1、Winodw安装openssl工具(生成SSL证书用的)免编译版本下载:

http://slproweb.com/products/Win32OpenSSL.html

注意:如果openssl在使用过程中报无法读取conf文件,重启下电脑就好了

Cmd里面的全部命令:

C:\OpenSSL-Win64>cd bin

C:\OpenSSL-Win64\bin>openssl genrsa -des3 -out ssd.key 1024

Generating RSA private key, 1024 bit long modulus

....++++++

........++++++

e is 65537 (0x10001)

Enter pass phrase for ssd.key:    ---123456

Verifying - Enter pass phrase for ssd.key:  ---123456

C:\OpenSSL-Win64\bin>openssl req -new -key ssd.key -out ssd.csr

Enter pass phrase for ssd.key:   ---123456

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [AU]:cn

State or Province Name (full name) [Some-State]:guangdong

Locality Name (eg, city) []:zhuhai

Organization Name (eg, company) [Internet Widgits Pty Ltd]:ssd

Organizational Unit Name (eg, section) []:ssd

Common Name (e.g. server FQDN or YOUR name) []:yuange

Email Address []:1871707128@qq.com

Please enter the following 'extra' attributes

to be sent with your certificate request

A challenge password []:123456

An optional company name []:ssd

C:\OpenSSL-Win64\bin>openssl x509 -req -days 36500 -shal -extensions v3_ca -sign

key ssd.key -in ssd.csr -out ssd.crt

unknown option -shal             ----这里面错的原因是:sha1不是shal

usage: x509 args

-inform arg     - input format - default PEM (one of DER, NET or PEM)

-outform arg    - output format - default PEM (one of DER, NET or PEM)

-keyform arg    - private key format - default PEM

-CAform arg     - CA format - default PEM

-CAkeyform arg  - CA key format - default PEM

-in arg         - input file - default stdin

-out arg        - output file - default stdout

-passin arg     - private key password source

-serial         - print serial number value

-subject_hash   - print subject hash value

-subject_hash_old   - print old-style (MD5) subject hash value

-issuer_hash    - print issuer hash value

-issuer_hash_old    - print old-style (MD5) issuer hash value

-hash           - synonym for -subject_hash

-subject        - print subject DN

-issuer         - print issuer DN

-email          - print email address(es)

-startdate      - notBefore field

-enddate        - notAfter field

-purpose        - print out certificate purposes

-dates          - both Before and After dates

-modulus        - print the RSA key modulus

-pubkey         - output the public key

-fingerprint    - print the certificate fingerprint

-alias          - output certificate alias

-noout          - no certificate output

-ocspid         - print OCSP hash values for the subject name and public key

-ocsp_uri       - print OCSP Responder URL(s)

-trustout       - output a "trusted" certificate

-clrtrust       - clear all trusted purposes

-clrreject      - clear all rejected purposes

-addtrust arg   - trust certificate for a given purpose

-addreject arg  - reject certificate for a given purpose

-setalias arg   - set certificate alias

-days arg       - How long till expiry of a signed certificate - def 30 days

-checkend arg   - check whether the cert expires in the next arg seconds

exit 1 if so, 0 if not

-signkey arg    - self sign cert with arg

-x509toreq      - output a certification request object

-req            - input is a certificate request, sign and output.

-CA arg         - set the CA certificate, must be PEM format.

-CAkey arg      - set the CA key, must be PEM format

missing, it is assumed to be in the CA file.

-CAcreateserial - create serial number file if it does not exist

-CAserial arg   - serial file

-set_serial     - serial number to use

-text           - print the certificate in text form

-C              - print out C code forms

-md2/-md5/-sha1/-mdc2 - digest to use

-extfile        - configuration file with X509V3 extensions to add

-extensions     - section from config file with X509V3 extensions to add

-clrext         - delete extensions before signing and input certificate

-nameopt arg    - various certificate name options

-engine e       - use engine e, possibly a hardware device.

