11 Implementing single-host and site-wide HTTPS
阿新 • Published: 2021-11-02
Single-host HTTPS configuration
1. Check that nginx was built with the SSL module
[root@web01 ~]# nginx -V
--with-http_ssl_module
2. Create the certificate directory
[root@web02 ~]# mkdir /etc/nginx/ssl_key
[root@web02 nginx]# cd /etc/nginx/ssl_key
3. Create a self-signed (fake) certificate
1) Generate the private key
# Use the openssl command to act as our own CA and issue the certificate (do not do this in production: a self-signed certificate is not trusted by browsers or anyone on the public internet)
[root@web02 ssl_key]# openssl genrsa -idea -out server.key 2048
Generating RSA private key, 2048 bit long modulus
..............+++
....+++
e is 65537 (0x10001)
Enter pass phrase for server.key:
Verifying - Enter pass phrase for server.key:
2) Generate the certificate (public key)
# Generate the self-signed certificate (public key) and at the same time drop the passphrase from the private key (-nodes rewrites server.key as an unencrypted key, replacing the passphrase-protected one created above)
[root@web02 ssl_key]# openssl req -days 36500 -x509 -sha256 -nodes -newkey rsa:2048 -keyout server.key -out server.crt
Generating a 2048 bit RSA private key
.....................................+++
............+++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:china
string is too long, it needs to be less than 2 bytes long
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:meiguo
Locality Name (eg, city) [Default City]:riben
Organization Name (eg, company) [Default Company Ltd]:heishoudang
Organizational Unit Name (eg, section) []:oldboy
Common Name (eg, your name or your server's hostname) []:oldboy
Email Address []:[email protected]
# req --> create a certificate request (or, with -x509, a certificate)
# -newkey --> generate a new private key together with the certificate
# -x509 --> output a self-signed certificate instead of a signing request
# -keyout --> the file the private key is written to
# -out --> the file the certificate is written to
# -days --> validity period of the certificate, in days
# -sha256 --> digest algorithm used for the certificate signature
3) Check the generated files
[root@web02 ssl_key]# ll
total 8
-rw-r--r-- 1 root root 1220 Nov 1 17:31 server.crt
-rw-r--r-- 1 root root 1704 Nov 1 17:31 server.key
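The certificate above is produced in two steps, carries only a CN, and the listing shows server.key left world-readable (-rw-r--r--). As an added example (not from the original post), the script below does the same in one openssl call, adds a subjectAltName so modern browsers accept the hostname, tightens the key permissions, and verifies that certificate and key belong together. It assumes OpenSSL 1.1.1 or later (for -addext) and GNU coreutils; the function names make_selfsigned, cert_matches_key and cert_has_san are my own.

```shell
#!/bin/sh
# Added example, not part of the original post.
# Assumes OpenSSL >= 1.1.1 (for -addext) and GNU stat/mktemp.
set -e

# make_selfsigned DIR HOSTNAME DAYS
# Writes DIR/server.key (mode 0600) and DIR/server.crt in one step.
make_selfsigned() {
    dir=$1; host=$2; days=$3
    mkdir -p "$dir"
    # -nodes: no passphrase on the key, so nginx can start unattended.
    # -addext: browsers match the hostname against the SAN, not the CN.
    openssl req -x509 -sha256 -nodes -days "$days" -newkey rsa:2048 \
        -subj "/C=CN/O=Example/CN=$host" \
        -addext "subjectAltName=DNS:$host" \
        -keyout "$dir/server.key" -out "$dir/server.crt"
    # The key must not be readable by other local users.
    chmod 600 "$dir/server.key"
}

# cert_matches_key CRT KEY
# Exit 0 when the public key inside CRT equals the public key derived
# from KEY (compares SHA-256 over the DER-encoded SubjectPublicKeyInfo).
cert_matches_key() {
    c=$(openssl x509 -in "$1" -noout -pubkey \
        | openssl pkey -pubin -outform DER | openssl dgst -sha256)
    k=$(openssl pkey -in "$2" -pubout -outform DER | openssl dgst -sha256)
    [ "$c" = "$k" ]
}

# cert_has_san CRT HOSTNAME
# Exit 0 when HOSTNAME appears as a DNS subjectAltName in CRT.
cert_has_san() {
    openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"
}
```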
4. Certificate directive syntax
#1. Enable TLS (the ssl directive is deprecated since nginx 1.15.0; use the ssl parameter of listen instead, as the configuration below does)
Syntax: ssl on | off;
Default: ssl off;
Context: http, server
#2. Specify the certificate file
Syntax: ssl_certificate file;
Default: —
Context: http, server
#3. Specify the private key file
Syntax: ssl_certificate_key file;
Default: —
Context: http, server
5. Configure the nginx certificate
[root@web02 nginx]# cd /etc/nginx/conf.d
[root@web02 conf.d]# vim game.conf
server {
    server_name game.test.com;
    listen 443 ssl;
    ssl_certificate /etc/nginx/ssl_key/server.crt;
    ssl_certificate_key /etc/nginx/ssl_key/server.key;
    location / {
        root /usr/share/nginx/html5-mario;
        index index.html;
    }
}
[root@web02 nginx]# nginx -t
[root@web02 nginx]# systemctl restart nginx
Test in a browser: https://192.168.15.8 (note: the https:// prefix is required; when the browser's certificate warning page appears, click Advanced to continue)
6. Configure hosts so the site can be reached by name
192.168.15.8 game.test.com
Test: https://game.test.com
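Before running nginx -t, a quick audit of the vhost catches the issues a reviewer would flag in the configurations on this page: missing certificate directives, the deprecated ssl on; form, and a private key that other users can read (the listing above shows server.key as -rw-r--r--). This is an added example, not part of the original post; the function names directive_value and audit_https_vhost are mine, and it assumes GNU stat.

```shell
#!/bin/sh
# Added example, not part of the original post. Assumes GNU stat.

# directive_value CONF NAME
# Prints the value of the first uncommented "NAME value;" line in CONF.
directive_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]][[:space:]]*\([^;]*\);.*/\1/p" "$1" \
        | head -n 1
}

# audit_https_vhost CONF
# Prints one line per finding and exits 1 if anything was found.
audit_https_vhost() {
    conf=$1; rc=0
    if ! grep -Eq '^[[:space:]]*listen[[:space:]]+443[[:space:]]+ssl' "$conf"; then
        echo "no 'listen 443 ssl' directive"; rc=1
    fi
    if grep -Eq '^[[:space:]]*ssl[[:space:]]+on;' "$conf"; then
        echo "'ssl on;' is deprecated; use the ssl parameter of listen"; rc=1
    fi
    crt=$(directive_value "$conf" ssl_certificate)
    key=$(directive_value "$conf" ssl_certificate_key)
    [ -n "$crt" ] || { echo "ssl_certificate not set"; rc=1; }
    [ -n "$key" ] || { echo "ssl_certificate_key not set"; rc=1; }
    if [ -n "$key" ]; then
        if [ ! -f "$key" ]; then
            echo "private key $key does not exist"; rc=1
        elif [ "$(stat -c %a "$key")" != "600" ]; then
            # The post's listing shows 644: any local user could copy the key.
            echo "private key $key should be mode 600 (is $(stat -c %a "$key"))"
            rc=1
        fi
    fi
    return $rc
}
```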
Site-wide HTTPS (in practice, HTTPS terminated on the load balancer)
lb01 configuration
1. Create the certificate directory
[root@lb01 nginx]# mkdir ssl_key
[root@lb01 nginx]# cd ssl_key/
2. Generate the private key
[root@lb01 ssl_key]# openssl genrsa -idea -out server.key 2048
Generating RSA private key, 2048 bit long modulus
.....+++
.+++
e is 65537 (0x10001)
Enter pass phrase for server.key:
Verifying - Enter pass phrase for server.key:
3. Generate the certificate (public key)
[root@lb01 ssl_key]# openssl req -days 36500 -x509 -sha256 -nodes -newkey rsa:2048 -keyout server.key -out server.crt
Generating a 2048 bit RSA private key
....................+++
....................................................................................+++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:chn
string is too long, it needs to be less than 2 bytes long
Country Name (2 letter code) [XX]:CM^H^H^H
string is too long, it needs to be less than 2 bytes long
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:SH
Locality Name (eg, city) [Default City]:qingpu
Organization Name (eg, company) [Default Company Ltd]:python&& ^H
Organizational Unit Name (eg, section) []:test
Common Name (eg, your name or your server's hostname) []:htt
Email Address []:[email protected]
4. Check the generated files
[root@lb01 ssl_key]# ll
total 8
-rw-r--r-- 1 root root 1367 Nov 1 19:37 server.crt
-rw-r--r-- 1 root root 1708 Nov 1 19:37 server.key
5. Configure the nginx certificate
[root@lb01 conf.d]# vim /etc/nginx/conf.d/game.conf
upstream game {
    server 172.16.1.8:80;
    server 172.16.1.7:80;
    server 172.16.1.9:80;
}
server {
    server_name game.test.com;
    listen 443 ssl;
    ssl_certificate /etc/nginx/ssl_key/server.crt;
    ssl_certificate_key /etc/nginx/ssl_key/server.key;
    location / {
        proxy_pass http://game;
        include proxy_params;
    }
}
6. Test the configuration and restart nginx
[root@lb01 conf.d]# nginx -t
[root@lb01 conf.d]# systemctl restart nginx
web02 configuration
Note: the backend web servers serve plain HTTP on port 80; TLS is only terminated on lb01
[root@web02 conf.d]# vim /etc/nginx/conf.d/game.conf
server {
    server_name game.test.com;
    listen 80;
    # ssl_certificate /etc/nginx/ssl_key/server.crt;
    # ssl_certificate_key /etc/nginx/ssl_key/server.key;
    location / {
        root /usr/share/nginx/html5-mario;
        index index.html;
    }
}
Restart nginx
[root@web02 conf.d]# systemctl restart nginx
Final test:
https://192.168.15.5/demo.html
Automatic redirect from HTTP to HTTPS
When a user types http in the browser, we want the request redirected to https automatically
lb01 configuration
[root@lb01 conf.d]# vim game.conf
upstream game {
    server 172.16.1.8:80;
    server 172.16.1.7:80;
    server 172.16.1.9:80;
}
server {
    listen 80;
    server_name game.test.com;
    # plain-HTTP requests get a 302 redirect to the HTTPS site root
    return 302 https://game.test.com;
}
server {
    server_name game.test.com;
    listen 443 ssl;
    ssl_certificate /etc/nginx/ssl_key/server.crt;
    ssl_certificate_key /etc/nginx/ssl_key/server.key;
    location / {
        proxy_pass http://game;
        include proxy_params;
    }
}
Restart nginx
[root@lb01 conf.d]# systemctl restart nginx
Edit the Windows hosts file and test
192.168.15.5 game.test.com
Test: entering http://192.168.15.5 redirects automatically to https://game.test.com