nginx +location + https
阿新 • • 發佈:2018-05-08
nginx CA 虛擬主機 location https wget http://nginx.org/packages/rhel/6/x86_64/RPMS/nginx-1.14.0-1.el6.ngx.x86_64.rpm (下載nginxRPM管理包)
rpm -ivh nginx-1.14.0-1.el6.ngx.x86_64.rpm (安裝nginx)
rpm -ivh nginx-1.14.0-1.el6.ngx.x86_64.rpm (安裝nginx)
開始實驗:
/etc/nginx/ ├── conf.d (拓展文件) │?? ├── abc.conf │?? ├── default.conf │?? ├── efg.conf │?? └── error.conf ├── fastcgi_params ├── koi-utf ├── koi-win ├── mime.types ├── modules -> ../../usr/lib64/nginx/modules ├── nginx.conf (主配文件) ├── scgi_params ├── uwsgi_params └── win-utf /usr/share/nginx/html/ (數據文件) ├── 50x.html ├── abc │?? └── index.html ├── efg │?? └── index.html ├── error │?? └── index.html └── index.html
**# 基於虛擬主機的兩個網站** [root@localhost conf.d]# cat abc.conf efg.conf server { listen 80; server_name www.abc.com; #charset koi8-r; #access_log /var/log/nginx/host.access.log main; location / { root /usr/share/nginx/html/abc; index index.html index.htm; } } server { listen 80; server_name www.efg.com; #charset koi8-r; #access_log /var/log/nginx/host.access.log main; location / { root /usr/share/nginx/html/efg; index index.html index.htm; } } [root@localhost nginx]# vim nginx.conf include /etc/nginx/conf.d/*.conf; charset utf-8; (如果出現web訪問顯示中文亂碼,寫上這條,重啟nginx) }
訪問abc和efg都沒問題,但是要是沒xyz的對應虛擬主機(默認顯示ASCII順序顯示第一個虛擬主機)這裏我們單獨給他一個錯誤回顯,看下圖:
(這個錯誤頁面怎麽配置?)
[root@localhost conf.d]# vim error.conf server { listen 80 default; (只要找不到虛擬主機一律去error下面找) #access_log /var/log/nginx/host.access.log main; location / { root /usr/share/nginx/html/error; (配置文件) index index.html index.htm; } }
location 匹配字段(針對URL的路徑部分,可以與正則配合使用)
[root@localhost download]# vim /etc/nginx/conf.d/abc.conf
server {
listen 80;
server_name www.abc.com;
#charset koi8-r;
#access_log /var/log/nginx/host.access.log main;
location / {
root /usr/share/nginx/html/abc;
index index.html index.htm;
}
location /boke.html { (這裏的意思是去root boke目錄裏找boke.html這個文件URL最後面不能加/)
root /usr/share/nginx/html/boke;
}
[root@localhost download]# vim /etc/nginx/conf.d/abc.conf
location /download/ { (這裏去html下面找download目錄!!目錄裏面可以有文件,頁面等等URL最後必須要加/
)
root /usr/share/nginx/html;
}
}
*(怎麽一定要加/或不加/呢?不人性化,這裏可以使用正則來解決)
[root@localhost download]# vim /etc/nginx/conf.d/abc.conf
location ~* /download.* { (~* 不區分大小寫,.*為正則匹配)
root /usr/share/nginx/html;
}
}
HTTPS
講之前先看下公鑰與私鑰到底是個啥?
