1、Winodw安装openssl工具(生成SSL证书用的)免编译版本下载:

http://slproweb.com/products/Win32OpenSSL.html

 

注意:如果openssl在使用过程中报无法读取conf文件,重启下电脑就好了

Cmd里面的全部命令:

C:\OpenSSL-Win64>cd bin

 

C:\OpenSSL-Win64\bin>openssl genrsa -des3 -out ssd.key 1024

Generating RSA private key, 1024 bit long modulus

….++++++

……..++++++

e is 65537 (0x10001)

Enter pass phrase for ssd.key:    —123456

Verifying – Enter pass phrase for ssd.key:  —123456

 

C:\OpenSSL-Win64\bin>openssl req -new -key ssd.key -out ssd.csr

Enter pass phrase for ssd.key:   —123456

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter \’.\’, the field will be left blank.

—–

Country Name (2 letter code) [AU]:cn

State or Province Name (full name) [Some-State]:guangdong

Locality Name (eg, city) []:zhuhai

Organization Name (eg, company) [Internet Widgits Pty Ltd]:ssd

Organizational Unit Name (eg, section) []:ssd

Common Name (e.g. server FQDN or YOUR name) []:yuange

Email Address []:1871707128@qq.com

 

Please enter the following \’extra\’ attributes

to be sent with your certificate request

A challenge password []:123456

An optional company name []:ssd

 

C:\OpenSSL-Win64\bin>openssl x509 -req -days 36500 -shal -extensions v3_ca -sign

key ssd.key -in ssd.csr -out ssd.crt

unknown option -shal             —-这里面错的原因是:sha1不是shal

usage: x509 args

 -inform arg     – input format – default PEM (one of DER, NET or PEM)

 -outform arg    – output format – default PEM (one of DER, NET or PEM)

 -keyform arg    – private key format – default PEM

 -CAform arg     – CA format – default PEM

 -CAkeyform arg  – CA key format – default PEM

 -in arg         – input file – default stdin

 -out arg        – output file – default stdout

 -passin arg     – private key password source

 -serial         – print serial number value

 -subject_hash   – print subject hash value

 -subject_hash_old   – print old-style (MD5) subject hash value

 -issuer_hash    – print issuer hash value

 -issuer_hash_old    – print old-style (MD5) issuer hash value

 -hash           – synonym for -subject_hash

 -subject        – print subject DN

 -issuer         – print issuer DN

 -email          – print email address(es)

 -startdate      – notBefore field

 -enddate        – notAfter field

 -purpose        – print out certificate purposes

 -dates          – both Before and After dates

 -modulus        – print the RSA key modulus

 -pubkey         – output the public key

 -fingerprint    – print the certificate fingerprint

 -alias          – output certificate alias

 -noout          – no certificate output

 -ocspid         – print OCSP hash values for the subject name and public key

 -ocsp_uri       – print OCSP Responder URL(s)

 -trustout       – output a “trusted” certificate

 -clrtrust       – clear all trusted purposes

 -clrreject      – clear all rejected purposes

 -addtrust arg   – trust certificate for a given purpose

 -addreject arg  – reject certificate for a given purpose

 -setalias arg   – set certificate alias

 -days arg       – How long till expiry of a signed certificate – def 30 days

 -checkend arg   – check whether the cert expires in the next arg seconds

                   exit 1 if so, 0 if not

 -signkey arg    – self sign cert with arg

 -x509toreq      – output a certification request object

 -req            – input is a certificate request, sign and output.

 -CA arg         – set the CA certificate, must be PEM format.

 -CAkey arg      – set the CA key, must be PEM format

                   missing, it is assumed to be in the CA file.

 -CAcreateserial – create serial number file if it does not exist

 -CAserial arg   – serial file

 -set_serial     – serial number to use

 -text           – print the certificate in text form

 -C              – print out C code forms

 -md2/-md5/-sha1/-mdc2 – digest to use

 -extfile        – configuration file with X509V3 extensions to add

 -extensions     – section from config file with X509V3 extensions to add

 -clrext         – delete extensions before signing and input certificate

 -nameopt arg    – various certificate name options

 -engine e       – use engine e, possibly a hardware device.

