编译安装nginx
[root@nginx ~]# rpm -e httpd --nodeps
[root@nginx ~]# netstat -anpt | grep 80
[root@nginx ~]# yum -y install pcre zlib pcre-devel zlib-devel
[root@nginx ~]# useradd -M -s /sbin/nologin nginx
[root@nginx ~]# tar xf nginx-1.6.2.tar.gz -C /usr/src/
[root@nginx ~]# cd /usr/src/nginx-1.6.2/
[root@nginx nginx-1.6.2]# ./configure --prefix=/usr/local/nginx --user=nginx --group=nginx --with-http_stub_status_module --with-file-aio --with-http_gzip_static_module --with-http_flv_module --with-http_ssl_module --with-pcre
[root@nginx nginx-1.6.2]# make && make install
[root@nginx ~]# ln -s /usr/local/nginx/sbin/* /usr/local/sbin/
[root@nginx ~]# vim /etc/init.d/nginx 启动管理脚本,可以不用
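#!/bin/bash
# chkconfig: 2345 99 20
# description: Nginx Server Control Script
#
# SysV-style control script for the nginx built under /usr/local/nginx.
# Usage: nginx {start|stop|restart|reload}
# Exit status: 0 on success, 1 on a usage error or when stop/reload is
# requested but no pid file exists (the daemon is not running).
PROG="/usr/local/nginx/sbin/nginx"
PIDF="/usr/local/nginx/logs/nginx.pid"

# Print the master pid recorded in $PIDF.
# Fails with a message on stderr when the file is absent or unreadable, so
# callers never run `kill` with an empty argument (the original `$(cat $PIDF)`
# would expand to nothing and `kill` would error out on its own usage).
get_pid() {
  if [ ! -r "$PIDF" ]; then
    echo "nginx is not running (no pid file at $PIDF)" >&2
    return 1
  fi
  cat "$PIDF"
}

case "$1" in
start)
  "$PROG"
  ;;
stop)
  # QUIT asks the master for a graceful shutdown.
  pid=$(get_pid) || exit 1
  kill -s QUIT "$pid"
  ;;
restart)
  # Re-invoke this script so both steps share the checks above.
  "$0" stop
  "$0" start
  ;;
reload)
  # HUP re-reads the configuration without dropping active connections.
  pid=$(get_pid) || exit 1
  kill -s HUP "$pid"
  ;;
*)
  echo "Usage: $0 {start|stop|restart|reload}"
  exit 1
  ;;
esac
exit 0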
[root@nginx ~]# chmod +x /etc/init.d/nginx
[root@nginx ~]# chkconfig --add nginx
[root@nginx ~]# chkconfig --list nginx
nginx 0:关闭1:关闭2:启用3:启用4:启用5:启用6:关闭
配置nginx
创建网站目录和测试主页
[root@nginx ~]# mkdir /usr/local/nginx/html/test
[root@nginx ~]# echo "<h1>Hello Word</h1>"> /usr/local/nginx/html/test/index.html
主配置文件修改如下目录位置:
root html/test;
启动服务,访问测试
[root@nginx ~]# nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@nginx ~]# service nginx start
[root@nginx ~]# netstat -anpt | grep 80
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 3864/nginx
安装openssl
[root@CA ~]# rpm -qa | grep "openssl"
openssl-devel-1.0.1e-15.el6.x86_64
openssl-1.0.1e-15.el6.x86_64
在CA上生成私钥
首先生成私钥,使用openssl命令:genrsa指定算法为RSA,-out指定保存路径和文件名,2048是密钥长度(位)。由于私钥必须保密,所以在子shell中用umask 077限制权限,生成后文件权限就是600(只有root可读写)。
[root@CA ~]# cd /etc/pki/CA/
[root@CA CA]# (umask 077; openssl genrsa -out private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus
............................+++
..........................................................................................................................+++
e is 65537 (0x10001)
[root@CA CA]# ls
certs crl newcerts private
[root@CA CA]# cd private/
[root@CA private]# ll
total 4
-rw-------. 1 root root 1675 Apr 23 20:57 cakey.pem
生成自签证书
openssl req用于生成证书请求:-new表示新建请求,-x509表示直接输出自签名证书而不是请求文件,-key指定私钥文件,-out指定保存的路径和文件名,-days指定有效期(天)。
[root@CA private]# cd ..
[root@CA CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:beijing
Organization Name (eg, company) [Default Company Ltd]:elements
Organizational Unit Name (eg, section) []:tech
Common Name (eg, your name or your server's hostname) []:elements.org.cn
Email Address []:service@elements.org.cn
[root@CA CA]# ls
cacert.pem certs crl newcerts private
[root@nginx CA]# touch serial
[root@nginx CA]# touch index.txt
[root@nginx CA]# echo 01 > serial
web服务器申请证书
创建web服务器证书存放的目录
[root@nginx ~]# cd /usr/local/nginx/
[root@nginx nginx]# mkdir ssl
[root@nginx nginx]# cd ssl
生成密钥(示例使用1024位RSA;这一长度现在已被视为不安全,实际部署应至少使用2048位,与上面CA密钥一致)
[root@nginx ssl]# (umask 077; openssl genrsa 1024 > httpd.key)
Generating RSA private key, 1024 bit long modulus
............................++++++
.................................................................++++++
e is 65537 (0x10001)
[root@nginx ssl]# ls
httpd.key
生成证书签名请求(CSR——这只是一个请求,还不是证书,需要由CA签署)
[root@nginx ssl]# openssl req -new -key httpd.key -out httpd.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:beijing
Organization Name (eg, company) [Default Company Ltd]:el*****
Organizational Unit Name (eg, section) []:tech
Common Name (eg, your name or your server's hostname) []:ele****s.org.cn
Email Address []:service@elements.org.cn
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: 回车
An optional company name []: 回车
[root@nginx ssl]# ls
httpd.csr httpd.key
CA签署服务器申请的证书
[root@nginx ssl]# openssl ca -in /usr/local/nginx/ssl/httpd.csr -out /usr/local/nginx/ssl/httpd.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Apr 23 05:31:52 2017 GMT
Not After : Apr 23 05:31:52 2018 GMT
Subject:
countryName = CN
stateOrProvinceName = beijing
organizationName = elements
organizationalUnitName = tech
commonName = elements.org.cn
emailAddress = service@elements.org.cn
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
6E:A7:E7:8D:8B:DA:66:61:50:18:05:6F:C7:AD:03:C6:EA:F7:D0:F7
X509v3 Authority Key Identifier:
keyid:AB:4E:8B:16:2D:A6:29:84:2F:ED:1F:E4:F4:5A:A7:02:B7:52:53:FD
Certificate is to be certified until Apr 23 05:31:52 2018 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@nginx ssl]# ls
httpd.crt httpd.csr httpd.key
配置web服务器使用此证书
[root@nginx ssl]# vim /usr/local/nginx/conf/nginx.conf
server {
# HTTPS virtual host: nginx terminates TLS here with the certificate signed
# by the local CA (httpd.crt) and the key generated under /usr/local/nginx/ssl.
listen 443;
# `ssl on;` is the nginx 1.6-era form; newer releases expect `listen 443 ssl;` instead.
ssl on;
# Certificate issued by `openssl ca` from httpd.csr.
ssl_certificate /usr/local/nginx/ssl/httpd.crt;
# Private key was created under umask 077, so it stays mode 600 (root only).
ssl_certificate_key /usr/local/nginx/ssl/httpd.key;
}
[root@nginx ssl]# nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@nginx ssl]# service nginx stop
[root@nginx ssl]# service nginx start
[root@nginx ssl]# netstat -anpt | grep 443
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 4865/nginx
tcp 0 0 192.168.3.101:443 192.168.3.99:56275 ESTABLISHED 4866/nginx