Certificate generation
First, you need HTTPS certificate files. If you have purchased certificates from a Certificate Authority, you can skip this step. Here we describe how to generate self-signed certificates. Self-signed certificates are certificates that are not issued by a Certificate Authority but generated with the relevant tools on your own machine. They are generally used for testing and cannot be used in a production environment.
To make the certificates easier to manage (several files are produced during generation), create a separate directory for them. The following walks through generating the certificates with the openssl tool.
1. Create directories
$ cd ~
$ mkdir ssl
$ cd ssl
2. Create a key file
Create the key file definesys.key (the name can be customized). You will be asked to set a pass phrase for the key (the pass phrase is optional).
$ openssl genrsa -des3 -out definesys.key 1024
Generating RSA private key, 1024 bit long modulus
.......++++++
..................++++++
e is 65537 (0x10001)
Enter pass phrase for definesys.key:
Verifying - Enter pass phrase for definesys.key:
3. Create the CSR (certificate signing request)
You will be prompted for the subject information. The most important field is Common Name, which must be the host name used to access nginx.
$ openssl req -new -key definesys.key -out definesys.csr
Enter pass phrase for definesys.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:Shanghai
Locality Name (eg, city) []:Shanghai
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Definesys
Organizational Unit Name (eg, section) []:Definesys
Common Name (e.g. server FQDN or YOUR name) []:www.definesys.com
Email Address []:jianfeng.zheng@definesys.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:        # can be left blank
An optional company name []:    # can be left blank

# Files at this point
ssl $ ll
total 16
-rw-r--r--  1 asan  staff  733  1  3 23:57 definesys.csr
-rw-r--r--  1 asan  staff  963  1  3 23:55 definesys.key
4. Remove the pass phrase from the private key
For nginx to use the private key, the pass phrase must be removed. The following command asks for the pass phrase of the key and writes an unencrypted copy.
$ cp definesys.key definesys.key.bak
$ openssl rsa -in definesys.key.bak -out definesys.key
Enter pass phrase for definesys.key.bak:
writing RSA key
5. Generate the crt certificate
$ openssl x509 -req -days 3650 -in definesys.csr -signkey definesys.key -out definesys.crt
Signature ok
subject=/C=CN/ST=Shanghai/L=Shanghai/O=Definesys/OU=Definesys/CN=www.definesys.com/emailAddress=jianfeng.zheng@definesys.com
Getting Private key

# File list at this point
ssl $ ll
total 32
-rw-r--r--  1 asan  staff  1017  1  4 00:03 definesys.crt
-rw-r--r--  1 asan  staff   733  1  3 23:57 definesys.csr
-rw-r--r--  1 asan  staff   887  1  4 00:02 definesys.key
-rw-r--r--  1 asan  staff   963  1  4 00:01 definesys.key.bak
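The five steps above can be run non-interactively in one script. The following is an added example, not code from the original article: it writes an unencrypted key directly (so step 4 is not needed), generates a 2048-bit key instead of 1024 bits (1024-bit RSA is no longer considered adequate), and goes slightly beyond the article by adding a subjectAltName entry, which browsers use to match the host name. It assumes openssl is installed and reuses the article's host name www.definesys.com and subject fields; the function names are the example's own. The checking functions confirm that the certificate really belongs to the key and carries the expected names.

```shell
#!/bin/sh
# Added example: non-interactive self-signed certificate generation plus checks.
set -eu

# make_self_signed DIR NAME HOST DAYS
# Writes DIR/NAME.key (no pass phrase, so nginx can load it) and DIR/NAME.crt.
make_self_signed() {
    dir=$1; name=$2; host=$3; days=$4
    mkdir -p "$dir"
    # 2048-bit key; the -des3 flag from the article is omitted on purpose
    openssl genrsa -out "$dir/$name.key" 2048 2>/dev/null
    # CSR with the subject given on the command line instead of interactive prompts
    openssl req -new -key "$dir/$name.key" -out "$dir/$name.csr" \
        -subj "/C=CN/ST=Shanghai/L=Shanghai/O=Definesys/OU=Definesys/CN=$host"
    # SAN extension file: browsers match the host name against this, not only the CN
    printf 'subjectAltName=DNS:%s\n' "$host" > "$dir/$name.ext"
    openssl x509 -req -days "$days" -in "$dir/$name.csr" -signkey "$dir/$name.key" \
        -extfile "$dir/$name.ext" -out "$dir/$name.crt" 2>/dev/null
    chmod 600 "$dir/$name.key"
}

# cert_matches_key CRT KEY: succeeds only if the certificate's public key is the
# public half of KEY (compares SHA-256 of the DER-encoded public keys)
cert_matches_key() {
    a=$(openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256)
    b=$(openssl pkey -in "$2" -pubout -outform DER | openssl dgst -sha256)
    [ "$a" = "$b" ]
}

# cert_cn CRT: print the CN of the subject (works with both old and new subject formats)
cert_cn() {
    openssl x509 -in "$1" -noout -subject | sed 's/.*CN *= *//; s|[,/].*||'
}

# cert_san CRT: print each DNS entry of the subjectAltName extension, one per line
cert_san() {
    openssl x509 -in "$1" -noout -text | awk '
        /Subject Alternative Name/ { getline
            for (i = 1; i <= NF; i++) if ($i ~ /^DNS:/) { sub(/^DNS:/, "", $i); sub(/,$/, "", $i); print $i } }'
}

# key_is_unencrypted KEY: succeeds if the PEM file carries no encryption header
key_is_unencrypted() {
    ! grep -q 'ENCRYPTED' "$1"
}

# Usage, matching the article's layout:
#   make_self_signed ssl definesys www.definesys.com 3650
#   cert_matches_key ssl/definesys.crt ssl/definesys.key && echo "certificate matches key"
```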
nginx container configuration
1. Upload Certificate Files
Copy definesys.crt and definesys.key to the server. Assuming the nginx configuration on your server lives in the /etc/nginx/ directory, create a subdirectory there, here named certs, and copy both files into it.
2. Configuration file modification
Modify the configuration file nginx.conf:
server {
    listen 443 ssl;
    server_name www.definesys.com;
    ssl_certificate /etc/nginx/certs/definesys.crt;
    ssl_certificate_key /etc/nginx/certs/definesys.key;
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 5m;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    location / {
        root /usr/share/nginx/html;
        index index.html index.htm;
    }
}
If the server block is not in nginx.conf, look for the .conf files under the conf.d folder; there is usually a default.conf file there.
3. Start the container
docker run -d --restart=unless-stopped -p 443:443 -v /etc/nginx/:/etc/nginx -v /var/run/docker.sock:/tmp/docker.sock:ro -v /u01/application:/usr/share/nginx/html nginx
Visit https://localhost to verify the configuration. If the page loads normally, the configuration is successful. Because the certificate is self-signed, the browser will warn that the certificate is not trusted. Ignore it.