[1](http://blog.51cto.com/2938638/809991)
[2](http://blog.51cto.com/zhangyanfeng/1711250)實驗:自簽名
客戶端 CA
1.創建私鑰 1.有自己的私鑰和證書
2.根據私鑰創建證書頒發請求 .csr 2.對證書頒發請求簽名
3.等CA中心授權簽名通過,返回證書文件 .crt 3.將證書發送給客戶端
4.根據KEY,CRT配置HTTPS站點客戶端
[root@localhost keyes]# openssl genrsa 2048 > siyao.keys (創建私鑰)
Generating RSA private key, 2048 bit long modulus
...............................................................................+++
.+++
e is 65537 (0x10001)
[root@localhost keyes]# chmod 400 siyao.keys (給予最小權限)
[root@localhost keyes]# openssl req -new -key siyao.keys -out siyao.csr (創建證書辦法請求)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ‘.‘, the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN (國家)
State or Province Name (full name) []:shanghai (省份)
Locality Name (eg, city) [Default City]:shanghai (市區)
Organization Name (eg, company) [Default Company Ltd]:boke (公司名)
Organizational Unit Name (eg, section) []:boke - cainiao (部門)
Common Name (eg, your name or your server‘s hostname) []:www.abc.com (要加密的RUL)
Email Address []:[email protected] (郵箱)
Please enter the following ‘extra‘ attributes
to be sent with your certificate request
A challenge password []: (這裏不要寫密碼,CA哪裏一會解不開密碼,自簽名。。)
An optional company name []: (這裏也跳過)
[root@localhost keyes]# ls
siyao.csr siyao.keys (生成一份.csr的文件)
[root@localhost keyes]# scp siyao.csr 192.168.1.115:/root (在我使用scp傳輸文件時,碰到了問題,因為之前做過NAT。網關上
把icmp阻塞了,並且用的策略是block return,所以返回一個目標不可到達的包給你。)
ssh: connect to host 192.168.1.115 port 22: No route to host
[root@localhost keyes]# scp siyao.csr 192.168.1.115:/root (傳過去了)
The authenticity of host ‘192.168.1.115 (192.168.1.115)‘ can‘t be established.
RSA key fingerprint is ce:73:07:c4:4c:f3:2b:1b:21:c7:92:31:27:53:be:cf.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added ‘192.168.1.115‘ (RSA) to the list of known hosts.
[email protected]‘s password:
siyao.csr
# CA端
[root@localhost ~]# openssl genrsa -des3 -out ca.key 4096 (生成公私鑰,做自簽名)
Generating RSA private key, 4096 bit long modulus
............................++
.......................++
e is 65537 (0x10001)
Enter pass phrase for ca.key: (自簽名密碼要記住,一會自簽名過程要用到)
Verifying - Enter pass phrase for ca.key:
[root@localhost ~]# ls
anaconda-ks.cfg ca.key siyao.csr
[root@localhost ~]# openssl req -new -x509 -days 365 -key ca.key -out ca.crt (自簽名)
Enter pass phrase for ca.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ‘.‘, the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:shanghai
Locality Name (eg, city) [Default City]:shanghai
Organization Name (eg, company) [Default Company Ltd]:NSA
Organizational Unit Name (eg, section) []:FBI
Common Name (eg, your name or your server‘s hostname) []:www.boke.com
Email Address []:
[root@localhost ~]# ls
anaconda-ks.cfg ca.crt ca.key siyao.csr
[root@localhost ~]# openssl x509 -req -days 365 -in siyao.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out siyao.crt (
給客戶端頒發證書)
Signature ok
subject=/C=CN/ST=shanghai/L=shanghai/O=boke/OU=boke - cainiao/CN=www.abc.com/[email protected]
Getting CA Private Key
Enter pass phrase for ca.key:
[root@localhost ~]# ls
anaconda-ks.cfg ca.crt ca.key siyao.crt siyao.csr
[root@localhost ~]# scp siyao.crt 192.168.1.3:/etc/pki/CA/keyes (回傳給客戶端)
The authenticity of host ‘192.168.1.3 (192.168.1.3)‘ can‘t be established.
RSA key fingerprint is bd:4d:15:99:19:a7:d7:fb:6e:0a:91:b0:b7:62:04:73.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added ‘192.168.1.3‘ (RSA) to the list of known hosts.
[email protected]‘s password:
siyao.crt 100% 1590 1.6KB/s
00:00
[root@localhost ~]# ls
anaconda-ks.cfg ca.crt ca.key siyao.crt siyao.csr
客戶端keyes目下要有私鑰,公鑰,證書
[root@localhost keyes]# ls
siyao.crt siyao.csr siyao.keys
[root@localhost keyes]# pwd
/etc/pki/CA/keyes
最後來配置HTTPS
[root@localhost conf.d]# vim abc.conf
server {
listen 443 ssl;
server_name www.abc.com;
ssl_certificate /etc/pki/CA/keyes/siyao.crt; (證書)
ssl_certificate_key /etc/pki/CA/keyes/siyao.keys; (私鑰)
ssl_protocols TLSv1 TLSv1.1 TLSv1.2; (協議)
ssl_ciphers HIGH:!aNULL:!MD5;
root /usr/share/nginx/html/abc;
index index.html;
}
我這裏用的是chrome的瀏覽器:
google瀏覽器看下這裏
這裏顯示不安全,但是能看到內容,大神給講下吧,有點迷。
-----
-----
下次分享下nginx的rewrite和反向代理和緩存。。nginx +location + https