编译安装nginx，实现多域名 https

一、编译安装nginx

1.1 获取源码包

[root@cetnos7 ~]#wget -O /usr/local/src/nginx-1.18.0.tar.gz http://nginx.org/download/nginx-1.18.0.tar.gz
[root@cetnos7 ~]#cd /usr/local/src/
[root@cetnos7 src]#tar xvf nginx-1.18.0.tar.gz

1.2 准备工作

[root@cetnos7 ~]#yum -y install gcc pcre-devel openssl-devel zlib-devel
[root@cetnos7 ~]#useradd -s /sbin/nologin nginx

1.3 进行编译

[root@cetnos7 ~]#cd nginx-1.18.0
[root@cetnos7 nginx-1.18.0]#./configure --prefix=/apps/nginx \
 --user=nginx \
 --group=nginx \
 --with-http_ssl_module \
 --with-http_v2_module \
 --with-http_realip_module \
 --with-http_stub_status_module \
 --with-http_gzip_static_module \
 --with-pcre \
 --with-stream \
 --with-stream_ssl_module \
 --with-stream_realip_module
[root@cetnos7 nginx-1.18.0]#make -j 4 && make install
[root@cetnos7 nginx-1.18.0]#chown -R nginx.nginx /apps/nginx
[root@cetnos7 nginx-1.18.0]#ll /apps/nginx/
total 0
drwxr-xr-x 2 nginx nginx 333 Nov 28 13:37 conf
drwxr-xr-x 2 nginx nginx  40 Nov 28 13:37 html
drwxr-xr-x 2 nginx nginx   6 Nov 28 13:37 logs
drwxr-xr-x 2 nginx nginx  19 Nov 28 13:37 sbin

1.4 创建server文件

[root@centos7 ~]#vim /usr/lib/systemd/system/nginx.service
[Unit]
Description=nginx - high performance web server
Documentation=http://nginx.org/en/docs/
After=network-online.target remote-fs.target nss-lookup.target
Wants=network-online.target

[Service]
Type=forking
PIDFile=/apps/nginx/run/nginx.pid
ExecStart=/apps/nginx/sbin/nginx -c /apps/nginx/conf/nginx.conf
ExecReload=/bin/kill -s HUP $MAINPID
ExecStop=/bin/kill -s TERM $MAINPID

[Install]
WantedBy=multi-user.target

[root@centos7 ~]#mkdir /apps/nginx/run/    #创建pid目录
[root@centos7 ~]#vim /apps/nginx/conf/nginx.conf
pid /apps/nginx/run/nginx.pid;

1.5 启动nginx

[root@cetnos7 ~]# ln -s /apps/nginx/sbin/nginx /usr/sbin/
[root@cetnos7 ~]#nginx -v
nginx version: nginx/1.18.0
[root@cetnos7 ~]#systemctl enable --now nginx
[root@cetnos7 ~]#ll /apps/nginx/run/
total 4
-rw-r--r-- 1 root root 5 Nov 28 13:57 nginx.pid

二、实现多域名

2.1 声明子配置文件

[root@cetnos7 ~]#vim /apps/nginx/conf/nginx.conf
http {
  include         /apps/nginx/conf.d/*.conf;  #在http语句块添加此行
}
[root@cetnos7 ~]#mkdir /apps/nginx/conf.d -v
[root@cetnos7 ~]#touch /apps/nginx/conf.d/test{1..3}.conf #创建子配置文件

2.2 子配置文件配置

[root@cetnos7 ~]#cd /apps/nginx/conf.d
[root@cetnos7 ~]#cat test1.conf
server  {
    listen          80;
    server_name     www.pc.test1.org;
    location / {
        root        /data/nginx/html/test1;
        index	    index.html;
    }
}

[root@cetnos7 ~]#cat test2.conf
server  {
    listen          80;
    server_name     www.pc.test2.org;
    location / {
        root        /data/nginx/html/test2;
        index	    index.html;
    }
}

[root@cetnos7 ~]#cat test3.conf
server  {
    listen          80;
    server_name     www.pc.test3.org;
    location / {
        root        /data/nginx/html/test3;
        index	    index.html;
    }
}

2.3 创建web目录

[root@cetnos7 conf.d]#mkdir /data/nginx/html/test{1..3} -p
[root@cetnos7 conf.d]#echo "<h1>pc.test1<h1>" > test1/index.html
[root@cetnos7 conf.d]#echo "<h1>pc.test2<h1>" > test2/index.html
[root@cetnos7 conf.d]#echo "<h1>pc.test3<h1>" > test3/index.html

2.4 重启nginx

[root@cetnos7 ~]#nginx -t  #检查配置语法是否正确
nginx: the configuration file /apps/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /apps/nginx/conf/nginx.conf test is successful
[root@cetnos7 ~]#nginx -s reload

