# 11. Nginx Advanced: HTTPS
- Artificial Intelligence
- 2025-08-03 02:18:02

## Introduction

### Overview

**SSL**

SSL (Secure Sockets Layer) is mainly used to authenticate users and servers, so that data is delivered to the intended client and server. SSL encrypts data so it cannot be read if intercepted in transit, and it protects data integrity, so that data is not altered in transit.

**HTTPS**

HTTPS is HTTP secured by SSL (today by its successor, TLS).

**Certificates**

A certificate vouches for the legitimacy of a public key. The certificate subject can be a user, a service, a computer, and so on. Certificates follow the X.509 standard. A digital certificate contains:

- the subject's public key;
- subject identification information (such as name and e-mail address);
- the validity period (the time during which the certificate is valid);
- issuer identification information;
- the issuer's digital signature.

Note: digital certificates are issued by an authoritative, impartial third party (a certificate authority).

### Tips

**Choosing an HTTPS certificate**

- Professional (OV) certificate: the company name is not displayed.
- Premium (EV) certificate: the company name is displayed.

**Purchase options**

- Wildcard certificate, e.g. `*.o-learn.cn`
- Single-domain certificate, e.g. `www.baidu.com`

**Notes on HTTPS**

- HTTPS does not support third-level domains;
- HTTPS certificates cannot be renewed: when a certificate expires, a new one must be requested and swapped in;
- A green indicator means every URL on the site is served over HTTPS;
- A yellow indicator means the site includes insecure HTTP connections;
- A red indicator means the certificate has expired or is fake.

## Configuration scenarios

### Application

#### Requesting a certificate

**Private (self-signed) certificate**

Check the OpenSSL tool. Check whether it is installed:

```bash
openssl version
```

If it is not installed, install it with:

```bash
yum install openssl openssl-devel
```

Check that nginx was built with the SSL module:

```bash
nginx -V 2>&1 | grep ssl    # expect --with-http_ssl_module in the output
```

Generate the key. Create the key directory:

```bash
mkdir -p /www/ssl_key
cd /www/ssl_key
```

Generate the key (the post uses a 1024-bit modulus; current browsers and CAs require at least 2048 bits, so use `2048` for anything beyond a lab):

```bash
openssl genrsa -des3 -out wang_mingqu_com.key 1024
# Generating RSA private key, 1024 bit long modulus
# ...++++++
# ..................................................................++++++
# e is 65537 (0x10001)
# Enter pass phrase for https.key: 123456
# Verifying - Enter pass phrase for https.key: 123456
```

Remove the passphrase from the private key (otherwise nginx prompts for it on every start):

```bash
openssl rsa -in wang_mingqu_com.key -out wang_mingqu_com.key
# Enter pass phrase for https.key: 123456
# writing RSA key
```

Generate the certificate. First create the certificate signing request (CSR):

```bash
openssl req -new -key wang_mingqu_com.key -out wang_mingqu_com.csr
# You are about to be asked to enter information that will be incorporated
# into your certificate request.
# What you are about to enter is what is called a Distinguished Name or a DN.
# There are quite a few fields but you can leave some blank
# For some fields there will be a default value,
# If you enter '.', the field will be left blank.
# -----
# Country Name (2 letter code) [XX]:CN
# State or Province Name (full name) []:HeNan
# Locality Name (eg, city) [Default City]:ZhengZhou
# Organization Name (eg, company) [Default Company Ltd]:MingQuKeJi
# Organizational Unit Name (eg, section) []:YunWeiBu
# Common Name (eg, your name or your server's hostname) []:wang.mingqu.com
# Email Address []:15515190288@163.com
#
# Please enter the following 'extra' attributes
# to be sent with your certificate request
# A challenge password []:
# An optional company name []:
```

Generate the self-signed SSL certificate:

```bash
openssl x509 -req -days 365 -in wang_mingqu_com.csr -signkey wang_mingqu_com.key -out wang_mingqu_com.crt
# Signature ok
# subject=/C=CN/ST=HeNan/L=ZhengZhou/O=MingQuKeJi/OU=YunWeiBu/CN=wang.mingqu.com/emailAddress=15515190288@163.com
# Getting Private key
```

View the certificate and key:

```bash
ll /www/ssl_key/
total 28
-rw-r--r-- 1 root root 981 Feb 26 16:36 wang_mingqu_com.crt
-rw-r--r-- 1 root root 716 Feb 26 16:32 wang_mingqu_com.csr
-rw-r--r-- 1 root root 887 Feb 26 16:30 wang_mingqu_com.key
```

Note that the private key is listed with mode 644, i.e. readable by every local user; restrict it with `chmod 600 wang_mingqu_com.key`.

**Public CA certificate**

#### Configuring HTTPS

Create the certificate directory:

```bash
mkdir -p /etc/nginx/ssl_key
cp /www/ssl_key/wang_mingqu_com.crt /etc/nginx/ssl_key/
cp /www/ssl_key/wang_mingqu_com.key /etc/nginx/ssl_key/
chown -R nginx:nginx /etc/nginx/ssl_key/
```

Edit the nginx configuration file. Path: `/etc/nginx/conf.d/wangmingqu.conf`
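The interactive `genrsa` / `rsa` / `req` / `x509` sequence above can be collapsed into one non-interactive command, and the result should be checked before it is handed to nginx. The script below is an added example, not part of the original post: it produces the same self-signed certificate (same DN, same file names) with a 2048-bit key, no passphrase and a Subject Alternative Name, then verifies that key and certificate belong together, that the CN and SAN are what was asked for, and how long the certificate stays valid. It assumes `openssl` is on `PATH`; `WORKDIR` is an assumed variable that defaults to a temporary directory instead of the post's `/www/ssl_key`.

```shell
#!/bin/sh
# Added example (not from the original post): non-interactive self-signed
# certificate generation plus the sanity checks worth running before nginx
# loads the files. Assumes openssl on PATH; WORKDIR is an assumed variable.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
NAME="wang_mingqu_com"     # file base name used by the post
CN="wang.mingqu.com"       # Common Name used by the post

# Request config: the DN answers from the post's prompts plus a SAN, which
# browsers require (they ignore the CN for host matching). A -config file
# works on OpenSSL 1.0.2 (CentOS 7) as well as 3.x, unlike -addext.
write_req_config() {
    cat > "$WORKDIR/req.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions    = v3_req
prompt             = no

[dn]
C  = CN
ST = HeNan
L  = ZhengZhou
O  = MingQuKeJi
OU = YunWeiBu
CN = $CN

[v3_req]
subjectAltName = DNS:$CN
EOF
}

# One command replaces genrsa + rsa + req + x509: 2048-bit key (1024 is below
# what current clients accept), no passphrase (-nodes, so nginx starts
# unattended), SHA-256 signature, valid 365 days as in the post.
gen_selfsigned() {
    write_req_config
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -config "$WORKDIR/req.cnf" \
        -keyout "$WORKDIR/$NAME.key" -out "$WORKDIR/$NAME.crt" 2>/dev/null
    chmod 600 "$WORKDIR/$NAME.key"   # the post's listing left the key at 644
}

# Key/certificate mismatch is the most common cause of "key values mismatch"
# at nginx start: the RSA modulus of both files must be identical.
key_matches_cert() {
    k=$(openssl rsa  -noout -modulus -in "$1" | openssl sha256)
    c=$(openssl x509 -noout -modulus -in "$2" | openssl sha256)
    [ "$k" = "$c" ]
}

# CN from the subject line; the sed accepts both the old "/CN=..." and the
# newer "CN = ..." output formats of openssl x509.
cert_cn() {
    openssl x509 -noout -subject -in "$1" \
        | sed -n 's|.*CN *= *\([^,/]*\).*|\1|p'
}

# True when the certificate lists the given DNS name in its SAN extension.
cert_has_san() {
    openssl x509 -noout -text -in "$1" | grep -q "DNS:$2"
}

# True when the certificate is still valid $2 days from now (-checkend takes
# seconds and exits non-zero if the certificate expires inside that window).
cert_valid_for_days() {
    openssl x509 -noout -checkend $(( $2 * 86400 )) -in "$1" >/dev/null
}

main() {
    gen_selfsigned
    key_matches_cert "$WORKDIR/$NAME.key" "$WORKDIR/$NAME.crt" \
        && echo "key and certificate match"
    echo "CN:  $(cert_cn "$WORKDIR/$NAME.crt")"
    cert_has_san "$WORKDIR/$NAME.crt" "$CN" && echo "SAN: DNS:$CN present"
    cert_valid_for_days "$WORKDIR/$NAME.crt" 30 \
        && echo "valid for at least 30 more days"
    openssl x509 -noout -dates -in "$WORKDIR/$NAME.crt"
    echo "files written to $WORKDIR"
}

main "$@"
```

Copy the resulting `.crt` and `.key` into `/etc/nginx/ssl_key/` exactly as the post does; `key_matches_cert` is the check to rerun whenever a certificate is replaced, since a renewed certificate paired with a stale key is the usual way that step goes wrong. The post's own nginx configuration for `/etc/nginx/conf.d/wangmingqu.conf` follows.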
```nginx
server {
    listen 443 ssl;
    server_name wang.mingqu.com;
    charset utf-8;

    # HTTPS certificate configuration
    #ssl on;   # not needed in current nginx versions; "listen 443 ssl" replaces it

    # Paths of the certificate and private key
    ssl_certificate /etc/nginx/ssl_key/wang_mingqu_com.crt;
    ssl_certificate_key /etc/nginx/ssl_key/wang_mingqu_com.key;

    # Lifetime of cached TLS session parameters (not of the certificate)
    ssl_session_timeout 5m;

    # Cipher suites offered to clients
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;

    # Protocol versions accepted for secure connections
    # (TLSv1 and TLSv1.1 are deprecated by RFC 8996; production should list TLSv1.2 TLSv1.3)
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

    # Use the server's cipher preference order
    ssl_prefer_server_ciphers on;

    location / {
        root /www/wangmingqu/html;
        index index.html index.htm;
    }
}

# Redirect HTTP to HTTPS
server {
    listen 80;
    server_name wang.mingqu.com;
    charset utf-8;

    # $server_name: the domain being accessed; the $host variable may be used instead.
    # $server_name comes from the server_name directive in this configuration;
    # $host is whatever the user typed.
    # $request_uri: everything after the domain in the request.
    rewrite .* https://$server_name$request_uri redirect;
    ## Variant 2:
    #rewrite .* https://$host$request_uri redirect;
    ## Variant 3:
    #rewrite (.*) https://$server_name$1 redirect;
}
```

Check the configuration and reload:

```bash
nginx -t
systemctl reload nginx
```

**Access test**

#### Load balancing with HTTPS redirect

**Host plan**

| Host name | Host IP | Role |
| --- | --- | --- |
| k8s-master-1 | 192.168.108.129 | Nginx Proxy |
| k8s-master-2 | 192.168.108.130 | Nginx Web1 |
| k8s-master-3 | 192.168.108.131 | Nginx Web2 |

**Configure the sites**

Note:
Remove the other test configuration files first:

```bash
cd /etc/nginx/conf.d/
rename .conf .bak *.conf    # util-linux rename syntax (CentOS); perl rename on Debian uses a different form
```

**web01 configuration**

Test data:

```bash
mkdir -p /www/html/
echo "主机:192.168.108.130" > /www/html/index.html
chown -R nginx:nginx /www/html
```

Configure nginx. Main configuration file, path: `/etc/nginx/nginx.conf`
```nginx
user nginx;
worker_processes auto;

error_log /var/log/nginx/error.log notice;
pid /var/run/nginx.pid;

events {
    worker_connections 1024;
}

http {
    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';

    access_log /var/log/nginx/access.log main;

    sendfile on;
    #tcp_nopush on;

    keepalive_timeout 65;

    #gzip on;

    include /etc/nginx/conf.d/*.conf;
}
```

Sub-configuration file, path: `/etc/nginx/conf.d/web01.conf`
```nginx
server {
    # Port 443 without the "ssl" flag: this backend speaks plain HTTP on 443.
    # TLS is terminated on the proxy host later in the post.
    listen 443;
    server_name wang.mingqu.com;
    charset utf-8;

    location / {
        root /www/html/;
        index index.html index.htm;
    }
}
```

(The original had `chartset utf-8;`, a typo nginx rejects; the directive is `charset`.)

Verify the nginx service. Restart the service:

```bash
nginx -t
systemctl restart nginx
```

Verify the service:

```bash
curl -iv 127.0.0.1:443
```

**web02 configuration**

Test data:

```bash
mkdir -p /www/html/
echo "主机:192.168.108.131" > /www/html/index.html
chown -R nginx:nginx /www/html
```

Configure nginx. Main configuration file, path: `/etc/nginx/nginx.conf`
```nginx
user nginx;
worker_processes auto;

error_log /var/log/nginx/error.log notice;
pid /var/run/nginx.pid;

events {
    worker_connections 1024;
}

http {
    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';

    access_log /var/log/nginx/access.log main;

    sendfile on;
    #tcp_nopush on;

    keepalive_timeout 65;

    #gzip on;

    include /etc/nginx/conf.d/*.conf;
}
```

Sub-configuration file, path: `/etc/nginx/conf.d/web02.conf`
```nginx
server {
    # Plain HTTP on port 443, same as web01; TLS is terminated on the proxy.
    listen 443;
    server_name wang.mingqu.com;
    charset utf-8;

    location / {
        root /www/html/;
        index index.html index.htm;
    }
}
```

Verify the nginx service. Restart the service:

```bash
nginx -t
systemctl restart nginx
```

Verify the service:

```bash
curl -iv 127.0.0.1:443
```

**Configure the load balancer**

Note: remove the other test configuration files first.
```bash
cd /etc/nginx/conf.d/
rename .conf .bak *.conf
```

Test data:

```bash
mkdir -p /www/html/localhost
echo "主机:192.168.108.129" > /www/html/localhost/index.html
chown -R nginx:nginx /www/html
```

Main configuration file, path: `/etc/nginx/nginx.conf`
```nginx
user nginx;
worker_processes auto;

error_log /var/log/nginx/error.log notice;
pid /var/run/nginx.pid;

events {
    worker_connections 1024;
}

http {
    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';

    access_log /var/log/nginx/access.log main;

    sendfile on;
    #tcp_nopush on;

    # Log rewrite processing to the error log (notice level) for debugging the redirect
    rewrite_log on;

    keepalive_timeout 65;

    #gzip on;

    include /etc/nginx/conf.d/*.conf;
}
```

Sub-configuration file, path: `/etc/nginx/conf.d/proxy.conf`
```nginx
upstream web {
    # The backends listen on 443 without "ssl", i.e. plain HTTP on port 443,
    # which is why the proxy reaches them with http:// below.
    server 192.168.108.130:443;
    server 192.168.108.131:443;
}

server {
    listen 80;
    server_name wang.mingqu.com;
    charset utf-8;

    location / {
        proxy_pass http://web;
    }

    # Served by the proxy host itself from /www/html/localhost/
    location /localhost {
        root /www/html/;
        index index.html index.htm;
    }
}
```

**Verify the service**

Restart nginx:

```bash
nginx -t
systemctl restart nginx
```

Verify nginx:

- load balancing to the local service;
- load balancing to the backend services.

**HTTPS redirect configuration**

Certificate files:

```bash
mkdir -p /etc/nginx/ssl_key
cp /www/ssl_key/wang_mingqu_com.crt /etc/nginx/ssl_key/
cp /www/ssl_key/wang_mingqu_com.key /etc/nginx/ssl_key/
chown -R nginx:nginx /etc/nginx/ssl_key/
```

Adjusted configuration file:

```nginx
upstream web {
    server 192.168.108.130:443;
    server 192.168.108.131:443;
}

server {
    listen 443 ssl;
    server_name wang.mingqu.com;
    charset utf-8;

    # HTTPS certificate configuration
    #ssl on;   # not needed in current nginx versions; "listen 443 ssl" replaces it

    # Paths of the certificate and private key
    ssl_certificate /etc/nginx/ssl_key/wang_mingqu_com.crt;
    ssl_certificate_key /etc/nginx/ssl_key/wang_mingqu_com.key;

    # Lifetime of cached TLS session parameters (not of the certificate)
    ssl_session_timeout 5m;

    # Cipher suites offered to clients
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;

    # Protocol versions accepted for secure connections
    # (TLSv1 and TLSv1.1 are deprecated by RFC 8996; production should list TLSv1.2 TLSv1.3)
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

    # Use the server's cipher preference order
    ssl_prefer_server_ciphers on;

    location / {
        # TLS ends here; the backends are reached over plain HTTP on port 443.
        proxy_pass http://web;
        # proxy_params ships with the Debian/Ubuntu nginx packages, not with the
        # CentOS package installed via yum above. Create /etc/nginx/proxy_params
        # (proxy_set_header Host, X-Real-IP, X-Forwarded-For, X-Forwarded-Proto)
        # or replace this line with those directives, otherwise nginx -t fails.
        include proxy_params;
    }
}

# Redirect HTTP to HTTPS
server {
    listen 80;
    server_name wang.mingqu.com;
    charset utf-8;

    # $server_name: the domain being accessed; the $host variable may be used instead.
    # $server_name comes from the server_name directive in this configuration;
    # $host is whatever the user typed.
    # $request_uri: everything after the domain in the request.
    rewrite .* https://$server_name$request_uri redirect;
    ## Variant 2:
    #rewrite .* https://$host$request_uri redirect;
    ## Variant 3:
    #rewrite (.*) https://$server_name$1 redirect;
}
```

**Test the HTTPS redirect**
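The HTTPS server block is used twice on this page (once for the single host, once on the proxy), and both copies carry the same TLS settings. The script below is an added example, not from the original post: it places the post's block (reduced to its TLS-relevant directives) next to a hardened version that keeps the post's paths and host name, and runs a small audit over both so that the differences (deprecated protocol versions, broad cipher aliases, no session cache, no HSTS, a temporary rather than permanent redirect) are reported by a check instead of asserted in prose. `OUT`, the path the hardened block is written to, is an assumed variable; validate the written file with `nginx -t` on the target host.

```shell
#!/bin/sh
# Added example (not from the original post): the post's HTTPS server block
# beside a hardened version, plus an audit that flags the weak settings.
# Paths and host name are the post's; OUT is an assumed output path.
set -eu

OUT="${OUT:-${TMPDIR:-/tmp}/wang_mingqu_com_hardened.conf}"

# The post's block, reduced to the directives that matter for TLS.
ORIGINAL_CONF='server {
    listen 443 ssl;
    server_name wang.mingqu.com;
    ssl_certificate     /etc/nginx/ssl_key/wang_mingqu_com.crt;
    ssl_certificate_key /etc/nginx/ssl_key/wang_mingqu_com.key;
    ssl_session_timeout 5m;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
}
server {
    listen 80;
    server_name wang.mingqu.com;
    rewrite .* https://$server_name$request_uri redirect;
}'

# Hardened equivalent with the same certificate files and host name.
HARDENED_CONF='server {
    listen 443 ssl;
    server_name wang.mingqu.com;
    ssl_certificate     /etc/nginx/ssl_key/wang_mingqu_com.crt;
    ssl_certificate_key /etc/nginx/ssl_key/wang_mingqu_com.key;

    # TLSv1 and TLSv1.1 are deprecated (RFC 8996); keep 1.2 and 1.3 only.
    ssl_protocols TLSv1.2 TLSv1.3;
    # Forward-secret AEAD suites only; TLS 1.3 suites are implicit.
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers off;

    # Shared cache so session resumption works across worker processes;
    # the post sets only ssl_session_timeout and no cache.
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 1d;
    ssl_session_tickets off;

    # Tell browsers to stay on HTTPS for a year.
    add_header Strict-Transport-Security "max-age=31536000" always;

    location / {
        root  /www/wangmingqu/html;
        index index.html index.htm;
    }
}
server {
    listen 80;
    server_name wang.mingqu.com;
    # Permanent (301) redirect instead of the rewrite ... redirect (302) form.
    return 301 https://$host$request_uri;
}'

# Prints one finding per line for the config text passed as $1.
audit_tls_conf() {
    conf=$1
    if printf '%s\n' "$conf" | grep -Eq 'ssl_protocols[^;]*TLSv1(\.1)?[ ;]'; then
        echo "deprecated TLSv1/TLSv1.1 enabled in ssl_protocols"
    fi
    if printf '%s\n' "$conf" | grep -Eq 'ssl_ciphers[^;]*(:AES:|:HIGH:|:ECDH:)'; then
        echo "cipher list uses broad aliases (AES/HIGH/ECDH) that admit non-forward-secret CBC suites"
    fi
    if ! printf '%s\n' "$conf" | grep -q 'ssl_session_cache'; then
        echo "no ssl_session_cache: resumption relies on tickets only (nginx default is no server-side cache)"
    fi
    if ! printf '%s\n' "$conf" | grep -q 'Strict-Transport-Security'; then
        echo "no HSTS header on the HTTPS server"
    fi
    if printf '%s\n' "$conf" | grep -Eq 'rewrite[^;]*redirect;'; then
        echo "HTTP->HTTPS uses a temporary (302) redirect; prefer return 301"
    fi
}

# Number of findings, as a plain integer on stdout.
count_tls_findings() {
    n=$(audit_tls_conf "$1" | grep -c . || true)
    echo "$n"
}

# Writes the hardened block to OUT and prints the path.
write_hardened() {
    printf '%s\n' "$HARDENED_CONF" > "$OUT"
    echo "$OUT"
}

main() {
    echo "== findings for the post's block =="
    audit_tls_conf "$ORIGINAL_CONF"
    echo "== findings for the hardened block =="
    audit_tls_conf "$HARDENED_CONF"
    echo "hardened config written to $(write_hardened); validate with: nginx -t"
}

main "$@"
```

The audit is deliberately line-oriented `grep` over the directives, which is enough for these five settings and runs anywhere the post's shell commands run; it reports five findings for the post's block and none for the hardened one. Apply the same hardened directives to the proxy's HTTPS block as well, since the proxy is where TLS is terminated in the load-balanced setup.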
"11. Nginx Advanced: HTTPS" was published in the Artificial Intelligence column of 讯客互联. Thank you for your recognition of 讯客互联 and your interest in our original work; you are welcome to share it on your own site or with friends, but please credit the source "11.Nginx进阶-HTTPS" when reposting.