not. If we are get the
    ## path to nginx. If not hardcode the path.
    if [ $(id -u) -eq 0 ]; then
        IS_ROOT=1
        NGINX=$(command -v nginx) || exit 0
    else
        STATUS=1
        NGINX=/usr/sbin/nginx
    fi

    ## Default value for the configuration directory.
    NGINX_CONF_DIR=/usr/local/nginx/conf

    function print_usage() {
        echo "$SCRIPTNAME [-c <nginx configuration base directory> default: /usr/local/nginx/conf] [ -s <startup program name> default: nginx] <site name>"
    }

    ## Extract the startup program name from a given argument. If it's a
    ## path to nginx then add the '-s reload' to the name. Otherwise just
    ## return the given argument.
    ## $1: the program name.
    ## Returns the proper startup program name,
    function get_startup_program_name() {
        local value="$1"
        [[ $1 =~ [[:alnum:]/-]*nginx$ ]] && value="$1 -s reload"
        echo "$value"
    }

    ## The default start up program is nginx.
    STARTUP_PROGRAM_NAME=$(get_startup_program_name nginx)

    ## Create the relative path to the vhost file.
    ## $1: configuration file name (usually the vhost)
    ## $2: available sites directory name (usually sites-available)
    ## Returns the relative path from the sites-enabled directory.
    function make_relative_path() {
        printf '../%.0s%s/%s' $(eval echo {0..$(expr length "${1//[^\/]/}")}) $2 $1
    }

    ## Checking the type of action we will perform. Enabling or disabling.
    ACTION=$(echo $SCRIPTNAME | awk '$0 ~ /dissite/ {print "DISABLE"} $0 ~ /ensite/ {print "ENABLE"} $0 !~ /(dis|en)site/ {print "UNKNOWN"}')

    if [ "$ACTION" == "UNKNOWN" ]; then
        echo "$SCRIPTNAME: Unknown action!" >&2
        print_usage
        exit 1
    fi

    ## Check the number of arguments.
    if [ $# -lt 1 -o $# -gt 5 ]; then
        print_usage >&2
        exit 2
    fi

    ## Parse the getops arguments.
    while getopts c:s: OPT; do
        case $OPT in
            c|+c)
                NGINX_CONF_DIR=$(realpath "$OPTARG")
                if [[ ! -d $NGINX_CONF_DIR ]]; then
                    echo "$NGINX_CONF_DIR directory not found." >&2
                    exit 3
                fi
                ;;
            s|+s)
                STARTUP_PROGRAM_NAME=$(get_startup_program_name "$OPTARG")
                ;;
            *)
                print_usage >&2
                exit 4
                ;;
        esac
    done
    shift $(( OPTIND - 1 ))
    OPTIND=1

    ## The paths for both nginx configuration files and the sites
    ## configuration files and symbolic link destinations.
    AVAILABLE_SITES_PATH="$NGINX_CONF_DIR/sites-available"
    ENABLED_SITES_PATH="$NGINX_CONF_DIR/sites-enabled"

    ## Check the number of arguments.
    if [ $# -ne 1 ]; then
        print_usage >&2
        exit 5
    else
        SITE_AVAILABLE=$(make_relative_path "$1" ${AVAILABLE_SITES_PATH##*/})
        ## If enabling the 'default' site then make sure that it's the
        ## first to be loaded.
        if [ "$1" == "default" ]; then
            SITE_ENABLED="$ENABLED_SITES_PATH/default"
        else
            SITE_ENABLED="$ENABLED_SITES_PATH/$1"
        fi
        ## Check if the directory where we will place the symlink
        ## exists. If not create it.
        [ -d ${SITE_ENABLED%/*} ] || mkdir -p ${SITE_ENABLED%/*}
    fi

    ## Check that the file corresponding to site exists if enabling or
    ## that the symbolic link exists if disabling. Perform the desired
    ## action if possible. If not signal an error and exit.
    case $ACTION in
        ENABLE)
            # Change to the directory where we will place the symlink so that we
            # see the relative path correctly.
            cd "${SITE_ENABLED%/*}";
            if [ -r $SITE_AVAILABLE ]; then
                ## Test for a well formed configuration only when we are
                ## root.
                if [ -n "$IS_ROOT" ]; then
                    echo "Testing nginx configuration..."
                    $NGINX -t && STATUS=0
                fi
                ## Check the config testing status and if the link exists already.
                if [ $STATUS ] && [ -h $SITE_ENABLED ]; then
                    ## If already enabled say it and exit.
                    echo "$1 is already enabled."
                    exit 0
                else # Symlink if not yet enabled.
                    ln -s $SITE_AVAILABLE $SITE_ENABLED
                fi
                if [ $STATUS ]; then
                    echo -n "Site $1 has been enabled."
                    printf '\nRun "%s" to apply the changes.\n' "$STARTUP_PROGRAM_NAME"
                    exit 0
                else
                    exit 5
                fi
            else
                echo "Site configuration file $1 not found." >&2
                exit 6
            fi
            ;;
        DISABLE)
            if [ "$1" = "default" ] ; then
                if [ -h "$ENABLED_SITES_PATH/default" ] ; then
                    SITE_ENABLED="$ENABLED_SITES_PATH/default"
                fi
            fi
            if [ -h $SITE_ENABLED ]; then
                rm $SITE_ENABLED
                echo -n "Site $1 has been disabled."
                printf '\nRun "%s" to apply the changes.\n' "$STARTUP_PROGRAM_NAME"
                exit 0
            else
                echo "Site $1 doesn't exist." >&2
                exit 7
            fi
            ;;
    esac
Note that the `nginx -t` in the ENABLE branch runs before the symlink is created, so it validates the configuration as it is, not the site being added; always run `nginx -t` again before `nginx -s reload`.
- Create the sites-available directory and change into it
# mkdir /usr/local/nginx/conf/sites-available && cd /usr/local/nginx/conf/sites-available
- Create the site configuration files
# vi no-default
    # Drop requests for unknown hosts
    #
    # If no default server is defined, nginx will use the first found server.
    # To prevent host header attacks, or other potential problems when an unknown
    # servername is used in a request, it's recommended to drop the request
    # returning "no response".
    server {
        listen 80 default_server;
        return 444;
    }
This catch-all only covers port 80. On port 443 nginx still uses the first ssl server block in configuration order as the default when the SNI name (or a ClientHello without SNI) matches no server_name, and presents that site's certificate, so a request for an unknown name or for the bare VIP address sees linux.example.com's certificate here. To drop those connections as well, give the no-default block a `listen 443 ssl default_server;` with a throwaway certificate of its own and the same `return 444;`.
# vi linux.example.com
    server {
        listen [::]:80;
        listen 80;
        server_name linux.example.com;
        return 301 https://$host$request_uri;
    }
    server {
        listen [::]:443 ssl http2;
        listen 443 ssl http2;
        server_name linux.example.com;
        access_log logs/linux.example.com.access.log main;
        error_log logs/linux.example.com.error.log error;
        location / {
            proxy_pass http://linux.example.com;
        }
        include ssl.conf;
        ssl_certificate ssl/linux.example.com.crt;
        ssl_certificate_key ssl/linux.example.com.key;
    }
# vi windows.example.com
    server {
        listen [::]:80;
        listen 80;
        server_name windows.example.com;
        return 301 https://$host$request_uri;
    }
    server {
        listen [::]:443 ssl http2;
        listen 443 ssl http2;
        server_name windows.example.com;
        access_log logs/windows.example.com.access.log main;
        error_log logs/windows.example.com.error.log error;
        location / {
            proxy_pass http://windows.example.com;
        }
        include ssl.conf;
        ssl_certificate ssl/windows.example.com.crt;
        ssl_certificate_key ssl/windows.example.com.key;
    }
This is the whole SNI mechanism: both server blocks listen on the same 443 on the same VIP, nginx reads the server_name extension from the ClientHello and selects the block, and therefore the certificate, by that name before the handshake completes.
- How to enable and disable a site
# nginx_ensite linux.example.com    (enable the site)
# nginx_dissite linux.example.com   (disable the site)
Both only add or remove the symlink in sites-enabled; run `nginx -t && nginx -s reload` afterwards.
- Create the zone.conf configuration file
# vi /usr/local/nginx/conf/zone.conf
    # 1mb zone holds approx 16k sessions
    # Connections per IP
    limit_conn_zone $binary_remote_addr zone=conPerIp:5m;
    # Fastcgi cache zones below
    # At some point you'd probably want to change these paths to their own
    # directory, for example to /var/cache/nginx/
    # (the levels= value was lost in this copy of the page; 1:2 is the usual two-level layout)
    fastcgi_cache_path /usr/local/nginx/cache/fastcgi_cache levels=1:2 keys_zone=fastcgi_cache:16m max_size=256m inactive=1d;
    limit_req_zone $binary_remote_addr zone=reqPerSec1:1m rate=1r/s;
    limit_req_zone $binary_remote_addr zone=reqPerSec10:1m rate=10r/s;
    limit_req_zone $binary_remote_addr zone=reqPerSec20:1m rate=20r/s;
These directives only define the zones; nothing is limited until a server or location references them with limit_conn / limit_req.
- Create the proxy.conf configuration file
# vi /usr/local/nginx/conf/proxy.conf
    proxy_redirect off;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_connect_timeout 30;
    proxy_send_timeout 30;
    proxy_read_timeout 60;
    proxy_buffer_size 256k;
    proxy_buffers 4 256k;
    proxy_busy_buffers_size 256k;
    proxy_temp_file_write_size 256k;
    proxy_next_upstream error timeout invalid_header http_500 http_503 http_404;
    proxy_max_temp_file_size 128m;
$proxy_add_x_forwarded_for appends $remote_addr to whatever X-Forwarded-For the client sent, so the backends must take the client address from the last entry (or from X-Real-IP) and trust the header only when the request arrives from 192.168.136.201/202. Note also that http_404 in proxy_next_upstream retries a 404 on another backend, which defeats ip_hash stickiness and doubles load for every missing URL; it is only sensible when the backends are not guaranteed to serve identical content.
- Create the ssl.conf configuration file
# vi /usr/local/nginx/conf/ssl.conf
    add_header Strict-Transport-Security 'max-age=604800';
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
    ssl_prefer_server_ciphers on;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    # Maximum secure cipher list from https://cipherli.st/. Not support some clients: IE6/XP, IE8/XP, Java 6u45, Java 7u25, OpenSSL 0.9.8y
    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
    # Less secure cipher list from https://cipherli.st/. Not support some clients: IE6/XP, Java 6u45
    # (the long list that followed here was mangled in this copy of the page, with suite names such as
    # AES128-GCM-SHA128 that do not exist; take it from the site above rather than from here)
    #ssl_ciphers "...";
Three caveats. TLS 1.0 and 1.1 are deprecated (RFC 8996); keep only TLSv1.2 (and TLSv1.3 where the OpenSSL build supports it) unless a client inventory shows you still need the old versions. The EDH+ suites use Diffie-Hellman parameters, and nginx 1.9.x without an ssl_dhparam directive falls back to its built-in 1024-bit group; generate a 2048-bit group (openssl dhparam) and set ssl_dhparam, or drop the EDH suites. Finally, HSTS with max-age=604800 (one week) is a cautious start, but once a browser has seen it for a host it refuses to let the user click through certificate errors for that host; with the self-signed certificates from step 3 that means no access at all until a trusted certificate is in place.
- Create the gzip.conf configuration file (values marked <n> were lost in this copy of the page)
# vi /usr/local/nginx/conf/gzip.conf
    gzip on;
    gzip_http_version 1.0;
    gzip_min_length <n>;
    gzip_buffers <n> 8k;
    gzip_proxied expired no-cache no-store private auth;
    gzip_disable "msie6";
    gzip_vary on;
    gzip_comp_level <n>;
    gzip_types
        # text/html is always compressed by HttpGzipModule
        text/css
        text/javascript
        text/xml
        text/plain
        text/x-component
        application/javascript
        application/x-javascript
        application/json
        application/xml
        application/rss+xml
        application/atom+xml
        font/truetype
        font/opentype
        application/vnd.ms-fontobject
        image/svg+xml;
Compressing responses over TLS exposes any page that reflects attacker-controlled input next to a secret (a CSRF token, for example) to the BREACH attack. Leave gzip off for such responses, or have the backend mark them so the proxy does not compress them.
- Edit the nginx.conf configuration file (numeric values marked <n> were lost in this copy of the page; fill them with your own sizing)
# vi /usr/local/nginx/conf/nginx.conf
    user nginx;
    worker_processes auto;
    worker_rlimit_nofile <n>;
    events {
        worker_connections <n>;
    }
    error_log logs/error.log warn;
    http {
        include mime.types;
        default_type text/html;
        server_tokens off;
        msie_padding off;
        max_ranges <n>;
        charset utf-8;
        reset_timedout_connection on;
        keepalive_disable none;
        sendfile on;
        tcp_nopush on;
        tcp_nodelay off;
        keepalive_requests <n>;
        log_format main '$remote_addr $scheme://$host $remote_user [$time_local] "$request" '
                        '$status $body_bytes_sent "$http_referer" '
                        '"$http_user_agent" $request_time $upstream_addr $upstream_cache_status';
        log_subrequest on;
        variables_hash_max_size <n>;
        map_hash_max_size <n>;
        server_names_hash_max_size <n>;
        types_hash_max_size <n>;
        open_file_cache max=<n>;
        open_file_cache_errors on;
        keepalive_timeout <n>;
        client_header_timeout <n>;
        client_body_timeout <n>;
        send_timeout <n>;
        fastcgi_connect_timeout <n>;
        fastcgi_send_timeout <n>;
        include proxy.conf;
        include zone.conf;
        include upstreams/*.conf;
        include sites-enabled/*;
    }
gzip.conf is created above but never included here; add `include gzip.conf;` next to the other includes if compression is wanted. server_tokens off keeps the version out of the Server header and error pages, and logging $scheme://$host per request makes it easy to confirm later which vhost (and therefore which certificate) served a given client.
Script that generates a certificate (the key length was lost in this copy and is set to 2048 here, as in step 3; `read -p` is a bash extension, which /bin/sh on RedHat 7 provides):
    #!/bin/sh
    # create self-signed server certificate:
    read -p "Enter your domain [www.example.com]: " DOMAIN
    echo "Create server key..."
    openssl genrsa -des3 -out $DOMAIN.key 2048
    echo "Create server certificate signing request..."
    SUBJECT="/C=CN/ST=China/L=Shanghai/O=example.com/OU=example.com/CN=$DOMAIN"
    openssl req -new -subj $SUBJECT -key $DOMAIN.key -out $DOMAIN.csr
    echo "Remove password..."
    mv $DOMAIN.key $DOMAIN.origin.key
    openssl rsa -in $DOMAIN.origin.key -out $DOMAIN.key
    echo "Sign SSL certificate..."
    openssl x509 -req -days 3650 -in $DOMAIN.csr -signkey $DOMAIN.key -out $DOMAIN.crt
    echo "TODO:"
    echo "Copy $DOMAIN.crt to /usr/local/nginx/conf/ssl/$DOMAIN.crt"
    echo "Copy $DOMAIN.key to /usr/local/nginx/conf/ssl/$DOMAIN.key"
    echo "Add configuration in nginx:"
    echo "server {"
    echo "    ..."
    echo "    listen 443 ssl;"
    echo "    ssl_certificate /usr/local/nginx/conf/ssl/$DOMAIN.crt;"
    echo "    ssl_certificate_key /usr/local/nginx/conf/ssl/$DOMAIN.key;"
    echo "}"
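Once both sites are enabled and nginx reloaded, the property the whole setup exists for is that the one VIP returns a different certificate depending on the name in the TLS ClientHello. The script below is an added example, not from the original page: it asks the VIP for each name with `openssl s_client -servername`, pulls the CN out of the leaf certificate, and reports a mismatch when the certificate does not belong to the name requested (which is exactly what a client sees when SNI support is missing from the build or a vhost is wired to the wrong certificate). It assumes openssl(1) on the client and the VIP and domain names from the inventory above; the two s_client transcripts embedded at the end are constructed samples for offline use, not real output from these hosts.

```shell
#!/bin/sh
# Added example: check that one IP hands out a different certificate per SNI name.
# Not from the original page; assumes openssl(1) is on the PATH.

VIP=192.168.136.200
SITES="linux.example.com windows.example.com"

# Extract the CN of the leaf certificate from an `openssl s_client` transcript on stdin.
# Handles both the OpenSSL 1.0 layout ("subject=/C=CN/.../CN=host") and the
# OpenSSL 1.1 layout ("subject=C = CN, ..., CN = host").
leaf_cn() {
  sed -n 's/^subject=.*CN *= *\([^,/]*\).*/\1/p' | head -n 1 | tr -d ' '
}

# Open a TLS connection to $1:443 sending SNI name $2; print the s_client transcript.
# Empty stdin makes s_client close the session right after the handshake.
probe_sni() {
  printf '' | openssl s_client -connect "$1:443" -servername "$2" 2>/dev/null
}

# Report whether the certificate presented for name $2 on host $1 actually names $2.
# Prints one line; returns 0 on match, 1 on mismatch or connection failure.
check_sni() {
  cn=$(probe_sni "$1" "$2" | leaf_cn)
  if [ "$cn" = "$2" ]; then
    echo "ok        $2 -> CN=$cn"
    return 0
  fi
  echo "MISMATCH  $2 -> CN='${cn:-<no certificate>}'"
  return 1
}

# Constructed sample transcripts (not captured from the page's hosts), so the
# parser can be exercised without the lab network.
SAMPLE_OPENSSL10='Server certificate
-----BEGIN CERTIFICATE-----
MIIB...
-----END CERTIFICATE-----
subject=/C=CN/ST=China/L=Shanghai/O=example.com/OU=example.com/CN=linux.example.com
issuer=/C=CN/ST=China/L=Shanghai/O=example.com/OU=example.com/CN=linux.example.com'
SAMPLE_OPENSSL11='Server certificate
subject=C = CN, ST = China, L = Shanghai, O = example.com, OU = example.com, CN = windows.example.com
issuer=C = CN, ST = China, L = Shanghai, O = example.com, OU = example.com, CN = windows.example.com'

# Usage: ./check_sni.sh <vip> [name ...]   (names default to the inventory above)
if [ $# -ge 1 ]; then
  VIP=$1; shift
  [ $# -ge 1 ] && SITES=$*
  rc=0
  for site in $SITES; do
    check_sni "$VIP" "$site" || rc=1
  done
  exit $rc
fi
```

Run it as `./check_sni.sh 192.168.136.200` from a machine that can reach the VIP; both lines should read "ok". A MISMATCH for windows.example.com showing CN=linux.example.com means nginx served the default (first) ssl server block instead of selecting by SNI, which is what happens when the build lacks "TLS SNI support enabled" or the server_name in the vhost does not match the name clients send. Adding a name that is not configured, e.g. `./check_sni.sh 192.168.136.200 other.example.com`, shows which certificate strangers get, which is the case the no-default server block on port 443 is meant to close.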