
16. HTTPS Domain Certificates


Chapter 1: Basic overview of HTTPS security certificates

Why do we need HTTPS? Because HTTP is not secure. When we use an http website, the packets are frequently hijacked and tampered with in transit; with the https protocol the data is encrypted while it travels, so an attacker can neither read nor modify the message contents.
What https mainly solves: it prevents information from leaking while the site's traffic is in transit, and it prevents that content from being hijacked and tampered with on the way.
Below we look at the HTTPS certificate types.

Choosing which HTTPS certificate to buy:

Single domain       www
Multiple domains    www images cdn test m
Wildcard domain     *.oldboy.com    # only covers second-level domains, i.e. one label directly under oldboy.com

HTTPS notes

Https cannot be renewed: when a certificate expires, a new one must be applied for and swapped in.
Https with a wildcard certificate: second-level and third-level domains must be purchased separately, e.g. test.m.oldboy.com.
Https shows green: every URL on the site is served over https.
Https shows yellow: the site's code contains insecure http links.
Https shows red: the certificate is either fake or expired.

Chapter 2: HTTPS on a single Nginx host in practice

1. Environment preparation:

Hostname    IP address    Description
web01-7     10.0.1.7      nginx+php+ssl

# nginx must be built with the ssl module (look for this in the configure arguments)
[root@web01 ~]# nginx -V
--with-http_ssl_module

# create the directory that will hold the ssl certificate and key
[root@web01 ~]# mkdir -p /etc/nginx/ssl_key
[root@web01 ~]# cd /etc/nginx/ssl_key
[root@web01 /etc/nginx/ssl_key]#

2. Generate the private key:

Use the openssl command to act as the CA and create the certificate ourselves (not used in production, because a certificate issued this way is not trusted on the Internet).

[root@web01 /etc/nginx/ssl_key]# openssl genrsa -idea -out server.key 2048
Generating RSA private key, 2048 bit long modulus
... +++
e is 65537 (0x10001)

# remember the passphrase you set here; mine is 1234
Enter pass phrase for server.key:
Verifying - Enter pass phrase for server.key:

3. Generate the self-signed certificate and at the same time drop the private-key passphrase (-newkey writes a fresh key and -nodes leaves it unencrypted, so the passphrase-protected server.key from step 2 is simply overwritten):

[root@web01 /etc/nginx/ssl_key]# openssl req -days 36500 -x509 -sha256 -nodes -newkey rsa:2048 -keyout server.key -out server.crt
Generating a 2048 bit RSA private key
....................+++
..........+++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:SZ
Locality Name (eg, city) [Default City]:SZ
Organization Name (eg, company) [Default Company Ltd]:oldboy
Organizational Unit Name (eg, section) []:oldboy
Common Name (eg, your name or your server's hostname) []:SA
Email Address []:wufei008@qq.com

# req       --> create a certificate request (with -x509, a self-signed certificate)
# -x509     --> output a self-signed certificate instead of a certificate request
# -newkey   --> generate a new private key (here rsa:2048) along with it
# -nodes    --> do not encrypt the private key with a passphrase
# -keyout   --> file to write the private key to
# -out      --> file to write the certificate to
# -days     --> validity period of the certificate
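As an added example that is not part of the original post, the bash functions below reproduce step 3 non-interactively (using -subj and -addext instead of the prompts) and then run the checks worth doing on server.key/server.crt before Nginx is reloaded; the host-name check also demonstrates the wildcard scope stated in chapter 1 (*.oldboy.com covers www.oldboy.com but not test.m.oldboy.com). It assumes an OpenSSL CLI of version 1.1.1 or newer; the helper names and file names are this example's own.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): a non-interactive version of the
# post's "openssl req -x509 -nodes -newkey" step, plus the checks worth running
# on server.key/server.crt before Nginx is pointed at them.
# Assumes an OpenSSL CLI >= 1.1.1 (-addext); all file names are constructed.

# make_selfsigned DIR NAME DNSNAME: self-signed cert + unencrypted key (10 years).
# Unlike the post's CN=SA, the DNS name goes into both CN and subjectAltName,
# because browsers match the host name against the SAN.
make_selfsigned() {
    openssl req -x509 -nodes -sha256 -days 3650 -newkey rsa:2048 \
        -subj "/C=CN/O=oldboy/CN=$3" -addext "subjectAltName=DNS:$3" \
        -keyout "$1/$2.key" -out "$1/$2.crt" >/dev/null 2>&1
}

# True if the key has no passphrase (Nginx cannot type one in at reload time).
key_is_unencrypted() {
    [ -r "$1" ] && ! grep -q 'ENCRYPTED' "$1"
}

# True if certificate and key carry the same public key (compared as PEM).
cert_matches_key() {
    local c k
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null </dev/null) || return 1
    [ "$c" = "$k" ]
}

# True if the certificate is valid for HOST (SAN, falling back to CN), using the
# wildcard rule from chapter 1: *.oldboy.com covers www.oldboy.com but neither
# oldboy.com nor test.m.oldboy.com.
cert_covers_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null | grep -q 'does match'
}

# True if the certificate is still valid DAYS days from now.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# check_pair CERT KEY HOST: run every check, print a report, return 0 only if all pass.
check_pair() {
    local rc=0 chk
    for chk in "key_is_unencrypted $2" "cert_matches_key $1 $2" \
               "cert_covers_host $1 $3" "cert_valid_for_days $1 30"; do
        if $chk; then echo "ok   $chk"; else echo "FAIL $chk"; rc=1; fi
    done
    return $rc
}
```

Source the file and run check_pair /etc/nginx/ssl_key/server.crt /etc/nginx/ssl_key/server.key www.oldboy.com; with the post's certificate (CN=SA, no SAN) the cert_covers_host line reports FAIL, which is the same host-name mismatch a browser would flag even if the issuer were trusted.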

4. Once the certificate is ready, these are the Nginx directives used to configure HTTPS:

# whether to enable ssl support (deprecated in favour of "listen ... ssl", see the warning below)
Syntax: ssl on | off;
Default: ssl off;
Context: http, server

# location of the ssl crt (certificate) file
Syntax: ssl_certificate file;
Default: —
Context: http, server

# location of the ssl key (private key) file
Syntax: ssl_certificate_key file;
Default: —
Context: http, server

5. Nginx HTTPS configuration example:

[root@web01 /etc/nginx/conf.d]# cat 01-www.conf
server {
    listen 8080;
    server_name www.oldboy.com;
    access_log /var/log/nginx/www.access.log main;
    location / {
        root /code/www;
        index index.html index.htm;
        charset utf-8,gbk;
    }
}

server {
    listen 443 ssl;
    server_name www.oldboy.com;
    ssl_certificate ssl_key/server.crt;
    ssl_certificate_key ssl_key/server.key;
    access_log /var/log/nginx/www.access.log main;
    location / {
        root /code/www;
        index index.html index.htm;
        charset utf-8,gbk;
    }
}
[root@web01 /etc/nginx/conf.d]# nginx -t
nginx: [warn] the "ssl" directive is deprecated, use the "listen ... ssl" directive instead in /etc/nginx/conf.d/ssl.conf:4
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
# there is a warning telling us to use the "listen ... ssl" form instead of the ssl directive

6. Open https://www.oldboy.com in the browser. Because this certificate was signed by ourselves rather than issued by a trusted third-party CA, the browser shows a warning.

7. With the configuration above, a user who forgets to type https:// in the address bar is not redirected to https; it is recommended to force http requests to redirect to https:

[root@web01 /etc/nginx/conf.d]# cat 01-www.conf
server {
    listen 80;
    server_name www.oldboy.com;
    access_log /var/log/nginx/www.access.log main;
    # redirect with rewrite
    rewrite ^(.*) https://$server_name$1 redirect;
    # redirect with return
    #return 302 https://$server_name$request_uri;
    location / {
        root /code/www;
        index index.html index.htm;
        charset utf-8,gbk;
    }
}

server {
    listen 443 ssl;
    server_name www.oldboy.com;
    ssl_certificate ssl_key/server.crt;
    ssl_certificate_key ssl_key/server.key;
    access_log /var/log/nginx/www.access.log main;
    location / {
        root /code/www;
        index index.html index.htm;
        charset utf-8,gbk;
    }
}

Chapter 3: HTTPS on an Nginx cluster in practice

Hands-on: Nginx load balancer + Nginx web nodes with HTTPS

1. Environment preparation

Hostname    Public IP                        Private IP          Description
lb01-5      eth0: 10.0.1.5  VIP: 10.0.1.3    eth1: 172.16.1.5    nginx-proxy-ssl
web01-7     eth0: 10.0.1.7                   eth1: 172.16.1.7    nginx-web01
web02-8     eth0: 10.0.1.8                   eth1: 172.16.1.8    nginx-web02

2. Configure the two backend web nodes to listen on port 80; if they are already configured this way, no change is needed

[root@web01 /etc/nginx/conf.d]# cat wordpress.conf
server {
    listen 80;
    server_name blog.oldboy.com;
    root /code/wordpress;
    index index.php index.html;
    # do not redirect to https on the backend: TLS terminates on lb01, which
    # proxies to this port over plain http, so a redirect here would loop
    #rewrite ^(.*) https://$server_name$1 redirect;
    #return 302 https://$server_name$request_uri;

    location ~ \.php$ {
        root /code/wordpress;
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_param HTTPS on;    # makes WordPress treat the request as https
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}

3. Start Nginx on both backend web nodes

[root@web01 ~]# systemctl start nginx
[root@web02 ~]# systemctl start nginx

4. Generate the certificate on the lb01 load balancer first

[root@lb01 ~]# mkdir /etc/nginx/ssl_key -p
[root@lb01 ~]# cd /etc/nginx/ssl_key/
# the key written here is replaced by the -newkey in the next command
[root@lb01 /etc/nginx/ssl_key]# openssl genrsa -idea -out server.key 2048
[root@lb01 /etc/nginx/ssl_key]# openssl req -days 36500 -x509 -sha256 -nodes -newkey rsa:2048 -keyout server.key -out server.crt
Generating a 2048 bit RSA private key
....................+++
..........+++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:SZ
Locality Name (eg, city) [Default City]:SZ
Organization Name (eg, company) [Default Company Ltd]:oldboy
Organizational Unit Name (eg, section) []:oldboy
Common Name (eg, your name or your server's hostname) []:SA
Email Address []:wufei008@qq.com

5. lb01 load balancer configuration file:

[root@lb01-5 /etc/nginx/conf.d]# cat 01-www.conf
# define the backend pools
upstream server_pools {
    server 172.16.1.7:80;
    server 172.16.1.8:80;
    server 172.16.1.9:80;
}
upstream zh_pools {
    server 172.16.1.7:80;
    server 172.16.1.8:80;
    server 172.16.1.9:80;
}

# redirect users' http requests to https
server {
    listen 80;
    server_name blog.oldboy.com;
    access_log /var/log/nginx/access.log main;
    #rewrite ^(.*) https://$server_name$1 redirect;
    # redirect with return
    return 302 https://$server_name$request_uri;

    location / {
        proxy_pass http://server_pools;
        include proxy_params;
    }
}
# https configuration
server {
    listen 443 ssl;
    server_name blog.oldboy.com;
    access_log /var/log/nginx/access.log main;
    ssl_certificate ssl_key/server.crt;
    ssl_certificate_key ssl_key/server.key;
    location / {
        proxy_pass http://server_pools;
        include proxy_params;
    }
}

server {
    listen 80;
    server_name zh.oldboy.com;
    access_log /var/log/nginx/access.log main;
    #rewrite ^(.*) https://$server_name$1 redirect;
    # redirect with return
    return 302 https://$server_name$request_uri;

    location / {
        proxy_pass http://zh_pools;
        include proxy_params;
    }
}
# https configuration
server {
    listen 443 ssl;
    server_name zh.oldboy.com;
    access_log /var/log/nginx/access.log main;
    ssl_certificate ssl_key/server.crt;
    ssl_certificate_key ssl_key/server.key;
    location / {
        proxy_pass http://zh_pools;
        include proxy_params;
    }
}

7. Reload Nginx on the load balancer

[root@lb01-5 /etc/nginx/conf.d]# nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
[root@lb01-5 /etc/nginx/conf.d]# systemctl reload nginx

8. Configure https for WordPress and WeCenter

WordPress backend configuration:

Note: for WordPress to work over https, the following directive must be added to the nginx configuration of the backend WordPress site

location ~ \.php$ {
    ...
    fastcgi_param HTTPS on;
    ...
}

WeCenter backend configuration:

Author: Wu Fei
Link: http://linuxwf.com/2020/04/13/16-HTTPS%E5%9F%9F%E5%90%8D%E8%AF%81%E4%B9%A6/
Copyright: Unless otherwise stated, all articles on this blog are licensed under CC BY-NC-SA 4.0. Please credit WF's Blog when reposting.