文章目录

展开

nginx实现https

HTTPS作用

数据加密传输
OSI七层模型:表示层加密/解密

image-20231002225455056

证书申请流程

image-20231002225509146

证书类型介绍

对比 域名型DV 企业型OV 增强型EV
地址栏 锁标记+绿色https 锁标记+绿色https 锁标记+绿色https+企业名称(logo)
用途 个人网站 电子商务网站,中小型企业 大型金融平台,大公司,政府机构
审核内容 域名所有权验证 全面的企业身份验证; 域名所有权验证 最高等级的企业身份验证; 域名所有权验证
颁发时长 不到10分钟 3-5个工作日 5-7个工作日
首次申请年限 1年 1-2年 1-2年
赔付保障金 -- 125-175万美金 150-175万美金

证书购买类型

  • 只能单个域名使用
    • 比如 www.wodeyumengouwo.com 那只能www.wodeyumengouwo.com用这个证书
  • 混合域名
    • 多个域名都可以使用该证书
    • www.hg.com www.yyds.com
  • 泛域名
    • *.wodeyumengouwo.com 前面加什么都能用
    • www.wodeyumengouwo.com
    • blog.wodeyumengouwo.com
    • download.wodeyumengouwo.com

HTTPS注意事项

1.证书过期,无法续费

2.三级域名无法使用https (比如 mar.m.wyk.com 这种就是三级域名)

3.注意证书的颜色:

  • 绿色:全站的URL都是https加密的
  • 红色:假证书或者证书过期
  • 黄色:并非全站URL都是https加密的

单台nginx实现HTTPS

[root@web01 ~]# vim /etc/nginx/conf.d/test.com.conf 
server{
        listen 80;
        server_name www.test.com;
        root /code/test;
        index index.html;
}

# 重启nginx
[root@web01 ~]# nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
[root@web01 ~]# systemctl reload nginx

# 创建站点目录
[root@web01 ~]# mkdir /code/test/

# 部署代码
[root@web01 ~]# echo 'test https' > /code/test/index.html

# 域名解析
10.0.0.7 www.test.com

# 访问浏览器:http://www.test.com/

image-20231002225849217

跟CA机构申请证书

## CA机构创建证书
[root@web01 ~]# openssl genrsa -idea -out server.key 2048
Generating RSA private key, 2048 bit long modulus
........................................+++
...................................................................................................................................................................................................+++
e is 65537 (0x10001)
Enter pass phrase for server.key: 1111 ## 输入一个密码
Verifying - Enter pass phrase for server.key: ## 确认密码

## 当前所在目录会生成证书
[root@web01 ~]# ll
total 4
-rw-r--r-- 1 root root 1747 Oct  2 22:59 server.key

## 跟CA机构填写个人信息,签发证书
[root@web01 ~]# openssl req -days 36500 -x509 -sha256 -nodes -newkey rsa:2048 -keyout server.key -out server.crt
Generating a 2048 bit RSA private key
.....................................+++
........................+++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN                                    ## 国家代码 简写,2个字符 
State or Province Name (full name) []:shanghai                          ## 所在省
Locality Name (eg, city) [Default City]:shanghai                        ## 城市名字
Organization Name (eg, company) [Default Company Ltd]:yyds              ## 公司名字
Organizational Unit Name (eg, section) []:yyds                          ## 公司名字
Common Name (eg, your name or your server's hostname) []:www.test.com   ## 域名
Email Address []:111@qq.com                                             ## 邮箱

## 查看证书文件
[root@web01 ~]# ll
total 8
-rw-r--r-- 1 root root 1399 Oct  2 23:04 server.crt
-rw-r--r-- 1 root root 1704 Oct  2 23:04 server.key

配置ssl证书的语法

#启动ssl功能
Syntax: ssl on | off;
Default: ssl off;
Context: http,server

#证书文件
Syntax: ssl_certificate file;
Default: -
Context: http,server

#私钥文件
Syntax: ssl_certificate_key file;
Default: -
Context: http,server

修改nginx配置文件

# 1.创建证书存放的目录
[root@web01 ~]# mkdir /etc/nginx/ssl
[root@web01 ~]# mv server.* /etc/nginx/ssl/

[root@web01 ~]# ll /etc/nginx/ssl/
total 8
-rw-r--r-- 1 root root 1399 Oct  2 23:04 server.crt
-rw-r--r-- 1 root root 1704 Oct  2 23:04 server.key

# 2.配置nginx证书(老语法)
[root@web01 ~]# vim /etc/nginx/conf.d/test.com.conf
server{
        listen 443;
        server_name www.test.com;
        root /code/test;
        index index.html;
        ssl on;
        ssl_certificate ssl/server.crt;
        ssl_certificate_key ssl/server.key;
}

[root@web01 ~]# nginx -t
# 会警告你最好不要这样写
nginx: [warn] the "ssl" directive is deprecated, use the "listen ... ssl" directive instead in /etc/nginx/conf.d/test.com.conf:6
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

# 3.配置证书新语法
[root@web01 ~]# vim /etc/nginx/conf.d/test.com.conf
server{
        listen 443 ssl;  
        server_name www.test.com;
        root /code/test;
        index index.html;
        ssl_certificate ssl/server.crt;
        ssl_certificate_key ssl/server.key;
}

# 4.检测语法,重启nginx
[root@web01 ~]# nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
[root@web01 ~]# systemctl reload nginx

