Installing a self-issued SSL certificate on CentOS 6 + Nginx
7 September 2014
When managing databases with phpMyAdmin we need an SSL connection to protect our data. phpMyAdmin is used by only a handful of administrators, so there is no need to buy a certificate from a certification authority; generating one ourselves is enough.
Generating the certificate and key
$ cd /etc/pki/tls/certs/
$ sudo make phpmyadmin.crt
[sudo] password for user01:
umask 77 ; \
/usr/bin/openssl genrsa -aes128 2048 > phpmyadmin.key
Generating RSA private key, 2048 bit long modulus
........................................................................................+++
.....+++
e is 65537 (0x10001)
Enter pass phrase:
Verifying - Enter pass phrase:
umask 77 ; \
/usr/bin/openssl req -utf8 -new -key phpmyadmin.key -x509 -days 365 -out phpmyadmin.crt -set_serial 0
Enter pass phrase for phpmyadmin.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:ShangHai
Locality Name (eg, city) [Default City]:ShangHai
Organization Name (eg, company) [Default Company Ltd]:Qiai IS Corp.
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:
Email Address []:sai@qiais.com
$ ls
This command generates phpmyadmin.crt and phpmyadmin.key under /etc/pki/tls/certs.
In this step the prompt
Enter pass phrase:
asks you to set a passphrase for the certificate key. Remember it, because it is needed below.
Move phpmyadmin.key to /etc/pki/tls/private/
$ sudo mv phpmyadmin.key /etc/pki/tls/private/

Configuring nginx

server {
    listen 443 ssl;
    server_name localhost;
    client_max_body_size 8M;

    ssl_certificate /etc/pki/tls/certs/phpmyadmin.crt;
    ssl_certificate_key /etc/pki/tls/private/phpmyadmin.key;
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 5m;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;

    location / {
        root /home/sai/public_html/phpmyadmin;
        index index.php;
    }

    location ~ \.php$ {
        # both root directives must point at the same phpMyAdmin directory
        root /home/user01/public_html;
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}
server_name localhost; replace localhost here with your own domain, for example phpmyadmin.example.com
root /home/user01/public_html; is the phpMyAdmin directory
listen 443 ssl; listens on the SSL port 443; do not forget to open port 443 in iptables as well
Restart nginx; it will ask for the passphrase that was set when the certificate was generated.
$ sudo /etc/rc.d/init.d/nginx restart
Enter PEM pass phrase:
Stopping nginx:                                            [  OK  ]
Starting nginx: Enter PEM pass phrase:
                                                           [  OK  ]
$ cd /etc/pk
Having to type the SSL certificate passphrase every time nginx starts is annoying, so we strip the passphrase from the key; after that a restart no longer asks for it, and the key is then protected only by the file permissions on /etc/pki/tls/private/.
$ cd /etc/pki/tls/private/
$ ls
phpmyadmin.key
$ sudo cp phpmyadmin.key phpmyadmin.key.bak
$ sudo openssl rsa -in phpmyadmin.key -out phpmyadmin.key
Enter pass phrase for phpmyadmin.key:
writing RSA key
$
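The whole procedure above, as an added example that is not part of the original post: it generates the key and self-signed certificate in one step without a passphrase (the end state the post reaches after the openssl rsa rewrite), fills in the Common Name and a subjectAltName that the post left blank, and then checks that key and certificate belong together and that the key file is readable only by its owner. HOST, WORKDIR and the temp directory standing in for /etc/pki/tls are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. HOST and WORKDIR are assumptions;
# a temporary directory stands in for /etc/pki/tls/{certs,private}.
set -e

HOST="${HOST:-phpmyadmin.example.com}"   # hostname from the post's server_name note
WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Generate a 2048-bit RSA key and a one-year self-signed certificate in one
# step. -nodes writes the key without a passphrase, so nginx starts unattended.
# The DN mirrors the post's answers but also sets CN and a SAN for the host.
gen_selfsigned() {
    cat > "$WORKDIR/san.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_req
prompt = no
[dn]
C = CN
ST = ShangHai
L = ShangHai
O = Qiai IS Corp.
CN = $HOST
[v3_req]
subjectAltName = DNS:$HOST
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -config "$WORKDIR/san.cnf" \
        -keyout "$WORKDIR/phpmyadmin.key" -out "$WORKDIR/phpmyadmin.crt" 2>/dev/null
    chmod 600 "$WORKDIR/phpmyadmin.key"   # passphrase is gone; permissions are the only guard
}

# The certificate's RSA modulus must equal the key's, otherwise nginx rejects the pair.
key_matches_cert() {
    c=$(openssl x509 -noout -modulus -in "$WORKDIR/phpmyadmin.crt")
    k=$(openssl rsa  -noout -modulus -in "$WORKDIR/phpmyadmin.key")
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# A passphrase-less key must not be group- or world-readable.
key_is_private() {
    [ "$(stat -c %a "$WORKDIR/phpmyadmin.key")" = "600" ]
}

# The certificate names the host it will be served for.
cert_has_san() {
    openssl x509 -noout -text -in "$WORKDIR/phpmyadmin.crt" | grep -q "DNS:$HOST"
}
```

Run gen_selfsigned once, then point ssl_certificate and ssl_certificate_key at the two files; the browser still warns because the issuer is not trusted, but no longer because the name does not match.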
Visit our site over https and you will see the screen below. Ignore the strikethrough and the cross on the https indicator: this is an SSL certificate we issued ourselves.