 -certopt arg    – various certificate text options

 -checkhost host – check certificate matches “host”

 -checkemail email – check certificate matches “email”

 -checkip ipaddr – check certificate matches “ipaddr”

 

C:\OpenSSL-Win64\bin>openssl x509 -req -days 36500  -extensions v3_ca -signkey s

sd.key -in ssd.csr -out ssd.crt

Signature ok

subject=/C=cn/ST=guangdong/L=zhuhai/O=ssd/OU=ssd/CN=yuange/emailAddress=18717071

28@qq.com

Getting Private key      –123456

Enter pass phrase for ssd.key:    –123456

 

C:\OpenSSL-Win64\bin>openssl genrsa -des3 -out server.key 2048

Generating RSA private key, 2048 bit long modulus

…………………………………..+++

…+++

e is 65537 (0x10001)

Enter pass phrase for server.key:  —123456

Verifying – Enter pass phrase for server.key:  —123456

 

C:\OpenSSL-Win64\bin>openssl req -new -key server.key -out server.csr

Enter pass phrase for server.key:   —123456

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter \’.\’, the field will be left blank.

—–

Country Name (2 letter code) [AU]:cn

State or Province Name (full name) [Some-State]:guangdong

Locality Name (eg, city) []:zhuhai

Organization Name (eg, company) [Internet Widgits Pty Ltd]:ssd

Organizational Unit Name (eg, section) []:ssd

Common Name (e.g. server FQDN or YOUR name) []:yuange

Email Address []:1871707128@qq.com

 

Please enter the following \’extra\’ attributes

to be sent with your certificate request

A challenge password []:123456

An optional company name []:ssd

 

C:\OpenSSL-Win64\bin>openssl x509 -req -days 36500 -md5 -extensions v3_req -CA s

sd.crt -CAkey ssd.key -CAcreateserial -in server.csr -out server.crt

Signature ok

subject=/C=cn/ST=guangdong/L=zhuhai/O=ssd/OU=ssd/CN=yuange/emailAddress=18717071

28@qq.com

Getting CA Private Key   —123456

Enter pass phrase for ssd.key:  —123456

 

以上的密码全部都是123456

 

注意:以上生成的证书保存在openssl/bin目录下,然后把生成的证书拷贝到nginx/conf的目录下,在这里面我只拷贝了server.crt  server.key

 

2、什么都配置好后发现:

Nginx -t 编译成功,但是运行的时候就自动关闭了,查看日志的时候报错了:

 

 

查了好久,终于知道了原因:

Windows下的nginx配置sslkey是不能存储密码的,否则就会报这个错

解决办法:

cmdcd openssl/bin的目录下,输入:

Openssl rsa -in  C:\OpenSSL-Win64\bin\server.key  -out c:/server.key.unsecure

输入server.key当初设置的密码,这里面是123456

 

然后在C根目录下可以看到:成功

 

 