2.5 测试

[root@client ~]#cat /etc/hosts
10.0.0.7    test1.org test2.org test3.org  #添加本地域名解析
[root@client ~]#curl www.pc.test1.org  www.pc.test2.org www.pc.test3.org
<h1>pc.test1<h1>
<h1>pc.test2<h1>
<h1>pc.test3<h1>

三、实现https

3.1 生成自签名证书

[root@centos7 ~]#openssl req -newkey rsa:4096 -nodes -sha256 -keyout ca.key -x509 -days 3650 -out ca.crt
Generating a 4096 bit RSA private key
...++
..............................................................................................................................................................................................................................................................................................................................................................................................................................................++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Shanghai
Locality Name (eg, city) [Default City]:Shanghai
Organization Name (eg, company) [Default Company Ltd]:test.org
Organizational Unit Name (eg, section) []:test
Common Name (eg, your name or your server's hostname) []:ca.test.org
Email Address []:admin@123.org

[root@7-1 certs]#ll
total 8
-rw-r--r-- 1 root root 2102 Nov 28 15:39 ca.crt
-rw-r--r-- 1 root root 3272 Nov 28 15:39 ca.key

3.2自制key和csr文件

[root@7-1 certs]#openssl req -newkey rsa:4096 -nodes -sha256 -keyout www.test1.org.key -out www.test1.org.csr  #重复此步骤，生成test2，test3的相关文件
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Beijing
Locality Name (eg, city) [Default City]:Beijing
Organization Name (eg, company) [Default Company Ltd]:test.org
Organizational Unit Name (eg, section) []:nginx
Common Name (eg, your name or your server's hostname) []:www.pc.test1.org
Email Address []:root@test1.org
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
##注意国家，省，公司这个三个参数要与CA的对应##

#签发证书
[root@7-1 certs]#openssl x509 -req -days 3650 -in www.pc.test1.org.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out www.pc.test1.org.crt
[root@7-1 certs]#openssl x509 -req -days 3650 -in www.pc.test2.org.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out www.pc.test2.org.crt
[root@7-1 certs]#openssl x509 -req -days 3650 -in www.pc.test3.org.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out www.pc.test3.org.crt

#合并证书文件
[root@7-1 certs]#cat www.pc.test1.org.crt  ca.crt > www.test1.org.pem
[root@7-1 certs]#cat www.pc.test2.org.crt  ca.crt > www.test2.org.pem
[root@7-1 certs]#cat www.pc.test3.org.crt  ca.crt > www.test3.org.pem

#证书文件目录如下
total 60
-rw-r--r-- 1 root root 1103 Nov 28 16:07 ca.crt
-rw------- 1 root root 1708 Nov 28 16:07 ca.key
-rw-r--r-- 1 root root 1046 Nov 28 15:46 www.pc.test1.org.crt
-rw-r--r-- 1 root root  968 Nov 28 15:46 www.pc.test1.org.csr
-rw------- 1 root root 1708 Nov 28 15:46 www.pc.test1.org.key
-rw-r--r-- 1 root root 2149 Nov 28 15:48 www.pc.test1.org.pem
-rw-r--r-- 1 root root 1046 Nov 28 16:07 www.pc.test2.org.crt
-rw-r--r-- 1 root root  968 Nov 28 16:07 www.pc.test2.org.csr
-rw------- 1 root root 1708 Nov 28 16:07 www.pc.test2.org.key
-rw-r--r-- 1 root root 2149 Nov 28 16:07 www.pc.test2.org.pem
-rw-r--r-- 1 root root 1046 Nov 28 16:01 www.pc.test3.org.crt
-rw-r--r-- 1 root root  968 Nov 28 16:01 www.pc.test3.org.csr
-rw------- 1 root root 1704 Nov 28 16:01 www.pc.test3.org.key
-rw-r--r-- 1 root root 2149 Nov 28 16:02 www.pc.test3.org.pem

3.3 修改配置文件

##在各子配置文件的sever语句块添加，如下内容以test1为例：

server  {
    listen          80;
    listen 	    443 ssl;
    server_name     www.pc.test1.org;
    ssl_certificate /apps/nginx/certs/www.test1.org.pem;
    ssl_certificate_key /apps/nginx/certs/www.test1.org.key;
    ssl_session_cache shared:sslcache:20m;
    ssl_session_timeout 10m;
    location / {
        root        /data/nginx/html/test1;
        index        index.html;
    }
}

[root@cetnos7 ~]#nginx -t
[root@cetnos7 ~]#nginx -s reload

3.4 访问测试

[root@client ~]#curl https://www.pc.test1.org -k
<h1>pc.test1<h1>
[root@client ~]#curl https://www.pc.test2.org -k
<h1>pc.test2<h1>
[root@client ~]#curl https://www.pc.test3.org -k
<h1>pc.test3<h1>