HTTPS
2019-06-19
古巷挂青灯
Enabling HTTPS for a website
Step 1: check that the environment supports it
The nginx binary must include the SSL module (if the configure flag below is present in the build options, nginx can serve HTTPS):
--with-http_ssl_module
Check:
[root@web01 ~]# nginx -V
nginx version: nginx/1.16.0
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-36) (GCC)
built with OpenSSL 1.0.2k-fips 26 Jan 2017
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib64/nginx/modules [...] --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid [...] --http-proxy-temp-path=/var/cache/nginx/proxy_temp [...] --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp [...] --with-file-aio --with-threads --with-http_addition_module --with-http_auth_request_module [...] --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module [...] --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-mail_ssl_module --with-stream --with-stream_realip_module --with-stream_ssl_module [...] -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 [...] --with-ld-opt='-Wl,-z,relro -Wl,-z,now -pie'
Step 2: create a directory for the TLS key and certificate
[root@web01 ~]# mkdir -p /etc/nginx/ssl_key
[root@web01 ~]# cd /etc/nginx/ssl_key/
Step 3: use openssl to create a self-signed ("unregistered") certificate in place of one issued by a public CA
Note: this is for lab use only. No CA has signed the certificate, so browsers will not trust it; a production site needs a certificate issued by a CA the clients trust.
First generate the private key:
openssl genrsa -idea -out server.key 2048
Here 2048 is the RSA key length in bits, not the length of a password. -idea encrypts the key file with the IDEA cipher under a passphrase, which nginx would then ask for on every start (or would need an ssl_password_file for); Step 4 below replaces this key with an unencrypted one anyway.
The parts of the command:
openssl genrsa   create an RSA private key
-idea            encrypt the key file with IDEA under a passphrase
-out server.key  write the key to this file
2048             key length in bits
[root@web01 /etc/nginx/ssl_key]# openssl genrsa -idea -out server.key 2048
Generating RSA private key, 2048 bit long modulus
................+++
............................+++
e is 65537 (0x10001)
Enter pass phrase for server.key: (choose a passphrase for the key)
Verifying - Enter pass phrase for server.key: (enter it again)
The key file now exists in the current directory:
[root@web01 /etc/nginx/ssl_key]# ll
total 4
-rw-r--r-- 1 root root 1747 Jun 19 15:53 server.key
Step 4: generate the self-signed certificate, with a new key that has no passphrase
[root@web01 /etc/nginx/ssl_key]# openssl req -days 36500 -x509 -sha256 -nodes -newkey rsa:2048 -keyout server.key -out server.crt
Note that -newkey creates a fresh 2048-bit key and -keyout overwrites the server.key from Step 3; because of -nodes the new key is stored unencrypted, which is what lets nginx start without prompting. 36500 days (100 years) is far longer than any client should be asked to accept; some clients reject server certificates with very long validity (Apple platforms, for example, cap it at 825 days), so use a shorter period even for test certificates.
Parameters:
req: create a certificate request (combined with -x509, a self-signed certificate instead)
-days: validity period in days
-x509: output a self-signed X.509 certificate rather than a CSR
-sha256: hash algorithm used for the certificate signature (browsers reject SHA-1 signatures)
-nodes: do not encrypt the private key ("no DES"), i.e. no passphrase
-newkey rsa:2048: generate a new 2048-bit RSA key pair
-keyout: file the new private key is written to
-out: file the certificate is written to (server.crt, trusted by nobody but yourself)
The walk-through:
[root@web01 /etc/nginx/ssl_key]# openssl req -days 36500 -x509 -sha256 -nodes -newkey rsa:2048 -keyout server.key -out server.crt
Generating a 2048 bit RSA private key
..............................................................................................................+++
...............................+++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]: cn (country code)
State or Province Name (full name) []:bj (province)
Locality Name (eg, city) [Default City]:bj (city)
Organization Name (eg, company) [Default Company Ltd]:oldboy (company)
Organizational Unit Name (eg, section) []:it (department that uses the certificate)
Common Name (eg, your name or your server's hostname) []:oldboy (the host the certificate is for; this should be the site's hostname, www.oldboy.com, and modern browsers additionally require the name in a subjectAltName extension, which this interactive command does not add)
Email Address []:333@qq.com (contact e-mail)
Check that the key and certificate were generated:
[root@web01 /etc/nginx/ssl_key]# ll
total 8
-rw-r--r-- 1 root root 1350 Jun 19 16:16 server.crt
-rw-r--r-- 1 root root 1708 Jun 19 16:16 server.key
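Here is how I would script the same certificate generation for a test host, as an added example rather than the post's own commands. It keeps the page's hostname www.oldboy.com and output directory but, unlike the interactive openssl req above, puts the hostname into a subjectAltName (browsers have ignored the CN for name matching since 2017), caps validity at 825 days, writes the key with mode 0600 and finally checks that the key matches the certificate and carries the expected name. The DN fields, the 825-day period, the openssl config file and the function names are this example's assumptions.

```shell
#!/bin/sh
# Added example: self-signed certificate for an nginx test host.
# Differences from the page's one-liner: the hostname goes into a
# subjectAltName, validity is capped, the key is created with mode 0600,
# and the key/certificate pair is verified before nginx ever sees it.
set -eu

# make_selfsigned <hostname> <outdir> [days]   (days defaults to 825)
make_selfsigned() {
    host=$1
    dir=$2
    days=${3:-825}
    mkdir -p "$dir"

    # Minimal openssl config; works on OpenSSL 1.0.2 as well as 1.1.1+
    # (the -addext shortcut exists only on 1.1.1 and newer).
    # DN values below are this example's choice.
    cat > "$dir/req.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions    = v3_server
prompt             = no
[dn]
C  = CN
O  = oldboy
CN = $host
[v3_server]
subjectAltName   = DNS:$host
keyUsage         = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
basicConstraints = critical, CA:FALSE
EOF

    # umask 077 in a subshell: the key is born 0600 without a race window.
    # -nodes: key stored unencrypted so nginx can start without a prompt.
    ( umask 077
      openssl req -x509 -sha256 -nodes -days "$days" \
          -newkey rsa:2048 -keyout "$dir/server.key" -out "$dir/server.crt" \
          -config "$dir/req.cnf" >/dev/null 2>&1 )
    chmod 600 "$dir/server.key"
    chmod 644 "$dir/server.crt"
    rm -f "$dir/req.cnf"
}

# verify_pair <dir> <hostname>: key must match cert, cert must be valid
# now, and the SAN must carry the hostname. Returns 0 on success.
verify_pair() {
    dir=$1
    host=$2
    cert_pub=$(openssl x509 -in "$dir/server.crt" -noout -pubkey)
    key_pub=$(openssl pkey -in "$dir/server.key" -pubout)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ] \
        || { echo "private key does not match server.crt" >&2; return 1; }
    openssl x509 -in "$dir/server.crt" -noout -checkend 0 >/dev/null \
        || { echo "server.crt has expired" >&2; return 1; }
    openssl x509 -in "$dir/server.crt" -noout -text | grep -q "DNS:$host" \
        || { echo "server.crt has no SAN for $host" >&2; return 1; }
    return 0
}

# Run directly, e.g.: sh make_cert.sh www.oldboy.com /etc/nginx/ssl_key
if [ $# -ge 2 ]; then
    make_selfsigned "$1" "$2" "${3:-825}"
    verify_pair "$2" "$1" && echo "key and certificate in $2 are consistent"
fi
```

The verify step is worth keeping around on its own: a mismatched key and certificate is the most common reason for nginx to refuse to start after a certificate renewal, and the message it gives ("key values mismatch") is less helpful than checking the public keys directly.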
Step 5: make nginx load the certificate
The directives involved:
1. Enable TLS on the server
Syntax: ssl on | off;
Default: ssl off;
Context: http, server
This directive has been deprecated since nginx 1.15.0 (and removed in later releases); nginx 1.16.0 still accepts it but logs a warning at startup. The replacement is the ssl parameter of listen, i.e. listen 443 ssl;.
2. Path of the certificate file
Syntax: ssl_certificate file;
Default: -
Context: http, server
3. Path of the private key file
Syntax: ssl_certificate_key file;
Default: -
Context: http, server
Then add the certificate directives to the server block, change the listen port to 443 with the ssl parameter, and open https://www.oldboy.com/ in a browser (expect a certificate warning, since the certificate is self-signed):
listen 443 ssl;
ssl_certificate ssl_key/server.crt;
ssl_certificate_key ssl_key/server.key;
Relative paths are resolved against the nginx prefix, /etc/nginx here, so ssl_key/server.crt means /etc/nginx/ssl_key/server.crt. Make sure the key file is readable only by root (chmod 600); the nginx master process reads it as root at startup, so the worker user never needs access.
The file I tested with on web01:
[root@web01 /etc/nginx/conf.d]# vim www.conf
server {
    listen 443 ssl;          # the ssl parameter replaces the deprecated "ssl on;"
    server_name www.oldboy.com;
    ssl_certificate ssl_key/server.crt;
    ssl_certificate_key ssl_key/server.key;
    access_log /var/log/nginx/access_www.log main;
    root /usr/share/nginx/html/www;
    location / {
        index index.php index.html index.htm;
    }
    location ~* \.(php|php5)$ {
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}
When testing, a plain http:// request is not redirected automatically; that needs a second server block.
Step 6: redirect HTTP to HTTPS
server {
    listen 80;
    server_name www.oldboy.com;
    #rewrite ^/(.*) https://www.oldboy.com/$1 redirect;
    return 302 https://$server_name$request_uri;
}
Building the target from $server_name rather than $host means a client cannot steer the redirect to another host through the Host header. 302 is a temporary redirect; once HTTPS is permanent, 301 is the usual choice.
The final configuration file:
[root@web01 /etc/nginx/conf.d]# vim www.conf
server {
    listen 80;
    server_name www.oldboy.com;
    #rewrite ^/(.*) https://www.oldboy.com/$1 redirect;
    return 302 https://$server_name$request_uri;
}
server {
    listen 443 ssl;          # the ssl parameter replaces the deprecated "ssl on;"
    server_name www.oldboy.com;
    ssl_certificate ssl_key/server.crt;
    ssl_certificate_key ssl_key/server.key;
    access_log /var/log/nginx/access_www.log main;
    root /usr/share/nginx/html/www;
    location / {
        index index.php index.html index.htm;
    }
    location ~* \.(php|php5)$ {
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}
That completes the single-server HTTPS setup and test.
HTTPS for a site served by several nginx backends
Configure the private key and certificate on the load balancer
First the main configuration file:
[root@lb01 ~]# cat /etc/nginx/nginx.conf
user nginx;
worker_processes 1;
error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;
events {
    worker_connections 1024;
}
http {
    include /etc/nginx/mime.types;
    default_type application/octet-stream;
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';
    access_log /var/log/nginx/access.log main;
    sendfile on;
    #tcp_nopush on;
    keepalive_timeout 65;
    #gzip on;
    upstream web_pools {
        # ip_hash;
        server 10.0.0.7:443 weight=2 max_fails=3 fail_timeout=10s;
        server 10.0.0.8:443 weight=1 max_fails=3 fail_timeout=10s;
    }
    #include /etc/nginx/conf.d/*.conf;
    server {
        listen 80;
        server_name www.oldboy.com;
        #rewrite ^/(.*) https://www.oldboy.com/$1 redirect;
        return 302 https://$server_name$request_uri;
    }
    server {
        listen 443 ssl;      # the ssl parameter replaces the deprecated "ssl on;"
        server_name www.oldboy.com;
        ssl_certificate ssl_key/server.crt;
        ssl_certificate_key ssl_key/server.key;
        location / {
            # Re-encrypts to the backends' HTTPS listeners. By default nginx does
            # not check the backend certificate at all; add proxy_ssl_verify on
            # with proxy_ssl_trusted_certificate if the backend must be authenticated.
            proxy_pass https://web_pools;
            include proxy_params;
        }
    }
}
Then pull web01's key and certificate over to the same path used on web01. Watch the prompt: run from /root as shown, the copy lands in /root/ssl_key, so either run it from /etc/nginx or give /etc/nginx/ as the destination.
[root@lb01 ~]# scp -rp 172.16.1.7:/etc/nginx/ssl_key ./
The lb01 configuration includes proxy_params, so that file is not optional: nginx -t fails with open() "/etc/nginx/proxy_params" failed if it is missing (a relative include is resolved against the prefix, /etc/nginx). The contents were kept in hh.txt first; save them as /etc/nginx/proxy_params:
[root@lb01 ~]# cat hh.txt
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_connect_timeout 30;
proxy_send_timeout 60;
proxy_read_timeout 60;
proxy_buffer_size 32k;
proxy_buffering on;
proxy_buffers 4 128k;
proxy_busy_buffers_size 256k;
proxy_max_temp_file_size 256k;
Setting X-Forwarded-For from $remote_addr (rather than $proxy_add_x_forwarded_for) discards any X-Forwarded-For the client sent, so the backends see the real peer address and cannot be fed a forged one; it is the right choice on the first proxy a request meets.
On the web servers, comment out the HTTP-to-HTTPS redirect. Once the balancer talks plain HTTP to port 80 on the backends, a redirect there would answer every proxied request with a 302 to https://www.oldboy.com/, which the balancer forwards to port 80 again, and the client loops.
Finally, reshape the setup into the form used in production: terminate TLS on the balancer and send plain HTTP to the backends. The private key then only needs to live on lb01, but the backend segment carries cleartext, so that network has to be trusted.
The lb01 configuration after the change:
[root@lb01 ~]# cat /etc/nginx/nginx.conf
user nginx;
worker_processes 1;
error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;
events {
    worker_connections 1024;
}
http {
    include /etc/nginx/mime.types;
    default_type application/octet-stream;
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';
    access_log /var/log/nginx/access.log main;
    sendfile on;
    #tcp_nopush on;
    keepalive_timeout 65;
    #gzip on;
    upstream web_pools {
        # ip_hash;
        server 10.0.0.7:80 weight=2 max_fails=3 fail_timeout=10s;
        server 10.0.0.8:80 weight=1 max_fails=3 fail_timeout=10s;
    }
    #include /etc/nginx/conf.d/*.conf;
    server {
        listen 80;
        server_name www.oldboy.com;
        #rewrite ^/(.*) https://www.oldboy.com/$1 redirect;
        return 302 https://$server_name$request_uri;
    }
    server {
        listen 443 ssl;      # the ssl parameter replaces the deprecated "ssl on;"
        server_name www.oldboy.com;
        ssl_certificate ssl_key/server.crt;
        ssl_certificate_key ssl_key/server.key;
        location / {
            proxy_pass http://web_pools;   # TLS ends here; backend traffic is plaintext on the internal network
            include proxy_params;
        }
    }
}
The web servers' configuration after the change:
[root@web01 ~]# cat /etc/nginx/conf.d/www.conf
server {
    listen 80;               # plain HTTP from the balancer only; TLS is handled on lb01
    server_name www.oldboy.com;
    # ssl on;
    #ssl_certificate ssl_key/server.crt;
    #ssl_certificate_key ssl_key/server.key;
    access_log /var/log/nginx/access_www.log main;
    root /usr/share/nginx/html/www;
    location / {
        index index.php index.html index.htm;
    }
    location ~* \.(php|php5)$ {
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}
Addendum:
01. When the backends do not speak HTTPS themselves but the front end does, pages served by the backends can break: the application believes the request arrived over plain HTTP, so it generates http:// links, redirects to http:// URLs or sets cookies without the Secure flag.
Fix: in the backend configuration add fastcgi_param HTTPS on; so that PHP sees $_SERVER['HTTPS'] set. This is correct in this layout because every request reaching the backends entered through the balancer's HTTPS listener; on a backend that also serves plain HTTP directly, derive the value from an X-Forwarded-Proto header sent by the balancer instead of hard-coding it.
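Putting the balancer and backend configuration from this section together, as an added example that is not the post's own files: a script that writes proxy_params and the two www.conf files into a directory you name. Relative to the listings on the page it uses listen 443 ssl instead of ssl on, a 301 redirect built from $server_name, TLS 1.2/1.3 only, an HSTS header, an X-Forwarded-Proto header so the backend sets HTTPS for PHP only when the client really used it, and no redirect on the backend so the balancer's plain-HTTP requests cannot loop. Addresses, hostnames and paths are the page's; the TLS settings, the HSTS header, the map and the function names are this example's additions.

```shell
#!/bin/sh
# Added example (not from the original post): write the TLS-terminating
# load-balancer files and the plain-HTTP backend file into <nginx_dir>.
# Hostnames, addresses and paths follow the page; the TLS protocol list,
# HSTS header, 301 redirect and X-Forwarded-Proto handling are additions.
set -eu

# write_lb_config <nginx_dir>: TLS terminates here, backends get plain HTTP.
write_lb_config() {
    mkdir -p "$1/conf.d"
    # X-Forwarded-For is set from $remote_addr on purpose: a client-supplied
    # header is discarded rather than appended to, so backends see the real
    # peer address and cannot be fed a forged one.
    cat > "$1/proxy_params" <<'EOF'
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_connect_timeout 30;
proxy_send_timeout 60;
proxy_read_timeout 60;
proxy_buffer_size 32k;
proxy_buffering on;
proxy_buffers 4 128k;
proxy_busy_buffers_size 256k;
proxy_max_temp_file_size 256k;
EOF
    cat > "$1/conf.d/www.conf" <<'EOF'
upstream web_pools {
    server 10.0.0.7:80 weight=2 max_fails=3 fail_timeout=10s;
    server 10.0.0.8:80 weight=1 max_fails=3 fail_timeout=10s;
}
server {
    listen 80;
    server_name www.oldboy.com;
    # $server_name, not $host, so the Host header cannot redirect elsewhere
    return 301 https://$server_name$request_uri;
}
server {
    listen 443 ssl;                    # replaces the deprecated "ssl on;"
    server_name www.oldboy.com;
    ssl_certificate ssl_key/server.crt;
    ssl_certificate_key ssl_key/server.key;
    ssl_protocols TLSv1.2 TLSv1.3;     # TLS 1.3 needs OpenSSL 1.1.1+; with 1.0.2k only TLS 1.2 is offered
    ssl_session_cache shared:SSL:10m;
    add_header Strict-Transport-Security "max-age=31536000" always;
    location / {
        proxy_pass http://web_pools;
        include proxy_params;
    }
}
EOF
}

# write_backend_config <nginx_dir>: HTTP from the balancer only; HTTPS is
# passed to PHP only when the balancer says the client used it.
write_backend_config() {
    mkdir -p "$1/conf.d"
    cat > "$1/conf.d/www.conf" <<'EOF'
map $http_x_forwarded_proto $fastcgi_https {
    default "";
    https   on;
}
server {
    listen 80;
    server_name www.oldboy.com;
    root /usr/share/nginx/html/www;
    location / {
        index index.php index.html index.htm;
    }
    location ~* \.(php|php5)$ {
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param HTTPS $fastcgi_https if_not_empty;
        include fastcgi_params;
    }
}
EOF
}

# check_config <nginx_dir>: static review of the written files.
# Still run "nginx -t" on the real host before reloading.
check_config() {
    conf="$1/conf.d/www.conf"
    if grep -Eq '^[[:space:]]*ssl[[:space:]]+on[[:space:]]*;' "$conf"; then
        echo "deprecated 'ssl on;' in $conf" >&2; return 1
    fi
    if grep -q 'proxy_pass' "$conf" && ! grep -q 'X-Forwarded-Proto' "$1/proxy_params"; then
        echo "balancer does not tell backends the original scheme" >&2; return 1
    fi
    return 0
}
```

Run it as write_lb_config /etc/nginx on lb01 and write_backend_config /etc/nginx on each web server, then nginx -t && nginx -s reload. The ssl_key/ paths are relative to the nginx prefix, as in the post, so the certificate and key from Step 4 must be in /etc/nginx/ssl_key on the balancer only.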