Настройка Nginx+SSL на Centos 6/7
Имеем три виртуальных хоста и хост по умолчанию («заглушка», который принимает запросы с любым неизвестным заголовком Host)
вирт.хосты
joomla.us
wordpress.us
kamaok.us
Хост по умолчанию = имя сервера (app01.kamaok.org.ua)
1. Генерирование самоподписанных сертификатов для всех вирт.хостов (браузеры будут показывать предупреждение о недоверенном сертификате; для боевых сайтов используйте сертификаты от CA)
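# Step 1: one self-signed certificate per vhost plus one for the host itself.
# Browsers warn on self-signed certificates; use CA-issued ones in production.
mkdir -p /etc/nginx/ssl
cd /etc/nginx/ssl

# -subj makes the run non-interactive and pins CN to the name the vhost serves.
# -sha256 and -newkey rsa:2048 are stated explicitly instead of relying on the
# distro's openssl.cnf defaults (older defaults may still be SHA-1).
# NOTE: current browsers ignore CN and match only subjectAltName; with the
# OpenSSL 1.0.x shipped on CentOS 6/7 a SAN needs a -config file with a
# [v3_req] section (the -addext switch exists only in OpenSSL 1.1.1+).
for name in app01.kamaok.org.ua joomla.us wordpress.us kamaok.us; do
    openssl req -new -x509 -sha256 -newkey rsa:2048 -nodes -days 3650 \
        -subj "/CN=${name}" \
        -keyout "${name}.key" -out "${name}.pem"
done

# The private keys are read by the nginx master process, which runs as root,
# so nothing here needs to be owned by the unprivileged `nginx` user. The
# original `chown -R nginx:root` would let a compromised worker (running as
# `nginx`) read every private key; keep them root-only instead.
chown -R root:root /etc/nginx/ssl
chmod 700 /etc/nginx/ssl
chmod 600 /etc/nginx/ssl/*.key
chmod 644 /etc/nginx/ssl/*.pem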
2.Настройка Nginx для поддержки SSL
# nano /etc/nginx/ssl.conf
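# /etc/nginx/ssl.conf — shared TLS settings, `include`d by every `listen ... ssl` server block.

ssl_session_cache shared:SSL:20m;
ssl_session_timeout 1d;
# nginx's session-ticket key changes only on restart, so on a long-running
# master every resumed session shares one key and forward secrecy suffers.
# Keep tickets off unless ssl_session_ticket_key is rotated externally.
ssl_session_tickets off;

ssl_prefer_server_ciphers on;
# TLSv1 and TLSv1.1 are deprecated (RFC 8996). TLSv1.3 needs nginx built against
# OpenSSL 1.1.1+, which the stock CentOS 6/7 OpenSSL (1.0.x) does not provide.
ssl_protocols TLSv1.2;
# Older, broader list (includes 3DES and non-PFS RSA suites) kept for reference only:
#ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS;
# AEAD / forward-secret suites only.
ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
# 2048-bit DH group for the EDH suites above; generated with `openssl dhparam`
# and must exist before `nginx -t`. Without it older nginx used a weak built-in
# group and newer nginx simply disables DHE.
ssl_dhparam /etc/nginx/ssl/dhparam.pem;
# If you pin a curve, prefer prime256v1 or secp384r1; secp521r1 is not universally supported.
# ssl_ecdh_curve secp521r1;

## Improves TTFB by using a smaller SSL buffer than the nginx default
ssl_buffer_size 8k;

## OCSP stapling. Only meaningful for CA-issued certificates: the self-signed
## certificates from step 1 carry no OCSP responder URL, so nothing is stapled.
## ssl_stapling_verify additionally needs the issuer chain in ssl_trusted_certificate.
ssl_stapling on;
ssl_stapling_verify on;
# ssl_trusted_certificate /etc/nginx/ssl/chain.pem;
# Resolver used for the OCSP responder lookup; cap the cache lifetime and timeout.
resolver 8.8.8.8 valid=300s;
resolver_timeout 5s;

## HSTS: enable only once every site on this host works over HTTPS — browsers
## cache it for max-age and refuse plain HTTP meanwhile. `always` sends it on
## error responses too. Note that add_header is NOT inherited into a location
## that declares its own add_header; repeat it there if needed.
#add_header Strict-Transport-Security "max-age=31536000" always;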
Создаем параметры Диффи-Хеллмана (это не ключ, а общая группа для EDH-шифров; файл должен существовать до проверки конфигурации, так как на него ссылается ssl.conf; генерация 2048 бит может занять несколько минут)
# Diffie-Hellman group for the EDH cipher suites; referenced by ssl_dhparam in ssl.conf.
# Run in a subshell so the caller's working directory is left untouched.
(cd /etc/nginx/ssl && openssl dhparam 2048 -out dhparam.pem)
# nano /etc/nginx/conf.d/default.conf
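# /etc/nginx/conf.d/default.conf — catch-all ("stub") server for requests whose
# Host header matches no named vhost. It is the default on both ports so an
# unknown name (or a bare IP / SNI-less client) never lands on a real site.
server {
    # nginx expects `80` or `*:80`; the bare `:80` shown in the original listing is
    # not accepted and was most likely `*:80` with the asterisk lost in rendering.
    listen 80 default_server;
    listen 443 ssl default_server;
    server_name localhost;

    # The host's own self-signed certificate; TLS clients reaching the stub see
    # this name, not the vhost they asked for.
    ssl_certificate     /etc/nginx/ssl/app01.kamaok.org.ua.pem;
    ssl_certificate_key /etc/nginx/ssl/app01.kamaok.org.ua.key;
    include /etc/nginx/ssl.conf;   # shared TLS settings

    # ... rest of the stub configuration, elided in the original ...
    # (a common choice for a stub is `return 444;`, which closes the connection
    #  without a response, so scanners probing the bare IP learn nothing.)
}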
# nano /etc/nginx/conf.d/joomla.conf
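# /etc/nginx/conf.d/joomla.conf — joomla.us and all its subdomains, HTTP and HTTPS.
server {
    # nginx expects `80` or `*:80`; the bare `:80` shown in the original listing is
    # not accepted and was most likely `*:80` with the asterisk lost in rendering.
    listen 80;
    listen 443 ssl;
    server_name joomla.us *.joomla.us;

    # Certificate from step 1. The wildcard names served here only validate if
    # the certificate carries a matching SAN (*.joomla.us), not just a CN.
    ssl_certificate     /etc/nginx/ssl/joomla.us.pem;
    ssl_certificate_key /etc/nginx/ssl/joomla.us.key;
    include /etc/nginx/ssl.conf;   # shared TLS settings

    # ... site-specific root/location configuration, elided in the original ...
}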
# nano /etc/nginx/conf.d/wordpress.conf
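# /etc/nginx/conf.d/wordpress.conf — wordpress.us and all its subdomains, HTTP and HTTPS.
server {
    # nginx expects `80` or `*:80`; the bare `:80` shown in the original listing is
    # not accepted and was most likely `*:80` with the asterisk lost in rendering.
    listen 80;
    listen 443 ssl;
    server_name wordpress.us *.wordpress.us;

    # Certificate from step 1. The wildcard names served here only validate if
    # the certificate carries a matching SAN (*.wordpress.us), not just a CN.
    ssl_certificate     /etc/nginx/ssl/wordpress.us.pem;
    ssl_certificate_key /etc/nginx/ssl/wordpress.us.key;
    include /etc/nginx/ssl.conf;   # shared TLS settings

    # ... site-specific root/location configuration, elided in the original ...
}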
# nano /etc/nginx/conf.d/kamaok.conf
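# /etc/nginx/conf.d/kamaok.conf — kamaok.us and all its subdomains, HTTP and HTTPS.
server {
    # nginx expects `80` or `*:80`; the bare `:80` shown in the original listing is
    # not accepted and was most likely `*:80` with the asterisk lost in rendering.
    listen 80;
    listen 443 ssl;
    server_name kamaok.us *.kamaok.us;

    # Certificate from step 1. The wildcard names served here only validate if
    # the certificate carries a matching SAN (*.kamaok.us), not just a CN.
    ssl_certificate     /etc/nginx/ssl/kamaok.us.pem;
    ssl_certificate_key /etc/nginx/ssl/kamaok.us.key;
    include /etc/nginx/ssl.conf;   # shared TLS settings

    # ... site-specific root/location configuration, elided in the original ...
}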
3. Проверка синтаксиса Nginx и перезагрузка его конфигурации (reload — без разрыва текущих соединений; при ошибке в конфигурации master-процесс продолжает работать со старой)
# Syntax-check the configuration; -c names the compiled-in default path explicitly
# (the output below shows it is /etc/nginx/nginx.conf).
nginx -t -c /etc/nginx/nginx.conf
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
Centos 7
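# CentOS 7 (systemd). Chain the syntax check so the reload is only sent when
# the configuration is valid and the error is shown on the terminal otherwise.
nginx -t && systemctl reload nginx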
Centos 6
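# CentOS 6 (SysV init), same guard as above; `/etc/init.d/nginx reload` is equivalent.
nginx -t && service nginx reload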
4.Если необходимо использовать принудительное перенаправление с http на https, тогда используем следующую конструкцию, например, для сайта joomla.us
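# Forced HTTP -> HTTPS for joomla.us. This pair replaces the combined 80/443
# block from joomla.conf; do not keep both, or the names are declared twice.
server {
    # nginx expects `80` or `*:80`; the bare `:80` shown in the original listing is
    # not accepted and was most likely `*:80` with the asterisk lost in rendering.
    listen 80;
    server_name joomla.us www.joomla.us;
    # $host is the client-supplied Host header; it is bounded here because this
    # block is only selected for the two names above and default.conf catches
    # everything else. 301 is cached by browsers — use 302 while still testing.
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name joomla.us www.joomla.us;
    # Fixed: the original pointed at the host's own certificate
    # (app01.kamaok.org.ua.pem), which does not match joomla.us; use the vhost's
    # certificate generated in step 1, consistent with the other vhosts.
    ssl_certificate     /etc/nginx/ssl/joomla.us.pem;
    ssl_certificate_key /etc/nginx/ssl/joomla.us.key;
    include /etc/nginx/ssl.conf;   # shared TLS settings
    # Once the redirect is verified, enable Strict-Transport-Security in ssl.conf.

    # ... site-specific root/location configuration, elided in the original ...
}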