wget （下载nginxRPM管理包）

rpm -ivh nginx-1.14.0-1.el6.ngx.x86_64.rpm （安装nginx）

开始实验：

/etc/nginx/     ├── conf.d   （拓展文件）│   ├── abc.conf│   ├── default.conf│   ├── efg.conf│   └── error.conf├── fastcgi_params├── koi-utf├── koi-win├── mime.types├── modules -> ../../usr/lib64/nginx/modules├── nginx.conf   （主配文件）├── scgi_params├── uwsgi_params└── win-utf/usr/share/nginx/html/  （数据文件）├── 50x.html├── abc│   └── index.html   ├── efg│   └── index.html├── error│   └── index.html└── index.html

**# 基于虚拟主机的两个网站**[root@localhost conf.d]# cat abc.conf efg.conf server {    listen       80;    server_name  www.abc.com;    #charset koi8-r;    #access_log  /var/log/nginx/host.access.log  main;    location / {        root   /usr/share/nginx/html/abc;        index  index.html index.htm;    }}server {    listen       80;    server_name  www.efg.com;    #charset koi8-r;    #access_log  /var/log/nginx/host.access.log  main;    location / {        root   /usr/share/nginx/html/efg;        index  index.html index.htm;    }}[root@localhost nginx]# vim nginx.conf     include /etc/nginx/conf.d/*.conf;charset utf-8;    （如果出现web访问显示中文乱码，写上这条，重启nginx）}

访问abc和efg都没问题，但是要是没xyz的对应虚拟主机（默认显示ASCII顺序显示第一个虚拟主机）这里我们单独给他一个错误回显，看下图：

（这个错误页面怎么配置？）

[root@localhost conf.d]# vim error.conf server {    listen       80 default;  （只要找不到虚拟主机一律去error下面找）    #access_log  /var/log/nginx/host.access.log  main;    location / {        root   /usr/share/nginx/html/error;  （配置文件）        index  index.html index.htm;    }}

location 匹配字段（针对URL的路径部分，可以与正则配合使用）

[root@localhost download]# vim /etc/nginx/conf.d/abc.conf server {    listen       80;    server_name  www.abc.com;    #charset koi8-r;    #access_log  /var/log/nginx/host.access.log  main;    location / {        root   /usr/share/nginx/html/abc;        index  index.html index.htm;    }        location /boke.html {     （这里的意思是去root boke目录里找boke.html这个文件URL最后面不能加/）        root   /usr/share/nginx/html/boke;    }

[root@localhost download]# vim /etc/nginx/conf.d/abc.conf         location /download/ {             （这里去html下面找download目录！！目录里面可以有文件，页面等等URL最后必须要加/）        root   /usr/share/nginx/html;    }}

*（怎么一定要加/或不加/呢？不人性化，这里可以使用正则来解决）

[root@localhost download]# vim /etc/nginx/conf.d/abc.conf  location ~* /download.* {   （~* 不区分大小写，.*为正则匹配）        root   /usr/share/nginx/html;    }}

HTTPS

讲之前先看下公钥与私钥到底是个啥？[1](https://blog.51cto.com/2938638/809991)[2](https://blog.51cto.com/zhangyanfeng/1711250)

实验：自签名客户端                                                                                 CA1.创建私钥                                                                         1.有自己的私钥和证书2.根据私钥创建证书颁发请求  .csr                                     2.对证书颁发请求签名3.等CA中心授权签名通过，返回证书文件 .crt                   3.将证书发送给客户端4.根据KEY，CRT配置HTTPS站点

