mkdir -p /usr/local/etc/ssl/certs
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /usr/local/etc/ssl/private/nginx-selfsigned.key -out /usr/local/etc/ssl/certs/nginx-selfsigned.crt
sudo openssl dhparam -out /usr/local/etc/ssl/certs/dhparam.pem 128
mkdir -p /usr/local/etc/nginx/snippets
touch /usr/local/etc/nginx/snippets/self-signed.conf
sudo vim /usr/local/etc/nginx/snippets/self-signed.conf
填入
ssl_certificate /usr/local/etc/ssl/certs/nginx-selfsigned.crt;
ssl_certificate_key /usr/local/etc/ssl/private/nginx-selfsigned.key;touch /usr/local/etc/nginx/snippets/ssl-params.conf
sudo vim /usr/local/etc/nginx/snippets/ssl-params.conf
填入
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
ssl_ecdh_curve secp384r1;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
ssl_dhparam /usr/local/etc/ssl/certs/dhparam.pem;填入
worker_processes 1;
events {
worker_connections 1024;
}
http {
include mime.types;
default_type application/octet-stream;
sendfile on;
keepalive_timeout 65;
proxy_http_version 1.1;
# configure nginx server to redirect to HTTPS
server {
listen 1337;
server_name localhost;
return 302 https://$server_name:7332$request_uri;
}
# configure nginx server with ssl
server {
listen 1338 ssl http2;
server_name localhost;
include snippets/self-signed.conf;
include snippets/ssl-params.conf;
# route requests to the local development server
location / {
proxy_pass http://localhost:8080/;
}
}
include servers/*;
}https://blog.gtwang.org/linux/nginx-create-and-install-ssl-certificate-on-ubuntu-linux/
No comments:
Post a Comment