-certopt arg    - various certificate text options

-checkhost host - check certificate matches "host"

-checkemail email - check certificate matches "email"

-checkip ipaddr - check certificate matches "ipaddr"

C:\OpenSSL-Win64\bin>openssl x509 -req -days 36500  -extensions v3_ca -signkey s

sd.key -in ssd.csr -out ssd.crt

Signature ok

subject=/C=cn/ST=guangdong/L=zhuhai/O=ssd/OU=ssd/CN=yuange/emailAddress=18717071

28@qq.com

Getting Private key      --123456

Enter pass phrase for ssd.key:    --123456

C:\OpenSSL-Win64\bin>openssl genrsa -des3 -out server.key 2048

Generating RSA private key, 2048 bit long modulus

.........................................+++

...+++

e is 65537 (0x10001)

Enter pass phrase for server.key:  ---123456

Verifying - Enter pass phrase for server.key:  ---123456

C:\OpenSSL-Win64\bin>openssl req -new -key server.key -out server.csr

Enter pass phrase for server.key:   ---123456

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [AU]:cn

State or Province Name (full name) [Some-State]:guangdong

Locality Name (eg, city) []:zhuhai

Organization Name (eg, company) [Internet Widgits Pty Ltd]:ssd

Organizational Unit Name (eg, section) []:ssd

Common Name (e.g. server FQDN or YOUR name) []:yuange

Email Address []:1871707128@qq.com

Please enter the following 'extra' attributes

to be sent with your certificate request

A challenge password []:123456

An optional company name []:ssd

C:\OpenSSL-Win64\bin>openssl x509 -req -days 36500 -md5 -extensions v3_req -CA s

sd.crt -CAkey ssd.key -CAcreateserial -in server.csr -out server.crt

Signature ok

subject=/C=cn/ST=guangdong/L=zhuhai/O=ssd/OU=ssd/CN=yuange/emailAddress=18717071

28@qq.com

Getting CA Private Key   ---123456

Enter pass phrase for ssd.key:  ---123456

以上的密码全部都是123456

注意:以上生成的证书保存在openssl/bin目录下,然后把生成的证书拷贝到nginx/conf的目录下,在这里面我只拷贝了server.crt  、server.key

2、什么都配置好后发现:

Nginx -t 编译成功,但是运行的时候就自动关闭了,查看日志的时候报错了:

查了好久,终于知道了原因:

Windows下的nginx配置ssl的key是不能存储密码的,否则就会报这个错

解决办法:

在cmd中cd 到openssl/bin的目录下,输入:

Openssl rsa -in  C:\OpenSSL-Win64\bin\server.key  -out c:/server.key.unsecure

输入server.key当初设置的密码,这里面是123456

然后在C根目录下可以看到:成功

把server.key.unsecure替换在nginx.conf文件中的server.key内容  即可

3、配置nginx.conf

 #使用的用户和组,window下不指定

 #user nobody;

 #指定工作衍生进程数(一般等于CPU总和数或总和数的两倍,例如两个四核CPU,则总和数为8)

 worker_processes 3;

 #指定错误日志文件存放路径,错误日志级别可选项为【debug|info|notice|warn|error|crit】

 #error_log logs/error.log;

 #error_log logs/error.log notice;

 error_log logs/error.log info;

 #指定pid存放路径

 #pid logs/nginx.pid; 

 #工作模式及连接数上限

 events {

 #使用网络I/O模型,Linux系统推荐使用epoll模型,FreeBSD系统推荐使用kqueue;window下不指定

 #use epoll;

 #允许的连接数

 worker_connections 1024;

 } 

 #设定http服务器,利用他的反向代理功能提供负载均衡支持

 http {

 #设定mime类型

 include mime.types;

 default_type application/octet-stream;

 #设定日志格式

 #log_format main '$remote_addr - $remote_user [$time_local] "$request" '

 # '$status $body_bytes_sent "$http_referer" '

 # '"$http_user_agent" "$http_x_forwarded_for"'; 

 #设定请求缓冲

 client_header_buffer_size 1k;

 large_client_header_buffers 4 4k; 

