Configuring HTTPS with Self-Signed SSL Certificates in Nginx
Install Nginx
Ensure Nginx was compiled with the --with-http_ssl_module option. Verify the build configuration:
root@ecs-7398:/usr/local/nginx# ./sbin/nginx -V
nginx version: nginx/1.20.2
built by gcc 9.4.0 (Ubuntu 9.4.0-1ubuntu1~20.04.2)
built with OpenSSL 1.1.1f 31 Mar 2020
TLS SNI support enabled
configure arguments: --prefix=/usr/local/nginx --with-pcre --with-http_ssl_module --with-http_gzip_static_module --with-http_v2_module --with-http_realip_module --with-http_sub_module --with-http_dav_module --with-http_flv_module
Generate Certificate Files
- Create Private Key
root@ecs-7398:/usr/local/nginx# mkdir -p key
root@ecs-7398:/usr/local/nginx# cd key/
root@ecs-7398:/usr/local/nginx/key# openssl genrsa -des3 -out private.pem 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
................+++++
......+++++
e is 65537 (0x010001)
Enter pass phrase for private.pem: # Set a password, e.g., 123456
Verifying - Enter pass phrase for private.pem: # Confirm password
- Generate CSR (Certificate Signing Request)
root@ecs-7398:/usr/local/nginx/key# openssl req -new -key private.pem -out request.csr
Enter pass phrase for private.pem: # Enter password
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:shanghai
Locality Name (eg, city) []:jiading
Organization Name (eg, company) [Internet Widgits Pty Ltd]:bai
Organizational Unit Name (eg, section) []:zr
Common Name (e.g. server FQDN or YOUR name) []:byc
Email Address []:2123288207@qq.com
Please enter the following 'extra' attributes
To be sent with your certificate request
A challenge password []:123456
An optional company name []:zr
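- Create Public Certificate
The first command removes the passphrase from the private key so that Nginx can load it without prompting; the key is then stored unencrypted on disk. The second command self-signs the request with that key.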
root@ecs-7398:/usr/local/nginx/key# openssl rsa -in private.pem -out private.pem
Enter pass phrase for private.pem: # Enter password
writing RSA key
root@ecs-7398:/usr/local/nginx/key# openssl x509 -req -days 3650 -in request.csr -signkey private.pem -out public.crt
Signature ok
subject=C = CN, ST = shanghai, L = jiading, O = bai, OU = zr, CN = byc, emailAddress = 2123288207@qq.com
Getting Private key
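The three steps above can be run without prompts and the resulting files checked before Nginx is pointed at them. The script below is an added example, not part of the original page; it assumes OpenSSL 1.1.1 or later, and the function names, the passphrase sample-pass and the temporary directory are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original page.

# make_sample DIR: repeat the three steps above without prompts inside DIR.
# Passphrase and subject are constructed; -aes256 stands in for the page's -des3.
make_sample() {
  mkdir -p "$1" && (
    cd "$1" && umask 077 &&
    openssl genrsa -aes256 -passout pass:sample-pass -out private.pem 2048 &&
    openssl req -new -key private.pem -passin pass:sample-pass \
      -subj "/CN=byc" -out request.csr &&
    openssl rsa -in private.pem -passin pass:sample-pass -out private.pem &&
    openssl x509 -req -days 3650 -in request.csr -signkey private.pem \
      -out public.crt
  ) >/dev/null 2>&1
}

# check_pair KEY CERT: return 0 only if every check below passes.
check_pair() {
  key=$1 crt=$2 rc=0
  # 1. The key must load with an empty passphrase; an encrypted key makes
  #    nginx ask for the passphrase when it starts.
  if ! openssl pkey -in "$key" -noout -passin pass: 2>/dev/null; then
    echo "FAIL: $key is encrypted or unreadable"; return 1
  fi
  # 2. The certificate must contain this key's public half.
  k=$(openssl pkey -in "$key" -pubout -passin pass: | openssl dgst -sha256)
  c=$(openssl x509 -in "$crt" -noout -pubkey | openssl dgst -sha256)
  [ "$k" = "$c" ] || { echo "FAIL: $crt does not match $key"; rc=1; }
  # 3. An unencrypted key must grant nothing to group or other.
  [ "$(ls -ld "$key" | cut -c5-10)" = "------" ] ||
    { echo "FAIL: $key is accessible to group/other; chmod 600"; rc=1; }
  # 4. The certificate must stay valid for at least 30 more days.
  openssl x509 -in "$crt" -noout -checkend 2592000 >/dev/null ||
    { echo "FAIL: $crt expires within 30 days"; rc=1; }
  return $rc
}

# Demo on throwaway files. For the page's layout, run instead:
#   check_pair /usr/local/nginx/key/private.pem /usr/local/nginx/key/public.crt
tmp=$(mktemp -d) && make_sample "$tmp" &&
  check_pair "$tmp/private.pem" "$tmp/public.crt" && echo "all checks passed"
rm -rf "$tmp"
```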
Configure Nginx for HTTPS
Edit the main configuration file:
root@ecs-7398:/usr/local/nginx# systemctl start nginx
root@ecs-7398:/usr/local/nginx# vim conf/nginx.conf
Update the server block to include SSL settings:
server {
    listen 443 ssl;
    server_name localhost;
    ssl_certificate /usr/local/nginx/key/public.crt;
    ssl_certificate_key /usr/local/nginx/key/private.pem;
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 5m;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    location / {
        root /usr/local/nginx/html/xiaomi;
        index index.html index.htm;
    }
}
Test the Setup
root@ecs-7398:~# unzip 小米官网.zip -d /usr/local/nginx/html/xiaomi
root@ecs-7398:~# ls /usr/local/nginx/html/xiaomi/
css iconfont images index.html
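Access the site via https://<your-server-ip>:443 in a web browser. Because the certificate is self-signed, the browser shows a certificate warning before loading the page.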