nginx实现https
https作用
- 数据加密传输
- 在OSI模型中处于表示层,加密/解密
证书申请流程
证书类型
| 对比 |
域名型DV |
企业型OV |
增强型EV |
| 地址栏 |
锁标记+绿色https |
锁标记+绿色https |
锁标记+绿色https+企业名称(logo) |
| 用途 |
个人网站 |
电子商务网站、中小企业 |
大型金融平台,大公司,政府机构 |
| 审核内容 |
域名所有权验证 |
全面的企业身份验证;域名所有权验证 |
最高等级的企业身份验证,域名所有权验证 |
| 颁发时长 |
不到十分钟 |
3-5个工作日 |
5-7个工作日 |
| 首次申请/年限 |
一年 |
1-2年 |
1-2年 |
| 赔付保证金 |
-- |
125-172美金 |
150-175美金 |
证书购买
- 单域名
- 混合域名
- 多个域名都可以使用该证书
- www.wsh.com www.baicai.com##
- 泛域名
- 通配符域名证书
- *.driverzeng.com
- www.driverzeng.com
- blog.driverzeng.com
- pikachu.driverzeng.com
- devops.driverzeng.com
- ***.driverzeng.com
https注意事项
- 证书过期,无法续费
- 三级域名无法使用https
- 注意证书的颜色
- 绿色:全站的url都是https加密的
- 红色:假证书或证书过期
- 黄色:并非全站的url都是https加密
模拟单台nginx实现https
## 编辑nginx配置文件
[root@web02 ~]# vim /etc/nginx/conf.d/test.conf
server {
listen 80;
server_name test.wsh.com;
root /code/test;
index index.html;
}
## 重启nginx
[root@web02 ~]# nginx -t
[root@web02 ~]# systemctl restart nginx
## 创建站点目录
[root@web02 ~]# mkdir -p /code/test
## 部署代码
[root@web02 ~]# echo 'This test' > /code/test/index.html
## 域名解析
10.0.0.8 test.wsh.com
## 访问浏览器
test.wsh.com
跟CA机构申请证书
## CA机构创建证书
[root@web02 ~]# openssl genrsa -idea -out server.key 2048
Generating RSA private key, 2048 bit long modulus
.................................................................+++
...............+++
e is 65537 (0x10001)
Enter pass phrase for server.key:
Verifying - Enter pass phrase for server.key:
[root@web02 ~]# ll
total 12
-rw-------. 1 root root 1604 May 12 19:22 anaconda-ks.cfg
-rw-r--r-- 1 root root 204 May 13 00:36 host_ip.sh
-rw-r--r-- 1 root root 1747 Jun 22 15:27 server.key
## 跟CA机构填写个人信息,签发证书
[root@web02 ~]# openssl req -days 3650 -sha256 -nodes -newkey rsa:2048 -keyout server.key -out server.crt
Generating a 2048 bit RSA private key
............................................................................+++
.................................................+++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
## 国家代码,简写,2个字符
Country Name (2 letter code) [XX]:CN
## 所在省
State or Province Name (full name) []:shanghai
## 城市名字
Locality Name (eg, city) [Default City]:shanghai
## 公司名字
Organization Name (eg, company) [Default Company Ltd]:oldboy
## 公司名字
Organizational Unit Name (eg, section) []:oldboy
域名
Common Name (eg, your name or your server's hostname) []:test.wsh.com
## 邮箱
Email Address []:111@qq.com
## 查看所有证书文件
[root@web02 ~]# ll
total 16
-rw-------. 1 root root 1604 May 12 19:22 anaconda-ks.cfg
-rw-r--r-- 1 root root 204 May 13 00:36 host_ip.sh
-rw-r--r-- 1 root root 1106 Jun 22 15:31 server.crt
-rw-r--r-- 1 root root 1704 Jun 22 15:31 server.key
修改nginx配置文件
## 创建证书存放的目录
[root@web02 ~]# mkdir -p /etc/nginx/ssl
[root@web02 ~]# mv server.* /etc/nginx/ssl/
## 配置nginx证书
[root@web02 ~]# vim /etc/nginx/conf.d/test.conf
server {
listen 443 ssl;
server_name test.wsh.com;
root /code/test;
index index.html;
ssl_certificate ssl/server.crt;
ssl_certificate_key ssl/server.key;
}
## 重启nginx
[root@web02 ~]# nginx -t
[root@web02 ~]# systemctl restart nginx
## 访问浏览器
使用rewrite协议跳转
## 80强制跳转443
[root@web02 ~]# vim /etc/nginx/conf.d/test.conf
server {
listen 80;
server_name test.wsh.com;
rewrite (.*) https://test.wsh.com$1 redirect;
}
server {
listen 443 ssl;
server_name test.wsh.com;
root /code/test;
index index.html;
ssl_certificate ssl/server.crt;
ssl_certificate_key ssl/server.key;
}
