HTTPS

2019-10-16  吃可爱长大鸭

HTTPS introduction

HTTPS port: 443

Purpose:

Encrypts the data exchanged between the user's browser and the website, and lets the browser authenticate the site through the certificate the server presents (plain HTTP gives neither).

Common certificate authorities (CAs):

DigiCert
GlobalSign
GeoTrust

Where to buy:

The major cloud vendors (they resell certificates issued by the CAs above)

Certificate types (by how much the CA verifies before issuing):

OV    organization validation: the CA also verifies the company behind the domain
EV    extended validation: the strictest organization checks
DV    domain validation: the CA only checks that you control the domain
Free  free certificates are DV certificates

All of them give the same TLS encryption; the difference is the identity checking the CA performs, not the strength of the connection.

Domain types:

Single-domain certificate   www.mysun.com
Multi-domain certificate    several explicitly listed names in one certificate (a SAN certificate)
Wildcard certificate        *.mysun.com

A wildcard stands for exactly one DNS label, so:

*.mysun.com covers
www.mysun.com
bbs.mysun.com
but not the bare mysun.com, and not m.www.mysun.com (two labels deep)

*.www.mysun.com covers
m.www.mysun.com

Choosing which certificates to buy at work:

1. First collect all the domain names.
2. Filter the list and work out how many wildcard scopes they fall into, for example
   *.www.mysun.com
   *.mysun.com

   Stripping the first label of every hostname and counting what is left gives one line per scope:

[root@lb01 ~]# sed -nr 's#^[a-zA-Z0-9-]+\.(.*)$#\1#p' name.txt | sort | uniq -c | sort -n
      2 www.mysun.com
      3 mysun.com
3. Ask the developers or your lead whether every scope really needs a certificate (the bare mysun.com is not covered by *.mysun.com and needs its own entry if it is served).
4. If you are not sure, open a ticket and ask.
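The one-label wildcard rule and the "group hostnames by scope" step of point 2, as an added example in POSIX shell (not code from the original post). It assumes the post's example domain mysun.com, and the hostname inventory inside it is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original post: the one-label wildcard rule and
# the "group hostnames by wildcard scope" step.  Assumes the post's example
# domain mysun.com; the hostnames in HOSTS are made up for the demonstration.

# wildcard_covers <pattern> <hostname>: 0 if a certificate for <pattern>
# covers <hostname>.  A wildcard stands for exactly one DNS label, so
# *.mysun.com covers www.mysun.com but neither mysun.com nor m.www.mysun.com.
wildcard_covers() {
    pattern=$1
    host=$2
    case $pattern in
        '*.'*)
            suffix=${pattern#\*.}
            first=${host%%.*}          # leftmost label of the host
            rest=${host#*.}            # everything after the first dot
            [ -n "$first" ] && [ "$first" != "$host" ] && [ "$rest" = "$suffix" ]
            ;;
        *)
            [ "$pattern" = "$host" ]   # a plain certificate matches one exact name
            ;;
    esac
}

# wildcard_scope <hostname>: the wildcard pattern that would cover it.
# Assumes a two-label registrable domain such as mysun.com: three or more
# labels drop the first one, a bare domain is its own scope.
wildcard_scope() {
    case $1 in
        *.*.*) printf '*.%s\n' "${1#*.}" ;;
        *)     printf '%s\n' "$1" ;;
    esac
}

# group_by_scope: hostnames on stdin, "count scope" lines on stdout,
# the same listing the sed | sort | uniq -c pipeline above produces.
group_by_scope() {
    while IFS= read -r h; do
        [ -n "$h" ] && wildcard_scope "$h"
    done | sort | uniq -c | sort -rn
}

# constructed inventory, as collected in step 1
HOSTS='www.mysun.com
bbs.mysun.com
blog.mysun.com
m.www.mysun.com
api.www.mysun.com'

printf '%s\n' "$HOSTS" | group_by_scope
for h in www.mysun.com mysun.com m.www.mysun.com; do
    if wildcard_covers '*.mysun.com' "$h"; then
        echo "*.mysun.com covers $h"
    else
        echo "*.mysun.com does NOT cover $h (needs its own certificate or scope)"
    fi
done
```

group_by_scope prints 3 for *.mysun.com and 2 for *.www.mysun.com on the list above; wildcard_covers is the check to apply to each scope before deciding whether one *.mysun.com certificate is enough or whether mysun.com and *.www.mysun.com need entries of their own.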

Watch the certificate expiry date:

A commercial certificate could be bought for at most 2 years at the time of writing; since September 2020 browsers reject publicly trusted certificates valid for longer than 398 days (about 13 months), so the window is now shorter.
"Renewal" does not extend the existing certificate: a new one is issued and has to be deployed to every server before the old one expires, so record the expiry date and start the replacement well ahead of it.

Simple nginx HTTPS configuration

1. Check that nginx was built with the SSL module

nginx -V 2>&1 | grep -o with-http_ssl_module

The configure arguments must contain --with-http_ssl_module; without it the "listen 443 ssl" directive below is rejected at nginx -t.

2. Create the certificate directory and generate a self-signed certificate

mkdir /etc/nginx/ssl_key
cd /etc/nginx/ssl_key
# One command creates an unencrypted 2048-bit RSA key (-nodes) and a
# self-signed certificate.  The values typed at the interactive prompts
# (C=CN, ST=SH, L=SH, O=mysun, OU=SA, CN, email) are passed with -subj so the
# command runs unattended.  CN and subjectAltName must be the hostname nginx
# will serve: browsers ignore CN and require the SAN (-addext needs
# OpenSSL 1.1.1 or newer).
openssl req -days 36500 -x509 -sha256 -nodes -newkey rsa:2048 \
    -keyout server.key -out server.crt \
    -subj "/C=CN/ST=SH/L=SH/O=mysun/OU=SA/CN=ssl.oldboy.com/emailAddress=mysun@qq.com" \
    -addext "subjectAltName=DNS:ssl.oldboy.com"

A separate "openssl genrsa -idea -out server.key 2048" step is not needed: -newkey generates a fresh key and overwrites server.key anyway, and the -idea flag would passphrase-protect the key, which nginx cannot load at boot without someone typing the passphrase. A 100-year self-signed certificate is fine for this lab; browsers will still warn because no trusted CA signed it, and a real site uses a CA-issued certificate as described above.
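An added example (not from the original post) that ties the generation step above to the expiry note in the section on certificate lifetimes: it generates a lab self-signed certificate with a subjectAltName, then runs the two checks worth scripting before a certificate is dropped into /etc/nginx/ssl_key, that the SAN lists the nginx server_name and that enough validity is left. It assumes OpenSSL 1.1.1 or newer, the hostname ssl.oldboy.com from the post, and writes to a temporary directory; the SAN check matches exact names only and does not expand wildcards.

```shell
#!/bin/sh
# Added example, not from the original post.  Generates a lab self-signed
# certificate with a SAN and checks it the way a deploy script should.
# Assumptions: OpenSSL 1.1.1+ (-addext), hostname ssl.oldboy.com from the
# post, files written to a temporary directory instead of /etc/nginx/ssl_key.

WORKDIR=$(mktemp -d)
SITE=ssl.oldboy.com

# gen_lab_cert <key> <crt> <hostname> <days>
# One self-signed certificate whose CN and subjectAltName are <hostname>.
gen_lab_cert() {
    openssl req -x509 -sha256 -nodes -newkey rsa:2048 -days "$4" \
        -keyout "$1" -out "$2" \
        -subj "/C=CN/ST=SH/L=SH/O=mysun/OU=SA/CN=$3" \
        -addext "subjectAltName=DNS:$3" 2>/dev/null
}

# cert_san_names <crt>: print the DNS entries of the SAN, one per line.
cert_san_names() {
    openssl x509 -in "$1" -noout -text \
        | sed -n '/Subject Alternative Name/{n;p;}' \
        | tr ',' '\n' \
        | sed -n 's/^[[:space:]]*DNS://p'
}

# cert_covers_name <crt> <hostname>: 0 if the SAN lists <hostname> exactly
# (the name used in nginx's server_name); wildcards are not expanded here.
cert_covers_name() {
    cert_san_names "$1" | grep -Fxq "$2"
}

# cert_valid_for_days <crt> <days>: 0 if the certificate is still valid
# <days> from now, 1 if it expires before then (openssl x509 -checkend).
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

gen_lab_cert "$WORKDIR/server.key" "$WORKDIR/server.crt" "$SITE" 365
openssl x509 -in "$WORKDIR/server.crt" -noout -subject -enddate
printf 'SAN: %s\n' "$(cert_san_names "$WORKDIR/server.crt")"
cert_covers_name "$WORKDIR/server.crt" "$SITE" && echo "SAN matches $SITE"
cert_valid_for_days "$WORKDIR/server.crt" 30 && echo "still valid in 30 days: safe to deploy"
cert_valid_for_days "$WORKDIR/server.crt" 400 || echo "expires within 400 days: plan the replacement"
```

Run the same cert_covers_name and cert_valid_for_days checks against a purchased certificate before copying it to the servers; a name that is not in the SAN or a certificate inside its last 30 days should stop the deployment.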

3. Create the nginx configuration file

[root@web01 /etc/nginx/conf.d]# cat ssl.conf 
server {
    listen 443 ssl;
    server_name ssl.oldboy.com;
    # relative paths resolve against the nginx prefix, i.e. /etc/nginx/ssl_key/
    ssl_certificate ssl_key/server.crt;
    ssl_certificate_key ssl_key/server.key;
    location / {
        root /code;
        index index.html;
    }
}
nginx -t 
systemctl restart nginx 

This block relies on nginx's default ssl_protocols and ssl_ciphers; on a production host set ssl_protocols TLSv1.2 TLSv1.3 explicitly so that TLS 1.0/1.1 clients are not accepted.

4. Write a test page

echo "web01 SSL" > /code/index.html

Chapter 2: Forcing HTTP to redirect to HTTPS

1. Configure nginx

The port-80 server only answers with a redirect to the same path on https://; all content is served by the 443 server.

[root@web01 /etc/nginx/conf.d]# cat ssl.conf 
server {
    listen 80;
    server_name ssl.oldboy.com;
    # "redirect" sends a 302; change it to "permanent" (301) once HTTPS is confirmed working
    rewrite ^(.*) https://$server_name$1 redirect;
}

server {
    listen 443 ssl;
    server_name ssl.oldboy.com;
    ssl_certificate ssl_key/server.crt;
    ssl_certificate_key ssl_key/server.key;
    location / {
        root /code;
        index index.html;
    }
}

Chapter 3: HTTPS on an nginx cluster

1. Copy the certificate that was already created to the other web servers

cd /etc/nginx/ 
# -p keeps the file modes: server.key is a secret and must stay readable by root only
scp -rp ssl_key 10.0.0.8:/etc/nginx/
scp -r conf.d/ssl.conf 10.0.0.8:/etc/nginx/conf.d/
echo "$(hostname) SSL" > /code/index.html

2. Copy the certificate to the lb server

cd /etc/nginx/ 
scp -rp ssl_key 10.0.0.5:/etc/nginx/
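Before copying ssl_key/ to the other web servers and the lb it is worth confirming that server.key really belongs to server.crt and that the key file is not readable by other users, and worth repeating both checks on each destination after the copy. An added example (not from the original post) that does both; it assumes OpenSSL and GNU stat as on the post's CentOS hosts, and generates a throw-away key and certificate in a temporary directory.

```shell
#!/bin/sh
# Added example, not from the original post: the two checks to run on
# ssl_key/ before (and after) copying it to the other web servers and the lb.
# Assumes OpenSSL and GNU stat (CentOS, as on the post's hosts); a throw-away
# key and certificate are generated in a temporary directory.

WORKDIR=$(mktemp -d)

# key_matches_cert <key> <crt>: 0 if the certificate carries the public half
# of this private key (compares the two SPKI PEM blocks).  nginx performs the
# same check when it loads the pair and refuses to start with
# "key values mismatch" when they do not belong together.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ "$k" = "$c" ]
}

# key_mode_ok <key>: 0 if neither group nor other has any permission bit,
# i.e. the private key is readable by its owner (root) only.
key_mode_ok() {
    mode=$(stat -c '%a' "$1")
    [ $(( 0$mode & 077 )) -eq 0 ]
}

# lab pair, standing in for /etc/nginx/ssl_key/server.{key,crt}
openssl req -x509 -sha256 -nodes -newkey rsa:2048 -days 365 \
    -subj '/CN=ssl.oldboy.com' \
    -keyout "$WORKDIR/server.key" -out "$WORKDIR/server.crt" 2>/dev/null
chmod 600 "$WORKDIR/server.key"
# an unrelated key, to show what a mismatch looks like
openssl genrsa -out "$WORKDIR/other.key" 2048 2>/dev/null

for key in server.key other.key; do
    if key_matches_cert "$WORKDIR/$key" "$WORKDIR/server.crt"; then
        echo "$key matches server.crt"
    else
        echo "$key does NOT match server.crt"
    fi
done
key_mode_ok "$WORKDIR/server.key" && echo "server.key mode $(stat -c '%a' "$WORKDIR/server.key"): owner only"
```

A mismatched pair is what nginx reports at startup as SSL_CTX_use_PrivateKey_file ... key values mismatch, usually after a certificate was replaced but the key on one host was not; the mode check catches a key copied with plain scp -r, which does not preserve the 0600 mode.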

3. Case 1: the lb server forces HTTP to HTTPS and talks HTTPS to the backends
lb server configuration:

[root@lb01 /etc/nginx/conf.d]# cat ssl.conf 
upstream ssl_pools {
   # the backends listen on 443 in this case; leaving off :443 is one of the errors listed at the end
   server 172.16.1.7:443;
   server 172.16.1.8:443;
}

server {
   listen 80;
   server_name  ssl.oldboy.com;
   rewrite ^(.*) https://$server_name$1 redirect;
}

server {
    listen 443 ssl;
    server_name ssl.oldboy.com;
    ssl_certificate ssl_key/server.crt;
    ssl_certificate_key ssl_key/server.key;
    location / {
      proxy_pass  https://ssl_pools;
      include proxy_params;
    }
}

nginx does not verify the backend's certificate by default (proxy_ssl_verify is off), so the lb-to-web hop is encrypted but the lb would accept any certificate from 172.16.1.7/8; turn on proxy_ssl_verify with proxy_ssl_trusted_certificate and proxy_ssl_name if that hop crosses a network you do not fully control.

web server configuration:

[root@web02 /etc/nginx/conf.d]# cat ssl.conf 
server {
    listen 443 ssl;
    server_name ssl.oldboy.com;
    ssl_certificate ssl_key/server.crt;
    ssl_certificate_key ssl_key/server.key;
    location / {
        root /code;
        index index.html;
    }
}

4. Case 2:
The lb server terminates HTTPS (does the encryption and decryption) and the backend web servers stay on port 80
1. lb server configuration

[root@lb01 ~]# cat /etc/nginx/conf.d/ssl.conf 
upstream ssl_pools {
   server 172.16.1.7;
   server 172.16.1.8;
}

server {
   listen 80;
   server_name  ssl.oldboy.com;
   rewrite ^(.*) https://$server_name$1 redirect;
}

server {
    listen 443 ssl;
    server_name ssl.oldboy.com;
    ssl_certificate ssl_key/server.crt;
    ssl_certificate_key ssl_key/server.key;
    location / {
      proxy_pass  http://ssl_pools;
      include proxy_params;
    }
}

2. web server configuration

[root@web01 /etc/nginx/conf.d]# cat ssl.conf 
server {
    listen 80;
    server_name ssl.oldboy.com;
    location / {
        root /code;
        index index.html;
    }
}

Because the web servers now speak plain HTTP, make sure port 80 on 172.16.1.7/8 is reachable only from the lb over the internal 172.16.1.0/24 network, and that proxy_params sets X-Forwarded-Proto $scheme so applications behind the lb can tell that the original request was HTTPS.

Chapter 4: WordPress behind HTTPS
lb server configuration
1. Configure nginx

[root@lb01 ~]# cat /etc/nginx/conf.d/ssl.conf 
upstream ssl_pools {
   server 172.16.1.7;
   server 172.16.1.8;
}

server {
   listen 80;
   server_name  blog.mysun.com;
   rewrite ^(.*) https://$server_name$1 redirect;
}

server {
    listen 443 ssl;
    server_name blog.mysun.com;
    ssl_certificate ssl_key/server.crt;
    ssl_certificate_key ssl_key/server.key;
    location / {
      proxy_pass  http://ssl_pools;
      include proxy_params;
    }
}

web server configuration:
both web servers need this

2. Tell PHP that the request was HTTPS

WordPress decides between http:// and https:// links from $_SERVER['HTTPS']. With TLS terminated on the lb, PHP only sees plain HTTP from 172.16.1.5 and would generate http:// links and redirect loops, so the fastcgi parameter HTTPS must be set to on. Put it in the site's own location block rather than appending it to the global /etc/nginx/fastcgi_params, otherwise every PHP site on the server claims to be HTTPS. Hard-coding it is correct only because the web servers are reached solely through the lb's 443 listener; if they were reachable directly on port 80, the application would wrongly treat those requests as encrypted too.

3. web server nginx configuration

[root@web01 ~]# cat /etc/nginx/conf.d/blog.conf 
server {
    listen 80;
    server_name blog.mysun.com;
    root /code/wordpress;
    index index.php index.html;

    location ~ \.php$ {
        root /code/wordpress;
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        # the lb terminated TLS; tell PHP/WordPress the client connection was HTTPS
        fastcgi_param HTTPS on;
        include fastcgi_params;
    }
}

4. Restart nginx

nginx -t 
systemctl restart nginx 

Troubleshooting summary:

1. Duplicate entries in the hosts file

2. Wrong address in the hosts file

3. The lb server's upstream pool was not given port 443 (case 1 needs server 172.16.1.7:443, not 172.16.1.7)

4. web02 had no server_name configured, so requests landed on web02's default page