server.key.unsecure替换在nginx.conf文件中的server.key内容  即可

 3、配置nginx.conf

  1 #使用的用户和组,window下不指定
  2 #user nobody;
  3 #指定工作衍生进程数(一般等于CPU总和数或总和数的两倍,例如两个四核CPU,则总和数为8)
  4 worker_processes 3;
  5 #指定错误日志文件存放路径,错误日志级别可选项为【debug|info|notice|warn|error|crit】
  6 #error_log logs/error.log;
  7 #error_log logs/error.log notice;
  8 error_log logs/error.log info;
  9 #指定pid存放路径
 10 #pid logs/nginx.pid; 
 11 
 12 #工作模式及连接数上限
 13 events {
 14 #使用网络I/O模型,Linux系统推荐使用epoll模型,FreeBSD系统推荐使用kqueue;window下不指定
 15 #use epoll;
 16 #允许的连接数
 17 worker_connections 1024;
 18 } 
 19 
 20 #设定http服务器,利用他的反向代理功能提供负载均衡支持
 21 http {
 22 #设定mime类型
 23 include mime.types;
 24 default_type application/octet-stream;
 25 #设定日志格式
 26 #log_format main \'$remote_addr - $remote_user [$time_local] "$request" \'
 27 # \'$status $body_bytes_sent "$http_referer" \'
 28 # \'"$http_user_agent" "$http_x_forwarded_for"\'; 
 29 
 30 
 31 #设定请求缓冲
 32 client_header_buffer_size 1k;
 33 large_client_header_buffers 4 4k; 
 34 
 35 #设定access log
 36 #access_log logs/access.log main;
 37 client_header_timeout 3m;
 38 client_body_timeout 3m;
 39 send_timeout 3m; 
 40 
 41 sendfile on;
 42 tcp_nopush on;
 43 tcp_nodelay on;
 44 #keepalive_timeout 0;
 45 keepalive_timeout 65; 
 46 
 47 #开启gzip模块
 48 gzip on;
 49 gzip_min_length 1100;
 50 gzip_buffers 4 8k;
 51 gzip_types text/plain application/x-javascript text/css application/xml; 
 52 
 53 output_buffers 1 32k;
 54 postpone_output 1460; 
 55 
 56 server_names_hash_bucket_size 128;
 57 client_max_body_size 8m; 
 58 
 59 fastcgi_connect_timeout 300;
 60 fastcgi_send_timeout 300;
 61 fastcgi_read_timeout 300;
 62 fastcgi_buffer_size 64k;
 63 fastcgi_buffers 4 64k;
 64 fastcgi_busy_buffers_size 128k;
 65 fastcgi_temp_file_write_size 128k;
 66 gzip_http_version 1.1;
 67 gzip_comp_level 2;
 68 gzip_vary on; 
 69 
 70 #设定负载均衡的服务器列表
 71 upstream url{
 72 #根据ip计算将请求分配各那个后端tomcat,可以解决session问题
 73 #ip_hash;
 74 #同一机器在多网情况下,路由切换,ip可能不同
 75 #weigth参数表示权值,权值越高被分配到的几率越大
 76 #server localhost:8080 weight=1;
 77 #server 10.152.252.160:8443 weight=2;
 78 #server 10.152.252.162:8443 weight=20;
 79 server 10.152.252.160:8443 max_fails=2 fail_timeout=600s;
 80 server 10.152.252.162:8443 max_fails=2 fail_timeout=600s;
 81 } 
 82 
 83 #设定虚拟主机
 84 server {
 85 listen 8080;
 86 #server_name 10.152.252.160; 
 87 
 88 #proxy_pass https://url;
 89 rewrite ^(.*)$ https://$host:8443$1 permanent;
 90 #charset koi8-r;
 91 charset UTF-8;
 92 #设定本虚拟主机的访问日志
 93 #access_log logs/host.access.log main;
 94 
 95 #error_page 404 /404.html; 
 96 
 97 # redirect server error pages to the static page /50x.html
 98 #
 99 error_page 500 502 503 504 /50x.html;
100 location = /50x.html {
101 root html;
102 } 
103 }
104 # HTTPS server
105 server {
106  listen 443;
107  listen 8444;
108  server_name 10.152.252.160; 
109 
110  ssl on;
111  ssl_certificate server.crt;
112  ssl_certificate_key server.key.unsecure; 
113 
114  ssl_session_timeout 5m; 
115 
116  ssl_protocols SSLv2 SSLv3 TLSv1;
117  ssl_ciphers HIGH:!aNULL:!MD5;
118  ssl_prefer_server_ciphers on; 
119 
120  location / {
121  root html;
122  index index.html index.htm;
123 
124  proxy_redirect off;
125  #保留用户真实信息
126  proxy_set_header Host $host;
127  proxy_set_header X-Real-IP $remote_addr;
128  proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
129  
130  proxy_next_upstream error timeout invalid_header http_500 http_503 http_404;
131  proxy_max_temp_file_size 128m; 
132 
133  proxy_pass https://url;
134  }
135 } 
136 }

View Code

 

版权声明:本文为qq1871707128原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://www.cnblogs.com/qq1871707128/p/7078232.html