end0tknr's kipple - new web shakyo (learn-by-retyping) development

Moving here from http://d.hatena.ne.jp/end0tknr/

Enabling https (ssl) on the nginx bundled with Raspberry (raspbian)

STEP1) Private key, public key, and server certificate (self-signed "ore-ore" certificate)

The following steps create the private key (server.key), the public key in the form of a certificate signing request (server.csr), and the self-signed certificate (server.crt).

$ sudo su -
# cd /etc/nginx

# openssl genrsa -out server.key 2048
Generating RSA private key, 2048 bit long modulus
...........................+++
............................................................+++
e is 65537 (0x10001)

# openssl req -new -key server.key -out server.csr 
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:jp
State or Province Name (full name) [Some-State]:tokyo
Locality Name (eg, city) []:??????
Organization Name (eg, company) [Internet Widgits Pty Ltd]:??????
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:raspi.??????.mydns.jp
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

# openssl rsa -in server.key -out server.key
writing RSA key

# openssl x509 -req -days 3650 -in server.csr -signkey server.key -out server.crt
Signature ok
subject=/C=jp/ST=tokyo/L=kokubunji/O=??????/CN=raspi.??????.mydns.jp
Getting Private key

STEP2) nginx configuration files /etc/nginx/nginx.conf and /etc/nginx/sites-enabled/default

In the nginx shipped with Raspberry (raspbian), the configuration files involved are /etc/nginx/nginx.conf and /etc/nginx/sites-enabled/default, but modifying /etc/nginx/sites-enabled/default as shown below is all that is needed.

# server {
#         listen 80 default_server;
#         listen [::]:80 default_server;

#         root /var/www/html;

#         index index.html index.htm index.nginx-debian.html;

#         server_name _;

#         location / {
#                 # First attempt to serve request as file, then
#                 # as directory, then fall back to displaying a 404.
#                 try_files $uri $uri/ =404;
#         }
# }

server {
        listen 443 ssl;

        ssl_certificate      /etc/nginx/server.crt;
        ssl_certificate_key  /etc/nginx/server.key;

        ssl_session_cache    shared:SSL:1m;
        ssl_session_timeout  5m;

        ssl_ciphers  HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers  on;

        root /var/www/html;

        index index.html index.htm index.nginx-debian.html;

        server_name _;

        location / {
                # First attempt to serve request as file, then
                # as directory, then fall back to displaying a 404.
                try_files $uri $uri/ =404;
        }
}
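The key and certificate generation of STEP1, as an added example that is not part of the original post: the same three openssl commands run without the interactive DN prompts, followed by the checks worth running before ssl_certificate and ssl_certificate_key in STEP2 are pointed at the files. The host name raspi.example.mydns.jp, the DN values and the function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the original post. STEP1 of the post run without the
# interactive DN prompts, plus the checks to run before STEP2 points nginx at the files.
# The host name raspi.example.mydns.jp and the DN values are placeholders (assumed).
set -eu

# make_selfsigned_cert DIR HOST
# Writes DIR/server.key (mode 600), DIR/server.csr and DIR/server.crt (10 years), the
# same three openssl steps as the post. A subjectAltName is added because browsers
# validate the host name against the SAN, not the CN.
make_selfsigned_cert() {
    dir=$1 host=$2
    # subshell: the restrictive umask keeps the key 0600 without leaking to the caller
    ( umask 077 && openssl genrsa -out "$dir/server.key" 2048 2>/dev/null )
    openssl req -new -key "$dir/server.key" -out "$dir/server.csr" \
        -subj "/C=JP/ST=Tokyo/L=Kokubunji/O=home/CN=$host"
    printf 'subjectAltName=DNS:%s\n' "$host" > "$dir/san.ext"
    openssl x509 -req -days 3650 -in "$dir/server.csr" -signkey "$dir/server.key" \
        -extfile "$dir/san.ext" -out "$dir/server.crt" 2>/dev/null
}

# cert_matches_key DIR: true only if server.crt carries the public key of server.key;
# a mismatched pair is the usual reason nginx refuses to start after STEP2.
cert_matches_key() {
    k=$(openssl pkey -in "$1/server.key" -pubout | openssl dgst -sha256)
    c=$(openssl x509 -in "$1/server.crt" -pubkey -noout | openssl dgst -sha256)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# cert_valid_for_host DIR HOST: what a client that trusts server.crt as its CA
# (the only way to accept a self-signed cert without warnings) would decide for HOST.
cert_valid_for_host() {
    openssl verify -CAfile "$1/server.crt" -verify_hostname "$2" "$1/server.crt" >/dev/null 2>&1
}

# key_is_private DIR: only the owner (root, which nginx's master process runs as) may read it
key_is_private() {
    case $(ls -l "$1/server.key") in
        -rw-------*) return 0 ;;
        *) return 1 ;;
    esac
}

# usage: sh this.sh /etc/nginx raspi.example.mydns.jp
if [ $# -eq 2 ]; then
    make_selfsigned_cert "$1" "$2"
    cert_matches_key "$1" && cert_valid_for_host "$1" "$2" && key_is_private "$1" \
        && echo "OK: $1/server.crt and server.key ready for $2"
fi
```

The host-name check deliberately fails for any name other than the one in the SAN, which is the behaviour a browser or curl with --cacert server.crt will show against this certificate.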