When nginx is configured with a passphrase-protected SSL certificate key, every configtest/-t/reload/start/stop/restart prompts for the SSL key passphrase (the prompt reads "Enter PEM pass phrase"); if there are several SSL keys, the passphrase has to be entered once per key, which is very inconvenient. The approach commonly found online is to strip the passphrase from the key with openssl; here we use a different configuration approach instead: ssl_password_file file;

ssl_password_file: specifies the path of a file holding the key passphrases, one passphrase per line; with it, nginx no longer prompts for a passphrase during service control operations and syntax checks. Placed in the http block of the configuration file it acts as a global password setting, which suits the case where all keys share one passphrase; placed in a server block it sets the passphrase for that server only, which suits the case where the passphrases differ.

Reference

Configuration reference

Only the server-block example is shown.

    server {
        listen 443;
        server_name server1.test.com;
        # legacy form; newer nginx releases use "listen 443 ssl;" instead
        ssl on;
        ssl_certificate /etc/nginx/ssl/server1.crt;
        # passphrase-protected key, unlocked with the password file below
        ssl_certificate_key /etc/nginx/ssl/server1.key;
        # one passphrase per line; per-server setting because the keys differ
        ssl_password_file /etc/nginx/ssl/server1.pw;
        access_log /var/log/nginx/server1_access.log;
        error_log /var/log/nginx/server1_error.log;
        index index.html;
        proxy_set_header X-Forwarded-Port 443;

        location / {
            proxy_set_header X-Forwarded-Host $host;
            proxy_set_header X-Forwarded-Server $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header Host $http_host;
            proxy_read_timeout 5m;
            proxy_send_timeout 5m;
            root /opt/html/server1;
        }
    }

    server {
        listen 443;
        server_name server2.test.com;
        ssl on;
        ssl_certificate /etc/nginx/ssl/server2.crt;
        ssl_certificate_key /etc/nginx/ssl/server2.key;
        # separate password file holding the passphrase of server2.key
        ssl_password_file /etc/nginx/ssl/server2.pw;
        access_log /var/log/nginx/server2_access.log;
        error_log /var/log/nginx/server2_error.log;
        index index.html;
        proxy_set_header X-Forwarded-Port 443;

        location / {
            proxy_set_header X-Forwarded-Host $host;
            proxy_set_header X-Forwarded-Server $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header Host $http_host;
            proxy_read_timeout 5m;
            proxy_send_timeout 5m;
            root /opt/html/server2;
        }
    }

Note: the file named in ssl_password_file must exist, otherwise nginx reports an error; if the key has no passphrase but ssl_password_file is configured anyway, nginx and access to that domain are unaffected, because nginx simply ignores the contents of the password file.
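The following shell helpers are an added example, not code from the original post: they create a passphrase-protected key together with its ssl_password_file, check that the password file is present and not readable by other users (it holds the passphrase in clear text, and nginx reads it as the master process user), and confirm that the file unlocks the key with no terminal prompt, which is the check worth running before a reload. All paths and the passphrase are supplied by the caller and are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original post. Helpers to create a
# passphrase-protected key plus its nginx ssl_password_file, and to
# confirm the file unlocks the key without any TTY prompt. Paths are
# passed in by the caller; none are real deployment paths.
set -e

# check_pw_file FILE
# nginx only requires that the file exist; because it stores the key
# passphrase in clear text we also require it to be non-empty and
# unreadable by group and others (the nginx master process, normally
# root, is the one reading it, so 0600 suffices). Returns 0 when OK.
check_pw_file() {
  f=$1
  [ -f "$f" ] || { echo "ssl_password_file missing: $f" >&2; return 1; }
  [ -s "$f" ] || { echo "ssl_password_file empty: $f" >&2; return 1; }
  # group/other permission bits from ls -l (columns 5-10); portable
  # across GNU and BSD, whose stat(1) flags differ
  perms=$(ls -l "$f" | cut -c5-10)
  [ "$perms" = "------" ] ||
    { echo "ssl_password_file readable by others ($perms): $f" >&2; return 1; }
}

# make_encrypted_key KEY PWFILE PASSPHRASE
# Writes PASSPHRASE as the single line of PWFILE (mode 0600) and
# generates a constructed RSA-2048 key encrypted with it: the same
# "Enter PEM pass phrase" situation the post describes.
make_encrypted_key() {
  (
    umask 077
    printf '%s\n' "$3" > "$2"
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
      -aes-256-cbc -pass "file:$2" -out "$1" 2>/dev/null
  )
}

# verify_key_with_pwfile KEY PWFILE
# Mirrors the startup check: decrypt KEY using PWFILE with no terminal
# interaction. openssl reads only the first line of the file, whereas
# nginx tries every line in turn, so with several passphrases run this
# once per line. Returns 0 only if the passphrase unlocks the key.
verify_key_with_pwfile() {
  check_pw_file "$2" &&
    openssl pkey -in "$1" -passin "file:$2" -noout 2>/dev/null
}
```

Run `verify_key_with_pwfile /path/to/server1.key /path/to/server1.pw` for each server block before `nginx -t`; a non-zero exit means the reload would have prompted or failed.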