 #设定access log

 #access_log logs/access.log main;

 client_header_timeout 3m;

 client_body_timeout 3m;

 send_timeout 3m; 

 sendfile on;

 tcp_nopush on;

 tcp_nodelay on;

 #keepalive_timeout 0;

 keepalive_timeout 65; 

 #开启gzip模块

 gzip on;

 gzip_min_length 1100;

 gzip_buffers 4 8k;

 gzip_types text/plain application/x-javascript text/css application/xml; 

 output_buffers 1 32k;

 postpone_output 1460; 

 server_names_hash_bucket_size 128;

 client_max_body_size 8m; 

 fastcgi_connect_timeout 300;

 fastcgi_send_timeout 300;

 fastcgi_read_timeout 300;

 fastcgi_buffer_size 64k;

 fastcgi_buffers 4 64k;

 fastcgi_busy_buffers_size 128k;

 fastcgi_temp_file_write_size 128k;

 gzip_http_version 1.1;

 gzip_comp_level 2;

 gzip_vary on; 

 #设定负载均衡的服务器列表

 upstream url{

 #根据ip计算将请求分配各那个后端tomcat,可以解决session问题

 #ip_hash;

 #同一机器在多网情况下,路由切换,ip可能不同

 #weigth参数表示权值,权值越高被分配到的几率越大

 #server localhost:8080 weight=1;

 #server 10.152.252.160:8443 weight=2;

 #server 10.152.252.162:8443 weight=20;

 server 10.152.252.160:8443 max_fails=2 fail_timeout=600s;

 server 10.152.252.162:8443 max_fails=2 fail_timeout=600s;

 } 

 #设定虚拟主机

 server {

 listen 8080;

 #server_name 10.152.252.160; 

 #proxy_pass https://url;

 rewrite ^(.*)$ https://$host:8443$1 permanent;

 #charset koi8-r;

 charset UTF-8;

 #设定本虚拟主机的访问日志

 #access_log logs/host.access.log main;

 #error_page 404 /404.html; 

 # redirect server error pages to the static page /50x.html

 #

 error_page 500 502 503 504 /50x.html;

 location = /50x.html {

 root html;

 }

 }

 # HTTPS server

 server {

  listen 443;

  listen 8444;

  server_name 10.152.252.160; 

  ssl on;

  ssl_certificate server.crt;

  ssl_certificate_key server.key.unsecure; 

  ssl_session_timeout 5m; 

  ssl_protocols SSLv2 SSLv3 TLSv1;

  ssl_ciphers HIGH:!aNULL:!MD5;

  ssl_prefer_server_ciphers on; 

  location / {

  root html;

  index index.html index.htm;

  proxy_redirect off;

  #保留用户真实信息

  proxy_set_header Host $host;

  proxy_set_header X-Real-IP $remote_addr;

  proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

  proxy_next_upstream error timeout invalid_header http_500 http_503 http_404;

  proxy_max_temp_file_size 128m; 

  proxy_pass https://url;

  }

 }

 }

nginx 配置https 负载均衡的更多相关文章

  1. office web apps安装部署,配置https,负载均衡(七)配置过程中遇到的问题详细解答

    该篇文章,是这个系列文章的最后一篇文章,该篇文章将详细解答owa在安装过程中常见的问题. 如果您没有搭建好office web apps,您可以查看前面的一系列文章,查看具体步骤: office we ...

  2. office web apps安装部署,配置https,负载均衡(六)配置负载均衡

    owa可以采用任何的负载均衡方案,我们这里采用阿里云提供的负载均衡解决方案 前提条件,你已经配置了一台域控制器,两台域服务器[即安装了owa相关软件,并将计算机隶属于域]: 如果您不清楚怎么做,那么请 ...

  3. office web apps安装部署,配置https,负载均衡(五)配置服务器场

    前提条件:您已经完成了域控制器的配置,拥有域账号,并且已经安装了OWA启动所需要的必要软件: 具体步骤可以参考: office web apps安装部署,配置https,负载均衡(一)背景介绍 off ...

