Creating a self-signed SSL certificate for nginx on Ubuntu 16.04

Create the SSL certificate

$ sudo mkdir /etc/nginx/ca
$ sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/nginx/ca/nginx-selfsigned.key -out /etc/nginx/ca/nginx-selfsigned.crt

-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:Beijing
Locality Name (eg, city) []:Beijing
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Example Ltd
Organizational Unit Name (eg, section) []:IT
Common Name (e.g. server FQDN or YOUR name) []:192.168.20.237
Email Address []:


Forward secrecy

$ sudo openssl dhparam -out /etc/nginx/ca/dhparam.pem 2048
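The two steps above as a non-interactive script, added here as an example and not part of the original post. It feeds the same DN values as the transcript above through a temporary OpenSSL config file and, in addition, places the Common Name into a subjectAltName: current browsers ignore the CN and reject a server certificate whose SAN does not match, so a certificate made exactly as above would still be refused even after the self-signed warning is accepted. The config-file route is used because OpenSSL 1.0.2 (the version shipped with Ubuntu 16.04) has no `-addext` option. The function names, the directory/name/validity parameters and the matching check are my own; the defaults mirror the post.

```shell
#!/bin/sh
# Added example, not code from the original post.
# Assumes OpenSSL 1.0.2 or newer; the SAN is supplied via a config file
# because 1.0.2 lacks `-addext`.
set -e

# gen_selfsigned DIR NAME [DAYS]
# Writes DIR/nginx-selfsigned.key and DIR/nginx-selfsigned.crt.
# NAME is an IPv4 address (as in the post) or a DNS name; the SAN type is
# chosen accordingly because modern clients ignore the CN.
gen_selfsigned() {
    dir=$1; name=$2; days=${3:-365}
    mkdir -p "$dir"
    case $name in
        *[a-zA-Z]*) san="DNS:$name" ;;   # hostname
        *)          san="IP:$name" ;;    # IPv4 literal
    esac
    cfg=$(mktemp)
    # DN fields copied from the interactive answers in the post (constructed sample)
    cat > "$cfg" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_server
prompt = no
[dn]
C = CN
ST = Beijing
L = Beijing
O = Example Ltd
OU = IT
CN = $name
[v3_server]
subjectAltName = $san
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
    openssl req -x509 -nodes -days "$days" -newkey rsa:2048 \
        -keyout "$dir/nginx-selfsigned.key" \
        -out "$dir/nginx-selfsigned.crt" \
        -config "$cfg" 2>/dev/null
    rm -f "$cfg"
    chmod 600 "$dir/nginx-selfsigned.key"   # private key must not be world-readable
}

# gen_dhparam DIR [BITS]: the forward-secrecy step from the post.
# 2048 bits legitimately takes minutes on a slow machine.
gen_dhparam() {
    openssl dhparam -out "$1/dhparam.pem" "${2:-2048}" 2>/dev/null
}

# cert_key_match DIR: succeeds only if the certificate's public key belongs to
# the private key (compares the RSA modulus of both).
cert_key_match() {
    c=$(openssl x509 -noout -modulus -in "$1/nginx-selfsigned.crt")
    k=$(openssl rsa  -noout -modulus -in "$1/nginx-selfsigned.key")
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# cert_san DIR: prints the subjectAltName entry, e.g. "IP Address:192.168.20.237".
cert_san() {
    openssl x509 -noout -text -in "$1/nginx-selfsigned.crt" \
        | sed -n '/Subject Alternative Name/{n;s/^[[:space:]]*//;p;}'
}

# `sh script.sh demo` reproduces the post's layout under /etc/nginx/ca (needs root).
if [ "${1:-}" = "demo" ]; then
    gen_selfsigned /etc/nginx/ca 192.168.20.237 365
    gen_dhparam /etc/nginx/ca 2048
    cert_key_match /etc/nginx/ca && echo "certificate and key match"
    echo "SAN: $(cert_san /etc/nginx/ca)"
fi
```

`cert_key_match` is the check to run whenever a certificate is replaced: nginx refuses to start with a mismatched pair, and comparing the moduli explains why before touching the service.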

Configure nginx to use SSL

Back up the configuration file first

$ cd /etc/nginx/conf.d/
$ sudo cp default.conf default.conf_bak

Edit default.conf
HTTPS-only access

server {
    listen       443 ssl default_server;
    #server_name  localhost;
    ssl_certificate /etc/nginx/ca/nginx-selfsigned.crt;
    ssl_certificate_key /etc/nginx/ca/nginx-selfsigned.key;


    ssl_dhparam /etc/nginx/ca/dhparam.pem;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";

    ...
}

Both HTTP and HTTPS access (HTTP requests are redirected to HTTPS)

server {
    listen 80 default_server;
    server_name 192.168.20.237; # can be replaced with a domain name
    return 301 https://$server_name$request_uri;
}

server {
    listen       443 ssl default_server;
    #server_name  localhost;
    ssl_certificate /etc/nginx/ca/nginx-selfsigned.crt;
    ssl_certificate_key /etc/nginx/ca/nginx-selfsigned.key;


    ssl_dhparam /etc/nginx/ca/dhparam.pem;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";

    ...
}
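An added check for the TLS settings in the two server blocks above; this is my own example, not configuration from the post. The `ssl_protocols` line still enables TLSv1 and TLSv1.1, which RFC 8996 deprecated, and a self-signed deployment on an internal address gains nothing from keeping them. The script embeds the post's server block as a constructed sample, flags deprecated protocols, a missing `ssl_dhparam` while DHE (`EDH`) ciphers are listed, and `ssl_prefer_server_ciphers` not being `on`, and writes the hardened variant beside it. It assumes the nginx/OpenSSL versions shipped with Ubuntu 16.04, where TLSv1.2 is the newest protocol available; function names are mine.

```shell
#!/bin/sh
# Added example, not from the original post.
# Assumes nginx 1.10 / OpenSSL 1.0.2 as on Ubuntu 16.04 (no TLSv1.3).
set -e

# check_tls_config FILE
# Prints one finding per line and returns 1 if any finding exists.
check_tls_config() {
    file=$1; rc=0
    # protocol list from "ssl_protocols A B C;"
    protos=$(sed -n 's/^[[:space:]]*ssl_protocols[[:space:]]*\(.*\);.*/\1/p' "$file")
    for p in $protos; do
        case $p in
            SSLv3|TLSv1|TLSv1.1)
                echo "deprecated protocol enabled: $p"; rc=1 ;;
        esac
    done
    # DHE cipher suites need explicit DH parameters (the post's dhparam step)
    if grep -q '^[[:space:]]*ssl_ciphers.*EDH' "$file" \
       && ! grep -q '^[[:space:]]*ssl_dhparam' "$file"; then
        echo "DHE ciphers enabled but ssl_dhparam is missing"; rc=1
    fi
    if ! grep -q '^[[:space:]]*ssl_prefer_server_ciphers[[:space:]]*on;' "$file"; then
        echo "ssl_prefer_server_ciphers is not on"; rc=1
    fi
    return $rc
}

# write_sample KIND FILE
# weak     = the server block from the post (constructed copy)
# hardened = the same block with only TLSv1.2 enabled
write_sample() {
    case $1 in
        weak) cat > "$2" <<'EOF'
server {
    listen       443 ssl default_server;
    ssl_certificate /etc/nginx/ca/nginx-selfsigned.crt;
    ssl_certificate_key /etc/nginx/ca/nginx-selfsigned.key;
    ssl_dhparam /etc/nginx/ca/dhparam.pem;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
}
EOF
        ;;
        hardened) cat > "$2" <<'EOF'
server {
    listen       443 ssl default_server;
    ssl_certificate /etc/nginx/ca/nginx-selfsigned.crt;
    ssl_certificate_key /etc/nginx/ca/nginx-selfsigned.key;
    ssl_dhparam /etc/nginx/ca/dhparam.pem;
    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
}
EOF
        ;;
    esac
}

# `sh check.sh /etc/nginx/conf.d/default.conf` audits a real file;
# with no argument it audits the two embedded samples.
if [ -n "${1:-}" ]; then
    check_tls_config "$1" && echo "no findings in $1"
else
    for kind in weak hardened; do
        f=$(mktemp); write_sample "$kind" "$f"
        echo "== $kind =="; check_tls_config "$f" || true
        rm -f "$f"
    done
fi
```

Run `sudo nginx -t` after applying the hardened block, exactly as in the next section, because the check only reads the directives and does not validate the rest of the file.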

Check the configuration and start the server

# Check that the configuration file is valid
$ sudo nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
# Start nginx
$ sudo service nginx start

posted @ 2022-02-25 11:17 wuchangsoft