[root@web02 ~]# nginx -t
[root@web02 ~]# systemctl restart nginx
## 访问浏览器
给wordpress博客加证书
## 生成证书
[root@web02 ~]# openssl genrsa -idea -out 20220622_blog.wsh.com.key 2048
[root@web02 ~]# openssl req -days 3650 -x509 -sha256 -nodes -newkey rsa:2048 -keyout 20220622_blog.wsh.com.key -out 20220622_blog.wsh.com.pem
## 创建证书存放目录
[root@web02 ~]# mkdir -p /etc/nginx/ssl/
[root@web02 ~]# mv 20220622_blog.wsh.com.key /etc/nginx/ssl/
[root@web02 ~]# mv 20220622_blog.wsh.com.pem /etc/nginx/ssl/
## 配置nginx文件
[root@web02 ~]# vim /etc/nginx/conf.d/blog.wsh.com.conf
server{
listen 80;
server_name blog.wsh.com;
rewrite (.*) https://blog.wsh.com$1 redirect;
}
server{
listen 443 ssl;
server_name blog.wsh.com;
root /blog/wordpress;
index index.php index.html;
ssl_certificate ssl/20220622_blog.wsh.com.pem;
ssl_certificate_key ssl/20220622_blog.wsh.com.key;
location \ {
if ( -f $request_filename/index.html ){
rewrite (.*) $1/index.html break;
}
if ( -f $request_filename/index.php ){
rewrite (.*) $1/index.php;
}
if ( !-f $request_filename ){
rewrite (.*) /index.php;
}
}
location ~ \.php$ {
fastcgi_pass unix:/opt/shm/php.sock;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include fastcgi_params;
}
## 重启nginx
[root@web02 ~]# nginx -t
[root@web02 ~]# systemctl restart nginx
解决php破图现象
[root@web02 ~]# cat /etc/nginx/conf.d/blog.wsh.com.conf
server{
listen 80;
server_name blog.wsh.com;
rewrite (.*) https://blog.wsh.com$1 redirect;
}
server{
listen 443 ssl;
server_name blog.wsh.com;
root /blog/wordpress;
index index.php index.html;
ssl_certificate ssl/20220622_blog.wsh.com.pem;
ssl_certificate_key ssl/20220622_blog.wsh.com.key;
location / {
if ( -f $request_filename/index.html ){
rewrite (.*) $1/index.html break;
}
if ( -f $request_filename/index.php ){
rewrite (.*) $1/index.php;
}
if ( !-f $request_filename ){
rewrite (.*) /index.php;
}
}
location ~ \.php$ {
fastcgi_pass unix:/opt/shm/php.sock;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
## 让nginx访问php时,也要使用https
fastcgi_param HTTPS on;
include fastcgi_params;
}
多台nginx配置ssl证书
## 负载均衡配置证书
[root@lb01 ~]# vim /etc/nginx/conf.d/test.wsh.com_proxy.conf
upstream test_wsh_com {
server 172.16.1.7;
server 172.16.1.8;
}
server {
listen 80;
server_name test.zls.com;
rewrite (.*) https://test.zls.com$1 redirect;
}
server {
listen 443 ssl;
server_name test.wsh.com;
ssl_certificate ssl/server.crt;
ssl_certificate_key ssl/server.key;
ssl_session_cache shared:SSL:10m; #在建立完ssl握手后如果断开连接,在session_timeout时间内再次连接,是不需要再次获取公钥建立握手的,可以服用之前的连接
ssl_session_timeout 1440m; #ssl连接断开后的超时时间
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4; #配置加密套接协议
ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; #使用TLS版本协议
ssl_prefer_server_ciphers on; #nginx决定使用哪些协议与浏览器通信
location /{
proxy_pass http://test_wsh_com;
include proxy_wsh;
}
}
## 创建证书存放目录
[root@lb01 ~]# mkdir -p /etc/nginx/ssl
## 将证书放在负载均衡服务器的/etc/nginx/ssl
[root@web02 ssl]# scp server.* 172.16.1.5:/etc/nginx/ssl/
## web01和web02配置
[root@web02 ssl]# vim /etc/nginx/conf.d/test.conf
server {
listen 80;
server_name test.wsh.com;
root /code/test;
index index.html;
}
[root@web01 ~]# vim /etc/nginx/conf.d/test.conf
server {
listen 80;
server_name test.wsh.com;
root /code/test;
index index.html;
}
## 重启nginx
[root@web01 ~]# nginx -t
[root@web01 ~]# systemctl restart nginx
[root@web02 ~]# nginx -t
[root@web02 ~]# systemctl restart nginx
