HTTPS

2019-06-19  古巷挂青灯

Enabling HTTPS access for a website

Step 1: check that the environment meets the requirements

The nginx binary must be built with the SSL module; without it nginx cannot load a certificate at all. The module shows up in the configure arguments as:

--with-http_ssl_module

Check with `nginx -V`. Note that nginx writes this output to stderr, so `nginx -V | grep ssl` finds nothing; use `nginx -V 2>&1 | grep -o with-http_ssl_module`. The configure-arguments line below is cut off in several places; what matters is that `--with-http_ssl_module` appears in it:

```
[root@web01 ~]# nginx -V
nginx version: nginx/1.16.0
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-36) (GCC)
built with OpenSSL 1.0.2k-fips 26 Jan 2017
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib64/nginx/modules --coor-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --loclient-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --ust --with-file-aio --with-threads --with-http_addition_module --with-http_auth_request_module --with-http_dav_modutp_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-httlink_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module--with-mail_ssl_module --with-stream --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_prerepe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-swiwith-ld-opt='-Wl,-z,relro -Wl,-z,now -pie'
```

Two other lines of that output are worth reading. "TLS SNI support enabled" means one IP address can serve several HTTPS hostnames, each with its own certificate. The OpenSSL version decides which protocol versions nginx can offer: a build against OpenSSL 1.0.2 stops at TLS 1.2, and TLS 1.3 needs nginx linked against OpenSSL 1.1.1 or newer.

Step 2: create a directory for the SSL certificate

The directory sits under /etc/nginx (the nginx prefix), so the configuration can later refer to the files with a relative path.

```
[root@web01 ~]# mkdir -p /etc/nginx/ssl_key
[root@web01 ~]# cd /etc/nginx/ssl_key/
```

Step 3: use openssl to create an "unregistered" certificate that stands in for one issued by a recognized CA

Note: this method cannot be used in production. A certificate made this way is not recognized by any public CA, so every browser will warn about it; it is only for a lab or an internal test environment.

(Run the command below to generate a private key.)

```
[root@web01 ~]# openssl genrsa -idea -out server.key 2048
```

What the parts of the command mean:

- `genrsa`: generate an RSA private key
- `-idea`: encrypt the key file with the IDEA cipher; you are prompted for the pass phrase that protects it
- `-out server.key`: the file the key is written to
- `2048`: the key length in bits (not the length of a password); 2048 is the minimum you should use today

The session looks like this:

```
[root@web01 /etc/nginx/ssl_key]# openssl genrsa -idea -out server.key 2048
Generating RSA private key, 2048 bit long modulus
................+++
............................+++
e is 65537 (0x10001)
Enter pass phrase for server.key:             (set a pass phrase; it protects the private key file, not a certificate)
Verifying - Enter pass phrase for server.key: (type it again)
```

Then list the current directory to confirm the key was written:

```
[root@web01 /etc/nginx/ssl_key]# ll
total 4
-rw-r--r-- 1 root root 1747 Jun 19 15:53 server.key
```

Look at the mode: the key was created with the default umask and is world-readable (0644). A private key should be readable by root only (`chmod 600 server.key`); nginx's master process reads it as root at startup, so the workers never need access. Also note that nginx cannot load a pass-phrase-protected key at startup unless `ssl_password_file` is configured, which is why the next step regenerates the key without a pass phrase, overwriting this file.

Step 4: generate a self-signed certificate and, at the same time, drop the pass phrase from the private key

```
[root@web01 ~]# openssl req -days 36500 -x509 -sha256 -nodes -newkey rsa:2048 -keyout server.key -out server.crt
```

Parameters:

- `req`: the certificate request tool; together with `-x509` it writes a self-signed certificate instead of a certificate signing request
- `-days 36500`: validity period in days. 36500 is about a hundred years, which is fine in a lab but not anywhere else: public CAs issue at most 398 days today, and some clients reject certificates with very long validity periods, so 825 days or less is the safe choice
- `-x509`: output a self-signed X.509 certificate rather than a CSR
- `-sha256`: the hash used for the certificate signature (not an "encryption algorithm" for the public key); SHA-1-signed certificates are rejected by browsers
- `-nodes`: "no DES", i.e. do not encrypt the new private key, so nginx can load it without a pass phrase
- `-newkey rsa:2048`: generate a new 2048-bit RSA key as part of this command
- `-keyout server.key`: where to write the new key; this overwrites the key from step 3 (see the changed file size in the listing below)
- `-out server.crt`: where to write the certificate, which is self-signed with the key just generated and therefore vouched for by nobody

The execution, explained:

```
[root@web01 /etc/nginx/ssl_key]# openssl req -days 36500 -x509 -sha256 -nodes -newkey rsa:2048 -keyout server.key -out server.crt
Generating a 2048 bit RSA private key
..............................................................................................................+++
...............................+++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]: cn                                   (country code; conventionally upper case, CN)
State or Province Name (full name) []:bj                                (province)
Locality Name (eg, city) [Default City]:bj                              (city)
Organization Name (eg, company) [Default Company Ltd]:oldboy            (company)
Organizational Unit Name (eg, section) []:it                            (department using the certificate)
Common Name (eg, your name or your server's hostname) []:oldboy         (which host the certificate is for)
Email Address []:333@qq.com                                             (email address)
```

Two things to know about those answers before using the same procedure for a real host. The Common Name should be the hostname clients connect to (www.oldboy.com, not oldboy). And modern browsers do not look at the CN at all: Chrome has ignored it since version 58 and requires the hostname in a subjectAltName extension, which `openssl req` only adds when given an extension config (OpenSSL 1.1.1 and later also accept `-addext "subjectAltName=DNS:www.oldboy.com"` on the command line). Without it the browser reports a name mismatch on top of the untrusted-issuer warning.

The private key and certificate are generated; check:

```
[root@web01 /etc/nginx/ssl_key]# ll
total 8
-rw-r--r-- 1 root root 1350 Jun 19 16:16 server.crt
-rw-r--r-- 1 root root 1708 Jun 19 16:16 server.key
```

server.key is now 1708 bytes instead of 1747: it is the new, unencrypted key, and the pass-phrase-protected key from step 3 is gone. It is again world-readable, so tighten it with `chmod 600 server.key` before going further; server.crt is public and can stay 0644.
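Steps 1 to 4 as one script, added here as an example and not taken from the original post: it checks the `nginx -V` output for the SSL module, generates the key and certificate in one go the way a practitioner would today (a subjectAltName for the hostname, 825-day validity, key file created mode 0600), and then verifies that key and certificate belong together, that the certificate is valid for the hostname, and that it only verifies when it is explicitly pinned. The target directory, the hostname www.oldboy.com, the DN values and the function names are assumptions for the example; it needs OpenSSL 1.0.2 or newer on PATH.

```sh
#!/bin/sh
# Added example: prepare and verify a self-signed server certificate for nginx.
# Assumed: OpenSSL >= 1.0.2 on PATH; hostname, paths and DN values are placeholders.

# Step 1. Return 0 when the given `nginx -V` output lists the SSL module.
# nginx -V prints to stderr, so call it as: nginx_has_ssl_module "$(nginx -V 2>&1)"
nginx_has_ssl_module() {
    printf '%s\n' "$1" | grep -q -- '--with-http_ssl_module'
}

# Steps 2-4. Create $1/server.key and $1/server.crt for hostname $2, valid $3 days.
# A small req config is used instead of -addext so the certificate carries a
# subjectAltName even on OpenSSL 1.0.2, which is what the post's server runs.
gen_selfsigned() {
    dir=$1; host=$2; days=${3:-825}
    mkdir -p "$dir" || return 1
    cat > "$dir/openssl.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_server
[dn]
C  = CN
O  = oldboy
CN = $host
[v3_server]
subjectAltName = DNS:$host
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
    # umask 077 in a subshell: the key file is never world-readable, not even briefly.
    ( umask 077 && openssl req -x509 -sha256 -nodes -days "$days" \
        -newkey rsa:2048 -keyout "$dir/server.key" -out "$dir/server.crt" \
        -config "$dir/openssl.cnf" >/dev/null 2>&1 ) || return 1
    chmod 644 "$dir/server.crt"   # the certificate is public; only the key is secret
}

# Return 0 when server.key and server.crt in $1 share the same RSA modulus,
# i.e. the key really is the one the certificate was made for.
key_matches_cert() {
    k=$(openssl rsa  -noout -modulus -in "$1/server.key" 2>/dev/null)
    c=$(openssl x509 -noout -modulus -in "$1/server.crt" 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Return 0 when the certificate in $1 is valid for hostname $2 (SAN/CN check,
# the same check a browser performs).
cert_valid_for_host() {
    openssl x509 -noout -in "$1/server.crt" -checkhost "$2" 2>/dev/null | grep -q 'does match'
}

# Return 0 when the private key is readable by its owner only (mode 0600).
key_perms_ok() {
    [ "$(ls -l "$1/server.key" | cut -c5-10)" = "------" ]
}

# A self-signed certificate fails ordinary verification (no CA vouches for it)
# but can be pinned by passing it as its own CAfile. That is how a test client,
# or nginx's proxy_ssl_trusted_certificate on an upstream hop, should trust it.
pinned_verify() {
    openssl verify -CAfile "$1/server.crt" "$1/server.crt" >/dev/null 2>&1
}

# Usage, run as root on the web server:
#   nginx_has_ssl_module "$(nginx -V 2>&1)" || { echo "nginx lacks the ssl module"; exit 1; }
#   gen_selfsigned /etc/nginx/ssl_key www.oldboy.com 825
#   key_matches_cert /etc/nginx/ssl_key && cert_valid_for_host /etc/nginx/ssl_key www.oldboy.com
```

`openssl verify server.crt` without `-CAfile` fails with "self signed certificate" (error 18); that failure is exactly what every browser sees, and pinning is the only way a client should ever accept this certificate.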

Step 5: once the certificate is ready, make nginx load it

The directives involved:

1. Switch the certificate function on or off

Syntax:  ssl on | off;
Default: ssl off;
Context: http, server

This directive has been deprecated since nginx 1.15.0; the supported form is the `ssl` parameter of `listen` (`listen 443 ssl;`). Version 1.16 still accepts `ssl on;` but logs a deprecation warning.

2. Path to the certificate file (.crt)

Syntax:  ssl_certificate file;
Default: -
Context: http, server

3. Path to the private key file (.key)

Syntax:  ssl_certificate_key file;
Default: -
Context: http, server

Relative paths are resolved from the nginx prefix, /etc/nginx on this build, which is why `ssl_key/server.crt` works. The master process reads the key as root when the configuration is loaded, so the key file can and should be mode 0600.

Then, in the server block, add the certificate and key directives and change the listening port to 443 with the `ssl` parameter. After that, https://www.oldboy.com/ works in the browser (with a warning, since the certificate is self-signed).

```
listen 443 ssl;
ssl_certificate ssl_key/server.crt;
ssl_certificate_key ssl_key/server.key;
```

This is the file I tested with on web01:

```
[root@web01 /etc/nginx/conf.d]# vim www.conf
server {
    listen 443 ssl;                 # the 'ssl' parameter replaces the deprecated 'ssl on;'
    server_name www.oldboy.com;
    ssl_certificate     ssl_key/server.crt;   # relative to the prefix, /etc/nginx
    ssl_certificate_key ssl_key/server.key;
    access_log /var/log/nginx/access_www.log main;
    root /usr/share/nginx/html/www;

    location / {
        index index.php index.html index.htm;
    }

    location ~* \.(php|php5)$ {
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}
```

During testing, however, a request without https:// in the URL is not redirected automatically: nothing listens on port 80 for this name any more.

Step 6: redirect HTTP to HTTPS

A second server block on port 80 answers every request for the name with a redirect to the same path on https://:

```
server {
    listen 80;
    server_name www.oldboy.com;
    #rewrite ^/(.*) https://www.oldboy.com/$1 redirect;
    return 302 https://$server_name$request_uri;
}
```

`$request_uri` carries the original path and query string, so the client lands on the same page over HTTPS. `$server_name` expands to the first name in the `server_name` directive; if the block serves more than one name, `$host` would preserve whatever name the client asked for. `return 302` is convenient while testing because browsers do not cache it; once the HTTPS site is confirmed working, change it to 301 (permanent) and consider adding a Strict-Transport-Security header on the HTTPS server so browsers stop making the first plain-HTTP request at all.

The final configuration file:

```
[root@web01 /etc/nginx/conf.d]# vim www.conf
server {
    listen 80;
    server_name www.oldboy.com;
    #rewrite ^/(.*) https://www.oldboy.com/$1 redirect;
    return 302 https://$server_name$request_uri;
}

server {
    listen 443 ssl;
    server_name www.oldboy.com;
    ssl_certificate     ssl_key/server.crt;
    ssl_certificate_key ssl_key/server.key;
    access_log /var/log/nginx/access_www.log main;
    root /usr/share/nginx/html/www;

    location / {
        index index.php index.html index.htm;
    }

    location ~* \.(php|php5)$ {
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}
```

This completes the single-host HTTPS setup and test.
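A client-side check of what steps 5 and 6 set up, added here as an example (it is not part of the original post): it verifies that the plain-HTTP listener redirects to the same path and query string on https://, checks for a Strict-Transport-Security header if you add one, and reads the negotiated protocol and the verification result out of `openssl s_client` output, pinning the self-signed certificate with -CAfile and checking the hostname the way a browser would. The post's certificate, which has only CN=oldboy and no subjectAltName, fails that hostname check. The hostname www.oldboy.com, the sample header and s_client text, and the function names are assumptions; the live part needs curl and openssl on the client.

```sh
#!/bin/sh
# Added example: client-side checks for the HTTP->HTTPS redirect and the TLS endpoint.
# Assumed hostname www.oldboy.com; curl and openssl (>= 1.0.2) on the client.

# Return 0 when the raw response headers in $1 (what `curl -sI` prints) are a
# 30x redirect whose Location is exactly the URL in $2. Comparing the full URL
# catches a redirect that drops the path or the query string.
redirect_ok() {
    hdr=$(printf '%s\n' "$1" | tr -d '\r')
    status=$(printf '%s\n' "$hdr" | sed -n '1s/^HTTP\/[0-9.]* \([0-9]*\).*/\1/p')
    location=$(printf '%s\n' "$hdr" | awk 'tolower($1)=="location:" {print $2; exit}')
    case "$status" in 301|302|307|308) ;; *) return 1 ;; esac
    [ "$location" = "$2" ]
}

# Return 0 when the headers in $1 carry Strict-Transport-Security with a
# max-age of at least $2 seconds (default: six months).
hsts_ok() {
    age=$(printf '%s\n' "$1" | tr -d '\r' | grep -i '^strict-transport-security:' \
          | head -n 1 | sed 's/.*max-age=\([0-9]*\).*/\1/')
    [ -n "$age" ] && [ "$age" -ge "${2:-15768000}" ]
}

# Pull the negotiated protocol version out of `openssl s_client` output in $1.
tls_protocol() {
    printf '%s\n' "$1" | awk '$1=="Protocol" {print $3; exit}'
}

# Pull the numeric "Verify return code" out of `openssl s_client` output in $1.
# 0 means the certificate verified; 18 is "self signed certificate", which is
# what the post's certificate produces unless the client pins it with -CAfile.
tls_verify_code() {
    printf '%s\n' "$1" | awk '$1=="Verify" && $3=="code:" {print $4; exit}'
}

# Live checks against a deployed server: $1 host, $2 path, $3 certificate file to pin.
live_check() {
    host=$1; path=${2:-/}; pin=$3
    hdr=$(curl -sI --max-time 5 "http://$host$path") || return 1
    redirect_ok "$hdr" "https://$host$path" || { echo "http://$host$path does not redirect to https"; return 1; }
    # Pin the self-signed certificate (if given) and check the name, as a browser would.
    set --
    [ -n "$pin" ] && set -- -CAfile "$pin"
    out=$(openssl s_client -connect "$host:443" -servername "$host" \
            -verify_hostname "$host" "$@" </dev/null 2>/dev/null)
    echo "protocol $(tls_protocol "$out"), verify return code $(tls_verify_code "$out")"
    [ "$(tls_verify_code "$out")" = "0" ]
}

# Usage from a client machine:
#   live_check www.oldboy.com /index.php /etc/nginx/ssl_key/server.crt
```

Against the post's certificate, `live_check` reports verify return code 62 (hostname mismatch) even when pinned, because the name in the certificate is "oldboy" rather than www.oldboy.com; a certificate generated with the hostname in its subjectAltName reports 0.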

HTTPS for a website served by several nginx servers

Put the private key and certificate on the load balancer

First the main configuration file, as follows:

```
[root@lb01 ~]# cat /etc/nginx/nginx.conf
user nginx;
worker_processes 1;
error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;

events {
    worker_connections 1024;
}

http {
    include /etc/nginx/mime.types;
    default_type application/octet-stream;
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';
    access_log /var/log/nginx/access.log main;
    sendfile on;
    #tcp_nopush on;
    keepalive_timeout 65;
    #gzip on;

    upstream web_pools {
        # ip_hash;
        server 10.0.0.7:443 weight=2 max_fails=3 fail_timeout=10s;
        server 10.0.0.8:443 weight=1 max_fails=3 fail_timeout=10s;
    }

    #include /etc/nginx/conf.d/*.conf;

    server {
        listen 80;
        server_name www.oldboy.com;
        #rewrite ^/(.*) https://www.oldboy.com/$1 redirect;
        return 302 https://$server_name$request_uri;
    }

    server {
        listen 443 ssl;
        server_name www.oldboy.com;
        ssl_certificate     ssl_key/server.crt;
        ssl_certificate_key ssl_key/server.key;

        location / {
            proxy_pass https://web_pools;   # a second TLS hop to the backends, not verified by default
            include proxy_params;
        }
    }
}
```

Then copy web01's private key and certificate over to the load balancer, into the same path they have on web01, since the configuration above refers to ssl_key/ relative to /etc/nginx:

```
[root@lb01 ~]# scp -rp 172.16.1.7:/etc/nginx/ssl_key /etc/nginx/
```

(Copying into `./` from the home directory, as is easy to do, lands the files in /root/ssl_key, where nginx will not find them.)

Two points about this layout. Every host a private key is copied to is one more place it can leak from; in this layout the load balancer terminates TLS, so it is the only host that truly needs the key. And `proxy_pass https://` encrypts the hop to the backends but does not authenticate them: nginx leaves `proxy_ssl_verify` off by default, so a spoofed backend would be accepted. If you keep TLS on the backend hop, set `proxy_ssl_verify on;`, point `proxy_ssl_trusted_certificate` at the backends' (self-signed) certificate to pin it, and set `proxy_ssl_server_name on;` so SNI is sent.

The following is an optional tuning set. It is what the `include proxy_params;` line above pulls in, so save it as /etc/nginx/proxy_params:

```
[root@lb01 ~]# cat hh.txt
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_connect_timeout 30;
proxy_send_timeout 60;
proxy_read_timeout 60;
proxy_buffer_size 32k;
proxy_buffering on;
proxy_buffers 4 128k;
proxy_busy_buffers_size 256k;
proxy_max_temp_file_size 256k;
```

The first two lines are not just tuning. `Host $host` passes the client's hostname through so the backend's `server_name` matches, and `X-Forwarded-For $remote_addr` tells the backend the real client address. Setting it to `$remote_addr` (rather than appending with `$proxy_add_x_forwarded_for`) discards any X-Forwarded-For value the client sent, which is the right choice when the load balancer is the edge: clients cannot inject a fake address into the backend's logs.

On the web servers, comment out the HTTP-to-HTTPS redirect. Requests from the load balancer reach them as ordinary HTTP, and a redirect there would send the client round in a loop.

Finally, tune the setup into the shape used in practice: TLS is terminated on the load balancer only, and the backends serve plain HTTP on the internal network.

The tuned lb01 configuration:

```
[root@lb01 ~]# cat /etc/nginx/nginx.conf
user  nginx;
worker_processes  1;

error_log  /var/log/nginx/error.log warn;
pid        /var/run/nginx.pid;


events {
    worker_connections  1024;
}


http {
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;

    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;

    sendfile        on;
    #tcp_nopush     on;

    keepalive_timeout  65;

    #gzip  on;

    upstream web_pools {
        # ip_hash;
        server   10.0.0.7:80   weight=2   max_fails=3  fail_timeout=10s;
        server   10.0.0.8:80   weight=1   max_fails=3  fail_timeout=10s;
    }

    #include /etc/nginx/conf.d/*.conf;

    server {
        listen       80;
        server_name  www.oldboy.com;
        #rewrite   ^/(.*)   https://www.oldboy.com/$1  redirect;
        return  302       https://$server_name$request_uri;
    }

    server {
        listen   443 ssl;
        server_name  www.oldboy.com;
        ssl_certificate        ssl_key/server.crt;
        ssl_certificate_key    ssl_key/server.key;

        location / {
            proxy_pass  http://web_pools;
            include proxy_params;
        }
    }
}
```

The hop from the load balancer to 10.0.0.7 and 10.0.0.8 is now plaintext. That is acceptable only if that network is trusted; in any case the backends should accept port 80 from the load balancer's address only (a host firewall rule is enough), because they now serve without TLS and take the `Host` and `X-Forwarded-For` headers on trust.

The tuned web configuration:

```
[root@web01 ~]# cat /etc/nginx/conf.d/www.conf
server {
    listen      80;
    server_name  www.oldboy.com;
    # ssl  on;
    #ssl_certificate        ssl_key/server.crt;
    #ssl_certificate_key    ssl_key/server.key;
    access_log  /var/log/nginx/access_www.log  main;
    root   /usr/share/nginx/html/www;

    location / {
        index  index.php index.html index.htm;
    }

    location ~* \.(php|php5)$ {
        fastcgi_pass   127.0.0.1:9000;
        fastcgi_index  index.php;
        fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
        include        fastcgi_params;
    }
}
```

Supplement:

01. When the backends have no HTTPS configured while the front end is HTTPS, pages served through the backends sometimes break: the application only sees plain HTTP, generates http:// links or redirects, and the browser then blocks them as mixed content or is bounced back through the HTTP-to-HTTPS redirect.
Fix: in the backend's PHP location add `fastcgi_param HTTPS on;`. PHP turns that into $_SERVER['HTTPS'], which is what most applications check to decide that they are being served over TLS. Hard-coding `on` is only correct while the backends are reachable exclusively through the load balancer's HTTPS listener; the cleaner variant is for the load balancer to send `proxy_set_header X-Forwarded-Proto $scheme;` and for the backend to derive the HTTPS parameter from that header.
