以下步骤仅适用于源码编译安装的 nginx;通过 yum 等包管理器安装的版本默认已支持 SSL
自己入门时折腾玩的,无太大实用意义
安装编译
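# Build nginx from source with the stub-status and TLS (http_ssl) modules,
# installing under /usr/local/nginx. The http_ssl module needs the OpenSSL
# development headers to be present at configure time.
# The steps are chained with && so that make is not run against a Makefile
# left over from an earlier configure run when this configure fails.
./configure --prefix=/usr/local/nginx \
  --with-http_stub_status_module \
  --with-http_ssl_module \
  && make \
  && make install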
新建目录
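# Create the certificate directory under the install prefix passed to
# ./configure (/usr/local/nginx); the configuration below reads the
# certificate and key from /usr/local/nginx/cert.
# The directory holds the private key, so it is restricted to its owner.
cd /usr/local/nginx && mkdir -p cert && chmod 700 cert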
上传 SSL 证书文件(.pem 或其他格式)和私钥文件(.key)到 nginx 的 cert 目录;私钥文件建议设置为仅属主可读(例如权限 600)
......
修改配置文件
# TLS settings for the HTTPS server block; the "ssl" parameter on listen
# enables TLS for connections accepted on port 443.
listen 443 ssl;
# NOTE(review): server_name is localhost while the certificate file name
# suggests a real domain; presumably a placeholder, confirm it matches the
# names in the certificate.
server_name localhost;
# Certificate (chain) presented to clients.
ssl_certificate /usr/local/nginx/cert/4473342_a.wang.pem;
# Matching private key; keep this file readable only by the account that
# starts nginx.
ssl_certificate_key /usr/local/nginx/cert/4473342_a.wang.key;
# Session cache named "SSL", 10 MB, shared between worker processes.
ssl_session_cache shared:SSL:10m;
# Cached session parameters may be reused for 5 minutes.
ssl_session_timeout 5m;
# OpenSSL cipher string: "HIGH" suites, excluding unauthenticated (aNULL)
# and MD5-based ones.
ssl_ciphers HIGH:!aNULL:!MD5;
# Prefer the server's cipher order over the client's.
ssl_prefer_server_ciphers on;
# NOTE(review): ssl_protocols is not set here, so the protocol versions
# offered are whatever this nginx build defaults to; confirm that TLSv1 and
# TLSv1.1 are not enabled, or set ssl_protocols explicitly.
80端口跳转443配置
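# Plain-HTTP server whose only job is to redirect every request to HTTPS.
server {
    listen 80;
    server_name example.com www.example.com;
    # "return 301" issues the same permanent redirect as the former
    # "rewrite ... permanent" without evaluating a regex, and $request_uri
    # carries the path and query string exactly as the client sent them.
    # NOTE(review): $host is taken from the request; if this block also acts
    # as the default server for port 80, requests for other host names would
    # be redirected as well. Confirm a separate default server exists.
    return 301 https://$host$request_uri;
}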
nginx ssl相关配置指令
ssl
ssl_protocols
ssl_buffer_size
ssl_password_file
ssl_certificate /root/project/ssl/nginx.crt; #证书路径
ssl_certificate_key /root/project/ssl/nginx.key; #key密钥路径
ssl_session_cache shared:SSL:1m; #储存SSL会话的缓存类型和大小,1m 约 4000 个会话
ssl_session_timeout 5m; #会话过期时间
ssl_session_tickets off
ssl_session_ticket_key x.key
ssl_ciphers HIGH:!aNULL:!MD5; #建立安全连接时,服务器允许使用的加密套件列表
ssl_prefer_server_ciphers on; #使用SSLv3和TLSv1协议时,服务器端的加密套件优先于客户端的加密套件
ssl_dhparam x.pem
ssl_ecdh_curve auto
ssl_early_data
ssl_verify_client on
ssl_verify_depth
ssl_crl
ssl_client_certificate
ssl_trusted_certificate
ssl_stapling
ssl_stapling_file
ssl_stapling_responder
ssl_stapling_verify