linux如何开启sni服务,Nginx开启单IP多SSL证书支持-TLS SNI support
Nginx支持單IP多域名SSL證書需要OpenSSL支持,由于CentOS5.X系統(tǒng)自帶的OpenSSL版本太低不支持,所以首先需要編譯安裝一個高版本的openssl,CentOS 6.X的系統(tǒng)自帶的openssl版本大于0.98以上,一般編譯好的nginx都是支持的。
檢查nginx是否支持TLS SNI support:
/usr/local/nginx/sbin/nginx -V
nginx version: nginx/1.10.2
TLS SNI support disabled
configure arguments: --user=www --group=www --prefix=/usr/local/nginx --with-http_stub_status_module --with-http_ssl_module
TLS SNI support disabled 這樣是不支持的。
查看openssl的版本:[root@localhost?~]#?openssl?version?-a
OpenSSL?0.9.8e-fips-rhel5?01?Jul?2008
built?on:?Tue?May?31?06:58:30?CDT?2016
platform:?linux-x86_64
options:??bn(64,64)?md2(int)?rc4(ptr,int)?des(idx,cisc,16,int)?blowfish(ptr2)
compiler:?gcc?-fPIC?-DOPENSSL_PIC?-DZLIB?-DOPENSSL_THREADS?-D_REENTRANT?-DDSO_DLFCN?-DHAVE_DLFCN_H?-DKRB5_MIT?-I/usr/kerberos/include?-DL_ENDIAN?-DTERMIO?-Wall?-DMD32_REG_T=int?-O2?-g?-pipe?-Wall?-Wp,-D_FORTIFY_SOURCE=2?-fexceptions?-fstack-protector?--param=ssp-buffer-size=4?-m64?-mtune=generic?-Wa,--noexecstack?-DOPENSSL_USE_NEW_FUNCTIONS?-fno-strict-aliasing?-DOPENSSL_BN_ASM_MONT?-DSHA1_ASM?-DSHA256_ASM?-DSHA512_ASM?-DMD5_ASM?-DAES_ASM
OPENSSLDIR:?"/etc/pki/tls"
engines:??dynamic
下面開始升級openssl:
wget ftp://ftp.openssl.org/source/openssl-1.0.2h.tar.gz
tar xzvf openssl-1.0.2h.tar.gz
cd openssl-1.0.2h
./config --prefix=/usr/local/openssl/ enable-shared enable-tlsext
make && make install
檢查openssl的版本:[root@localhost?~]#?/usr/local/openssl/bin/openssl?version?-a
OpenSSL?1.0.2h??21?Dec?2016
built?on:?reproducible?build,?date?unspecified
platform:?linux-x86_64
options:??bn(64,64)?rc4(16x,int)?des(idx,cisc,16,int)?idea(int)?blowfish(idx)
compiler:?gcc?-I.?-I..?-I../include??-fPIC?-DOPENSSL_PIC?-DOPENSSL_THREADS?-D_REENTRANT?-DDSO_DLFCN?-DHAVE_DLFCN_H?-fPIC?-Wa,--noexecstack?-m64?-DL_ENDIAN?-O3?-Wall?-DOPENSSL_IA32_SSE2?-DOPENSSL_BN_ASM_MONT?-DOPENSSL_BN_ASM_MONT5?-DOPENSSL_BN_ASM_GF2m?-DSHA1_ASM?-DSHA256_ASM?-DSHA512_ASM?-DMD5_ASM?-DAES_ASM?-DVPAES_ASM?-DBSAES_ASM?-DWHIRLPOOL_ASM?-DGHASH_ASM?-DECP_NISTZ256_ASM
OPENSSLDIR:?"/usr/local/openssl/ssl"
編譯nginx:wget?http://nginx.org/download/nginx-1.10.2.tar.gz
tar?xzvf?nginx-1.10.2.tar.gz
cd?nginx-1.10.2/
./configure?--user=www?--group=www?--prefix=/usr/local/nginx?--with-openssl=/usr/local/openssl?--with-http_stub_status_module?--with-http_ssl_module?--with-http_v2_module
make?&&?make?install
檢查現(xiàn)在是否支持TLS SNI support:[root@localhost?~]#?/usr/local/nginx/sbin/nginx?-V
nginx?version:?nginx/1.10.2
built?by?gcc?4.1.2?20080704?(Red?Hat?4.1.2-55)
built?with?OpenSSL?1.0.2h??21?Dec?2016
TLS?SNI?support?enabled
configure?arguments:?--user=www?--group=www?--prefix=/usr/local/nginx?--with-openssl=/usr/local/openssl?--with-http_stub_status_module?--with-http_ssl_module?--with-http_v2_module
TLS SNI support enabled 現(xiàn)在已經(jīng)支持了,再添加幾個https的站點都正常了。
超強干貨來襲 云風專訪:近40年碼齡,通宵達旦的技術(shù)人生總結(jié)
以上是生活随笔為你收集整理的linux如何开启sni服务,Nginx开启单IP多SSL证书支持-TLS SNI support的全部內(nèi)容,希望文章能夠幫你解決所遇到的問題。
- 上一篇: 取消linux下命令别名设置,day6L
- 下一篇: linux挂载硬盘读写,mount 挂载