Chapter 1: Basic overview of HTTPS security certificates
Why do we need HTTPS? Because HTTP is not secure. When we use an http site, packets are frequently hijacked and tampered with in transit; with the https protocol the data is encrypted in transit, so an attacker cannot read or tamper with the messages.
The main problems https solves: preventing information from leaking while the site is being transmitted, and preventing the transmitted content from being hijacked or tampered with.
Next let's look at the HTTPS certificate types.
HTTPS certificate purchase options
Protect 1 domain: www
Protect 5 domains: www images cdn test m
Wildcard domain: *.oldboy.com
HTTPS notes
Https certificates cannot be renewed; when a certificate expires you must apply for a new one and replace the old one.
With a wildcard certificate, second-level and third-level subdomains must be purchased separately, e.g. test.m.oldboy.com
The https indicator shows green: every URL on the site is https.
The https indicator shows yellow: the site's code contains insecure http links.
The https indicator shows red: either the certificate is fake or it has expired.
Chapter 2: Implementing HTTPS on a single Nginx server
1. Environment preparation
#nginx must be built with the ssl module
[root@web01 ~]# nginx -V
--with-http_ssl_module
#create the directory that will hold the ssl certificate
[root@web01 ~]# mkdir -p /etc/nginx/ssl_key
[root@web01 ~]# cd /etc/nginx/ssl_key
[root@web01 /etc/nginx/ssl_key]#
2. Use the openssl command to act as a CA and create a certificate (this method is not used in production, because such a certificate is not trusted on the Internet)
[root@web01 /etc/nginx/ssl_key]# openssl genrsa -idea -out server.key 2048
Generating RSA private key, 2048 bit long modulus
... +++
e is 65537 (0x10001)
#remember the passphrase you set; mine here is 1234
Enter pass phrase for server.key:
Verifying - Enter pass phrase for server.key:
3. Generate a self-signed certificate and at the same time remove the passphrase from the private key (-newkey ... -keyout server.key writes a fresh, unencrypted key over the one from step 2)
[root@web01 /etc/nginx/ssl_key]# openssl req -days 36500 -x509 -sha256 -nodes -newkey rsa:2048 -keyout server.key -out server.crt
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:BJ
Locality Name (eg, city) [Default City]:BJ
Organization Name (eg, company) [Default Company Ltd]:edu
Organizational Unit Name (eg, section) []:SA
Common Name (eg, your name or your server's hostname) []:oldboy
Email Address []:oldboy@oldboy.com
# req --> create a new certificate request
# new --> a new certificate is being created
# x509 --> the certificate is produced in the standard X.509 format
# key --> the private key file used (written here with -keyout)
# out --> the output certificate file
# days --> the validity period of the certificate
4. After the certificate has been issued, learn how Nginx is configured for Https
#whether to enable ssl support
Syntax: ssl on | off;
Default: ssl off;
Context: http, server
#location of the ssl crt file
Syntax: ssl_certificate file;
Default: —
Context: http, server
#location of the ssl key file
Syntax: ssl_certificate_key file;
Default: —
Context: http, server
5. Example Nginx Https configuration
[root@web01 ~]# cat /etc/nginx/conf.d/ssl.conf
server {
    listen 443;
    server_name s.oldboy.com;
    ssl on;
    ssl_certificate ssl_key/server.crt;
    ssl_certificate_key ssl_key/server.key;
    location / {
        root /code;
        index index.html;
    }
}
#prepare the matching site directory and restart the Nginx service
[root@web01 ~]# mkdir -p /code
[root@web01 ~]# echo "Https" > /code/index.html
[root@web01 ~]# nginx -t
nginx: [warn] the "ssl" directive is deprecated, use the "listen ... ssl" directive instead in /etc/nginx/conf.d/ssl.conf:4
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
#there is a warning telling us to use the listen ... ssl form instead
[root@web01 ~]# cat /etc/nginx/conf.d/ssl.conf
server {
    listen 443 ssl;
    server_name s.oldboy.com;
    #ssl on;
    ssl_certificate ssl_key/server.crt;
    ssl_certificate_key ssl_key/server.key;
    location / {
        root /code;
        index index.html;
    }
}
#checking again shows no problems
[root@web01 ~]# nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
[root@web01 ~]# systemctl restart nginx
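Before restarting nginx it is worth checking that the key and certificate actually belong together, that the certificate covers the server_name, and that the private key is not world-readable. The shell function below is an added example, not part of the original article; it assumes openssl and GNU coreutils (stat -c) are installed and takes the certificate path, key path and hostname as arguments.

```shell
# Added example (not from the article): pre-flight checks for an nginx
# certificate/key pair. Assumes openssl and GNU coreutils (stat -c).
# Usage: check_tls_pair /etc/nginx/ssl_key/server.crt /etc/nginx/ssl_key/server.key s.oldboy.com
check_tls_pair() {
    crt="$1"; key="$2"; host="$3"

    # 1. The private key should be readable by root only. "scp -rp" in
    #    chapter 3 preserves whatever mode the source file had, so check it.
    mode=$(stat -c '%a' "$key")
    [ "$mode" = "600" ] || { echo "FAIL: $key has mode $mode, expected 600"; return 1; }

    # 2. Certificate and key must belong together: compare the public key
    #    embedded in the certificate with the one derived from the private key.
    crt_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null </dev/null)
    [ -n "$crt_pub" ] && [ "$crt_pub" = "$key_pub" ] \
        || { echo "FAIL: $crt and $key do not match"; return 1; }

    # 3. The certificate must remain valid for at least 30 more days
    #    (-checkend exits non-zero if it expires within that window).
    openssl x509 -in "$crt" -noout -checkend $((30 * 86400)) >/dev/null \
        || { echo "FAIL: $crt expires within 30 days"; return 1; }

    # 4. Browsers match server_name against subjectAltName, not the CN, so a
    #    CN=oldboy certificate without DNS:s.oldboy.com is refused. Exact
    #    match only; wildcard entries are not expanded here.
    openssl x509 -in "$crt" -noout -text \
        | grep -Eq "DNS:$host(,|[[:space:]]*$)" \
        || { echo "FAIL: $crt has no subjectAltName DNS:$host"; return 1; }

    echo "OK: $crt covers $host and matches $key"
    return 0
}
```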
6. Open https://s.oldboy.com in a browser. Because the certificate was signed by us rather than issued by a trusted third-party CA, the browser shows a warning.
7. With the configuration above, a user who forgets to type https:// in the address bar is not redirected to https. It is recommended to force http requests to redirect to https:
[root@web01 ~]# cat /etc/nginx/conf.d/ssl.conf
server {
    listen 443 ssl;
    server_name s.oldboy.com;
    #ssl on;
    ssl_certificate ssl_key/server.crt;
    ssl_certificate_key ssl_key/server.key;
    location / {
        root /code;
        index index.html;
    }
}
server {
    listen 80;
    server_name s.oldboy.com;
    #redirect using rewrite
    rewrite ^(.*) https://$server_name$1 redirect;
    #redirect using return
    #return 302 https://$server_name$request_uri;
}
Chapter 3: Implementing HTTPS on an Nginx cluster
Hands-on: Nginx load balancer + Nginx WEB servers with HTTPS
1. Environment preparation
Hostname | Public IP (NAT) | Private IP (LAN) | Role |
---|---|---|---|
lb01 | eth0:10.0.0.5 | eth1:172.16.1.5 | nginx-proxy |
web01 | eth0:10.0.0.7 | eth1:172.16.1.7 | nginx-web01 |
web02 | eth0:10.0.0.8 | eth1:172.16.1.8 | nginx-web02 |
2. Configure the two backend web nodes to listen on port 80; if this is already configured, no change is needed
[root@web01 ~]# cat /etc/nginx/conf.d/blog.conf
server {
    listen 80;
    server_name blog.oldboy.com;
    root /code/wordpress;
    index index.php index.html;
    location ~ \.php$ {
        root /code/wordpress;
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}
3. Configure the second WEB node by copying the certificate directory and the site configuration from web01
[root@web01 ~]# scp -rp /etc/nginx/ssl_key/ root@172.16.1.8:/etc/nginx/
[root@web01 ~]# scp -rp /etc/nginx/conf.d/ root@172.16.1.8:/etc/nginx/
4. Restart Nginx on both backend web nodes
[root@web01 ~]# systemctl restart nginx
[root@web02 ~]# systemctl restart nginx
5. First generate a certificate on the Nginx load balancer
[root@lb01 ~]# mkdir /etc/nginx/ssl_key -p
[root@lb01 ~]# cd /etc/nginx/ssl_key/
[root@lb01 /etc/nginx/ssl_key]# openssl genrsa -idea -out server.key 2048
[root@lb01 /etc/nginx/ssl_key]# openssl req -days 36500 -x509 -sha256 -nodes -newkey rsa:2048 -keyout server.key -out server.crt
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:BJ
Locality Name (eg, city) [Default City]:BJ
Organization Name (eg, company) [Default Company Ltd]:edu
Organizational Unit Name (eg, section) []:SA
Common Name (eg, your name or your server's hostname) []:oldboy
Email Address []:oldboy@oldboy.com
6. The Nginx load balancer configuration file is as follows
[root@lb01 ~]# cat /etc/nginx/conf.d/proxy.conf
# define the backend pool
upstream site {
    server 172.16.1.7:80 max_fails=2 fail_timeout=10s;
    server 172.16.1.8:80 max_fails=2 fail_timeout=10s;
}
#https configuration
server {
    listen 443 ssl;
    server_name blog.oldboy.com;
    ssl_certificate ssl_key/server.crt;
    ssl_certificate_key ssl_key/server.key;
    location / {
        proxy_pass http://site;
        include proxy_params;
    }
}
#redirect user http requests to https
server {
    listen 80;
    server_name blog.oldboy.com;
    return 302 https://$server_name$request_uri;
}
7. Restart the Nginx load balancer
[root@lb01 ~]# nginx -t
[root@lb01 ~]# systemctl restart nginx
8. Configure both the proxy and the nginx web servers for https
proxy_params configuration
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_connect_timeout 30;
proxy_send_timeout 60;
proxy_read_timeout 60;
proxy_buffering on;
proxy_buffer_size 32k;
proxy_buffers 4 128k;
Reverse proxy configuration file
# define the backend pool
upstream site {
    server 172.16.1.7:80 max_fails=2 fail_timeout=10s;
    server 172.16.1.8:80 max_fails=2 fail_timeout=10s;
}
upstream ssl {
    server 172.16.1.7:443 max_fails=2 fail_timeout=10s;
    server 172.16.1.8:443 max_fails=2 fail_timeout=10s;
}
#https configuration
server {
    listen 443 ssl;
    server_name s.oldboy.com;
    ssl_certificate ssl_key/server.crt;
    ssl_certificate_key ssl_key/server.key;
    location / {
        proxy_pass https://ssl;
        include proxy_params;
    }
}
#redirect user http requests to https
server {
    listen 80;
    server_name s.oldboy.com;
    return 302 https://$server_name$request_uri;
}
nginx configuration file on the web nodes
server {
    listen 443 ssl;
    server_name s.oldboy.com;
    #ssl on;
    ssl_certificate ssl_key/server.crt;
    ssl_certificate_key ssl_key/server.key;
    location / {
        root /code;
        index index.html;
    }
}
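In the step-8 reverse proxy configuration above, nginx opens TLS to the backends but does not verify their certificates: proxy_ssl_verify defaults to off, and the name used for SNI and verification defaults to the upstream name "ssl", which no certificate matches. The shell function below is an added example, not from the original article: it scans a proxy configuration file for proxy_pass https:// without those directives, and also for the deprecated ssl on form from step 5; the directive checklist is my own assumption, not the article's.

```shell
# Added example (not from the article): lint an nginx proxy configuration
# for upstream-TLS settings that step 8 leaves at their defaults.
# Prints one finding per line and returns the number of findings (0 = clean).
lint_proxy_tls() {
    conf="$1"; findings=0
    note() { echo "$1"; findings=$((findings + 1)); }

    if grep -Eq '^[[:space:]]*proxy_pass[[:space:]]+https://' "$conf"; then
        # nginx default is proxy_ssl_verify off: any certificate presented by
        # whatever answers on the backend IP:443 is accepted silently.
        grep -Eq '^[[:space:]]*proxy_ssl_verify[[:space:]]+on' "$conf" \
            || note "proxy_pass https:// without 'proxy_ssl_verify on'"
        # verification needs a trust anchor; for the self-signed backend
        # certificate that is the backend's own server.crt
        grep -Eq '^[[:space:]]*proxy_ssl_trusted_certificate[[:space:]]' "$conf" \
            || note "proxy_pass https:// without proxy_ssl_trusted_certificate"
        # proxy_ssl_name sets the name checked against the backend certificate
        # (and sent as SNI with proxy_ssl_server_name on); default is "ssl"
        grep -Eq '^[[:space:]]*proxy_ssl_name[[:space:]]' "$conf" \
            || note "proxy_pass https:// without proxy_ssl_name"
    fi
    # the deprecated form from step 5; nginx warns and newer builds reject it
    grep -Eq '^[[:space:]]*ssl[[:space:]]+on' "$conf" \
        && note "deprecated 'ssl on;' found, use 'listen 443 ssl;'"
    # a 443 listener without the ssl flag serves plain HTTP on the https port
    grep -Eq '^[[:space:]]*listen[[:space:]]+443;' "$conf" \
        && note "'listen 443;' without the ssl parameter"
    return $findings
}
```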
9. Configure https for wordpress and wecenter
wecenter is configured in its admin backend.
wordpress, in addition to the admin backend setting, also needs a php-fastcgi parameter added in the nginx configuration file:
location ~ \.php$ {
    ...
    fastcgi_param HTTPS on;
    ...
}
Author: 張亞_7868
Link: http://www.reibang.com/p/70d58411e309
Source: 簡書 (Jianshu)
Copyright belongs to the author. For commercial reproduction please contact the author for authorization; for non-commercial reproduction please cite the source.