  4. office web apps安装部署,配置https,负载均衡(四)安装office web apps相关软件

    前提条件: 1.一台windows server 2008R2服务器,并且已经配置了域: 服务器连接域控制器的相关文档,请查看上一篇文章: office web apps安装部署,配置https,负载 ...

  5. office web apps安装部署,配置https,负载均衡(三)服务器连接域控制器

    前提条件:1>一台window server 2008R2 服务器 2>您已经在同一内网的另外一台服务器上安装好了域控制器文档请看我写的另外一篇文章: office web apps安装部 ...

  6. 使用nginx+docker配置https负载均衡

    了解Docker Docker是一个golang编写的开源轻量级的.可移植的.自给自足的容器,Docker主要应用在以下场景: web应用的自动化打包和发布: 自动化测试和持续集成.发布: 在服务型环 ...

  7. Nginx配置之负载均衡、限流、缓存、黑名单和灰度发布

    一.Nginx安装(基于CentOS 6.5) 1.yum命令安装 yum install nginx –y(若不能安装,执行命令yum install epel-release) 2. 启动.停止和 ...

  8. Nginx配置及负载均衡

    转载:http://www.cnblogs.com/jingmoxukong/p/5945200.html nginx简易教程   目录 Nginx  概述  安装与使用  nginx 配置实战  参 ...

  9. nginx配置优化+负载均衡+动静分离详解

    nginx配置如下: #指定nginx进程运行用户以及用户组user www www;#nginx要开启的进程数为8worker_processes 8;#全局错误日志文件#debug输出日志最为详细 ...

随机推荐

  1. 使用WebGL加载Google街景图

    我们要实现的功能比较简单:首先通过坐标定位.我的位置.地址搜索等方式,调用google map api获取地址信息.然后根据地址信息中的全景信息获取当前缩放级别的全景信息.最终把这些全景信息通过Web ...

  2. 每天一道Java题[2]

    问题 可以直接根据hashCode()方法产生的值判断两个对象是否相等吗? 解答 不能!根据Wikipedia(https://en.wikipedia.org/wiki/Java_hashCode( ...

  3. C# 中直接调用js方法

    请注意,我这段代码中实现js方法中有 funcName(argument) 这种一个入参的调用. using System; namespace game2_36.Common { public cl ...

  4. Win下安装MySQL 5.6

    最近身边有人要win下安装mysql 去学习数据库,问我如何安装MySQL,其实win 下安装要比Linux简单的多,直接运行安装包下一步安装即可. 1.首先我们运行mysql-installer-c ...

  5. Mac OS 安装 Git 环境

    1. 在mac的终端上,输入git会提示安装git软件,确认安装.安装完成后打开终端,使用git --version或者which git命令查看安装版本,有就是安装成功了. 2. 创建一个全局用户名 ...

  6. h5分享页面打开APP

    项目中 直播app分享出来的直播h5页面 点击进入按钮:已下载app 就进入app,未下载跳转到下载页面 判断是安卓还是ios var u = navigator.userAgent; var isA ...

  7. JS代码整洁随笔

    // 之前都是这么写:使用undefined和null来检测一个属性是否存在 if (obj['name'] !== undefined) { console.log('name属性存在'); // ...

  8. 【试验局】ReentrantLock中非公平锁与公平锁的性能测试

    硬件环境: CPU:AMD Phenom(tm) II X4 955 Processor Memory:8G SSD(128G):/ HDD(1T):/home/ 软件环境: OS:Ubuntu14. ...

  9. 详解Linux进程(作业)的查看和杀死

    目录: 引入进程 进程 线程 PS命令 TOP命令 其他查看进程命令 进程的优先级 作业控制机制 kill命令 一.引入进程 1.内存划分为:用户空间和内核空间 1.在用户空间里运行的进程,就是用户进 ...

  10. 使用 zabbix 自动发现监控 MySQL

    介绍 使用 zabbix 的 low-level 自动发现功能完成单主机多端口的监控, 详见low_level_discovery, 整体上监控类似 percona 的 zabbix 监控插件, 不过 ...