#编译安装nginx
#建议在 ./configure 时顺带打开编译期加固选项,例如:
#  --with-cc-opt='-O2 -fstack-protector-strong -D_FORTIFY_SOURCE=2 -fPIE' --with-ld-opt='-Wl,-z,relro,-z,now -pie'
[root@centos8 ~]#yum -y install gcc pcre-devel openssl-devel zlib-devel
[root@centos8 ~]#useradd -s /sbin/nologin nginx
[root@centos8 ~]#cd /usr/local/src/
[root@centos8 src]#wget https://nginx.org/download/nginx-1.18.0.tar.gz
#供应链安全:不要通过明文 http 下载源码包,并且要校验官方签名,避免把被篡改的源码编译进生产环境
#(签名公钥见 https://nginx.org/keys/,需先 gpg --import):
[root@centos8 src]#wget https://nginx.org/download/nginx-1.18.0.tar.gz.asc
[root@centos8 src]#gpg --verify nginx-1.18.0.tar.gz.asc nginx-1.18.0.tar.gz
[root@centos8 src]#tar xf nginx-1.18.0.tar.gz
[root@centos8 src]#cd nginx-1.18.0/
[root@centos8 nginx-1.18.0]#./configure --prefix=/apps/nginx \
--user=nginx \
--group=nginx \
--with-http_ssl_module \
--with-http_v2_module \
--with-http_realip_module \
--with-http_stub_status_module \
--with-http_gzip_static_module \
--with-pcre \
--with-stream \
--with-stream_ssl_module \
--with-stream_realip_module
[root@centos8 nginx-1.18.0]#make && make install
[root@centos8 nginx-1.18.0]#chown -R nginx.nginx /apps/nginx
#安全注意:把整个安装目录(包括 sbin/nginx 和 conf/)交给 nginx 用户是不安全的。master 进程以 root 运行、worker 以 nginx 运行,
#一旦某个 worker 被攻破,攻击者就能改写二进制或配置文件,在下一次 reload/重启时以 root 身份执行,等于本地提权。
#生产环境应保持 /apps/nginx 属主为 root(以 root 启动的 master 会自行创建并 chown 它需要的临时目录),例如:
#  chown -R root:root /apps/nginx
[root@centos8 nginx-1.18.0]#ll /apps/nginx/
total 0
drwxr-xr-x 2 nginx nginx 333 Nov 23 18:36 conf
drwxr-xr-x 2 nginx nginx 40 Nov 23 18:36 html
drwxr-xr-x 2 nginx nginx 6 Nov 23 18:36 logs
drwxr-xr-x 2 nginx nginx 19 Nov 23 18:36 sbin
[root@centos8 nginx-1.18.0]#ln -s /apps/nginx/sbin/nginx /usr/sbin/
#本地自定义的 unit 文件更适合放在 /etc/systemd/system/(/usr/lib/systemd/system/ 属于软件包管理的目录,升级时可能被覆盖)
[root@centos8 nginx-1.18.0]#vim /usr/lib/systemd/system/nginx.service
# systemd unit for the nginx built from source under /apps/nginx.
[Unit]
Description=nginx - high performance web server
Documentation=http://nginx.org/en/docs/
# Start only once networking and name resolution are available.
After=network-online.target remote-fs.target nss-lookup.target
Wants=network-online.target
[Service]
# The master daemonizes, so systemd tracks it through the pid file below.
# The directory of PIDFile must exist and the "pid" directive in nginx.conf must point to the same path.
Type=forking
PIDFile=/apps/nginx/run/nginx.pid
# NOTE(review): consider adding "ExecStartPre=/apps/nginx/sbin/nginx -t -c /apps/nginx/conf/nginx.conf"
# so a broken config fails the start instead of leaving a half-started service.
ExecStart=/apps/nginx/sbin/nginx -c /apps/nginx/conf/nginx.conf
# HUP = re-read config and spawn new workers; TERM = fast shutdown (QUIT is the graceful one).
ExecReload=/bin/kill -s HUP $MAINPID
ExecStop=/bin/kill -s TERM $MAINPID
# NOTE(review): no sandboxing is applied here; PrivateTmp=true, ProtectSystem=full and
# NoNewPrivileges=true are worth adding once verified against this install layout.
[Install]
WantedBy=multi-user.target
[root@centos8 nginx-1.18.0]#mkdir /apps/nginx/run/
[root@centos8 nginx-1.18.0]#vim /apps/nginx/conf/nginx.conf
pid /apps/nginx/run/nginx.pid;
[root@centos8 nginx-1.18.0]#systemctl daemon-reload
[root@centos8 nginx-1.18.0]#systemctl enable --now nginx
Created symlink /etc/systemd/system/multi-user.target.wants/nginx.service → /usr/lib/systemd/system/nginx.service.
[root@centos8 nginx-1.18.0]#systemctl status nginx
● nginx.service - nginx - high performance web server
Loaded: loaded (/usr/lib/systemd/system/nginx.service; enabled; vendor preset: disabled)
Active: active (running) since Tue 2021-11-23 18:54:29 CST; 2min 3s ago
Docs: http://nginx.org/en/docs/
Process: 39773 ExecStart=/apps/nginx/sbin/nginx -c /apps/nginx/conf/nginx.conf (code=exi>
Main PID: 39774 (nginx)
Tasks: 2 (limit: 50407)
Memory: 2.1M
CGroup: /system.slice/nginx.service
├─39774 nginx: master process /apps/nginx/sbin/nginx -c /apps/nginx/conf/nginx.>
└─39775 nginx: worker process
Nov 23 18:54:29 centos8.magedu.org systemd[1]: Starting nginx - high performance web serve>
Nov 23 18:54:29 centos8.magedu.org systemd[1]: Started nginx - high performance web server.
#实现多域名 https
Nginx 支持在单个 IP 上承载多个域名,并且可以在此基础上为每个域名配置各自的 HTTPS 证书,这依赖 TLS 的 SNI(Server Name Indication)扩展:客户端在 TLS 握手的 ClientHello 中先把要访问的站点域名(Hostname)发给服务器,服务器据此选择对应的 server 块并返回相应的证书。需要注意 SNI 中的域名是明文传输的,链路上的中间人可以看到客户端访问的是哪个域名。
#自签名CA证书
#安全注意:下面生成的 ca.key 是未加密(-nodes)的 CA 私钥,有效期 10 年,并且直接放在 web 服务器的证书目录里。
#拿到 ca.key 的人可以为任意域名签发被导入了 ca.crt 的客户端所信任的证书。生产或长期使用时:CA 私钥应离线保存、
#不要放在 web 服务器上;去掉 -nodes 用口令加密;所有私钥文件权限改为 600(chmod 600 /apps/nginx/certs/*.key)。
[root@centos8 ~]#mkdir /apps/nginx/certs/
[root@centos8 ~]#cd /apps/nginx/certs/
[root@centos8 certs]#openssl req -newkey rsa:4096 -nodes -sha256 -keyout ca.key -x509 -days 3650 -out ca.crt
Generating a RSA private key
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN #国家代码
State or Province Name (full name) []:Hubei #省份
Locality Name (eg, city) [Default City]:Hubei #城市名称
Organization Name (eg, company) [Default Company Ltd]:abc.com#公司名称
Organizational Unit Name (eg, section) []:abc #部门
Common Name (eg, your name or your server's hostname) []:ca.abc.com #通用名称
Email Address []: #邮箱
#自制key和csr文件
[root@centos8 certs]#openssl req -newkey rsa:4096 -nodes -sha256 -keyout www.abc.com.key -out www.abc.com.csr
Generating a RSA private key
..........++++
...................................................................................++++
writing new private key to 'www.abc.com.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Hubei
Locality Name (eg, city) [Default City]:Hubei
Organization Name (eg, company) [Default Company Ltd]:abc.com
Organizational Unit Name (eg, section) []:abc
Common Name (eg, your name or your server's hostname) []:www.abc.com
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
#签发证书
#注意:像下面这样直接用 x509 -req 签发,得到的是 v1 证书(见后面输出的 "Version: 1"),没有 subjectAltName 扩展。
#现代浏览器校验域名时只看 SAN 不看 CN,会报 NET::ERR_CERT_COMMON_NAME_INVALID。推荐带扩展签发 v3 证书,
#并且服务器证书也不宜给 10 年有效期:
#  openssl x509 -req -days 365 -sha256 -in www.abc.com.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
#    -extfile <(printf 'subjectAltName=DNS:www.abc.com\nbasicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth') \
#    -out www.abc.com.crt
[root@centos8 certs]#openssl x509 -req -days 3650 -in www.abc.com.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out www.abc.com.crt
Signature ok
subject=C = CN, ST = Hubei, L = Hubei, O = abc.com, OU = abc, CN = www.abc.com
Getting CA Private Key
#验证证书内容
[root@centos8 certs]#openssl x509 -in www.abc.com.crt -noout -text
Certificate:
Data:
Version: 1 (0x0)
Serial Number:
12:35:44:96:ff:f9:42:49:76:f3:1e:60:3a:de:2e:42:c0:d5:30:ed
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = CN, ST = Hubei, L = Hubei, O = abc.com, OU = abc, CN = ca.abc.com
Validity
Not Before: Nov 23 11:19:04 2021 GMT
Not After : Nov 21 11:19:04 2031 GMT
Subject: C = CN, ST = Hubei, L = Hubei, O = abc.com, OU = abc, CN = www.abc.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (4096 bit)
#合并CA和服务器证书成一个文件,注意服务器证书在前(nginx 的 ssl_certificate 要求"服务器证书 + CA 链"的顺序,顺序反了会报 key values mismatch)
[root@centos8 certs]#cat www.abc.com.crt ca.crt > www.abc.com.pem
#Nginx 配置
[root@centos8 certs]#vim /apps/nginx/conf/nginx.conf
#在 nginx.conf 的 http { ... } 块内部、即文件最后一个 } 的前面加上(server 块只能出现在 http 上下文里,放到最后一个 } 之后会报 "server" directive is not allowed here):
include /apps/nginx/conf/conf.d/*.conf;
[root@centos8 certs]#mkdir /apps/nginx/conf/conf.d
[root@centos8 certs]#vim /apps/nginx/conf/conf.d/mobile.conf
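# HTTP listener: only redirects to HTTPS, nothing is served in clear text.
server {
    listen 80 default_server;
    server_name www.abc.com;
    # return is cheaper than a regex rewrite and keeps the full original URI (query string included).
    return 301 https://$server_name$request_uri;
}
# HTTPS vhost for www.abc.com; the .pem is the server certificate followed by ca.crt.
server {
    listen 443 ssl;
    server_name www.abc.com;
    ssl_certificate /apps/nginx/certs/www.abc.com.pem;
    ssl_certificate_key /apps/nginx/certs/www.abc.com.key;
    # nginx 1.18 still enables TLSv1 and TLSv1.1 by default; restrict to the protocols still considered safe.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_session_cache shared:sslcache:20m;
    ssl_session_timeout 10m;
    # NOTE(review): once the site is reachable only over HTTPS, enable HSTS:
    #   add_header Strict-Transport-Security "max-age=31536000" always;
    # and consider "server_tokens off;" so the 301/error pages stop advertising the nginx version.
    location / {
        root "/data/nginx/html/mobile";
    }
    # stub_status exposes connection/request counters; never leave it open to the internet.
    location /mobile_status {
        stub_status;
        allow 127.0.0.1;
        deny all;
    }
}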
[root@centos8 certs]#nginx -t
nginx: the configuration file /apps/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /apps/nginx/conf/nginx.conf test is successful
#创建网站的测试数据
[root@centos8 certs]#mkdir -pv /data/nginx/html/mobile
mkdir: created directory '/data'
mkdir: created directory '/data/nginx'
mkdir: created directory '/data/nginx/html'
mkdir: created directory '/data/nginx/html/mobile'
[root@centos8 certs]#vim /data/nginx/html/mobile/index.html
<!doctype html>
<!-- Sample page served from /data/nginx/html/mobile (the "root" of the www.abc.com vhost in mobile.conf). -->
<html lang="en">
<head>
<meta charset="UTF-8" />
<title>谭亮的网页</title>
<style type="text/css">
h1{
background-color: red;
margin: 0;
float: right;
color: yellow;
}
</style>
</head>
<body>
<h1>欢迎来到我的网页空间!</H1>
</body>
</html>
#重新加载nginx
[root@centos8 certs]#nginx -s reload
#Windows 系统访问前需要修改 hosts 文件把 www.abc.com 指向服务器 IP;访问 https 还需要把 ca.crt 导入到"受信任的根证书颁发机构"。
#安全注意:导入的是自建 CA,持有 ca.key 的人之后可以对这台客户端冒充任何网站而不触发告警,只在测试机上导入,测试结束后删除。
#linux导入证书方法(同样要先在 /etc/hosts 中把 www.abc.com 指向本机):
#CentOS 8 的 /etc/pki/tls/certs/ca-bundle.crt 是由 update-ca-trust 生成的,直接往里追加会在下次更新 ca-certificates 时被覆盖,
#正确做法是把 CA 证书放进 anchors 目录再刷新信任库:
[root@centos8 certs]#cp ca.crt /etc/pki/ca-trust/source/anchors/
[root@centos8 certs]#update-ca-trust
[root@centos8 certs]#curl https://www.abc.com
<!doctype html>
<html lang="en">
<head>
<meta charset="UTF-8" />
<title>谭亮的网页</title>
<style type="text/css">
h1{
background-color: red;
margin: 0;
float: right;
color: yellow;
}
</style>
</head>
<body>
<h1>欢迎来到我的网页空间!</H1>
</body>
</html>
[root@centos8 certs]#curl http://www.abc.com
<html>
<head><title>301 Moved Permanently</title></head>
<body>
<center><h1>301 Moved Permanently</h1></center>
<hr><center>nginx/1.18.0</center>
</body>
</html>
[root@centos8 certs]#curl -L http://www.abc.com
<!doctype html>
<html lang="en">
<head>
<meta charset="UTF-8" />
<title>谭亮的网页</title>
<style type="text/css">
h1{
background-color: red;
margin: 0;
float: right;
color: yellow;
}
</style>
</head>
<body>
<h1>欢迎来到我的网页空间!</H1>
</body>
</html>