# 5.浏览器访问:https://www.test.com

image-20231002231610495

使用rewrite协议跳转

# 80端口强转443 提升用户体验
[root@web01 ~]# vim /etc/nginx/conf.d/test.com.conf
server{
        listen 80;
        server_name www.test.com;
        rewrite (.*) https://www.test.com$1 redirect;
        # return 302 https://$server_name$request_uri;  两种方法 都可以
}

server{
        listen 443 ssl;
        server_name www.test.com;
        root /code/test;
        index index.html;
        ssl_certificate ssl/server.crt;
        ssl_certificate_key ssl/server.key;

}

## 重启nginx
[root@web01 test]# systemctl restart nginx

# 打开浏览器访问www.test.com

image-20231002232240863

给wordpress博客加证书

## 生成证书
[root@web02 ~]# openssl genrsa -idea -out wp.key 2048
[root@web02 ~]# openssl req -days 36500 -x509 -sha256 -nodes -newkey rsa:2048 -keyout wp.key -out wp.pem

## 创建证书存放位置
[root@web02 ~]# mkdir /etc/nginx/ssl
[root@web02 ~]# mv wp.* /etc/nginx/ssl/

## 配置nginx配置文件
[root@web02 ~]# vim /etc/nginx/conf.d/wp.conf
server{
        listen 80;
        server_name www.wp.com;
        rewrite (.*) https://www.wp.com$1 redirect;
}

server{
        listen 443 ssl;
        server_name www.wp.com;
        root /code/wordpress;
        index index.html;
        ssl_certificate ssl/wp.pem;
        ssl_certificate_key ssl/wp.key;

        location / {
                if ( -f $request_filename/index.html ){
                        rewrite (.*) $1/index.html break;
                }
                if ( -f $request_filename/index.php ){
                        rewrite (.*) $1/index.php;
                }
                if ( !-f $request_filename ){
                        rewrite (.*) /index.php;
                }
                }
                location ~ \.php$ {
                        fastcgi_pass unix:/dev/shm/php.sock;
                        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
                        include fastcgi_params;
                }
}

# 检测语法,重启nginx
[root@web02 ~]# nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
[root@web02 ~]# systemctl reload nginx

# 域名解析 10.0.0.7 www.wp.com 浏览器访问:www.wp.com会出现破图

解决php破图现象

[root@web02 ~]# vim /etc/nginx/conf.d/wp.conf 
server{
        listen 80;
        server_name www.wp.com;
        rewrite (.*) https://www.wp.com$1 redirect;
}

server{
        listen 443 ssl;
        server_name www.wp.com;
        root /code/wordpress;
        index index.html;
        ssl_certificate ssl/wp.pem;
        ssl_certificate_key ssl/wp.key;

        location / {
                if ( -f $request_filename/index.html ){
                        rewrite (.*) $1/index.html break;
                }
                if ( -f $request_filename/index.php ){
                        rewrite (.*) $1/index.php;
                }
                if ( !-f $request_filename ){
                        rewrite (.*) /index.php;
                }
                }
                location ~ \.php$ {
                        fastcgi_pass 127.0.0.1:9000;
                        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
                        fastcgi_param HTTPS on;
                        include fastcgi_params;
                }
}

# 浏览器访问:www.wp.com

image-20231002234629631

多台nginx配置ssl证书

## 负载均衡配置证书
[root@lb01 ~]# vim /etc/nginx/conf.d/proxy.conf
upstream www.test.com {
        server 172.16.1.7;
        server 172.16.1.8;
}
server {
        listen 80;
        server_name www.test.com;
        rewrite (.*) https://www.test.com$1 redirect;
}

server {
        listen 443 ssl;
        server_name www.test.com;
        ssl_certificate ssl/server.crt;
        ssl_certificate_key ssl/server.key;

        location /{
                proxy_pass http://www.test.com;
                include proxy_params;
        }
}

# 检测语法,重启nginx
[root@lb01 ~]# nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
[root@lb01 ~]# systemctl reload nginx

## 创建证书目录 将证书放在负载均衡服务器的/etc/nginx/ssl
[root@lb01 ~]# mkdir /etc/nginx/ssl

[root@web01 ~]# scp /etc/nginx/ssl/* 172.16.1.5:/etc/nginx/ssl

## web01和web02配置
[root@web01 ~]# cat /etc/nginx/conf.d/test.com.conf 
server{
        listen 80;
        server_name www.test.com;
        root /code/test;
        index index.html;
}

## 创建站点目录并写入index.html文件
[root@web01 ~]# mkdir /code/test
[root@web01 ~]# echo 'web01' > /code/test/index.html

# 检测语法,重启nginx
[root@web01 ~]# nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
[root@web01 ~]# systemctl reload nginx

[root@web02 ~]# cat /etc/nginx/conf.d/test.wyk.com.conf
server{
        listen 80;
        server_name test.wyk.com;
        root /code/test;
        index index.html;
}

## 创建站点目录并写入index.html文件
[root@web02 ~]# mkdir /code/test -p
[root@web02 ~]# echo 'web02' > /code/test/index.html

# 检测语法,重启nginx
[root@web02 ~]# nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
[root@web02 ~]# systemctl reload nginx

# 域名解析 10.0.0.5 www.test.com 浏览器访问www.test.com

image-20231002235734128

image-20231002235748398

ssl优化参数

## 把以下内容放到  ssl_certificate_key file; 下就行

ssl_session_cache shared:SSL:10m; #在建立完ssl握手后如果断开连接,在session_timeout时间内再次连接,是不需要再次获取公钥建立握手的,可以服用之前的连接
ssl_session_timeout 1440m; #ssl连接断开后的超时时间
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4; #配置加密套接协议
ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; #使用TLS版本协议
ssl_prefer_server_ciphers on; #nginx决定使用哪些协议与浏览器通信