客户端[root@localhost keyes]# openssl genrsa 2048 > siyao.keys   （创建私钥）Generating RSA private key, 2048 bit long modulus...............................................................................+++.+++e is 65537 (0x10001)[root@localhost keyes]# chmod 400 siyao.keys   （给予最小权限）[root@localhost keyes]# openssl req -new -key siyao.keys -out siyao.csr  （创建证书办法请求）You are about to be asked to enter information that will be incorporatedinto your certificate request.What you are about to enter is what is called a Distinguished Name or a DN.There are quite a few fields but you can leave some blankFor some fields there will be a default value,If you enter '.', the field will be left blank.-----Country Name (2 letter code) [XX]:CN    （国家）State or Province Name (full name) []:shanghai  （省份）Locality Name (eg, city) [Default City]:shanghai   （市区）Organization Name (eg, company) [Default Company Ltd]:boke  （公司名）  Organizational Unit Name (eg, section) []:boke - cainiao  （部门）Common Name (eg, your name or your server's hostname) []:www.abc.com  （要加密的RUL）Email Address []:boke@boke.com  （邮箱）Please enter the following 'extra' attributesto be sent with your certificate requestA challenge password []:     （这里不要写密码，CA哪里一会解不开密码，自签名。。）An optional company name []:  （这里也跳过）[root@localhost keyes]# lssiyao.csr  siyao.keys     （生成一份.csr的文件）[root@localhost keyes]# scp siyao.csr 192.168.1.115:/root   （在我使用scp传输文件时，碰到了问题，因为之前做过NAT。网关上把icmp阻塞了，并且用的策略是block return，所以返回一个目标不可到达的包给你。）ssh: connect to host 192.168.1.115 port 22: No route to host[root@localhost keyes]# scp siyao.csr 192.168.1.115:/root   （传过去了）The authenticity of host '192.168.1.115 (192.168.1.115)' can't be established.RSA key fingerprint is ce:73:07:c4:4c:f3:2b:1b:21:c7:92:31:27:53:be:cf.Are you sure you want to continue connecting (yes/no)? yesWarning: Permanently added '192.168.1.115' (RSA) to the list of known hosts.root@192.168.1.115's password: siyao.csr # CA端[root@localhost ~]# openssl genrsa -des3 -out ca.key 4096  （生成公私钥，做自签名）Generating RSA private key, 4096 bit long modulus............................++.......................++e is 65537 (0x10001)Enter pass phrase for ca.key:                  （自签名密码要记住，一会自签名过程要用到）Verifying - Enter pass phrase for ca.key:[root@localhost ~]# lsanaconda-ks.cfg  ca.key  siyao.csr[root@localhost ~]# openssl req -new -x509 -days 365 -key ca.key -out ca.crt  （自签名）Enter pass phrase for ca.key:You are about to be asked to enter information that will be incorporatedinto your certificate request.What you are about to enter is what is called a Distinguished Name or a DN.There are quite a few fields but you can leave some blankFor some fields there will be a default value,If you enter '.', the field will be left blank.-----Country Name (2 letter code) [XX]:CNState or Province Name (full name) []:shanghaiLocality Name (eg, city) [Default City]:shanghai    Organization Name (eg, company) [Default Company Ltd]:NSA    Organizational Unit Name (eg, section) []:FBI   Common Name (eg, your name or your server's hostname) []:www.boke.comEmail Address []:[root@localhost ~]# lsanaconda-ks.cfg  ca.crt  ca.key  siyao.csr[root@localhost ~]# openssl x509 -req -days 365 -in siyao.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out siyao.crt  （给客户端颁发证书）Signature oksubject=/C=CN/ST=shanghai/L=shanghai/O=boke/OU=boke - cainiao/CN=www.abc.com/emailAddress=boke@boke.comGetting CA Private KeyEnter pass phrase for ca.key:[root@localhost ~]# lsanaconda-ks.cfg  ca.crt  ca.key  siyao.crt  siyao.csr[root@localhost ~]# scp siyao.crt 192.168.1.3:/etc/pki/CA/keyes （回传给客户端）The authenticity of host '192.168.1.3 (192.168.1.3)' can't be established.RSA key fingerprint is bd:4d:15:99:19:a7:d7:fb:6e:0a:91:b0:b7:62:04:73.Are you sure you want to continue connecting (yes/no)? yesWarning: Permanently added '192.168.1.3' (RSA) to the list of known hosts.root@192.168.1.3's password: siyao.crt                                                                                           100% 1590     1.6KB/s   00:00    [root@localhost ~]# lsanaconda-ks.cfg  ca.crt  ca.key  siyao.crt  siyao.csr客户端keyes目下要有私钥，公钥，证书[root@localhost keyes]# lssiyao.crt  siyao.csr  siyao.keys[root@localhost keyes]# pwd/etc/pki/CA/keyes

最后来配置HTTPS

[root@localhost conf.d]# vim abc.conf server {        listen  443 ssl;        server_name     www.abc.com;        ssl_certificate /etc/pki/CA/keyes/siyao.crt;  （证书）        ssl_certificate_key     /etc/pki/CA/keyes/siyao.keys; （私钥）        ssl_protocols   TLSv1  TLSv1.1  TLSv1.2; （协议）        ssl_ciphers     HIGH:!aNULL:!MD5;        root /usr/share/nginx/html/abc;        index index.html;}

我这里用的是chrome的浏览器：

这里显示不安全，但是能看到内容，大神给讲下吧，有点迷。----------下次分享下nginx的rewrite和反向代理和缓存。。