WeChat mini programs require TLS 1.2, which means OpenSSL has to be version 1.0.2 or later. After reinstalling OpenSSL, Nginx has to be reinstalled as well.
Nginx was already installed on the server, so for the reinstall I reused the build options shown by Nginx -V. The detailed procedure follows.
1. Download Nginx and OpenSSL
Nginx: http://Nginx.org/download/
openssl: https://www.openssl.org/source/
2. Install OpenSSL
# tar zxvf openssl-1.0.2l.tar.gz
# mkdir /usr/local/openssl12
# cd openssl-1.0.2l/
# ./config --prefix=/usr/local/openssl12/
# make && make install
3. Install Nginx
Install the dependencies
# yum install gcc-c++ readline-devel zlib-devel libffi-devel \
    openssl-devel make autoconf automake libtool bison libxml2-devel \
    libxslt-devel libyaml-devel pcre pcre-devel gd gd-devel perl-devel \
    perl-ExtUtils-Embed GeoIP-devel
Install Nginx
# tar zxvf Nginx-1.10.2.tar.gz
# cd Nginx-1.10.2/
# vim auto/lib/openssl/conf   # find the following lines and remove the ".openssl" part, so the build uses the OpenSSL installed under the --with-openssl prefix
CORE_INCS="$CORE_INCS $OPENSSL/.openssl/include"
CORE_DEPS="$CORE_DEPS $OPENSSL/.openssl/include/openssl/ssl.h"
CORE_LIBS="$CORE_LIBS $OPENSSL/.openssl/lib/libssl.a"
CORE_LIBS="$CORE_LIBS $OPENSSL/.openssl/lib/libcrypto.a"
CORE_LIBS="$CORE_LIBS $NGX_LIBDL"
# ./configure --prefix=/usr/share/Nginx \
    --sbin-path=/usr/sbin/Nginx \
    --modules-path=/usr/lib64/Nginx/modules \
    --conf-path=/etc/Nginx/Nginx.conf \
    --error-log-path=/var/log/Nginx/error.log \
    --http-log-path=/var/log/Nginx/access.log \
    --http-client-body-temp-path=/var/lib/Nginx/tmp/client_body \
    --http-proxy-temp-path=/var/lib/Nginx/tmp/proxy \
    --http-fastcgi-temp-path=/var/lib/Nginx/tmp/fastcgi --http-uwsgi-temp-path=/var/lib/Nginx/tmp/uwsgi \
    --http-scgi-temp-path=/var/lib/Nginx/tmp/scgi \
    --pid-path=/var/run/Nginx.pid \
    --lock-path=/var/lock/subsys/Nginx \
    --user=Nginx --group=Nginx --with-file-aio --with-ipv6 \
    --with-http_ssl_module --with-http_v2_module --with-http_realip_module \
    --with-http_addition_module --with-http_xslt_module=dynamic \
    --with-http_image_filter_module=dynamic --with-http_geoip_module=dynamic \
    --with-http_sub_module --with-http_dav_module --with-http_flv_module \
    --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module \
    --with-http_random_index_module --with-http_secure_link_module \
    --with-http_degradation_module --with-http_slice_module --with-http_stub_status_module \
    --with-http_perl_module=dynamic --with-mail=dynamic --with-mail_ssl_module --with-pcre \
    --with-pcre-jit --with-stream=dynamic --with-stream_ssl_module --with-debug \
    --with-cc-opt='-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic' \
    --with-ld-opt=' -Wl,-E' \
    --with-openssl=/usr/local/openssl12
# make && make install
(The cc-opt value must stay inside one pair of single quotes; a backslash line break inside the quotes would become part of the compiler flags.)
The above is the install on a physical server. Below is the install on Alibaba Cloud.
./configure --prefix=/usr/share/Nginx --sbin-path=/usr/sbin/Nginx \
    --modules-path=/usr/lib64/Nginx/modules --conf-path=/etc/Nginx/Nginx.conf \
    --error-log-path=/var/log/Nginx/error.log --http-log-path=/var/log/Nginx/access.log \
    --http-client-body-temp-path=/var/lib/Nginx/tmp/client_body \
    --http-proxy-temp-path=/var/lib/Nginx/tmp/proxy --http-fastcgi-temp-path=/var/lib/Nginx/tmp/fastcgi \
    --http-uwsgi-temp-path=/var/lib/Nginx/tmp/uwsgi --http-scgi-temp-path=/var/lib/Nginx/tmp/scgi \
    --pid-path=/run/Nginx.pid --lock-path=/run/lock/subsys/Nginx --user=Nginx \
    --group=Nginx --with-ipv6 --with-http_ssl_module --with-http_v2_module --with-http_realip_module \
    --with-http_addition_module --with-http_image_filter_module=dynamic --with-http_sub_module \
    --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module \
    --with-http_gzip_static_module --with-http_random_index_module --with-http_secure_link_module \
    --with-http_degradation_module --with-http_slice_module --with-http_stub_status_module \
    --with-http_perl_module=dynamic --with-mail=dynamic --with-mail_ssl_module --with-pcre \
    --with-pcre-jit --with-stream=dynamic --with-stream_ssl_module --with-debug --with-openssl=/usr/local/openssl12
Because Nginx had been installed with yum beforehand, the manual build reused the options from Nginx -V. On Alibaba Cloud, be aware that many packages are missing, so the build reported a lot of errors. Look each one up: if the module is not needed, drop it from the configure options; if a dependency is missing, install it. If Nginx still reports errors after a successful install, look in the following directory.
# /usr/share/Nginx/modules   # delete the modules that cause the errors, but back them up first
Then restart Nginx.
4. Configure Nginx
ssl on;
ssl_certificate /etc/Nginx/mall.pem;
ssl_certificate_key /etc/Nginx/mall.key;
ssl_session_timeout 5m;
ssl_protocols SSLv2 SSLv3 TLSv1.2; # note the 1.2 here
#ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
ssl_prefer_server_ciphers on;
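As an added check (an example script written for this page, not part of the original post), the script below pulls the OpenSSL version out of `nginx -V` output and compares it with the 1.0.2 minimum stated at the top, and flags the obsolete SSLv2/SSLv3 names in an ssl_protocols line like the one above next to a form that keeps only TLSv1.2. The `nginx -V` text and both directive lines are constructed samples.

```shell
#!/bin/sh
# Added example, not from the original post: two checks for the build described above.
# 1) parse the OpenSSL version out of `nginx -V` output and compare it with the 1.0.2
#    minimum the post states; 2) flag SSLv2/SSLv3 in an ssl_protocols directive.
# The inputs below are constructed samples, not captured from a real server.

SAMPLE_NGINX_V='nginx version: nginx/1.10.2
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-11) (GCC)
built with OpenSSL 1.0.2l  25 May 2017
TLS SNI support enabled'

WEAK_LINE='ssl_protocols SSLv2 SSLv3 TLSv1.2;'   # as written in the post
HARDENED_LINE='ssl_protocols TLSv1.2;'           # only the protocol the mini program needs

# Print the OpenSSL version string (e.g. 1.0.2l) found in `nginx -V` output.
# nginx writes that output to stderr, so capture it with: nginx -V 2>&1
openssl_version() {
  printf '%s\n' "$1" | sed -n 's/.*built with OpenSSL \([0-9][0-9.]*[a-z]*\).*/\1/p' | head -n 1
}

# Exit 0 if version $1 >= version $2, comparing the dotted numeric parts only
# (the trailing patch letter, e.g. the "l" in 1.0.2l, is ignored).
version_ge() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    sub(/[a-z]+$/, "", a); sub(/[a-z]+$/, "", b)
    na = split(a, x, "."); nb = split(b, y, ".")
    n = (na > nb) ? na : nb
    for (i = 1; i <= n; i++) {
      if (x[i] + 0 > y[i] + 0) exit 0
      if (x[i] + 0 < y[i] + 0) exit 1
    }
    exit 0
  }'
}

# Print the obsolete protocol names (SSLv2, SSLv3) present in an ssl_protocols directive.
weak_protocols() {
  printf '%s\n' "$1" | tr ' ;' '\n\n' | grep -E '^SSLv[23]$' | tr '\n' ' ' | sed 's/ $//'
}

ver=$(openssl_version "$SAMPLE_NGINX_V")
if version_ge "$ver" 1.0.2; then
  echo "OpenSSL $ver: meets the 1.0.2 minimum, TLS 1.2 is available"
else
  echo "OpenSSL $ver: too old for this setup"
fi
for line in "$WEAK_LINE" "$HARDENED_LINE"; do
  weak=$(weak_protocols "$line")
  [ -n "$weak" ] && echo "obsolete protocols enabled ($weak) in: $line" || echo "OK: $line"
done
```

On a real host, replace SAMPLE_NGINX_V with `$(nginx -V 2>&1)` and feed the ssl_protocols line from the server block you configured.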
5. Install nmap and test TLS
# yum install nmap
# nmap --script ssl-enum-ciphers -p 443 XXXXXX.com
6. Check TLS in Firefox