Install nginx on Linux 7.6 and configure https using a certificate generated by Java 8 (beginners can understand!!!)


Generally speaking, there are three steps: 1. Install nginx, 2. Generate a certificate using Java, 3. Configure https using nginx

1. Installing nginx on Linux 7.6

Download nginx

Download address: the nginx official website

Upload to the server and unzip

tar -zxvf nginx-1.9.9.tar.gz
# Change the folder name to nginx
mv nginx-1.9.9 nginx

Compile and install using the nginx default configuration

Enter the nginx directory and run:

./configure
make
make install

Start nginx

After the above command is executed, enter the sbin directory of nginx and execute the following command to run nginx

./nginx

Enter the IP address of the server in the browser and check whether 'Welcome to nginx!' is shown. If it is, the startup was successful.
Now let's start configuring https with nginx

Check whether nginx has ssl module

In the sbin directory, execute the following command

./nginx -V

If --with-http_ssl_module does not appear after configure arguments:, there is no ssl module. Next, install the ssl module.

Install ssl module

Go back to the nginx root directory and execute the following command:

./configure --with-http_ssl_module

Then execute the following commands to recompile and install

make
make install

Then restart nginx

./sbin/nginx -s reload

Finally, check whether there is ssl module in the configuration

./sbin/nginx -V

If --with-http_ssl_module appears in the output, the ssl installation was successful


The following describes how to generate certificates using java 8

2. Generate certificate using java

cd to the bin directory of the JDK directory, find the keytool.exe tool, and run the following command in cmd from the bin directory:

keytool -genkey -v -alias XXX -keyalg RSA -keystore d:\XXX.keystore -validity 3650

Where XXX is the site domain name or IP, -keystore d:\XXX.keystore is the target path of the generated certificate, and 3650 is the number of days the certificate is valid.

Fill in the keystore password, then enter the name (site domain name), unit name, organization name, city name, province name, and country code (CN). After confirmation, a certificate file is generated at the path d:\XXX.keystore
If the following warning appears, execute the command it suggests:

Warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore d:\XXX.keystore -destkeystore d:\XXX.keystore -deststoretype pkcs12".

Check whether XXX.keystore has been generated on drive D. If it has, now use nginx to configure https

3. Configure https with nginx

Convert certificate to pem

Since the certificate generated above is in the format used by tomcat, it needs to be converted into the PEM format that nginx uses. Download the JKS2PFX conversion tool.
This converter is easy to find: search Baidu for 'JKS2PFX', download it and unzip it.
Enter the JKS2PFX directory and run:

JKS2PFX.bat d:\XXX.keystore feihaohan XXX XXX

Where XXX is the site domain name or IP address
Enter the export password. Three files will be generated in the root directory: XXX.crt, XXX.key, XXX.pfx
Rename XXX.crt to XXX.pem and upload it to Linux
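
The same conversion can be done with keytool and openssl alone, so the private key never passes through a downloaded third-party tool. This is an added example, not part of the original post; it assumes a machine with both the JDK and openssl, and the function names, file names and the P12_PASS variable are assumptions of the example.

```shell
#!/bin/sh
# Added example, not from the original post: JKS -> PKCS12 -> PEM with keytool
# and openssl only. File names and P12_PASS are assumptions of this example.

# Step 1 (needs the JDK's keytool): convert the JKS keystore to PKCS12.
# keytool prompts for the keystore passwords.
jks_to_p12() {
    keytool -importkeystore -srckeystore "$1" \
            -destkeystore "$2" -deststoretype pkcs12
}

# Step 2: split the PKCS12 file into <name>.pem (certificate) and <name>.key
# (unencrypted private key). The password is read from the P12_PASS
# environment variable so it does not show up in the process list.
# If OpenSSL 3.x rejects a Java 8 keystore as using an unsupported
# algorithm, add -legacy to both pkcs12 commands.
p12_to_pem() (
    p12=$1 outdir=$2 name=$3
    umask 077                       # key file readable by its owner only
    mkdir -p "$outdir" || exit 1
    openssl pkcs12 -in "$p12" -passin env:P12_PASS -nokeys -clcerts \
            -out "$outdir/$name.pem" || exit 1
    openssl pkcs12 -in "$p12" -passin env:P12_PASS -nocerts -nodes \
            -out "$outdir/$name.key" || exit 1
)

# Step 3: confirm the key belongs to the certificate before nginx loads them,
# by comparing the public key derived from each file.
pem_pair_matches() (
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || exit 1
    key_pub=$(openssl pkey -in "$2" -pubout) || exit 1
    [ "$cert_pub" = "$key_pub" ]
)
```

For the configuration below, the output directory would be /usr/local/nginx/key and the name XXX, for example `P12_PASS=... p12_to_pem XXX.p12 /usr/local/nginx/key XXX`.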

nginx configuring https

Go to the conf directory of nginx and replace the content of nginx.conf with the following

#user  nobody;
worker_processes  2;

error_log  logs/error.log;
error_log  logs/error.log  notice;
error_log  logs/error.log  info;

pid        logs/nginx.pid;


events {
    use epoll;
    worker_connections  1024;
}

worker_rlimit_nofile 65535;

http {
    include       mime.types;
    default_type  application/octet-stream;

    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  logs/access.log  main;

    server_tokens   off;

    sendfile        on;
    tcp_nopush     on;

    #keepalive_timeout  0;
    keepalive_timeout  65;
    underscores_in_headers on;

    #gzip  on;

    include /usr/local/nginx/conf.d/*.conf;
}

Then create a new directory /usr/local/nginx/conf.d, and create 443.conf and 80.conf in this directory

The contents of 443.conf file are as follows:

upstream my_443 {
	ip_hash;
	# load balancing 
	server  127.0.0.1:8600 weight=1;
#	server  127.0.0.1:8601 weight=1;
}

server {  
    listen 443;  
    server_name XXX; # Your domain name or IP address for which you have applied for the certificate
    client_max_body_size 64M;
    fastcgi_read_timeout 3600;
    error_page   500 502 503 504  /50x.html;
    root   /home/html/443/;
    try_files $uri $uri/ @rewrite;
    ssl on;  
    ssl_certificate /usr/local/nginx/key/XXX.pem; # Certificate pem file, according to the location of your certificate
    ssl_certificate_key /usr/local/nginx/key/XXX.key;   # Certificate key file, according to the location of your certificate
    ssl_session_timeout 5m;  
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Protocol configuration
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE; # Cipher suite configuration
    ssl_prefer_server_ciphers on;
    underscores_in_headers on;
    
    location / {
        proxy_pass http://my_443;

        add_header 'Access-Control-Allow-Origin' '$http_origin';
        add_header 'Access-Control-Allow-Credentials' 'true';
        add_header 'Access-Control-Allow-Methods' 'GET,PUT,POST,DELETE,OPTIONS';
        add_header 'Access-Control-Allow-Headers' 'Content-Type,*';

	    proxy_http_version 1.1; # Support websocket
	    proxy_set_header Upgrade $http_upgrade;
	    proxy_set_header Connection  "upgrade";
		
        proxy_set_header Host $host;
        proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header        Real-Source-IP  $http_real_source_ip;
        proxy_set_header        X-Real-IP $remote_addr;
        proxy_set_header        X-Forwarded-Proto $scheme;
    }
} 
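
A quick check of the 443.conf above for its security-relevant settings: the legacy TLS versions, the deprecated `ssl on;` form, and the CORS headers that echo any Origin while allowing credentials. This is an added example, not part of the original post; the function names and the embedded sample are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post: flag risky directives in an nginx
# server config such as 443.conf and print a suggested replacement for each.

# Constructed sample that repeats the relevant lines of the 443.conf above.
sample_443_conf() {
    cat <<'EOF'
server {
    listen 443;
    ssl on;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Protocol configuration
    location / {
        add_header 'Access-Control-Allow-Origin' '$http_origin';
        add_header 'Access-Control-Allow-Credentials' 'true';
    }
}
EOF
}

# Prints one "WEAK ..." line per finding; returns 1 if anything was found.
audit_nginx_conf() (
    # Drop comments so commented-out directives are not reported.
    body=$(sed 's/#.*$//' "$1") || exit 2
    found=0
    has() { printf '%s\n' "$body" | grep -Eq "$1"; }

    # TLS 1.0 and 1.1 are deprecated (RFC 8996); keep TLSv1.2 or newer only.
    if has 'ssl_protocols[^;]*TLSv1(\.1)?([[:space:]]|;)'; then
        echo 'WEAK ssl_protocols enables TLSv1/TLSv1.1 -> ssl_protocols TLSv1.2;'
        found=1
    fi
    # "ssl on" is deprecated since nginx 1.15.0; put the flag on listen instead.
    if has '^[[:space:]]*ssl[[:space:]]+on[[:space:]]*;'; then
        echo 'WEAK "ssl on;" -> listen 443 ssl;'
        found=1
    fi
    # Echoing the request Origin together with Allow-Credentials lets any
    # site read authenticated responses; send a fixed, trusted origin instead.
    if has 'Access-Control-Allow-Origin.*\$http_origin' &&
       has 'Access-Control-Allow-Credentials.*true'; then
        echo 'WEAK CORS reflects $http_origin with credentials -> allow-list the origin'
        found=1
    fi
    exit "$found"
)
```

Run it as `audit_nginx_conf /usr/local/nginx/conf.d/443.conf`; no output and exit status 0 mean none of the three settings was found.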

The contents of the 80.conf file are as follows:

server {
    listen       80;
    server_name  localhost;

    # File upload size configuration
    client_max_body_size 100M;

    #charset koi8-r;

    # access_log  logs/host.access.log  main;

    # location / {
    #     root   html;
    #     index  index.html index.htm;
    # }

    error_page  404              /404.html;
    # location = /404.html {
    #     root /usr/local/nginx/html;
    # }
    # redirect server error pages to the static page /50x.html
    #
    error_page   500 502 503 504  /50x.html;
    # location = /50x.html {
    #     root /usr/local/nginx/html;
    # }

    # location ~ .*\.(html|htm|gif|jpg|jpeg|bmp|png|ico|txt|js|css)$ {
    #     proxy_pass   http://my_up_stream;
    # }

    location / {
        root   /home/html/80;
        index  index.html index.htm;
    }
    
    # Automatically redirect http requests to https
#    return 301 https://$server_name$request_uri;
}

Create a new directory /home/html/80 in the root directory, and move the html files under the html directory of nginx to the new directory.
Finally, stop nginx and start it again

./nginx -s stop
./nginx

Check whether port 80 and port 443 have content in the browser.

That's all done. If this was helpful to you, please give it a like ~ thank you for reading

Added by evilgenius on Fri, 14 Jan 2022 03:30:54 +0200