Configuring an Nginx + HTTPS Service on a CentOS 7.4 Instance


HTTPS (Hyper Text Transfer Protocol Secure), which runs over TCP (and UDP), is more secure than HTTP (Hyper Text Transfer Protocol) because its traffic is encrypted with TLS (Transport Layer Security) or SSL (Secure Sockets Layer). Deploying a network service over HTTPS is therefore more secure and reliable.

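This article describes how to install and configure an Nginx HTTPS service on a CentOS 7.4 instance. If your ECS instance runs another Linux distribution, some of the steps differ.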


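Prerequisites

Before you configure the HTTPS service, open TCP port 443 in the security group that the ECS instance belongs to. See "Add security group rules".

If you also want to test HTTP access, open TCP port 80 in the security group that the ECS instance belongs to. See "Add security group rules".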

Configure the Nginx + HTTPS service

Follow these steps to configure the Nginx + HTTPS service:

  1. Connect remotely and log on to the Linux instance.
  2. Run the following command to change directory:

    cd /usr/local

  3. Run the following commands to install the PCRE and zlib libraries:

    yum -y install pcre pcre-devel
    yum install -y zlib-devel
  4. Go to https://nginx.org/download/ to download Nginx. In this example, the download URL for nginx-1.9.9.tar.gz is http://nginx.org/download/nginx-1.9.9.tar.gz. Run the following command to download Nginx:

    wget http://nginx.org/download/nginx-1.9.9.tar.gz

  5. Run the following command to extract the package:

    tar -xvzf nginx-1.9.9.tar.gz

  6. Go to https://www.openssl.org/source to download OpenSSL. In this example, the download URL for openssl-1.1.0g.tar.gz is https://www.openssl.org/source/openssl-1.1.0g.tar.gz. Run the following command to download OpenSSL:

    wget https://www.openssl.org/source/openssl-1.1.0g.tar.gz

  7. Run the following command to extract the package:

    tar -xvzf openssl-1.1.0g.tar.gz

  8. Run the following command to change directory:

    cd nginx-1.9.9

  9. Run the following commands in order to configure and build Nginx:

    ./configure --prefix=/usr/local/nginx --with-http_stub_status_module --with-http_gzip_static_module --with-http_ssl_module --with-openssl=/usr/local/openssl-1.1.0g
    make && make install

    Note
    Change /usr/local/openssl-1.1.0g in the command to match the version of OpenSSL that you downloaded.

  10. Run the following command to generate a certificate, and fill in the requested information as needed:

    openssl req -new -x509 -nodes -out server.crt -keyout server.key

  11. Run the following command to edit the Nginx configuration file (the example used vi /usr/local/nginx-1.9.9/conf/nginx.conf):

    vi /usr/local/nginx/conf/nginx.conf

     Press i to enter edit mode, copy and paste the following content, then press Esc and type :wq to save and exit.

    server {
        listen       443 ssl;
        server_name  localhost;
        ssl_certificate      server.crt;
        ssl_certificate_key  server.key;
        ssl_session_cache    shared:SSL:1m;
        ssl_session_timeout  5m;
        ssl_ciphers  HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers  on;
        location / {
            root   html;
            index  index.html index.htm;
        }
    }

  12. Run the following command to start Nginx:

    /usr/local/nginx/sbin/nginx
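
A post-install check for the server block in step 11, as an added example that is not part of the original article: it reports certificate or key paths that do not resolve to a file, a private key accessible to group or other (openssl req -nodes writes the key unencrypted), and a missing ssl_protocols directive. Assumptions: relative paths resolve against the directory containing nginx.conf; the function names, finding labels and sample files are illustrative.

```shell
#!/bin/sh
# Added example. Assumption: relative cert paths resolve against nginx.conf's directory.

# directive_value CONF NAME -> first argument of directive NAME (empty if absent)
directive_value() {
    awk -v name="$2" '$1 == name { sub(/;$/, "", $2); print $2; exit }' "$1"
}

# resolve CONF PATH -> the absolute path nginx would open
resolve() {
    case "$2" in
        /*) printf '%s\n' "$2" ;;
        *)  printf '%s/%s\n' "$(cd "$(dirname "$1")" && pwd)" "$2" ;;
    esac
}

# audit_tls_conf CONF -> one finding per line on stdout; status 1 if any finding
audit_tls_conf() {
    conf=$1 found=0
    for d in ssl_certificate ssl_certificate_key; do
        v=$(directive_value "$conf" "$d")
        if [ -z "$v" ]; then echo "missing:$d"; found=1; continue; fi
        p=$(resolve "$conf" "$v")
        if [ ! -f "$p" ]; then echo "not-found:$p"; found=1; continue; fi
        # characters 5-10 of the ls mode string are the group/other bits
        if [ "$d" = ssl_certificate_key ] &&
           [ "$(ls -ldL "$p" | cut -c5-10)" != "------" ]; then
            echo "key-accessible-to-group-or-other:$p"; found=1
        fi
    done
    # without ssl_protocols the build's default protocol list applies
    if [ -z "$(directive_value "$conf" ssl_protocols)" ]; then
        echo "ssl_protocols-not-set"; found=1
    fi
    return "$found"
}

# make_sample DIR -> constructed sample: the tutorial's directives, key mode 0644
make_sample() {
    mkdir -p "$1"
    printf 'server {\n    listen 443 ssl;\n    ssl_certificate      server.crt;\n    ssl_certificate_key  server.key;\n}\n' > "$1/nginx.conf"
    : > "$1/server.crt"; : > "$1/server.key"; chmod 644 "$1/server.key"
}

# With an argument, audit that file; otherwise audit the constructed sample.
if [ "$#" -gt 0 ]; then
    audit_tls_conf "$1"
else
    demo=$(mktemp -d); make_sample "$demo"
    audit_tls_conf "$demo/nginx.conf" || true; rm -rf "$demo"
fi
```

Saved under a name of your choice and run with /usr/local/nginx/conf/nginx.conf as its argument, a not-found line means server.crt or server.key was generated in a directory other than the one holding nginx.conf.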

Test results

Open a browser to test the configuration:

  • Test using the public IP address of the ECS instance.

  • Test using HTTPS + the public IP address of the ECS instance.

 
