
Installing SSL for nginx on CentOS 7

More than 1 year has passed since last update.

Prerequisites

  • OS: CentOS Linux release 7.4 (Core)

1. Install Nginx and configure the firewall

  • The EPEL (Extra Packages for Enterprise Linux) repository must be installed so that the server can access the Nginx package
$ sudo yum install epel-release

  • Install Nginx
$ sudo yum install nginx

  • Start the Nginx service
$ sudo systemctl start nginx

  • Check the status of Nginx
$ systemctl status nginx
Output
● nginx.service - The nginx HTTP and reverse proxy server
   Loaded: loaded (/usr/lib/systemd/system/nginx.service; disabled; vendor preset: disabled)
   Active: active (running) since Sun 2018-07-15 14:13:27 CST; 40s ago
  Process: 31362 ExecStart=/usr/sbin/nginx (code=exited, status=0/SUCCESS)
  Process: 31359 ExecStartPre=/usr/sbin/nginx -t (code=exited, status=0/SUCCESS)
  Process: 31357 ExecStartPre=/usr/bin/rm -f /run/nginx.pid (code=exited, status=0/SUCCESS)
 Main PID: 31364 (nginx)
   CGroup: /system.slice/nginx.service
           ├─31364 nginx: master process /usr/sbin/nginx
           ├─31365 nginx: worker process
           └─31366 nginx: worker process

Jul 15 14:13:27 greenlist systemd[1]: Starting The nginx HTTP and reverse proxy server...
Jul 15 14:13:27 greenlist nginx[31359]: nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
Jul 15 14:13:27 greenlist nginx[31359]: nginx: configuration file /etc/nginx/nginx.conf test is successful
Jul 15 14:13:27 greenlist systemd[1]: Started The nginx HTTP and reverse proxy server.

  • Make Nginx start automatically when the server boots
$ sudo systemctl enable nginx
Output
Created symlink from /etc/systemd/system/multi-user.target.wants/nginx.service to /usr/lib/systemd/system/nginx.service.

  • Allow HTTP and HTTPS through the iptables firewall
$ sudo iptables -I INPUT -p tcp -m tcp --dport 80 -j ACCEPT
$ sudo iptables -I INPUT -p tcp -m tcp --dport 443 -j ACCEPT

2. Create the SSL certificate

$ sudo mkdir /etc/ssl/private
$ sudo chmod 700 /etc/ssl/private
$ sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/nginx-selfsigned.key -out /etc/ssl/certs/nginx-selfsigned.crt
Output
Generating a 2048 bit RSA private key
......................................+++
............................+++
writing new private key to '/etc/ssl/private/nginx-selfsigned.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:JP
State or Province Name (full name) []:TOKYO
Locality Name (eg, city) [Default City]:TOKYO
Organization Name (eg, company) [Default Company Ltd]:Greenlist INC.
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:greenlist
Email Address []:xx@xxx.co.jp
$ sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048
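The `openssl req` command above stops at interactive prompts, and a certificate with only a Common Name is rejected by current browsers, which require a subjectAltName. The script below is an added example, not code from the article or from the DigitalOcean tutorial it follows: it creates the same kind of self-signed certificate non-interactively, adds a DNS subjectAltName through an OpenSSL config file (CentOS 7 ships OpenSSL 1.0.2, which does not have `-addext`), restricts the key file's permissions, and provides checks that the certificate matches its key, names the host, and is not about to expire. The hostname `greenlist.example`, the organisation name and the single output directory (the article splits key and certificate between /etc/ssl/private and /etc/ssl/certs) are the example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the article): non-interactive self-signed certificate
# with a subjectAltName, plus checks to run before pointing nginx at the files.
# Uses an OpenSSL config file instead of -addext so it works on OpenSSL 1.0.2 (CentOS 7).
set -u

# generate_selfsigned DIR HOSTNAME [DAYS]
#   writes DIR/nginx-selfsigned.key (mode 600) and DIR/nginx-selfsigned.crt
generate_selfsigned() {
  dir=$1; host=$2; days=${3:-365}
  mkdir -p "$dir" && chmod 700 "$dir"
  # Constructed subject: replace the O= value with your organisation.
  cat > "$dir/openssl-selfsigned.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_server
[dn]
C = JP
ST = TOKYO
L = TOKYO
O = Example Org
CN = $host
[v3_server]
subjectAltName = DNS:$host
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
  openssl req -x509 -nodes -days "$days" -newkey rsa:2048 \
    -config "$dir/openssl-selfsigned.cnf" \
    -keyout "$dir/nginx-selfsigned.key" -out "$dir/nginx-selfsigned.crt" 2>/dev/null \
    && chmod 600 "$dir/nginx-selfsigned.key"
}

# cert_key_match CRT KEY : true if the certificate's public key is the key's public half
cert_key_match() {
  [ "$(openssl x509 -noout -pubkey -in "$1")" = "$(openssl pkey -pubout -in "$2")" ]
}

# cert_has_san CRT HOSTNAME : true if HOSTNAME appears as a DNS subjectAltName entry
cert_has_san() {
  openssl x509 -noout -text -in "$1" | grep -q "DNS:$2"
}

# cert_valid_for_days CRT DAYS : true if the certificate does not expire within DAYS days
cert_valid_for_days() {
  openssl x509 -noout -checkend $(( $2 * 86400 )) -in "$1" >/dev/null
}

# Stand-alone use: sh selfsigned.sh /etc/ssl/private greenlist.example [days]
if [ $# -ge 2 ]; then
  generate_selfsigned "$1" "$2" "${3:-365}" \
    && cert_key_match "$1/nginx-selfsigned.crt" "$1/nginx-selfsigned.key" \
    && cert_has_san "$1/nginx-selfsigned.crt" "$2" \
    && echo "OK: $1/nginx-selfsigned.crt matches its key and names $2"
fi
```

Point `ssl_certificate` and `ssl_certificate_key` in the nginx configuration at the two files the script writes. The `cert_valid_for_days` check is worth keeping in a cron job: the article's certificate is valid for 365 days, and a self-signed certificate that silently expires takes the site down just as surely as a missing one.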

3. Configure Nginx to use SSL

  • Create the TLS/SSL server configuration
$ sudo vi /etc/nginx/conf.d/ssl.conf
/etc/nginx/conf.d/ssl.conf
server {
    listen 443 http2 ssl;
    listen [::]:443 http2 ssl;

    server_name server_IP_address;

    ssl_certificate /etc/ssl/certs/nginx-selfsigned.crt;
    ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key;
    ssl_dhparam /etc/ssl/certs/dhparam.pem;

    ########################################################################
    # from https://cipherli.st/                                            #
    # and https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html #
    ########################################################################

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
    ssl_ecdh_curve secp384r1;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout 5s;
    # Disable preloading HSTS for now.  You can use the commented out header line that includes
    # the "preload" directive if you understand the implications.
    #add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
    add_header X-Frame-Options DENY;
    add_header X-Content-Type-Options nosniff;

    ##################################
    # END https://cipherli.st/ BLOCK #
    ##################################

    root /usr/share/nginx/html;

    location / {
    }

    error_page 404 /404.html;
    location = /404.html {
    }

    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
    }
}

  • Create the HTTP-to-HTTPS redirect configuration
$ sudo vi /etc/nginx/default.d/ssl-redirect.conf
/etc/nginx/default.d/ssl-redirect.conf
# $request_uri already contains the path and the query string, so nothing is appended after it
return 301 https://$host$request_uri;
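Both files above are easy to get subtly wrong, and `nginx -t` only checks syntax. The script below is an added example, not part of the article, DigitalOcean's tutorial or nginx itself: it audits ssl.conf and ssl-redirect.conf together for the points a reviewer would raise in the configuration shown, namely TLSv1/TLSv1.1 still enabled in `ssl_protocols`, the `server_IP_address` placeholder left in `server_name`, a trailing slash after `$request_uri` in the redirect (which turns `/search?q=x` into `/search?q=x/`), a missing Strict-Transport-Security header, and `ssl_stapling on` combined with a certificate whose file name says it is self-signed (stapling is ignored for those, as the `nginx -t` output in section 4 shows). The self-signed detection is a file-name heuristic of this example, and the sample configurations in the usage are constructed.

```shell
#!/bin/sh
# Added example (not from the article): audit nginx TLS configuration files for the
# weak or mistaken settings a reviewer would flag, and print the corrected directive.
# Usage: audit_tls_conf /etc/nginx/conf.d/ssl.conf /etc/nginx/default.d/ssl-redirect.conf

# has_directive ERE FILE... : true if any non-comment line in the files matches ERE
has_directive() {
  pat=$1; shift
  cat "$@" | grep -v '^[[:space:]]*#' | grep -Eq "$pat"
}

# audit_tls_conf FILE... : print one finding per line; return 0 if clean, 1 otherwise
audit_tls_conf() {
  findings=0
  # TLSv1 or TLSv1.1 listed in ssl_protocols (TLSv1.2/TLSv1.3 alone do not match)
  if has_directive 'ssl_protocols[^;]*TLSv1(\.1)?[[:space:];]' "$@"; then
    echo "WEAK: ssl_protocols enables TLSv1/TLSv1.1; use: ssl_protocols TLSv1.2 TLSv1.3;"
    findings=$((findings + 1))
  fi
  # the article's placeholder was never replaced with a real name or address
  if has_directive 'server_name[[:space:]]+server_IP_address' "$@"; then
    echo "PLACEHOLDER: server_name is still server_IP_address; set the real hostname"
    findings=$((findings + 1))
  fi
  # a slash after $request_uri lands after the query string and breaks such URLs
  if has_directive 'return[[:space:]]+301[[:space:]]+https://\$host\$request_uri/' "$@"; then
    echo "BUG: redirect appends '/' after \$request_uri; use: return 301 https://\$host\$request_uri;"
    findings=$((findings + 1))
  fi
  # without HSTS a client's first request can be kept on plain HTTP
  if ! has_directive 'add_header[[:space:]]+Strict-Transport-Security' "$@"; then
    echo "MISSING: no Strict-Transport-Security header on the HTTPS server block"
    findings=$((findings + 1))
  fi
  # heuristic (file name only): OCSP stapling has no effect for a self-signed certificate
  if has_directive 'ssl_stapling[[:space:]]+on' "$@" \
     && has_directive 'ssl_certificate[[:space:]]+[^;]*selfsigned' "$@"; then
    echo "INFO: ssl_stapling on with a self-signed certificate is ignored by nginx"
    findings=$((findings + 1))
  fi
  [ "$findings" -eq 0 ]
}

# Stand-alone use: sh audit.sh /etc/nginx/conf.d/ssl.conf /etc/nginx/default.d/ssl-redirect.conf
if [ $# -gt 0 ]; then
  audit_tls_conf "$@" && echo "OK: no findings"
fi
```

Run it after every edit and before `systemctl restart nginx`; a non-zero exit status makes it usable as a gate in a deployment script, in the same spot where `nginx -t` already runs.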

4. Enable the Nginx configuration

  • Check the Nginx configuration
$ sudo nginx -t
Output
nginx: [warn] "ssl_stapling" ignored, issuer certificate not found
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

  • Restart Nginx
$ sudo systemctl restart nginx

5. Test the encrypted site

https://server_domain_or_IP

Reference: digitalocean.com
