Nginx HTTPS Certificate Configuration in Practice


Chapter 1 Introduction to HTTPS

1. Why HTTPS is needed

Why use HTTPS? Because HTTP is not secure. With a plain HTTP site, packets are routinely hijacked and tampered with in transit; with HTTPS the data is encrypted on the wire, so an attacker cannot read or alter the messages.

Chapter 2 Buying an HTTPS certificate and things to watch out for

1. Where to buy

The major cloud vendors

2. Common international certificate authorities

GlobalSign
DigiCert
GeoTrust

3. Certificate types

OV
EV
DV
Free

4. Domain coverage types

Single-domain certificate    www.mysun.com
Multi-domain certificate     www.mysun.com  bbs.mysun.com  blog.mysun.com
Wildcard certificate         *.mysun.com

5. Things to note when buying a domain certificate

1. A wildcard certificate covers only one level of subdomain
2. A certificate can be bought for at most 2 years; it cannot be renewed, only replaced with a new one when it expires
3. Once the certificate expires, browsers show an insecure-site warning
4. WeChat Mini Programs require HTTPS, otherwise the review is rejected
5. Buy in advance
   1. Understand the architecture
   2. Inventory the services that must be paid for:
      Domain names
      DNS
      CDN
      Domain certificate (HTTPS)
   3. Buy early: at least 2 months in advance

6. Choosing domains in practice

1. First collect all the domain names
2. Filter and analyse how many kinds of domain there are (sed back-references), for example:
  *.www.mysun.com
  *.mysun.com
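As an added example (not part of the original tutorial), here is the grouping step above done with a sed back-reference, plus a check of a host against a wildcard pattern so the one-level rule from item 1 of "Things to note" is visible. The domain list is constructed for the example; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original tutorial). Groups a collected list
# of hostnames into the wildcard patterns that would cover them, and tests
# a single host against a wildcard. The domain list is constructed.

# Read hostnames on stdin; print "*.parent count" for each wildcard pattern
# that would cover them. The back-reference \1 keeps everything after the
# first label and "*" replaces the label itself.
classify_domains() {
    sed -E 's/^[^.]+\.(.+)$/*.\1/' | sort | uniq -c | awk '{print $2, $1}'
}

# Print "covered" if HOST is matched by wildcard PATTERN, else "not covered".
# A wildcard stands for exactly one label: *.mysun.com matches bbs.mysun.com
# but not api.www.mysun.com, which needs *.www.mysun.com or its own cert.
covered_by_wildcard() {
    host=$1
    parent=${2#\*.}        # "*.mysun.com" -> "mysun.com"
    rest=${host#*.}        # "bbs.mysun.com" -> "mysun.com"
    if [ "$rest" != "$host" ] && [ "$rest" = "$parent" ]; then
        echo covered
    else
        echo "not covered"
    fi
}

# Constructed inventory, as the "collect all the domain names" step might yield.
SAMPLE_DOMAINS='www.mysun.com
bbs.mysun.com
blog.mysun.com
api.www.mysun.com
static.www.mysun.com'

printf '%s\n' "$SAMPLE_DOMAINS" | classify_domains
covered_by_wildcard bbs.mysun.com '*.mysun.com'
covered_by_wildcard api.www.mysun.com '*.mysun.com'
```

On the sample list this prints two patterns, `*.mysun.com 3` and `*.www.mysun.com 2`, which is exactly the situation where one wildcard certificate is not enough and a second wildcard (or a multi-domain certificate) has to be bought.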

Chapter 3 Basic Nginx HTTPS configuration

1. Check whether Nginx was built with the SSL module

nginx -V 

The output should include --with-http_ssl_module

2. Create the certificate directory and generate a private key

mkdir /etc/nginx/ssl_key 
cd /etc/nginx/ssl_key
openssl genrsa -idea -out server.key 2048

3. Generate the self-signed certificate, regenerating the private key without a passphrase (-nodes; this overwrites the server.key from step 2)

openssl req -days 36500 -x509 -sha256 -nodes -newkey rsa:2048 -keyout server.key -out server.crt
Answers given to the interactive prompts, in order:
Country Name:              CN
State or Province Name:    SH
Locality Name:             SH
Organization Name:         mysun
Organizational Unit Name:  SA
Common Name:               mysun
Email Address:             mysun@qq.com

4. Create the nginx configuration file

cat >/etc/nginx/conf.d/ssl.conf <<EOF
server {
    listen 443 ssl;
    server_name ssl.mysun.com;
    ssl_certificate ssl_key/server.crt;
    ssl_certificate_key ssl_key/server.key;
    location / {
        root /code;
        index index.html;
    }
}
EOF

5. Test the configuration and restart Nginx

nginx -t 
systemctl restart nginx 

6. Write a test page

echo "$(hostname) SSL" > /code/index.html

7. Access test

Open https://ssl.mysun.com in a browser; because the certificate is self-signed, the browser shows a trust warning that has to be accepted before the test page is displayed.
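The whole of Chapter 3 as one non-interactive script, added here as an example rather than taken from the original tutorial. It keeps the tutorial's subject fields and hostname (ssl.mysun.com) but adds a subjectAltName, which current browsers require, and verifies the key/certificate pair before writing the server block. The function names, the temporary directory parameter and the ssl_protocols line are my additions; it needs openssl 1.1.1 or newer for -addext.

```shell
#!/bin/sh
# Added example (not part of the original tutorial). Generates a self-signed
# certificate as Chapter 3 does, but non-interactively and with a SAN, then
# verifies the pair before writing the nginx server block. DIR and HOST are
# parameters; ssl.mysun.com is the tutorial's hostname.

# Generate an unencrypted RSA key and a self-signed cert into DIR for HOST.
# Same subject fields as the tutorial's interactive answers.
make_selfsigned() {
    dir=$1; host=$2; days=${3:-36500}
    mkdir -p "$dir"
    openssl req -days "$days" -x509 -sha256 -nodes -newkey rsa:2048 \
        -subj "/C=CN/ST=SH/L=SH/O=mysun/OU=SA/CN=$host" \
        -addext "subjectAltName=DNS:$host" \
        -keyout "$dir/server.key" -out "$dir/server.crt" 2>/dev/null
    chmod 600 "$dir/server.key"      # the private key is a secret: owner-only
}

# Return 0 if the public key inside the certificate matches the private key.
# Catches the classic mistake of pairing a regenerated key with an old cert.
cert_matches_key() {
    dir=$1
    a=$(openssl x509 -noout -pubkey -in "$dir/server.crt")
    b=$(openssl pkey -pubout -in "$dir/server.key" 2>/dev/null)
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Return 0 if the certificate is still valid DAYS from now. Run it from cron
# to get the "buy at least two months in advance" reminder from Chapter 2.
cert_valid_for_days() {
    openssl x509 -noout -checkend $(( $2 * 86400 )) -in "$1/server.crt" >/dev/null
}

# Print the SAN entry so you can confirm the name browsers will check.
cert_sans() {
    openssl x509 -noout -text -in "$1/server.crt" \
        | grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^[[:space:]]*//'
}

# Write the tutorial's server block into DIR/ssl.conf. The ssl_protocols
# line restricting to TLS 1.2/1.3 is an addition, not in the original.
write_ssl_conf() {
    dir=$1; host=$2
    cat >"$dir/ssl.conf" <<EOF
server {
    listen 443 ssl;
    server_name $host;
    ssl_certificate ssl_key/server.crt;
    ssl_certificate_key ssl_key/server.key;
    ssl_protocols TLSv1.2 TLSv1.3;
    location / {
        root /code;
        index index.html;
    }
}
EOF
}

# Usage, in a scratch directory (copy the files to /etc/nginx/ssl_key and
# /etc/nginx/conf.d afterwards, then nginx -t && systemctl restart nginx):
#   d=$(mktemp -d); make_selfsigned "$d" ssl.mysun.com
#   cert_matches_key "$d" && cert_valid_for_days "$d" 60 && cert_sans "$d"
#   write_ssl_conf "$d" ssl.mysun.com
```

cert_matches_key is the check worth keeping around: after step 3 overwrote server.key, any certificate issued against the step 2 key would no longer match, and nginx -t reports that only as a generic key-mismatch error.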

Chapter 4 Forcing HTTP to redirect to HTTPS

1. Configure the nginx configuration file

The redirect flag on rewrite sends a temporary 302; switch it to permanent (301) only once the HTTPS setup is confirmed working, because browsers cache 301 responses.

[root@web01 /etc/nginx/conf.d]# cat ssl.conf 
server {
    listen 80;
    server_name ssl.mysun.com;
    rewrite ^(.*) https://$server_name$1 redirect;
}

server {
    listen 443 ssl;
    server_name ssl.mysun.com;
    ssl_certificate ssl_key/server.crt;
    ssl_certificate_key ssl_key/server.key;
    location / {
        root /code;
        index index.html;
    }
}

Chapter 5 Configuring HTTPS for an Nginx cluster

1. Copy the generated certificate to the other web servers

cd /etc/nginx/ 
scp -r ssl_key 10.0.0.8:/etc/nginx/
scp -r conf.d/ssl.conf 10.0.0.8:/etc/nginx/conf.d/
echo "$(hostname) SSL" > /code/index.html

2. Copy the generated certificate to the LB server

cd /etc/nginx/ 
scp -r ssl_key 10.0.0.5:/etc/nginx/

3. Case 1:

The LB server forces HTTP to redirect to HTTPS, and the backend web servers also serve HTTPS

LB server configuration:

[root@lb01 /etc/nginx/conf.d]# cat ssl.conf 
upstream ssl_pools {
   server 172.16.1.7:443;
   server 172.16.1.8:443;
}

server {
   listen 80;
   server_name ssl.oldboy.com;
   rewrite ^(.*) https://$server_name$1 redirect;
   # or, equivalently (use one of the two):
   return 302 https://$server_name$request_uri;
}

server {
    listen 443 ssl;
    server_name ssl.oldboy.com;
    ssl_certificate ssl_key/server.crt;
    ssl_certificate_key ssl_key/server.key;
    location / {
      proxy_pass  https://ssl_pools;
      include proxy_params;
    }
}

Web server configuration:

[root@web02 /etc/nginx/conf.d]# cat ssl.conf 
server {
    listen 443 ssl;
    server_name ssl.oldboy.com;
    ssl_certificate ssl_key/server.crt;
    ssl_certificate_key ssl_key/server.key;
    location / {
        root /code;
        index index.html;
    }
}
This setup is not ideal: the web servers sit on the cluster's internal network, so there is no need to encrypt the traffic between the load balancer and them.

4. Case 2:

The LB server handles HTTPS encryption and decryption; the backend web servers stay on port 80 (plain HTTP)
1. LB server configuration

[root@lb01 ~]# cat /etc/nginx/conf.d/ssl.conf 
upstream ssl_pools {
   server 172.16.1.7;
   server 172.16.1.8;
}

server {
   listen 80;
   server_name ssl.oldboy.com;
   rewrite ^(.*) https://$server_name$1 redirect;
}

server {
    listen 443 ssl;
    server_name ssl.oldboy.com;
    ssl_certificate ssl_key/server.crt;
    ssl_certificate_key ssl_key/server.key;
    location / {
      proxy_pass  http://ssl_pools;
      include proxy_params;
    }
}

2. Web server configuration

[root@web01 /etc/nginx/conf.d]# cat ssl.conf 
server {
    listen 80;
    server_name ssl.oldboy.com;
    location / {
        root /code;
        index index.html;
    }
}

Chapter 6 Configuring HTTPS for WordPress

LB server configuration

1. Configure the nginx configuration file

[root@lb01 ~]# cat /etc/nginx/conf.d/ssl.conf 
upstream ssl_pools {
   server 172.16.1.7;
   server 172.16.1.8;
}

server {
   listen 80;
   server_name blog.mysun.com;
   rewrite ^(.*) https://$server_name$1 redirect;
}

server {
    listen 443 ssl;
    server_name blog.mysun.com;
    ssl_certificate ssl_key/server.crt;
    ssl_certificate_key ssl_key/server.key;
    location / {
      proxy_pass  http://ssl_pools;
      include proxy_params;
    }
}

Web server configuration:
Both web servers need this configuration

1. Set the HTTPS FastCGI parameter, so that PHP sees $_SERVER['HTTPS'] = on and WordPress generates https:// links even though the web server itself only speaks HTTP

echo "fastcgi_param  HTTPS on;" >> /etc/nginx/fastcgi_params

2. Web server nginx configuration

[root@web01 ~]# cat /etc/nginx/conf.d/blog.conf 
server {
    listen 80;
    server_name blog.mysun.com;
    root /code/wordpress;
    index index.php index.html;

    location ~ \.php$ {
        root /code/wordpress;
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}

3. Restart nginx

nginx -t 
systemctl restart nginx
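Case 2 of Chapter 5 and the WordPress chapter both terminate TLS on the LB and proxy plain HTTP to the web servers, and the tutorial then appends an unconditional fastcgi_param HTTPS on; on the web side. That flag is also set for a request that reaches port 80 on a web server directly, bypassing the LB. The following is an added example, not the tutorial's configuration, written in the same heredoc style as Chapter 3: the LB states the real scheme in X-Forwarded-Proto and the web server derives the HTTPS flag from it. The proxy_params contents, the 172.16.1.0/24 allow-list and the function names are assumptions; hostnames and addresses come from the tutorial.

```shell
#!/bin/sh
# Added example, not from the original tutorial. Writes the LB's
# proxy_params and the web server's blog.conf into DIR so that the HTTPS
# flag passed to PHP follows the scheme the client actually used on the LB.

# LB side: the proxy_params file pulled in by "include proxy_params;".
write_lb_proxy_params() {
    cat >"$1/proxy_params" <<'EOF'
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# Scheme the client used on the LB: "https" after termination, "http" otherwise.
proxy_set_header X-Forwarded-Proto $scheme;
EOF
}

# Web side: blog.conf. The map lives at http level (conf.d files are included
# there) and turns the forwarded scheme into the value PHP expects.
write_web_blog_conf() {
    cat >"$1/blog.conf" <<'EOF'
map $http_x_forwarded_proto $fastcgi_https {
    default "";
    https   on;
}

server {
    listen 80;
    server_name blog.mysun.com;
    root /code/wordpress;
    index index.php index.html;

    # Only the LB's internal network may reach the backend directly, so the
    # forwarded header cannot be spoofed by outside clients (assumed range).
    allow 172.16.1.0/24;
    deny all;

    location ~ \.php$ {
        root /code/wordpress;
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
        # Replaces the tutorial's "fastcgi_param HTTPS on;" appended to
        # fastcgi_params; remove that line so HTTPS is not sent twice.
        fastcgi_param HTTPS $fastcgi_https;
    }
}
EOF
}

# Sanity check without running nginx: both halves must be present.
check_tls_offload_confs() {
    grep -q 'X-Forwarded-Proto \$scheme' "$1/proxy_params" \
        && grep -q 'map \$http_x_forwarded_proto \$fastcgi_https' "$1/blog.conf" \
        && grep -q 'fastcgi_param HTTPS \$fastcgi_https' "$1/blog.conf" \
        && echo ok
}

# Usage: d=$(mktemp -d); write_lb_proxy_params "$d"; write_web_blog_conf "$d"
#        check_tls_offload_confs "$d"   # prints ok; run nginx -t after installing
```

With this in place the tutorial's echo "fastcgi_param HTTPS on;" >> /etc/nginx/fastcgi_params step is no longer needed, and a request that arrives at the LB over plain HTTP (before the redirect) or at a web server directly is not reported to WordPress as HTTPS.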