Using RedHat 7 (64-bit) as the example platform.

If the RedHat repositories are unavailable, the EPEL repository can be used instead:

# rpm -Uvh https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm
# yum makecache
# yum install gcc --enablerepo=epel   (explicitly use the epel repository)

IP address list:

Nginx_Master: 192.168.136.201   provides load balancing
Nginx_BackUp: 192.168.136.202   load-balancer standby

Nginx_VIP: 192.168.136.200   the site's VIP (virtual IP)

1. Install Keepalived (Nginx master/backup hot standby)

  1. Install the build dependencies
    # yum install -y wget gcc openssl-devel popt-devel
  2. Download and unpack Keepalived
    # cd /usr/local/src
    # wget http://www.keepalived.org/software/keepalived-1.2.19.tar.gz
    # tar -zxvf keepalived-1.2.19.tar.gz && cd keepalived-1.2.19
  3. Compile and install Keepalived
    # ./configure --sysconf=/etc
    # make && make install
    # ln -s /usr/local/sbin/keepalived /usr/sbin/keepalived
  4. Edit the configuration file
    # vi /etc/keepalived/keepalived.conf
    keepalived.conf on the master Nginx server
    ! Configuration File for keepalived

    global_defs {
        notification_email {
            admin@example.com
        }
        notification_email_from admin@example.com
        smtp_server 127.0.0.1
        smtp_connect_timeout 30
        router_id LVS_DEVEL
    }

    vrrp_script check_run {
        script "/usr/local/bin/check_nginx.sh"
        interval 2
        weight 2
    }

    vrrp_instance VI_1 {
        state MASTER
        interface eno16777728
        virtual_router_id 51
        priority 100
        advert_int 1
        authentication {
            auth_type PASS
            auth_pass 1111
        }
        track_script {
            check_run
        }
        virtual_ipaddress {
            192.168.136.200
        }
    }

    keepalived.conf on the backup Nginx server

    ! Configuration File for keepalived

    global_defs {
        notification_email {
            admin@example.com
        }
        notification_email_from admin@example.com
        smtp_server 127.0.0.1
        smtp_connect_timeout 30
        router_id LVS_DEVEL
    }

    vrrp_script check_run {
        script "/usr/local/bin/check_nginx.sh"
        interval 5
    }

    vrrp_instance VI_1 {
        state BACKUP
        interface eno16777728
        virtual_router_id 51
        priority 99
        advert_int 1
        authentication {
            auth_type PASS
            auth_pass 1111
        }
        track_script {
            check_run
        }
        virtual_ipaddress {
            192.168.136.200
        }
    }

    # vi /usr/local/bin/check_nginx.sh
    # chmod +x /usr/local/bin/check_nginx.sh

    #!/bin/bash
    # Keepalived health check for nginx. If no nginx master process is running,
    # try to start nginx; if it is still not running 5 seconds later, stop
    # keepalived so that the VIP fails over to the backup node. Stopping
    # keepalived is what triggers the failover: with weight 2 and priorities
    # 100/99, a failing check alone would leave the master at 100, still above
    # the backup's 99.
    if [ "$(ps -ef | grep "nginx: master process" | grep -v grep)" == "" ]
    then
        service nginx start
        sleep 5
        if [ "$(ps -ef | grep "nginx: master process" | grep -v grep)" == "" ]
        then
            service keepalived stop
        fi
    fi
  5. Enable Keepalived at boot and start the service
    # chkconfig keepalived on
    # service keepalived start

2. Install the Nginx proxy server

  1. Install jemalloc (better memory management)

    # yum -y install bzip2
    # cd /usr/local/src
    # wget http://www.canonware.com/download/jemalloc/jemalloc-4.0.4.tar.bz2
    # tar -jxvf jemalloc-4.0.4.tar.bz2 && cd jemalloc-4.0.4
    # ./configure
    # make && make install
    # echo '/usr/local/lib' > /etc/ld.so.conf.d/local.conf
    # ldconfig
  2. lua-nginx-module (adds Lua scripting support to Nginx)
    lua-nginx-module comes from agentzh's open-source project; it embeds the Lua language in Nginx so that Nginx configuration can use the full power of Lua.
    1. Download and install LuaJIT 2.0
    # cd /usr/local/src
    # wget http://luajit.org/download/LuaJIT-2.0.4.tar.gz
    # tar -zxvf LuaJIT-2.0.4.tar.gz && cd LuaJIT-2.0.4
    # make && make install
    # ln -s /usr/local/lib/libluajit-5.1.so.2 /lib64/libluajit-5.1.so.2
    2. Export the environment variables
    # export LUAJIT_LIB=/usr/local/lib
    # export LUAJIT_INC=/usr/local/include/luajit-2.0
    3. Download and unpack ngx_devel_kit and lua-nginx-module
    # cd /usr/local/src
    # curl -L https://codeload.github.com/simpl/ngx_devel_kit/tar.gz/v0.2.19 -o ngx_devel_kit-0.2.19.tar.gz
    # tar -zxvf ngx_devel_kit-0.2.19.tar.gz
    # curl -L https://codeload.github.com/openresty/lua-nginx-module/tar.gz/v0.9.20rc2 -o lua-nginx-module-0.9.20rc2.tar.gz
    # tar -zxvf lua-nginx-module-0.9.20rc2.tar.gz
  3. ngx_cache_purge module (purges the Nginx cache)
    # cd /usr/local/src
    # wget http://labs.frickle.com/files/ngx_cache_purge-2.3.tar.gz
    # tar -zxvf ngx_cache_purge-2.3.tar.gz
  4. Install Nginx
    # yum -y install pcre-devel openssl-devel zlib-devel
    # wget http://nginx.org/download/nginx-1.9.9.tar.gz
    # tar -zxvf nginx-1.9.9.tar.gz && cd nginx-1.9.9
    # ./configure \
    --sbin-path=/usr/local/nginx/nginx \
    --pid-path=/var/run/nginx.pid \
    --user=nginx \
    --group=nginx \
    --http-client-body-temp-path=/usr/local/nginx/cache/client_body_temp \
    --http-proxy-temp-path=/usr/local/nginx/cache/proxy_temp \
    --http-fastcgi-temp-path=/usr/local/nginx/cache/fastcgi_temp \
    --http-uwsgi-temp-path=/usr/local/nginx/cache/uwsgi_temp \
    --http-scgi-temp-path=/usr/local/nginx/cache/scgi_temp \
    --with-http_ssl_module \
    --with-http_stub_status_module \
    --with-threads \
    --with-stream \
    --with-stream_ssl_module \
    --with-ipv6 \
    --with-http_v2_module \
    --add-module=../ngx_cache_purge-2.3 \
    --add-module=../lua-nginx-module-0.9.20rc2 \
    --add-module=../ngx_devel_kit-0.2.19 \
    --with-ld-opt='-ljemalloc' \
    --with-cc-opt='-O2 -g -pipe -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic'
    # make -j2 && make install
    # mkdir /usr/local/nginx/cache
    # ln -s /usr/local/nginx/nginx /usr/sbin/nginx   (create a symlink to the nginx executable)

    Use the following command to confirm that Nginx was built with SNI support (the output should contain "TLS SNI support enabled"):
    # nginx -V

  5. Create the Nginx startup script
    # vi /etc/init.d/nginx
    #!/bin/sh
    #
    # nginx - this script starts and stops the nginx daemon
    #
    # chkconfig:   - 85 15
    # description:  NGINX is an HTTP(S) server, HTTP(S) reverse \
    #               proxy and IMAP/POP3 proxy server
    # processname: nginx
    # config:      /etc/nginx/nginx.conf
    # config:      /etc/sysconfig/nginx
    # pidfile:     /var/run/nginx.pid

    # Source function library.
    . /etc/rc.d/init.d/functions

    # Source networking configuration.
    . /etc/sysconfig/network

    # Check that networking is up.
    [ "$NETWORKING" = "no" ] && exit 0

    nginx="/usr/local/nginx/nginx"
    prog=$(basename $nginx)

    NGINX_CONF_FILE="/usr/local/nginx/conf/nginx.conf"

    [ -f /etc/sysconfig/nginx ] && . /etc/sysconfig/nginx

    lockfile=/var/lock/subsys/nginx

    make_dirs() {
        # make required directories
        user=`$nginx -V 2>&1 | grep "configure arguments:" | sed 's/[^*]*--user=\([^ ]*\).*/\1/g' -`
        if [ -z "`grep $user /etc/passwd`" ]; then
            useradd -r -M -s /sbin/nologin $user
        fi
        options=`$nginx -V 2>&1 | grep 'configure arguments:'`
        for opt in $options; do
            if [ `echo $opt | grep '.*-temp-path'` ]; then
                value=`echo $opt | cut -d "=" -f 2`
                if [ ! -d "$value" ]; then
                    # echo "creating" $value
                    mkdir -p $value && chown -R $user $value
                fi
            fi
        done
    }

    start() {
        [ -x $nginx ] || exit 5
        [ -f $NGINX_CONF_FILE ] || exit 6
        make_dirs
        echo -n $"Starting $prog: "
        daemon $nginx -c $NGINX_CONF_FILE
        retval=$?
        echo
        [ $retval -eq 0 ] && touch $lockfile
        return $retval
    }

    stop() {
        echo -n $"Stopping $prog: "
        killproc $prog -QUIT
        retval=$?
        echo
        [ $retval -eq 0 ] && rm -f $lockfile
        return $retval
    }

    restart() {
        configtest || return $?
        stop
        sleep 1
        start
    }

    reload() {
        configtest || return $?
        echo -n $"Reloading $prog: "
        killproc $nginx -HUP
        RETVAL=$?
        echo
    }

    force_reload() {
        restart
    }

    configtest() {
        $nginx -t -c $NGINX_CONF_FILE
    }

    rh_status() {
        status $prog
    }

    rh_status_q() {
        rh_status >/dev/null 2>&1
    }

    case "$1" in
        start)
            rh_status_q && exit 0
            $1
            ;;
        stop)
            rh_status_q || exit 0
            $1
            ;;
        restart|configtest)
            $1
            ;;
        reload)
            rh_status_q || exit 7
            $1
            ;;
        force-reload)
            force_reload
            ;;
        status)
            rh_status
            ;;
        condrestart|try-restart)
            rh_status_q || exit 0
            ;;
        *)
            echo $"Usage: $0 {start|stop|status|restart|condrestart|try-restart|reload|force-reload|configtest}"
            exit 2
    esac
  6. Enable Nginx at boot and start the service
    # chmod +x /etc/init.d/nginx
    # chkconfig nginx on
    # service nginx start
  7. Open the http and https firewall ports
    # firewall-cmd --permanent --add-service={http,https}
    # firewall-cmd --reload
  8. Test Nginx in a browser

3. Generate the SSL certificates

  1. Create the certificate directory and change into it
    # mkdir -p /usr/local/nginx/conf/ssl && cd /usr/local/nginx/conf/ssl

Generating server certificates with openssl

Assume we have two sites, linux.example.com and windows.example.com:

Domain                UpStream              Servers                                             System
-------------------   -------------------   -------------------------------------------------   -------
linux.example.com     linux.example.com     192.168.136.101, 192.168.136.102, 192.168.136.103   Linux
windows.example.com   windows.example.com   192.168.136.104, 192.168.136.105                    Windows

Taking linux.example.com as the example, generate the server certificate:

  1. Generate the server's private key (the .key file)
    # openssl genrsa -des3 -out linux.example.com.key 1024

    Generating RSA private key, 1024 bit long modulus
    ...........++++++
    .....................++++++
    e is 65537 (0x10001)
    Enter pass phrase for linux.example.com.key: <passphrase>
    Verifying - Enter pass phrase for linux.example.com.key: <confirm passphrase>
  2. Create a Certificate Signing Request (CSR)
    # SUBJECT="/C=CN/ST=China/L=Shanghai/O=example.com/OU=example.com/CN=linux.example.com"
    # openssl req -new -subj $SUBJECT -key linux.example.com.key -out linux.example.com.csr
    Enter pass phrase for linux.example.com.key: <passphrase>
  3. Strip the passphrase from the key so that Nginx does not prompt for it on every restart
    # mv linux.example.com.key linux.example.com.origin.key
    # openssl rsa -in linux.example.com.origin.key -out linux.example.com.key
  4. Create a self-signed certificate from the private key and CSR just generated
    # openssl x509 -req -days 3650 -in linux.example.com.csr -signkey linux.example.com.key -out linux.example.com.crt
  5. Repeat the steps above to generate the windows.example.com certificate
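The five steps above as one script, added here as an example and not part of the original post. It departs from the manual steps on purpose: a 2048-bit key instead of 1024, the key written without a passphrase from the start, and a subjectAltName in the certificate (browsers match the hostname against the SAN, not the CN). It assumes output under $SSL_DIR, defaulting to ./ssl rather than the post's /usr/local/nginx/conf/ssl, and uses only options available in RHEL 7's OpenSSL 1.0.2.

```shell
#!/bin/sh
# Added example, not from the original post: generate a self-signed server
# certificate for one SNI virtual host and verify the key/cert pair before
# it is referenced from ssl_certificate / ssl_certificate_key.
# Assumption: files are written to $SSL_DIR (default ./ssl).
set -eu

SSL_DIR="${SSL_DIR:-./ssl}"

# make_cert FQDN [DAYS]: writes $SSL_DIR/FQDN.key and $SSL_DIR/FQDN.crt
make_cert() {
    mc_fqdn="$1"
    mc_days="${2:-3650}"
    mkdir -p "$SSL_DIR"
    # A throw-away openssl config carries the subject (copied from the post's
    # SUBJECT string) and the SAN extension; this avoids -addext, which the
    # OpenSSL 1.0.2 shipped with RHEL 7 does not support.
    mc_cfg=$(mktemp)
    cat > "$mc_cfg" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_server
[dn]
C = CN
ST = China
L = Shanghai
O = example.com
OU = example.com
CN = $mc_fqdn
[v3_server]
subjectAltName = DNS:$mc_fqdn
extendedKeyUsage = serverAuth
EOF
    # -x509: self-sign directly instead of writing a CSR; -nodes: no passphrase,
    # so the "remove password" step of the manual procedure is not needed.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$mc_days" \
        -config "$mc_cfg" -keyout "$SSL_DIR/$mc_fqdn.key" \
        -out "$SSL_DIR/$mc_fqdn.crt" 2>/dev/null
    rm -f "$mc_cfg"
    chmod 600 "$SSL_DIR/$mc_fqdn.key"   # nginx reads it as root; nobody else needs it
}

# cert_san CRT: prints the DNS names listed in the certificate's subjectAltName
cert_san() {
    openssl x509 -in "$1" -noout -text | grep -o 'DNS:[^, ]*' | sed 's/^DNS://'
}

# cert_covers_name CRT FQDN: succeeds when FQDN is among the SAN DNS names,
# i.e. this is the certificate nginx should serve for that server_name
cert_covers_name() {
    cert_san "$1" | grep -qx "$2"
}

# key_matches_cert KEY CRT: succeeds when both carry the same RSA modulus,
# so the pair configured in one server block actually belongs together
key_matches_cert() {
    [ "$(openssl rsa -in "$1" -noout -modulus)" = "$(openssl x509 -in "$2" -noout -modulus)" ]
}

# cert_key_bits CRT: prints the size of the certificate's RSA public key
cert_key_bits() {
    openssl x509 -in "$1" -noout -text | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# Usage: sh make_cert.sh linux.example.com windows.example.com
for fqdn in "$@"; do
    make_cert "$fqdn"
    key_matches_cert "$SSL_DIR/$fqdn.key" "$SSL_DIR/$fqdn.crt" || exit 1
    cert_covers_name "$SSL_DIR/$fqdn.crt" "$fqdn" || exit 1
    echo "$fqdn: $(cert_key_bits "$SSL_DIR/$fqdn.crt")-bit key, SAN $(cert_san "$SSL_DIR/$fqdn.crt" | tr '\n' ' ')"
done
```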

Create the Nginx configuration files

  1. Create the upstream configuration files
    # mkdir /usr/local/nginx/conf/upstreams && cd /usr/local/nginx/conf/upstreams
    # vi linux.example.com.conf

    upstream linux.example.com {
        ip_hash;
        # backend port omitted: nginx defaults to 80
        server 192.168.136.101;
        server 192.168.136.102;
        server 192.168.136.103;
    }

    # vi windows.example.com.conf

    upstream windows.example.com {
        ip_hash;
        # backend port omitted: nginx defaults to 80
        server 192.168.136.104;
        server 192.168.136.105;
    }
  2. Install the nginx_ensite tool
    # cd /usr/local/src
    # yum -y install git
    # git clone https://github.com/perusio/nginx_ensite.git && cd nginx_ensite
    # make install
    Edit the nginx_ensite script (the default configuration directory is changed to /usr/local/nginx/conf)
    # vi /usr/local/bin/nginx_ensite
    #!/bin/bash

    ### nginx_ensite --- Bash script to enable or disable a site in nginx.

    ### Copyright (C) António P. P. Almeida <appa@perusio.net>

    ### Author: António P. P. Almeida <appa@perusio.net>

    ### Permission is hereby granted, free of charge, to any person obtaining a
    ### copy of this software and associated documentation files (the "Software"),
    ### to deal in the Software without restriction, including without limitation
    ### the rights to use, copy, modify, merge, publish, distribute, sublicense,
    ### and/or sell copies of the Software, and to permit persons to whom the
    ### Software is furnished to do so, subject to the following conditions:

    ### The above copyright notice and this permission notice shall be included in
    ### all copies or substantial portions of the Software.

    ### Except as contained in this notice, the name(s) of the above copyright
    ### holders shall not be used in advertising or otherwise to promote the sale,
    ### use or other dealings in this Software without prior written authorization.

    ### THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
    ### IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
    ### FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
    ### THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
    ### LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
    ### FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
    ### DEALINGS IN THE SOFTWARE.

    SCRIPTNAME=${0##*/}

    ## The nginx binary. Check if we're root or not. If we are get the
    ## path to nginx. If not hardcode the path.
    if [ $(id -u) -eq 0 ]; then
        IS_ROOT=1
        NGINX=$(command -v nginx) || exit 0
    else
        STATUS=1
        NGINX=/usr/sbin/nginx
    fi

    ## Default value for the configuration directory.
    NGINX_CONF_DIR=/usr/local/nginx/conf

    function print_usage() {
        echo "$SCRIPTNAME [-c <nginx configuration base directory> default: /usr/local/nginx/conf] [ -s <startup program name> default: nginx] <site name>"
    }

    ## Extract the startup program name from a given argument. If it's a
    ## path to nginx then add the '-s reload' to the name. Otherwise just
    ## return the given argument.
    ## $1: the program name.
    ## Returns the proper startup program name,
    function get_startup_program_name() {
        local value="$1"

        [[ $1 =~ [[:alnum:]/-]*nginx$ ]] && value="$1 -s reload"

        echo "$value"
    }

    ## The default start up program is nginx.
    STARTUP_PROGRAM_NAME=$(get_startup_program_name nginx)

    ## Create the relative path to the vhost file.
    ## $1: configuration file name (usually the vhost)
    ## $2: available sites directory name (usually sites-available)
    ## Returns the relative path from the sites-enabled directory.
    function make_relative_path() {
        printf '../%.0s%s/%s' $(eval echo {0..$(expr length "${1//[^\/]/}")}) $2 $1
    }

    ## Checking the type of action we will perform. Enabling or disabling.
    ACTION=$(echo $SCRIPTNAME | awk '$0 ~ /dissite/ {print "DISABLE"} $0 ~ /ensite/ {print "ENABLE"} $0 !~ /(dis|en)site/ {print "UNKNOWN"}')

    if [ "$ACTION" == "UNKNOWN" ]; then
        echo "$SCRIPTNAME: Unknown action!" >&2
        print_usage
        exit 1
    fi

    ## Check the number of arguments.
    if [ $# -lt 1 -o $# -gt 5 ]; then
        print_usage >&2
        exit 2
    fi

    ## Parse the getops arguments.
    while getopts c:s: OPT; do
        case $OPT in
            c|+c)
                NGINX_CONF_DIR=$(realpath "$OPTARG")
                if [[ ! -d $NGINX_CONF_DIR ]]; then
                    echo "$NGINX_CONF_DIR directory not found." >&2
                    exit 3
                fi
                ;;
            s|+s)
                STARTUP_PROGRAM_NAME=$(get_startup_program_name "$OPTARG")
                ;;
            *)
                print_usage >&2
                exit 4
                ;;
        esac
    done
    shift $(( OPTIND - 1 ))
    OPTIND=1

    ## The paths for both nginx configuration files and the sites
    ## configuration files and symbolic link destinations.
    AVAILABLE_SITES_PATH="$NGINX_CONF_DIR/sites-available"
    ENABLED_SITES_PATH="$NGINX_CONF_DIR/sites-enabled"

    ## Check the number of arguments.
    if [ $# -ne 1 ]; then
        print_usage >&2
        exit 2
    else
        SITE_AVAILABLE=$(make_relative_path "$1" ${AVAILABLE_SITES_PATH##*/})
        ## If enabling the 'default' site then make sure that it's the
        ## first to be loaded.
        if [ "$1" == "default" ]; then
            SITE_ENABLED="$ENABLED_SITES_PATH/default"
        else
            SITE_ENABLED="$ENABLED_SITES_PATH/$1"
        fi
        ## Check if the directory where we will place the symlink
        ## exists. If not create it.
        [ -d ${SITE_ENABLED%/*} ] || mkdir -p ${SITE_ENABLED%/*}
    fi

    ## Check that the file corresponding to site exists if enabling or
    ## that the symbolic link exists if disabling. Perform the desired
    ## action if possible. If not signal an error and exit.
    case $ACTION in
        ENABLE)
            # Change to the directory where we will place the symlink so that we
            # see the relative path correctly.
            cd "${SITE_ENABLED%/*}";
            if [ -r $SITE_AVAILABLE ]; then
                ## Test for a well formed configuration only when we are
                ## root.
                if [ -n "$IS_ROOT" ]; then
                    echo "Testing nginx configuration..."
                    $NGINX -t && STATUS=0
                fi
                ## Check the config testing status and if the link exists already.
                if [ $STATUS ] && [ -h $SITE_ENABLED ]; then
                    ## If already enabled say it and exit.
                    echo "$1 is already enabled."
                    exit 0
                else # Symlink if not yet enabled.
                    ln -s $SITE_AVAILABLE $SITE_ENABLED
                fi
                if [ $STATUS ]; then
                    echo -n "Site $1 has been enabled."
                    printf '\nRun "%s" to apply the changes.\n' "$STARTUP_PROGRAM_NAME"
                    exit 0
                else
                    exit 5
                fi
            else
                echo "Site configuration file $1 not found." >&2
                exit 6
            fi
            ;;
        DISABLE)
            if [ "$1" = "default" ] ; then
                if [ -h "$ENABLED_SITES_PATH/default" ] ; then
                    SITE_ENABLED="$ENABLED_SITES_PATH/default"
                fi
            fi
            if [ -h $SITE_ENABLED ]; then
                rm $SITE_ENABLED
                echo -n "Site $1 has been disabled."
                printf '\nRun "%s" to apply the changes.\n' "$STARTUP_PROGRAM_NAME"
                exit 0
            else
                echo "Site $1 doesn't exist." >&2
                exit 7
            fi
            ;;
    esac
  3. Create the sites-available directory and change into it
    # mkdir /usr/local/nginx/conf/sites-available && cd /usr/local/nginx/conf/sites-available
  4. Create the site configuration files
    # vi no-default

    # Drop requests for unknown hosts
    #
    # If no default server is defined, nginx will use the first found server.
    # To prevent host header attacks, or other potential problems when an unknown
    # servername is used in a request, it's recommended to drop the request
    # returning "no response".
    server {
        listen 80 default_server;
        return 444;
    }

    # vi linux.example.com

    server {
        listen [::]:80;
        listen 80;
        server_name linux.example.com;

        return https://$host$request_uri;
    }

    server {
        listen [::]:443 ssl http2;
        listen 443 ssl http2;
        server_name linux.example.com;

        access_log logs/linux.example.com.access.log main;
        error_log logs/linux.example.com.error.log error;

        location / {
            proxy_pass http://linux.example.com;
        }

        include ssl.conf;

        ssl_certificate ssl/linux.example.com.crt;
        ssl_certificate_key ssl/linux.example.com.key;
    }

    # vi windows.example.com

    server {
        listen [::]:80;
        listen 80;
        server_name windows.example.com;

        return https://$host$request_uri;
    }

    server {
        listen [::]:443 ssl http2;
        listen 443 ssl http2;
        server_name windows.example.com;

        access_log logs/windows.example.com.access.log main;
        error_log logs/windows.example.com.error.log error;

        location / {
            proxy_pass http://windows.example.com;
        }

        include ssl.conf;

        ssl_certificate ssl/windows.example.com.crt;
        ssl_certificate_key ssl/windows.example.com.key;
    }
  5. Enabling and disabling a site
    # nginx_ensite linux.example.com    (enable the site)
    # nginx_dissite linux.example.com   (disable the site)
  6. Create the zone.conf configuration file
    # vi /usr/local/nginx/conf/zone.conf
    # 1mb zone holds approx 16k sessions
    # Connections per IP
    limit_conn_zone $binary_remote_addr zone=conPerIp:5m;

    # Fastcgi cache zones below
    # At some point you'd probably want to change these paths to their own
    # directory, for example to /var/cache/nginx/
    fastcgi_cache_path /usr/local/nginx/cache/fastcgi_cache levels=: keys_zone=fastcgi_cache:16m max_size=256m inactive=1d;

    limit_req_zone $binary_remote_addr zone=reqPerSec1:1m rate=1r/s;
    limit_req_zone $binary_remote_addr zone=reqPerSec10:1m rate=10r/s;
    limit_req_zone $binary_remote_addr zone=reqPerSec20:1m rate=20r/s;
  7. Create the proxy.conf configuration file
    # vi /usr/local/nginx/conf/proxy.conf
    proxy_redirect off;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

    proxy_connect_timeout 30;
    proxy_send_timeout 30;
    proxy_read_timeout 60;
    proxy_buffer_size 256k;
    proxy_buffers 4 256k;
    proxy_busy_buffers_size 256k;
    proxy_temp_file_write_size 256k;
    proxy_next_upstream error timeout invalid_header http_500 http_503 http_404;
    proxy_max_temp_file_size 128m;
  8. Create the ssl.conf configuration file
    # vi /usr/local/nginx/conf/ssl.conf
    add_header Strict-Transport-Security 'max-age=604800';

    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
    ssl_prefer_server_ciphers on;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

    # Maximum secure cipher list from https://cipherli.st/. Not supported by some clients: IE6/XP, IE8/XP, Java 6u45, Java 7u25, OpenSSL 0.9.8y
    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";

    # Less secure cipher list from https://cipherli.st/. Not supported by some clients: IE6/XP, Java 6u45
    #ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:ECDHE-RSA-AES128-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA128:DHE-RSA-AES128-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA128:ECDHE-RSA-AES128-SHA384:ECDHE-RSA-AES128-SHA128:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA128:DHE-RSA-AES128-SHA128:DHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA384:AES128-GCM-SHA128:AES128-SHA128:AES128-SHA128:AES128-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
  9. Create the gzip.conf configuration file
    # vi /usr/local/nginx/conf/gzip.conf
    gzip on;
    gzip_http_version 1.0;
    gzip_min_length ;
    gzip_buffers 8k;
    gzip_proxied expired no-cache no-store private auth;
    gzip_disable "msie6";
    gzip_vary on;
    gzip_comp_level ;
    gzip_types
        # text/html is always compressed by HttpGzipModule
        text/css
        text/javascript
        text/xml
        text/plain
        text/x-component
        application/javascript
        application/x-javascript
        application/json
        application/xml
        application/rss+xml
        application/atom+xml
        font/truetype
        font/opentype
        application/vnd.ms-fontobject
        image/svg+xml;
  10. Edit the nginx.conf configuration file
    # vi /usr/local/nginx/conf/nginx.conf
    user  nginx;
    worker_processes auto;
    worker_rlimit_nofile ;

    events {
        worker_connections ;
    }

    error_log logs/error.log warn;

    http {
        include mime.types;
        default_type text/html;
        server_tokens off;
        msie_padding off;
        max_ranges ;
        charset utf-8;
        reset_timedout_connection on;
        keepalive_disable none;

        sendfile on;
        tcp_nopush on;
        tcp_nodelay off;
        keepalive_requests ;

        log_format main '$remote_addr $scheme://$host $remote_user [$time_local] "$request" '
                        '$status $body_bytes_sent "$http_referer" '
                        '"$http_user_agent" $request_time $upstream_addr $upstream_cache_status';
        log_subrequest on;

        variables_hash_max_size ;
        map_hash_max_size ;
        server_names_hash_max_size ;
        types_hash_max_size ;

        open_file_cache max=;
        open_file_cache_errors on;

        keepalive_timeout ;
        client_header_timeout ;
        client_body_timeout ;
        send_timeout ;

        fastcgi_connect_timeout ;
        fastcgi_send_timeout ;

        include proxy.conf;
        include zone.conf;
        include upstreams/*.conf;
        include sites-enabled/*;
    }
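A detection pass over access logs written in the `log_format main` defined above, added here as an example and not part of the original post. It reports clients whose per-second request count exceeds one of the zone.conf rates (the reqPerSec zones are declared there, but none of the server blocks above applies them with limit_req, so this shows what they would have caught) and clients answered with 444 by the no-default server. The log lines are constructed for illustration.

```shell
#!/bin/bash
# Added example, not part of the original post: summarise access logs in the
# post's `log_format main` for two defender questions: who exceeds a
# limit_req_zone rate, and who is sending requests for Host names we do not
# serve (the no-default server drops those with 444). Sample lines are constructed.

# log_line IP SCHEME_HOST TIME REQUEST STATUS BYTES UPSTREAM: one line in
# log_format main; referer, user agent, request_time and cache status are fixed.
log_line() {
    printf '%s %s - [%s +0800] "%s" %s %s "-" "Mozilla/5.0" 0.012 %s -\n' \
        "$1" "$2" "$3" "$4" "$5" "$6" "$7"
}

# Constructed sample: a normal browser, one client firing 12 requests within a
# single second at linux.example.com, and a scanner probing unknown hosts.
sample_log() {
    log_line 192.168.136.50 https://linux.example.com 10/Jan/2016:12:00:01 "GET / HTTP/2.0" 200 512 192.168.136.101:80
    log_line 192.168.136.50 https://windows.example.com 10/Jan/2016:12:00:03 "GET /login HTTP/2.0" 200 2048 192.168.136.104:80
    for i in $(seq 1 12); do
        log_line 203.0.113.9 https://linux.example.com 10/Jan/2016:12:00:05 "GET /api/item/$i HTTP/2.0" 200 128 192.168.136.102:80
    done
    log_line 198.51.100.7 http://192.168.136.200 10/Jan/2016:12:00:07 "GET / HTTP/1.1" 444 0 -
    log_line 198.51.100.7 http://admin.internal 10/Jan/2016:12:00:08 "GET /manager HTTP/1.1" 444 0 -
}

# Shared awk prologue. Splitting on double quotes gives: $1 = addr scheme://host
# user [time zone], $2 = request, $3 = status bytes, $4 = referer, $6 = user
# agent, $7 = request_time upstream_addr cache_status. Spaces inside the request
# or user agent therefore cannot shift the fields we rely on.
AWK_PARSE='
function parse() {
    split($1, head, " ")
    ip = head[1]
    second = head[4]; sub(/^\[/, "", second)   # 10/Jan/2016:12:00:05
    split($3, mid, " "); status = mid[1]
}'

# rate_offenders RATE: reads the log on stdin and prints "ip peak_per_second"
# for every client that sent more than RATE requests within one second (what a
# limit_req_zone rate=RATEr/s would start rejecting, burst settings aside).
rate_offenders() {
    awk -F'"' "$AWK_PARSE"'
    { parse(); n[ip SUBSEP second]++ }
    END {
        for (k in n) { split(k, p, SUBSEP); if (n[k] > peak[p[1]]) peak[p[1]] = n[k] }
        for (c in peak) if (peak[c] > rate) print c, peak[c]
    }' rate="$1"
}

# unknown_host_probes: reads the log on stdin and prints "ip count" of requests
# the no-default server dropped with 444 (Host header matched no server_name).
unknown_host_probes() {
    awk -F'"' "$AWK_PARSE"'
    { parse(); if (status == 444) hits[ip]++ }
    END { for (c in hits) print c, hits[c] }'
}

if [ "${1:-}" = "--demo" ]; then
    echo "clients exceeding 10 r/s:";        sample_log | rate_offenders 10
    echo "clients probing unknown hosts:";   sample_log | unknown_host_probes
fi
```

Run with `--demo` to see the sample summarised; pipe a real access log into `rate_offenders 10` or `unknown_host_probes` to analyse production logs.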

    Certificate generation script:

    #!/bin/sh

    # create self-signed server certificate:

    read -p "Enter your domain [www.example.com]: " DOMAIN
    DOMAIN=${DOMAIN:-www.example.com}

    echo "Create server key..."

    openssl genrsa -des3 -out $DOMAIN.key 1024

    echo "Create server certificate signing request..."

    SUBJECT="/C=CN/ST=China/L=Shanghai/O=example.com/OU=example.com/CN=$DOMAIN"

    openssl req -new -subj $SUBJECT -key $DOMAIN.key -out $DOMAIN.csr

    echo "Remove password..."

    mv $DOMAIN.key $DOMAIN.origin.key
    openssl rsa -in $DOMAIN.origin.key -out $DOMAIN.key

    echo "Sign SSL certificate..."

    openssl x509 -req -days 3650 -in $DOMAIN.csr -signkey $DOMAIN.key -out $DOMAIN.crt

    echo "TODO:"
    echo "Copy $DOMAIN.crt to /usr/local/nginx/conf/ssl/$DOMAIN.crt"
    echo "Copy $DOMAIN.key to /usr/local/nginx/conf/ssl/$DOMAIN.key"
    echo "Add configuration in nginx:"
    echo "server {"
    echo " ..."
    echo " listen 443 ssl;"
    echo " ssl_certificate /usr/local/nginx/conf/ssl/$DOMAIN.crt;"
    echo " ssl_certificate_key /usr/local/nginx/conf/ssl/$DOMAIN.key;"
    echo "}"
