nginx如何配置https

最新推荐文章于 2025-07-25 11:25:01 发布

原创最新推荐文章于 2025-07-25 11:25:01 发布 · 2.2k 阅读

1 ·

本内容遵循CC 4.0 BY-SA版权协议

标签

#nginx #https #ssl #docker

CentOS 同时被 2 个专栏收录

19 篇文章

订阅专栏

nginx

2 篇文章

订阅专栏

本文介绍了如何通过Docker启动Centos容器，并在其中配置nginx以支持https访问。首先，详细讲述了如何生成自签名的CA证书和服务器证书，接着指导了nginx的安装与配置步骤，以确保web服务可以通过https安全连接。

更多内容请查看原文：nginx如何配置https

nginx如何配置https？我们今天通过Docker容器启动一台Centos服务器，从自签证书，到nginx安装配置，最终完成配置通过https访问web服务。

运行Centos容器

拉取镜像

docker pull centos
Using default tag: latest
latest: Pulling from library/centos
729ec3a6ada3: Pull complete
Digest: sha256:f94c1d992c193b3dc09e297ffd54d8a4f1dc946c37cbeceb26d35ce1647f88d9
Status: Downloaded newer image for centos:latest

如果拉取得慢的话，可以设置国内的registry镜像。

启动Centos容器

docker run -dit centos
759dee099156155c7b55b1e4c67bc7a89a52eed1acf865a9fdc1b299d57c33b1

进入容器

docker exec -it 759dee099156 bash

生成自签名证书

安装openssl工具

yum install openssl

实验原因，我们统一在/opt目录下生成证书。

cd /opt

生成CA证书

生成CA私钥ca.key

openssl genrsa -out ca.key 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
........................................................................+++++
...............+++++
e is 65537 (0x010001)

注意，centos版本如果是CentOS Linux release 8.0.1905 (Core)版本，私钥长度不能设置成1024位，必须2048位。不然再最后启动nginx时会出如下错误。

nginx: [emerg] SSL_CTX_use_certificate("/opt/server.crt") failed
 (SSL: error:140AB18F:SSL routines:SSL_CTX_use_certificate:ee key too small)

生成ca.csr

openssl req -new -key ca.key -out ca.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Shanghai
Locality Name (eg, city) [Default City]:Shanghai
Organization Name (eg, company) [Default Company Ltd]:Issuer Co., Ltd
Organizational Unit Name (eg, section) []:Issuer Section
Common Name (eg, your name or your server's hostname) []:localhost
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

生成CA证书ca.crt

openssl x509 -req -in ca.csr -signkey ca.key -out ca.crt
Signature ok
subject=C = CN, ST = Shanghai, L = Shanghai, O = "Issuer Co., Ltd", OU = Issuer Section, CN = localhost
Getting Private key

生成服务器证书

生成服务器端私钥server.key

openssl genrsa -out server.key 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
.........+++++
...............................................................................................+++++
e is 65537 (0x010001)

生成服务器端公钥server.pem

openssl rsa -in server.key -pubout -out server.pem
writing RSA key

生成服务器端csr

服务器端需要向自己的CA机构申请签名证书，在申请签名证书之前，先创建CSR文件。

openssl req -new -key server.key -out server.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Shanghai
Locality Name (eg, city) [Default City]:Shanghai
Organization Name (eg, company) [Default Company Ltd]:My Company
Organizational Unit Name (eg, section) []:My Section
Common Name (eg, your name or your server's hostname) []:localhost
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

向自己的CA机构申请证书，签名过程需要CA的证书和CA的私钥。最终生成服务器端的CA签名证书server.crt和ca.srl

openssl x509 -req -CA ca.crt -CAkey ca.key -CAcreateserial -in server.csr -out server.crt
Signature ok
subject=C = CN, ST = Shanghai, L = Shanghai, O = My Company, OU = My Section, CN = localhost
Getting CA Private Key

更多内容请查看原文：nginx如何配置https