The other day I installed nginx on CentOS 7.
This time, as an experiment, I will create a local (self-signed) certificate and configure SSL (https).
Configuring HTTPS servers
http://nginx.org/en/docs/http/configuring_https_servers.html#single_http_https_server
- Create the private key
- Create the CSR
- Issue the certificate
- Edit the nginx configuration file
- Reload nginx
- Configure firewalld
```
# mkdir /etc/nginx/ssl
# cd /etc/nginx/ssl
# openssl genrsa -out rootlinks.key 2048
Generating RSA private key, 2048 bit long modulus
........+++
..............+++
e is 65537 (0x10001)
```
```
# openssl req -new -key rootlinks.key -out rootlinks.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:JP
State or Province Name (full name) []:Tokyo
Locality Name (eg, city) [Default City]:Chiyoda
Organization Name (eg, company) [Default Company Ltd]:RootLinks
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:www2.rootlinks.net
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
```
```
# openssl x509 -req -in rootlinks.csr -signkey rootlinks.key -out rootlinks.crt -days 365
Signature ok
subject=/C=JP/ST=Tokyo/L=Chiyoda/O=RootLinks/CN=www2.rootlinks.net
Getting Private key
# ls -l
total 12
-rw-r--r--. 1 root root 1184 Sep 21 15:34 rootlinks.crt
-rw-r--r--. 1 root root  993 Sep 21 15:24 rootlinks.csr
-rw-r--r--. 1 root root 1675 Sep 21 15:18 rootlinks.key
```
Edit the default site configuration file, /etc/nginx/conf.d/default.conf.
```
# vi /etc/nginx/conf.d/default.conf
# cat /etc/nginx/conf.d/default.conf
server {
    listen       80;
    listen       443 ssl;
    ssl_certificate     /etc/nginx/ssl/rootlinks.crt;
    ssl_certificate_key /etc/nginx/ssl/rootlinks.key;
    server_name  localhost;
    (snip)
```
```
# systemctl reload nginx
```
```
# firewall-cmd --permanent --add-service=https
success
# firewall-cmd --reload
success
# firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: ens33
  sources:
  services: ssh dhcpv6-client http https
  ports:
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
```
The site can now be reached over both http and https.
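As an added example (not part of the original post), the script below reproduces the key, CSR and self-signed certificate steps non-interactively and then verifies the result. It goes a little beyond the post: it adds a subjectAltName, since browsers no longer accept a hostname given only in the CN, and it checks that the certificate really belongs to the key before nginx is pointed at them. The DN values and the hostname www2.rootlinks.net are taken from the post; the output directory and the `san.cnf` file name are this example's own choices.

```shell
#!/bin/sh
# Example script (not from the original post). Builds key -> CSR -> self-signed
# certificate in $1 for host $2 the way the post does, but non-interactively via
# an OpenSSL config file and with a SAN extension, then checks the artifacts.
set -eu

make_selfsigned() {
    dir=$1; host=$2
    mkdir -p "$dir"
    # san.cnf: DN values from the post plus a subjectAltName section (our addition)
    cat > "$dir/san.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
C = JP
ST = Tokyo
L = Chiyoda
O = RootLinks
CN = $host
[v3_san]
subjectAltName = DNS:$host
EOF
    openssl genrsa -out "$dir/$host.key" 2048 2>/dev/null
    openssl req -new -key "$dir/$host.key" -out "$dir/$host.csr" -config "$dir/san.cnf"
    openssl x509 -req -in "$dir/$host.csr" -signkey "$dir/$host.key" \
        -out "$dir/$host.crt" -days 365 -extfile "$dir/san.cnf" -extensions v3_san 2>/dev/null
    # The post's ls shows the key as 644; a private key should not be world-readable.
    chmod 600 "$dir/$host.key"
}

# Prints "match" if certificate $1 carries the public key of private key $2,
# "mismatch" otherwise (compares digests of the two public keys).
key_matches_cert() {
    c=$(openssl x509 -in "$1" -noout -pubkey | openssl md5)
    k=$(openssl rsa -in "$2" -pubout 2>/dev/null | openssl md5)
    [ "$c" = "$k" ] && echo match || echo mismatch
}

# Prints the subjectAltName entries of certificate $1 (empty if it has none).
cert_sans() {
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n 1 | tr -d ' '
}
```

Run `make_selfsigned /etc/nginx/ssl www2.rootlinks.net` and then `key_matches_cert` on the two files before the `systemctl reload nginx` step; a mismatch there is what otherwise surfaces as an nginx startup error.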