1. 安装 nginx
1.1 nginx 包及其依赖包下载
出于模块的依赖性,Nginx 依赖以下三个包:- gzip 模块需要 zlib 库(http://www.zlib.net/);
- rewrite 模块需要 pcre 库(http://www.pcre.org/);
- ssl 功能需要 openssl 库(http://www.openssl.org/);
依赖包安装次序为:openssl、zlib、pcre,最后安装 Nginx 包。
1.2 nginx 包及其依赖包安装
1.2.1 安装 openssl
$ tar -zxvf openssl-fips-2.0.9.tar.gz$ cd openssl-fips-2.0.9
$ ./config
$ make
$ sudo make install
1.2.2 安装 zlib
$ tar -zxvf zlib-1.2.8.tar.gz$ cd zlib-1.2.8
$ ./configure
$ make
$ sudo make install
1.2.3 安装 pcre
$ tar -zxvf pcre-8.36.tar.gz$ cd pcre-8.36
$ ./configure
$ make
$ sudo make install
1.2.4 安装 nginx
$ tar -zxvf nginx-1.7.10.tar.gz$ cd nginx-1.7.10
$ ./configure --with-pcre=../pcre-8.36 --with-zlib=../zlib-1.2.8 --with-openssl=../openssl-fips-2.0.9
$ make
$ sudo make install
nginx 被默认安装在 /usr/local/nginx 目录。
1.3 验证 Nginx 是否安装成功
$ sudo /usr/local/nginx/sbin/nginx -tnginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
证明 Nginx 安装成功。
2. SSL 服务器 / 客户端双向验证证书的生成
2.1 创建一个新的 CA 根证书
在 nginx 安装目录下新建 ca 文件夹,进入 ca,创建几个子文件夹:$ sudo mkdir ca
$ cd ca
$ sudo mkdir newcerts private conf server
newcerts 子目录将用于存放 CA 签署过的数字证书(证书备份目录);private 用于存放 CA 的私钥;conf 目录用于存放一些简化参数用的配置文件;server 存放服务器证书文件。
2.1.1 conf 目录新建 openssl.conf 文件
编辑其内容如下:[ ca ]
default_ca = foo # The default ca section
[ foo ]
dir = /usr/local/nginx/ca # top dir
database = /usr/local/nginx/ca/index.txt # index file.
new_certs_dir = /usr/local/nginx/ca/newcerts # new certs dir
certificate = /usr/local/nginx/ca/private/ca.crt # The CA cert
serial = /usr/local/nginx/ca/serial # serial no file
private_key = /usr/local/nginx/ca/private/ca.key # CA private key
RANDFILE = /usr/local/nginx/ca/private/.rand # random number file
default_days = 365 # how long to certify for
default_crl_days= 30 # how long before next CRL
default_md = md5 # message digest method to use
unique_subject = no # Set to 'no' to allow creation of
# several ctificates with same subject.
policy = policy_any # default policy
[ policy_any ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = match
localityName = optional
commonName = supplied
emailAddress = optional
2.1.2 生成私钥 key 文件
$ cd /usr/local/nginx/ca$ sudo openssl genrsa -out private/ca.key
输出
Generating RSA private key, 512 bit long modulus
..++++++++++++
.++++++++++++
e is 65537 (0x10001)
private 目录下有 ca.key 文件生成。
博主 20150520 加注:openssl 默认生成 512 位的。一般是用 2048 位的。