Nginx: configuring multiple HTTPS domains #6

Open
johnnian opened this issue Jun 29, 2017 · 2 comments
@johnnian (Owner) commented Jun 29, 2017

I've been playing with WeChat mini programs lately, and I have:

  • one cloud server: CentOS 7.4
  • several registered (apex) domains

During development and testing, for various reasons, I wanted domains A and B to both point at port 443 on the cloud server and be served over HTTPS.

Nginx supports the TLS SNI extension (several domains, each with its own certificate, on a single IP address), so this comes down to making sure the Nginx build has SNI support and then adding one server block per domain. Check first with "nginx -V": if the output contains "TLS SNI support enabled", the rebuild below is unnecessary (any Nginx linked against OpenSSL 0.9.8f or newer with TLS extensions has it); if it says "disabled", rebuild Nginx against a suitable OpenSSL as follows.

Installing Nginx

The versions pinned here date from mid-2017 (OpenSSL 1.0.2 has been end-of-life since the end of 2019), so substitute current releases when following along.

[root@ localhost ~]# wget https://www.openssl.org/source/openssl-1.0.2n.tar.gz
[root@ localhost ~]# tar zxvf openssl-1.0.2n.tar.gz
[root@ localhost ~]# wget http://nginx.org/download/nginx-1.12.0.tar.gz
[root@ localhost ~]# tar zxvf nginx-1.12.0.tar.gz
[root@ localhost ~]# yum -y install zlib zlib-devel openssl openssl-devel pcre pcre-devel
[root@ localhost ~]# cd nginx-1.12.0
[root@ localhost nginx-1.12.0]# ./configure --prefix=/usr/local/nginx --with-http_ssl_module \
--with-openssl=../openssl-1.0.2n \
--with-openssl-opt="enable-tlsext"
[root@ localhost nginx-1.12.0]# make && make install

--with-openssl builds the downloaded OpenSSL from source and links it statically into the nginx binary, so the system openssl-devel package is not what ends up in the build. TLS extensions (and with them SNI) are enabled by default in OpenSSL 1.0.x, so enable-tlsext is redundant but harmless.

Installed under: /usr/local/nginx

Note: during the install I found that the cloud server's environment was missing some libraries; after fetching them, re-run Nginx's ./configure as follows:

[root@ localhost ~]# wget https://nchc.dl.sourceforge.net/project/pcre/pcre/8.35/pcre-8.35.tar.gz
[root@ localhost ~]# tar zxvf pcre-8.35.tar.gz
[root@ localhost ~]# yum -y install gcc
[root@ localhost ~]# yum -y install gcc-c++
[root@ localhost ~]# yum install -y zlib-devel

[root@ localhost nginx-1.12.0]# ./configure --prefix=/usr/local/nginx --with-http_ssl_module \
--with-openssl=../openssl-1.0.2n \
--with-openssl-opt="enable-tlsext" \
--with-pcre=../pcre-8.35
[root@ localhost nginx-1.12.0]# make && make install

(--with-pcre and --with-openssl take paths relative to the Nginx source directory, so run configure from inside nginx-1.12.0, with the pcre and openssl trees unpacked next to it.)
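Once the build is installed, three things are worth checking before relying on it: that the binary really reports SNI support, that the private key files are not readable by other users, and that each hostname actually receives its own certificate on the shared IP. The script below is an added example written for this page, not the issue author's code; it assumes the nginx binary at /usr/local/nginx/sbin/nginx, keys under /root/keys as in the configuration that follows, and placeholder values for SERVER_IP and the hostnames passed on the command line.

```shell
#!/bin/sh
# Added example (not from the original post): confirm that the nginx binary
# really has SNI support, that the private keys are not readable by other
# users, and that each hostname gets its own certificate on the shared IP.
# Assumptions: nginx at /usr/local/nginx/sbin/nginx, keys under /root/keys;
# SERVER_IP and the hostnames on the command line are placeholders.

NGINX_BIN="${NGINX_BIN:-/usr/local/nginx/sbin/nginx}"

# nginx_has_sni TEXT
#   TEXT is the output of `nginx -V` (nginx writes it to stderr).
#   Returns 0 when the build reports "TLS SNI support enabled".
nginx_has_sni() {
	printf '%s\n' "$1" | grep -q 'TLS SNI support enabled'
}

# nginx_openssl_version TEXT -> prints the OpenSSL version nginx was built with
nginx_openssl_version() {
	printf '%s\n' "$1" | sed -n 's/^built with OpenSSL \([0-9][^ ]*\).*/\1/p' | head -n 1
}

# key_is_private FILE -> 0 if FILE grants no group/other permission bits at all
key_is_private() {
	[ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# probe_sni HOST IP [PORT]
#   Connects to IP:PORT sending HOST in the SNI extension and prints the
#   Subject and DNS SANs of the leaf certificate returned. Run once per
#   hostname: abc.com and def.com must each show their own certificate.
probe_sni() {
	host="$1"; ip="$2"; port="${3:-443}"
	printf 'SNI=%s\n' "$host"
	openssl s_client -servername "$host" -connect "$ip:$port" </dev/null 2>/dev/null \
		| openssl x509 -noout -text 2>/dev/null \
		| grep -E '^ *Subject:|DNS:' \
		|| echo "  no certificate returned"
}

# Report on the local build when the binary is present.
if [ -x "$NGINX_BIN" ]; then
	v="$("$NGINX_BIN" -V 2>&1)"
	if nginx_has_sni "$v"; then
		echo "SNI: enabled (OpenSSL $(nginx_openssl_version "$v"))"
	else
		echo "SNI: NOT enabled; rebuild nginx against an OpenSSL that has TLS extensions"
	fi
fi

# Warn about loosely permissioned keys under /root/keys (path assumed).
for k in /root/keys/*.private.pem; do
	[ -e "$k" ] && ! key_is_private "$k" && echo "WARNING: $k is readable by others"
done

# Usage: SERVER_IP=203.0.113.10 sh sni-check.sh abc.com def.com
for h in "$@"; do
	probe_sni "$h" "${SERVER_IP:?set SERVER_IP to the shared address}"
done
```

Run it with the hostnames as arguments after the vhosts are live. If probe_sni prints the same Subject for both names, the second server block is not being selected by SNI (typically a server_name typo, or the client hitting a different listen address); if it prints nothing, the handshake failed before a certificate was sent, which is also the symptom to look for when a browser reports a protocol error on one of the sites.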

Configuring Nginx

If your domain registrar offers a free TLS certificate, use it; otherwise you can get a free certificate from Let's Encrypt (see the section below).

Open the Nginx configuration (with --prefix=/usr/local/nginx it lives under conf/, not at the prefix root):

[root@ localhost ~]# vi /usr/local/nginx/conf/nginx.conf
	...
	server {
		listen       443 ssl;
		#listen       [::]:443 ssl;
		server_name  abc.com;
		root         /usr/share/nginx/html;
		
		ssl_certificate "/root/keys/abc.com.pem";
		ssl_certificate_key "/root/keys/abc.com.private.pem";
		# leftover from the CentOS package layout; a glob that matches nothing is harmless, so this can also be removed
		include /etc/nginx/default.d/*.conf;
		
		location / {
		}
		error_page 404 /404.html;
		    location = /404.html {
		}
		error_page 500 502 503 504 /50x.html;
		    location = /50x.html {
		}
	}
	
	server {
		listen       443 ssl;
		#listen       [::]:443 ssl;
		server_name  def.com;
		root         /usr/share/nginx/html;
		
		ssl_certificate "/root/keys/def.com.pem";
		ssl_certificate_key "/root/keys/def.com.private.pem";
		include /etc/nginx/default.d/*.conf;
		
		location / {
		}
		error_page 404 /404.html;
		    location = /404.html {
		}
		error_page 500 502 503 504 /50x.html;
		    location = /50x.html {
		}
	}

Nginx picks the server block by the name the client sends in SNI; a client that sends no SNI (or an unknown name) gets the first block for that address and port, i.e. abc.com here, unless another block is marked default_server. The key files are read by the master process, which runs as root, so they can stay root-only (mode 0600) under /root/keys.

Once the configuration is in place, check it with "nginx -t" and then reload Nginx (the source build puts the binary under /usr/local/nginx/sbin, which is not on PATH by default):

[root@ localhost ~]# /usr/local/nginx/sbin/nginx -s reload
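The two server blocks above accept whatever TLS defaults nginx 1.12 ships with: TLSv1 and TLSv1.1 still enabled, session tickets on, and no explicit default_server. Below is an added example of the same two-domain setup with the TLS settings hoisted into the http block and tightened; it is written for this page and is not the issue author's configuration. It assumes the same domain names and key paths as above, nginx 1.12 built against OpenSSL 1.0.2 (so TLS 1.3 is not available), and a port-80 listener that serves only ACME challenges and redirects everything else.

```nginx
# Added example, not from the original post. Same domains and key paths as
# above; nginx 1.12 on OpenSSL 1.0.2, so TLSv1.2 is the newest protocol.
# Fragment of the http { } section of /usr/local/nginx/conf/nginx.conf.

http {
    # TLS settings shared by every HTTPS vhost. Setting them once here means
    # a new server block cannot silently fall back to the 1.12 defaults,
    # which still allow TLSv1 and TLSv1.1.
    ssl_protocols             TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers               ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;
    ssl_session_cache         shared:SSL:10m;   # shared across workers so resumption works
    ssl_session_timeout       1d;
    ssl_session_tickets       off;              # ticket key only changes on reload unless rotated

    # Plain HTTP: serve the ACME challenge path, redirect everything else.
    server {
        listen      80 default_server;
        server_name abc.com def.com;

        location ^~ /.well-known/acme-challenge/ {
            default_type "text/plain";
            root /usr/share/nginx/html;
        }
        location = /.well-known/acme-challenge/ {
            return 404;
        }
        location / {
            return 301 https://$host$request_uri;
        }
    }

    # First 443 vhost. default_server makes it the one handed to clients that
    # send no SNI name; make sure that is the site you are happy to expose
    # to such clients and scanners.
    server {
        listen      443 ssl default_server;
        server_name abc.com;
        root        /usr/share/nginx/html;

        ssl_certificate     /root/keys/abc.com.pem;
        ssl_certificate_key /root/keys/abc.com.private.pem;

        add_header Strict-Transport-Security "max-age=31536000" always;
    }

    server {
        listen      443 ssl;
        server_name def.com;
        root        /usr/share/nginx/html;

        ssl_certificate     /root/keys/def.com.pem;
        ssl_certificate_key /root/keys/def.com.private.pem;

        add_header Strict-Transport-Security "max-age=31536000" always;
    }
}
```

The cipher list is ECDHE-only, so no ssl_dhparam is needed; if you must support clients without ECDHE, add an RSA key-exchange suite and generate a 2048-bit dhparam file. Only add the HSTS header once both sites are served correctly over HTTPS, since browsers will then refuse plain HTTP for a year.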

Getting a free certificate

If you don't have a certificate, you can obtain one for free from Let's Encrypt as follows.

Step 1: install the official Let's Encrypt client, Certbot

Install via the certbot-auto wrapper script:

[root@ localhost ~]# wget https://dl.eff.org/certbot-auto
[root@ localhost ~]# chmod a+x certbot-auto

(certbot-auto has since been retired and is no longer available from dl.eff.org; on a current system install certbot from the distribution's packages, EPEL on CentOS 7, or via snap, and replace ./certbot-auto with certbot in the commands below.)

Step 2: in the Nginx configuration, add the following to the server block that listens on port 80:

When Certbot validates the domain (the HTTP-01 challenge) it writes a file with a random name under <webroot>/.well-known/acme-challenge/, and the Let's Encrypt validation servers fetch that file over plain HTTP on port 80. Nginx therefore has to serve that path from the same directory you later pass to certbot with -w.

server {
  	listen       80 default_server;
  	
  	...
  	
	# serve the challenge files Certbot drops into the webroot
	location ^~ /.well-known/acme-challenge/ {
		default_type "text/plain";
		root     /usr/share/nginx/html;
	}
	
	# but never expose the directory itself
	location = /.well-known/acme-challenge/ {
		return 404;
	}
}

Reload Nginx: nginx -s reload

Step 3: request the certificate

[root@ localhost ~]# ./certbot-auto certonly --webroot -w /usr/share/nginx/html/ -d your.domain.com

The -w path must be the root directory used by the acme-challenge location above. During the run you are asked for an email address; Let's Encrypt uses it for expiry warnings and account recovery.

On success the certificate files are placed under /etc/letsencrypt/live/your.domain.com/ (symlinks to the latest version kept in /etc/letsencrypt/archive/):

|-- fullchain.pem   (leaf certificate plus the intermediate chain; this is what ssl_certificate wants)
|-- privkey.pem     (private key; Certbot creates it root-only, leave it that way)

Step 4: configure Nginx

server {
	listen       443 ssl;
	listen       [::]:443 ssl;
	server_name  your.domain.com;   # must match the name the certificate was issued for
	root         /usr/share/nginx/html;
	
	ssl_certificate "/etc/letsencrypt/live/your.domain.com/fullchain.pem";
	ssl_certificate_key "/etc/letsencrypt/live/your.domain.com/privkey.pem";
	include /etc/nginx/default.d/*.conf;
	
	location / {
	}
	error_page 404 /404.html;
	    location = /404.html {
	}
	error_page 500 502 503 504 /50x.html;
	    location = /50x.html {
	}
}

After editing, check the configuration with "nginx -t" and reload Nginx.

Step 5: automatic renewal

First do a dry run of the renewal from the command line:

./certbot-auto renew --dry-run

If the dry run succeeds, use crontab -e to add the renewal job. Renewal by itself only writes new files under /etc/letsencrypt; Nginx keeps serving the old certificate until it is reloaded, so add a deploy hook that reloads it whenever a certificate was actually renewed. Let's Encrypt certificates are valid for 90 days and certbot only renews when fewer than 30 days remain, so a weekly run is enough, though a daily run leaves more room to retry after a failed attempt:

[root]# crontab -e

30 2 * * 1 /root/certbot-auto renew --deploy-hook "/usr/local/nginx/sbin/nginx -s reload" >> /var/log/le-renew.log 2>&1
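Two checks worth scripting around steps 3 and 5: before requesting the certificate, confirm that a file dropped into the webroot is fetchable at exactly the URL the HTTP-01 validator will request; and run renewals with a hook that reloads nginx only when something was renewed. The script below is an added example for this page, not the issue author's script or part of certbot; it assumes the webroot /usr/share/nginx/html, the nginx binary at /usr/local/nginx/sbin/nginx, and a certbot command on PATH (substitute /root/certbot-auto if you still use the wrapper).

```shell
#!/bin/sh
# Added example, not part of the original post. Confirms that the webroot is
# reachable the way the Let's Encrypt HTTP-01 validator will reach it, and
# renews with a hook that reloads nginx so the new certificate is served.
# Assumed paths: webroot /usr/share/nginx/html, nginx at
# /usr/local/nginx/sbin/nginx, certbot on PATH.

WEBROOT="${WEBROOT:-/usr/share/nginx/html}"
NGINX_BIN="${NGINX_BIN:-/usr/local/nginx/sbin/nginx}"
ACME_DIR=".well-known/acme-challenge"

# make_token -> prints a random 32-char hex token (stand-in for an ACME token)
make_token() {
	od -An -N16 -tx1 /dev/urandom | tr -d ' \n'
}

# challenge_path WEBROOT TOKEN -> filesystem path nginx will serve for TOKEN
challenge_path() {
	printf '%s/%s/%s\n' "${1%/}" "$ACME_DIR" "$2"
}

# write_challenge WEBROOT TOKEN CONTENT -> creates the challenge file, prints its path
write_challenge() {
	p="$(challenge_path "$1" "$2")"
	mkdir -p "$(dirname "$p")"
	printf '%s' "$3" > "$p"
	printf '%s\n' "$p"
}

# webroot_selfcheck DOMAIN -> 0 if the file comes back byte-for-byte over plain HTTP
webroot_selfcheck() {
	domain="$1"
	token="$(make_token)"
	expected="selfcheck-$token"
	p="$(write_challenge "$WEBROOT" "$token" "$expected")"
	got="$(curl -fsS --max-time 10 "http://$domain/$ACME_DIR/$token" 2>/dev/null)"
	rc=$?
	rm -f "$p"
	if [ "$rc" -eq 0 ] && [ "$got" = "$expected" ]; then
		echo "OK: $domain serves $ACME_DIR from $WEBROOT"
	else
		echo "FAIL: $domain did not return the challenge file (curl rc=$rc)"
		return 1
	fi
}

# renew_certs -> for cron; the deploy hook runs only when a certificate was renewed
renew_certs() {
	certbot renew --quiet --deploy-hook "$NGINX_BIN -s reload"
}

# Usage: sh acme-check.sh check your.domain.com
#        sh acme-check.sh renew
case "${1:-}" in
	check) webroot_selfcheck "${2:?usage: $0 check DOMAIN}" ;;
	renew) renew_certs ;;
esac
```

Run the check from a machine outside the server (or at least against the public name, not localhost), because the validator connects from the Internet: a redirect from port 80 to HTTPS, a firewall rule, or a different webroot in the -w argument all show up here as FAIL before you burn a Let's Encrypt rate-limit slot.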

Related references

@kk-cwh commented Apr 25, 2018

I configured two HTTPS sites. In Chrome, visiting one of them fails with ERR_SSL_PROTOCOL_ERROR, while in Safari both work. I've tried all the fixes I could find online and none of them work. Any ideas?

@johnnian (Owner, Author) commented Apr 26, 2018

@zhangyake, can you try these and see whether they solve it? I haven't run into these problems on my side.
