Installing nginx from source and configuring SSL
Prerequisites: libevent-2.0.16-stable.tar.gz nginx-1.4.2.tar.gz
1: Unpack
shell>tar -zxvf libevent-2.0.16-stable.tar.gz -C /usr/local/src
shell>tar -zxvf nginx-1.4.2.tar.gz -C /usr/local/src
2: Install
shell>cd /usr/local/src/libevent-2.0.16-stable/
shell>./configure --prefix=/usr/local/libevent
shell>make && make install
shell>vim /etc/ld.so.conf.d/libevent.conf
Add the line /usr/local/libevent/lib (then run ldconfig so the dynamic linker cache picks the new directory up)
shell>ln -s /usr/local/libevent/include/ /usr/include/libevent # create a symlink for the header files
shell>vim /etc/profile
Append /usr/local/libevent/bin to the existing PATH line: PATH=$PATH:/usr/local/libevent/bin
shell>rpm -ivh /mnt/cdrom/Server/pcre-devel-6.6-2.el5_1.7.i386.rpm
shell>groupadd -r nginx
shell>useradd -r -g nginx -s /sbin/nologin -M nginx
shell>cd /usr/local/src/nginx-1.4.2/
[[email protected] nginx-1.4.2]# ./configure --prefix=/usr/local/nginx \
> --conf-path=/etc/nginx/nginx.conf \
> --error-log-path=/var/log/nginx/error.log \
> --http-log-path=/var/log/nginx/access.log \
> --pid-path=/var/run/nginx/nginx.pid \
> --lock-path=/var/local/nginx.lock \
> --user=nginx \
> --group=nginx \
> --with-http_ssl_module \
> --with-http_flv_module \
> --with-http_stub_status_module \
> --with-http_gzip_static_module \
> --http-client-body-temp-path=/var/tmp/nginx/client/ \
> --http-proxy-temp-path=/var/tmp/nginx/proxy/ \
> --http-fastcgi-temp-path=/var/tmp/nginx/fcgi/ \
> --with-pcre
shell>make && make install
shell>mkdir -p /var/tmp/nginx/client
shell>cd /usr/local/nginx/sbin
shell>./nginx
3: Test. Open a browser and enter the IP address of the host nginx was installed on; if the page below appears, the installation succeeded.
Welcome to nginx!
SSL configuration
1: Edit /etc/pki/tls/openssl.cnf (vim /etc/pki/tls/openssl.cnf); the numbers below are line numbers in that file
45 dir = /etc/pki/CA # change the dir path to the CA directory
87 [ policy_match ]
88 countryName = optional # change match to optional on lines 88-90
89 stateOrProvinceName = optional
90 organizationName = optional
136 countryName_default = CN # default country: China
141 stateOrProvinceName_default = HeNan # default province: Henan
144 localityName_default = ZhengZhou # default city: Zhengzhou
2: Generate the CA certificate (the commands below are run in /etc/pki/CA; the private/ subdirectory is assumed to exist already)
[[email protected] CA]# mkdir certs newcerts crl # create the CA directories and files
[[email protected] CA]# touch index.txt serial
[[email protected] CA]# echo "01">serial
[[email protected] CA]# openssl genrsa 1024 >private/cakey.pem # generate the CA private key (1024-bit RSA is below the 2048-bit minimum now expected; the file inherits the shell's umask, so restrict it with chmod 600 as is done for nginx.key below)
[[email protected] CA]# openssl req -new -key private/cakey.pem -x509 -out cacert.pem # generate the CA certificate (without -days, openssl req -x509 defaults to 30 days of validity)
You are about to be asked to enter information that will be incorporated
into your certificate request.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [HeNan]:
Locality Name (eg, city) [ZhengZhou]:
Organization Name (eg, company) [My Company Ltd]:king
Organizational Unit Name (eg, section) []:CA
Common Name (eg, your name or your server's hostname) []:Root.Ca.Net
Email Address []:[email protected]
Generate the server certificate
[[email protected] /]# mkdir /usr/local/nginx/certs # create a directory under the nginx install prefix to hold the certificates
[[email protected] certs]# openssl genrsa 1024 >nginx.key # generate the private key
[[email protected] certs]# openssl req -new -key nginx.key -out nginx.req # generate the certificate signing request
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [HeNan]:
Locality Name (eg, city) [ZhengZhou]:
Organization Name (eg, company) [My Company Ltd]:zzdx
Organizational Unit Name (eg, section) []:tec
Common Name (eg, your name or your server's hostname) []:www.tec.com
Email Address []:[email protected]
[[email protected] certs]# chmod 600 nginx.key # restrict read access to the private key file
[[email protected] certs]# openssl ca -in nginx.req -out nginx.cert # sign the request and issue the certificate
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Sep 1 09:32:29 2013 GMT
Not After : Sep 1 09:32:29 2014 GMT
Subject:
countryName = CN
stateOrProvinceName = HeNan
organizationName = zzdx
organizationalUnitName = tec
commonName = www.tec.com
emailAddress = [email protected]
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
7A:B1:1B:38:C6:CC:4F:E4:FB:56:AE:01:9D:6E:AF:36:D1:06:4B:82
X509v3 Authority Key Identifier:
keyid:9B:66:96:94:87:6E:C4:58:99:4B:6D:F1:5B:00:C0:4E:52:72:0C:8D
Certificate is to be certified until Sep 1 09:32:29 2014 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated # if these two lines do not appear, the request was not signed successfully
3: nginx's configuration has no directive for pointing at the CA root certificate separately, so the CA certificate is concatenated onto the web server's certificate to form a single file (server certificate first, then the CA certificate: nginx treats the first certificate in the file as the server's own and the rest as its chain)
[[email protected] certs]# cp /etc/pki/CA/cacert.pem ./
[[email protected] certs]# cat nginx.cert cacert.pem >web.cert
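Added example, not the original post's commands: the CA setup from step 2 and the server certificate and chain file from step 3, written as a shell script that uses its own openssl.cnf in a scratch directory rather than editing /etc/pki/tls/openssl.cnf, and that ends with two checks the post does not make, namely that web.cert verifies against the CA certificate and that nginx.key matches nginx.cert. The directory layout, the hostname www.example.test, the organisation names and the 2048-bit key size are assumptions of the example, as are the function names make_demo_pki, cert_matches_key and chain_verifies.

```shell
#!/bin/sh
# Added example, not the original post's commands: builds a throwaway CA and
# issues a server certificate the way steps 2-3 above do, but with a private
# openssl.cnf in a scratch directory instead of editing /etc/pki/tls/openssl.cnf.
# Assumed for the demo: the directory layout, the hostname www.example.test,
# the organisation names, and 2048-bit keys.
set -eu

# Build a CA under $1 and issue a certificate for CN $2.
# Leaves cacert.pem, nginx.key, nginx.req, nginx.cert and web.cert (server + CA) in $1.
make_demo_pki() {
    ca_dir=$1
    server_cn=${2:-www.example.test}        # constructed demo hostname
    mkdir -p "$ca_dir/certs" "$ca_dir/newcerts" "$ca_dir/crl" "$ca_dir/private"
    : > "$ca_dir/index.txt"
    echo 01 > "$ca_dir/serial"

    # Minimal openssl.cnf mirroring the post's edits: dir points at this CA and
    # the policy_match fields are optional. "\$dir" is expanded by openssl.
    cat > "$ca_dir/openssl.cnf" <<EOF
[ ca ]
default_ca    = demo_ca
[ demo_ca ]
dir           = $ca_dir
new_certs_dir = \$dir/newcerts
database      = \$dir/index.txt
serial        = \$dir/serial
private_key   = \$dir/private/cakey.pem
certificate   = \$dir/cacert.pem
default_md    = sha256
default_days  = 365
policy        = policy_match
[ policy_match ]
countryName            = optional
stateOrProvinceName    = optional
organizationName       = optional
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional
[ req ]
distinguished_name = req_dn
[ req_dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_server ]
basicConstraints       = CA:FALSE
keyUsage               = digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectAltName         = DNS:$server_cn
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid
EOF
    cfg=$ca_dir/openssl.cnf

    # CA key and self-signed CA certificate; umask 077 keeps the key 0600 from the start.
    (umask 077; openssl genrsa -out "$ca_dir/private/cakey.pem" 2048 2>/dev/null)
    openssl req -new -x509 -config "$cfg" -extensions v3_ca -days 365 \
        -key "$ca_dir/private/cakey.pem" -subj "/C=CN/O=demo/CN=Demo Root CA" \
        -out "$ca_dir/cacert.pem"

    # Server key, CSR and CA-signed certificate: the post's genrsa / req / ca steps.
    (umask 077; openssl genrsa -out "$ca_dir/nginx.key" 2048 2>/dev/null)
    openssl req -new -config "$cfg" -key "$ca_dir/nginx.key" \
        -subj "/C=CN/ST=HeNan/L=ZhengZhou/O=demo/OU=tec/CN=$server_cn" \
        -out "$ca_dir/nginx.req"
    openssl ca -batch -notext -config "$cfg" -extensions v3_server \
        -in "$ca_dir/nginx.req" -out "$ca_dir/nginx.cert"

    # Chain file for ssl_certificate: the server certificate first, then its issuer.
    cat "$ca_dir/nginx.cert" "$ca_dir/cacert.pem" > "$ca_dir/web.cert"
}

# 0 if the RSA modulus in certificate $1 equals the one in private key $2.
cert_matches_key() {
    c=$(openssl x509 -noout -modulus -in "$1")
    k=$(openssl rsa -noout -modulus -in "$2" 2>/dev/null)
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# 0 if the first certificate in chain file $2 verifies against CA certificate $1.
chain_verifies() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}
```

Source the file and run `make_demo_pki /tmp/demo-ca www.tec.com; chain_verifies /tmp/demo-ca/cacert.pem /tmp/demo-ca/web.cert && echo chain ok`. Two details are worth knowing: openssl ca silently drops DN fields that the policy section does not list, which is why the subject in the post's signing output has no localityName even though the request supplied one; and openssl verify, like nginx, takes the first certificate in a file as the end-entity certificate, so the order of the cat command matters.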
4: Edit the configuration file /etc/nginx/nginx.conf
    server {
        listen 192.168.1.110:80; # address of the host nginx is installed on
        server_name www.tec.com;
    (remaining lines of this block unchanged)
    # HTTPS server # remove the leading # signs to enable this block
Copy the server block to the lines below it before editing, so it can be restored if a mistake is made.
    server {
        listen 443;
        server_name www.tec.com;

        ssl on; # nginx 1.4 syntax; releases from 1.15 on use "listen 443 ssl" instead
        ssl_certificate /usr/local/nginx/certs/web.cert; # location of the concatenated server + CA certificate
        ssl_certificate_key /usr/local/nginx/certs/nginx.key; # location of the private key

        # ssl_session_timeout 5m;

        # ssl_protocols SSLv2 SSLv3 TLSv1; # if uncommented, list only TLS versions: SSLv2 and SSLv3 are broken protocols
        # ssl_ciphers HIGH:!aNULL:!MD5;
        # ssl_prefer_server_ciphers on;

        location / {
            root /usr/local/nginx/html;
            index index.html index.htm;
        }
    }
Then restart nginx and test (on the test host, edit the hosts file so the domain name resolves to the server's address).
Reproduced from: https://blog.51cto.com/jinkaiye/1286661