Compiling and installing nginx

[root@nginx ~]# rpm -e httpd --nodeps
[root@nginx ~]# netstat -anpt | grep 80
[root@nginx ~]# yum -y install pcre zlib pcre-devel zlib-devel
[root@nginx ~]# useradd -M -s /sbin/nologin nginx
[root@nginx ~]# tar xf nginx-1.6.2.tar.gz -C /usr/src/
[root@nginx ~]# cd /usr/src/nginx-1.6.2/
[root@nginx nginx-1.6.2]# ./configure --prefix=/usr/local/nginx --user=nginx --group=nginx --with-http_stub_status_module --with-file-aio --with-http_gzip_static_module --with-http_flv_module --with-http_ssl_module --with-pcre
[root@nginx nginx-1.6.2]# make && make install
[root@nginx ~]# ln -s /usr/local/nginx/sbin/* /usr/local/sbin/

Service management script (optional; you can skip it):

[root@nginx ~]# vim /etc/init.d/nginx
#!/bin/bash
# chkconfig: 2345 99 20
# description: Nginx Server Control Script
PROG="/usr/local/nginx/sbin/nginx"
PIDF="/usr/local/nginx/logs/nginx.pid"
case "$1" in
  start)
    $PROG
    ;;
  stop)
    kill -s QUIT $(cat $PIDF)
    ;;
  restart)
    $0 stop
    $0 start
    ;;
  reload)
    kill -s HUP $(cat $PIDF)
    ;;
  *)
    echo "Usage: $0 {start|stop|restart|reload}"
    exit 1
esac
exit 0

[root@nginx ~]# chmod +x /etc/init.d/nginx
[root@nginx ~]# chkconfig --add nginx
[root@nginx ~]# chkconfig --list nginx
nginx 0:关闭 1:关闭 2:启用 3:启用 4:启用 5:启用 6:关闭

Configuring nginx: create the site directory and a test home page

[root@nginx ~]# mkdir /usr/local/nginx/html/test
[root@nginx ~]# echo '

Change the document root in the main configuration file to the new directory:
root html/test;

Start the service and test access:

[root@nginx ~]# nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@nginx ~]# service nginx start
[root@nginx ~]# netstat -anpt | grep 80
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 3864/nginx

Installing openssl (checking the packages already present)

[root@CA ~]# rpm -qa | grep 'openssl'
openssl-devel-1.0.1e-15.el6.x86_64
openssl-1.0.1e-15.el6.x86_64

Generating the private key on the CA

First generate the private key with the openssl command: genrsa selects the RSA algorithm, -out gives the path and file name to save to, and 2048 is the key length in bits. Because the private key must stay secret, the command runs under a restrictive umask, so the generated file ends up with mode 600.

[root@CA ~]# cd /etc/pki/CA/
[root@CA CA]# (umask 077; openssl genrsa -out private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus
............................+++
..........................................................................................................................+++
e is 65537 (0x10001)
[root@CA CA]# ls
certs crl newcerts private
[root@CA CA]# cd private/
[root@CA private]# ll
total 4
-rw-------. 1 root root 1675 Apr 23 20:57 cakey.pem

Generating the self-signed CA certificate

openssl req produces the certificate: -new creates a new request, -x509 makes it output a self-signed certificate instead of a request, -key names the private key file, -out gives the path and file name to save to, and -days sets the validity period.

[root@CA private]# cd ..
[root@CA CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 365
You are about to be asked to enter information that will be incorporated into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:beijing
Organization Name (eg, company) [Default Company Ltd]:elements
Organizational Unit Name (eg, section) []:tech
Common Name (eg, your name or your server's hostname) []:elements.org.cn
Email Address []:service@elements.org.cn
[root@CA CA]# ls
cacert.pem certs crl newcerts private

openssl ca needs two more files in the CA directory: index.txt is the database of issued certificates, and serial holds the next serial number to issue.

[root@nginx CA]# touch serial
[root@nginx CA]# touch index.txt
[root@nginx CA]# echo 01 > serial

Requesting a certificate for the web server

Create the directory that will hold the web server's certificate:

[root@nginx ~]# cd /usr/local/nginx/
[root@nginx nginx]# mkdir ssl
[root@nginx nginx]# cd ssl

Generate the key:

[root@nginx ssl]# (umask 077; openssl genrsa 1024 > httpd.key)
Generating RSA private key, 1024 bit long modulus
............................++++++
.................................................................++++++
e is 65537 (0x10001)
[root@nginx ssl]# ls
httpd.key

Generate the certificate signing request (this is a request, not yet a certificate):

[root@nginx ssl]# openssl req -new -key httpd.key -out httpd.csr
You are about to be asked to enter information that will be incorporated into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:beijing
Organization Name (eg, company) [Default Company Ltd]:el*****
Organizational Unit Name (eg, section) []:tech
Common Name (eg, your name or your server's hostname) []:ele****s.org.cn
Email Address []:service@elements.org.cn

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: (press Enter)
An optional company name []: (press Enter)
[root@nginx ssl]# ls
httpd.csr httpd.key

The CA signs the certificate requested by the server

[root@nginx ssl]# openssl ca -in /usr/local/nginx/ssl/httpd.csr -out /usr/local/nginx/ssl/httpd.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Apr 23 05:31:52 2017 GMT
            Not After : Apr 23 05:31:52 2018 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = beijing
            organizationName          = elements
            organizationalUnitName    = tech
            commonName                = elements.org.cn
            emailAddress              = service@elements.org.cn
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                6E:A7:E7:8D:8B:DA:66:61:50:18:05:6F:C7:AD:03:C6:EA:F7:D0:F7
            X509v3 Authority Key Identifier:
                keyid:AB:4E:8B:16:2D:A6:29:84:2F:ED:1F:E4:F4:5A:A7:02:B7:52:53:FD
Certificate is to be certified until Apr 23 05:31:52 2018 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@nginx ssl]# ls
httpd.crt httpd.csr httpd.key

Configuring the web server to use this certificate

[root@nginx ssl]# vim /usr/local/nginx/conf/nginx.conf
server {
    listen 443;
    ssl on;
    ssl_certificate /usr/local/nginx/ssl/httpd.crt;
    ssl_certificate_key /usr/local/nginx/ssl/httpd.key;
}
[root@nginx ssl]# nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@nginx ssl]# service nginx stop
[root@nginx ssl]# service nginx start
[root@nginx ssl]# netstat -anpt | grep 443
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 4865/nginx
tcp 0 0 192.168.3.101:443 192.168.3.99:56275 ESTABLISHED 4866/nginx
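The whole procedure above (CA key generated under a restrictive umask, self-signed CA certificate, serial and index.txt, server key and CSR, signing with openssl ca) as one added example; it is not from the original post. It runs non-interactively in a scratch directory with its own openssl.cnf instead of /etc/pki/tls/openssl.cnf, so nothing under /etc/pki/CA is touched, and it adds the checks a deployer wants before pointing ssl_certificate and ssl_certificate_key at the files: the issued certificate verifies against cacert.pem, the certificate and key actually belong together, the key files are mode 0600 as the post's ll output shows, and the certificate carries a subjectAltName entry (the post's certificate has only a CN, which current browsers reject). The names elements.org.cn and elements come from the post; the 2048-bit server key instead of 1024, the separate CA common name, the SAN and the function names are my assumptions.

```shell
#!/bin/sh
# Added example, not part of the original post: reproduces the post's
# CA -> CSR -> signed server certificate flow non-interactively in a scratch
# directory and then runs the checks the post skips (chain verification,
# key/certificate match, key file mode, SAN present).
# Assumptions: the openssl CLI is on PATH; the host name elements.org.cn from
# the post is used as CN and SAN; the server key is 2048 bits, not 1024.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl CLI not found" >&2; exit 0; }

# A private openssl.cnf standing in for /etc/pki/tls/openssl.cnf, so nothing
# under /etc/pki/CA is touched. $1 is the scratch directory.
write_config() {
    cat > "$1/openssl.cnf" <<EOF
[ ca ]
default_ca = local_ca
[ local_ca ]
dir = $1/ca
database = \$dir/index.txt
serial = \$dir/serial
new_certs_dir = \$dir/newcerts
certificate = \$dir/cacert.pem
private_key = \$dir/private/cakey.pem
default_md = sha256
default_days = 365
policy = policy_any
copy_extensions = copy
x509_extensions = server_cert
[ policy_any ]
countryName = optional
stateOrProvinceName = optional
organizationName = optional
commonName = supplied
[ req ]
distinguished_name = req_dn
x509_extensions = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ server_req ]
subjectAltName = DNS:elements.org.cn
[ server_cert ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
authorityKeyIdentifier = keyid
EOF
}

# Same steps as the post: CA key under umask 077, self-signed CA cert,
# index.txt + serial, server key, CSR (with SAN), then openssl ca in batch mode.
run_demo() {
    mkdir -p "$1/ca/private" "$1/ca/newcerts" "$1/server"
    : > "$1/ca/index.txt"
    echo 01 > "$1/ca/serial"
    write_config "$1"
    (umask 077; openssl genrsa -out "$1/ca/private/cakey.pem" 2048 2>/dev/null)
    openssl req -new -x509 -config "$1/openssl.cnf" -key "$1/ca/private/cakey.pem" \
        -out "$1/ca/cacert.pem" -days 365 -subj "/C=CN/ST=beijing/O=elements/CN=elements CA"
    (umask 077; openssl genrsa -out "$1/server/httpd.key" 2048 2>/dev/null)
    openssl req -new -config "$1/openssl.cnf" -key "$1/server/httpd.key" -reqexts server_req \
        -out "$1/server/httpd.csr" -subj "/C=CN/ST=beijing/O=elements/CN=elements.org.cn"
    openssl ca -batch -notext -config "$1/openssl.cnf" -in "$1/server/httpd.csr" \
        -out "$1/server/httpd.crt" -days 365 2>/dev/null
}

# Does the issued certificate chain to the CA certificate?
verify_chain() {
    openssl verify -CAfile "$1/ca/cacert.pem" "$1/server/httpd.crt" >/dev/null 2>&1
}

# Do ssl_certificate and ssl_certificate_key belong together? Compare the
# public key inside the certificate with the one derived from the private key.
key_matches_cert() {
    [ "$(openssl x509 -in "$1/server/httpd.crt" -noout -pubkey | openssl sha256)" = \
      "$(openssl pkey -in "$1/server/httpd.key" -pubout | openssl sha256)" ]
}

# Is a private key file mode 0600 (-rw-------), as the post's ll output shows?
key_mode_is_private() {
    [ "$(ls -l "$1" | cut -c1-10)" = "-rw-------" ]
}

# The post's certificate carries only a CN; browsers require a SAN entry.
cert_has_san() {
    openssl x509 -in "$1/server/httpd.crt" -noout -text | grep -q "DNS:elements.org.cn"
}

WORK=$(mktemp -d)
run_demo "$WORK"
for check in verify_chain key_matches_cert cert_has_san; do
    "$check" "$WORK" && echo "$check: ok" || echo "$check: FAILED"
done
key_mode_is_private "$WORK/ca/private/cakey.pem" && echo "cakey.pem mode 0600: ok"
```

Run it with sh; it prints one line per check and leaves the generated files under the scratch directory for inspection. The key-match check is the one that saves the most time in practice: with the post's layout, pointing ssl_certificate at a certificate issued for a different httpd.key is the usual cause of nginx refusing to load the server block.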
Source: Bladexu's library > Technical Digest