Smoothly upgrading nginx to add SSL and serve the site over HTTPS




I. Adding a compiled-in module to an existing nginx


1. Re-run configure with the existing arguments


Run nginx -V to see the options the current nginx was compiled with:


[root@iZwz966hn1pkophvqb3obgZ nginx-1.4.4]# /usr/local/nginx/sbin/nginx -V
nginx version: nginx/1.4.4
built by gcc 4.4.7 20120313 (Red Hat 4.4.7-4) (GCC)
configure arguments: --prefix=/usr/local/nginx --with-http_realip_module --with-http_sub_module --with-http_gzip_static_module --with-http_stub_status_module --with-pcre


Then, in the source directory of the new nginx build, run:
./configure --prefix=/usr/local/nginx --with-http_realip_module --with-http_sub_module --with-http_gzip_static_module --with-http_stub_status_module --with-pcre --with-http_ssl_module




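2. Compile
make
Note: only compile. Do NOT run make install, otherwise this becomes an overwriting install.

Afterwards an objs directory is generated in the current directory; running the binary inside it shows the build arguments of the new nginx.

# ./objs/nginx -V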
nginx version: nginx/1.4.4
built by gcc 4.4.7 20120313 (Red Hat 4.4.7-17) (GCC)
TLS SNI support enabled
configure arguments: --prefix=/usr/local/nginx --with-http_realip_module --with-http_sub_module --with-http_gzip_static_module --with-http_stub_status_module --with-pcre --with-http_ssl_module



3. Back up and replace the old binary
Back up

# mv /usr/local/nginx/sbin/nginx /usr/local/nginx/sbin/nginx.bak


Replace
# cp ./objs/nginx /usr/local/nginx/sbin/nginx

Check

/usr/local/nginx/sbin/nginx -t
[root@iZwz966hn1pkophvqb3obgZ nginx-1.4.4]# /usr/local/nginx/sbin/nginx -V
nginx version: nginx/1.4.4
built by gcc 4.4.7 20120313 (Red Hat 4.4.7-17) (GCC)
TLS SNI support enabled
configure arguments: --prefix=/usr/local/nginx --with-http_realip_module --with-http_sub_module --with-http_gzip_static_module --with-http_stub_status_module --with-pcre --with-http_ssl_module
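A check to run between steps 2 and 3, as an added example that is not part of the original post: it compares the `configure arguments` line of the installed binary with that of the fresh `./objs/nginx` build and refuses the swap if any old option was dropped or `--with-http_ssl_module` is missing. The function names and the `BAD_V` sample are assumptions of this example; `OLD_V` and `NEW_V` reuse the configure lines shown above.

```shell
# Added example: compare `nginx -V` output of the installed binary and the
# fresh ./objs/nginx build before swapping them.

# Print the configure arguments found in `nginx -V` text, one per line.
extract_args() {
    printf '%s\n' "$1" | sed -n 's/^configure arguments: *//p' |
        tr -s ' ' '\n' | sed '/^$/d' | sort -u
}

# Print every argument of the old build ($1) that the new build ($2) lacks.
dropped_args() {
    new_args=$(extract_args "$2")
    extract_args "$1" | while IFS= read -r arg; do
        printf '%s\n' "$new_args" | grep -Fqx -e "$arg" || printf '%s\n' "$arg"
    done
}

# Return 0 only if the old build was parsed, nothing was dropped, and the
# required option ($3) is present in the new build.
safe_to_swap() {
    [ -n "$(extract_args "$1")" ] || return 2
    [ -z "$(dropped_args "$1" "$2")" ] || return 1
    extract_args "$2" | grep -Fqx -e "$3"
}

# Sample input: the two configure lines shown in the post, plus a constructed
# bad build that forgot several of the old options.
OLD_V='nginx version: nginx/1.4.4
configure arguments: --prefix=/usr/local/nginx --with-http_realip_module --with-http_sub_module --with-http_gzip_static_module --with-http_stub_status_module --with-pcre'
NEW_V="$OLD_V --with-http_ssl_module"
BAD_V='configure arguments: --prefix=/usr/local/nginx --with-http_sub_module --with-http_ssl_module'

# Real use: sh check.sh /usr/local/nginx/sbin/nginx ./objs/nginx
# (nginx -V writes to stderr, hence 2>&1).
if [ "$#" -eq 2 ]; then
    if safe_to_swap "$("$1" -V 2>&1)" "$("$2" -V 2>&1)" --with-http_ssl_module; then
        echo "OK: new build keeps all old options and adds SSL"
    else
        echo "STOP: keep the old binary; dropped options:"
        dropped_args "$("$1" -V 2>&1)" "$("$2" -V 2>&1)"
        exit 1
    fi
fi
```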



II. Setting up HTTPS

1. A sample server configuration

vim ssl.conf

server
{
    listen 443;
    server_name ceshi.guiren123.com;
    # "ssl on" works on nginx 1.4.4; newer releases use "listen 443 ssl;" instead
    ssl on;
    root /data/wordpress;
    index index.html index.htm index.php;
    # Certificate chain and private key; the key file should be readable by root only
    ssl_certificate   /usr/local/nginx/cert/ceshi_guiren123_com_ssl/214186100710218.pem;
    ssl_certificate_key  /usr/local/nginx/cert/ceshi_guiren123_com_ssl/214186100710218.key;
    ssl_session_timeout 5m;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
    # TLSv1 and TLSv1.1 are deprecated (RFC 8996); keep them only if legacy clients need them
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    # "xingcheng" is a log_format name that must be defined in the http block
    access_log /tmp/guiren123-access.log xingcheng;
    error_log /tmp/guiren123-error.log;


    # Hand PHP requests to PHP-FPM over a unix socket
    location ~ \.php$ {
        include fastcgi_params;
        fastcgi_pass unix:/tmp/php-fcgi.sock;
        #fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        access_log /tmp/wordpress_access.log xingcheng;
        fastcgi_param SCRIPT_FILENAME /data/wordpress$fastcgi_script_name;
    }
}


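Note: when configuring multiple SSL virtual hosts, this can be done by listening on multiple ports.

If the site cannot be reached, check iptables and the security group.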

