1. openssl版本升级
#tar-xvf openssl-3.0.2.tar.gz#cdopenssl-3.0.2.tar.gz
#./config # 有指定路径的加--prefix=
# 编译完成后有提示If you arenew to OpenSSL, you might want to consult the'Troubleshooting',#make& make install
# 这个时候输入 openssl version 提示error:errorwhile loading shared libraries: libssl.so.1.1: cannot open shared object file: No such fileor directory
# 修改软连接#ln-s/usr/local/lib64/libssl.so.1.1/usr/lib64/#ln-s/usr/local/lib64/libcrypto.so.1.1/usr/lib64/#opensslversion 显示正常
2. nginx重编译
#cdnginx-1.20.2
#./configure--with-http_ssl_module--with-openssl=/data/openssl-3.0.2/ #这里我写的路径是安装包路径,也可以指定默认的安装路径#make& make install#mv/usr/local/nginx/sbin/nginx/usr/local/nginx/sbin/nginx.bakup #备份一下#cpnginx1.21.1/objs/nginx/usr/local/nginx/sbin/nginx #把新编译安装的给拷贝过去
#/usr/local/nginx/sbin/./nginx-V 再看一下
# 普通用户启动443端口会报错,可执行:#setcapcap_net_bind_service=+eip./nginx #颜色会变为红色
3. ssl自定义证书
# 生成key:#mkdir/usr/local/openssl#cd/usr/local/openssl#opensslgenrsa-des3-out nginx.key1024
# 自定义key密码。nginx使用重启时,会要求输入该密码,这里做个删除处理:#mvnginx.key nginx_bak.key #改一下名称#opensslrsa-in nginx_bak.key-out nginx.key
# 根据key生产证书请求文件:#opensslreq-new-key nginx.key-out nginx.csr #会要求填写一些所在城市姓名等内容:#CountryName(2 letter code)[AU]:cn
Stateor ProvinceName(full name)[Some-State]:guangdong
LocalityName(eg, city)[]:guangzhou
OrganizationName(eg, company)[Internet Widgits Pty Ltd]:codsway
Organizational UnitName(eg, section)[]:operation
CommonName(eg, YOUR name)[]:appuser
Email Address[]:1111@163.com
# 生成crt证书:#opensslx509-req-days3650-in nginx.csr-signkey nginx.key-out nginx.crt
4. https配置
server{
listen443 ssl; #前端访问地址443
server_name localhost;
ssl_certificate/usr/local/openssl/nginx.crt;
ssl_certificate_key/usr/local/openssl/nginx.key;
ssl_session_cache shared:SSL:1m;
ssl_session_timeout5m;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
#用作前端8082地址代理转发为443
location/{
proxy_pass http:}}
