最近项目上要出一份关于域名和https请求的配置文档,之前是ip的请求形式
总结 ip和域名和https 三者的区别
1.域名与 IP 相比就是多了一步 DNS 解析：如果只是在 hosts 中添加了 IP 与域名的映射，那它只在本机生效，其他机器也要各自配置相同的映射才能访问；如果是购买的域名，请求会通过公网 DNS 逐级解析后找到对应的 IP
2.https 与 http 的区别是多了一层 TLS/SSL：客户端通过证书验证服务端身份，并对传输内容加密；因此 https 需要在服务端配置相应的证书和私钥
自己生成证书的方式:
https 实现基于 nginx + openssl
环境准备
安装必要组件
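# Build dependencies for nginx: C++ compiler, PCRE (regex/rewrite), zlib (gzip)
# and OpenSSL headers (ssl module). All four use -y so the step runs unattended;
# the original first line lacked it and would stop at an interactive prompt.
yum install -y gcc-c++
yum install -y pcre pcre-devel
yum install -y zlib zlib-devel
yum install -y openssl openssl-devel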
生成https 证书
#Create the directory that will hold the generated certificates and keys
mkdir ../zhengshu
#Switch into the certificate directory; all openssl steps below run from here
cd ../zhengshu
#生成CA私钥（注意：私钥按默认 umask 生成为 644、本机任何用户可读，见下方 ll 输出；生成后应 chmod 600，且 CA 私钥只用于签发证书，不要部署到 web 服务器上）
[root@centos6 zhengshu]# openssl genrsa -out local.key 2048
Generating RSA private key, 2048 bit long modulus
............+++
..................................................................................................................................................+++
e is 65537 (0x10001)
[root@centos6 zhengshu]# ll
总用量 4
-rw-r--r-- 1 root root 1679 6月 30 10:13 local.key
#生成CA证书请求
[root@centos6 zhengshu]# openssl req -new -key local.key -out local.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:BJ
Locality Name (eg, city) [Default City]:BJ
Organization Name (eg, company) [Default Company Ltd]:rwise
Organizational Unit Name (eg, section) []:developer
Common Name (eg, your name or your server's hostname) []:10.0.2.100
Email Address []:test@test.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:gongsiname
#生成CA根证书（注意：openssl x509 -req 不加 -days 时有效期默认只有 30 天；-extensions v3_ca 必须配合 -extfile 指定扩展配置文件才会生效，否则生成的是不带任何扩展的 v1 证书）
[root@centos6 zhengshu]# openssl x509 -req -in local.csr -extensions v3_ca -signkey local.key -out local.crt
Signature ok
subject=/C=CN/ST=BJ/L=BJ/O=cloudwise/OU=developer/CN=10.0.2.100/emailAddress=test@test.com
Getting Private key
#生成server私匙
[root@centos6 zhengshu]# openssl genrsa -out my_server.key 2048
Generating RSA private key, 2048 bit long modulus
.......................+++
......................+++
e is 65537 (0x10001)
#生成server证书请求
[root@centos6 zhengshu]# openssl req -new -key my_server.key -out my_server.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:BJ
Locality Name (eg, city) [Default City]:BJ
Organization Name (eg, company) [Default Company Ltd]:rwise
Organizational Unit Name (eg, section) []:developer
Common Name (eg, your name or your server's hostname) []:10.0.2.100
Email Address []:test@test.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:gongsiname
#生成server证书（注意：同上，-extensions v3_req 未配合 -extfile 时不会生效，证书中不会有 subjectAltName；现代浏览器只按 SAN 校验主机名而不看 CN，所以按 IP 访问时需要在扩展文件中写入 subjectAltName=IP:10.0.2.100 这样的 SAN，再通过 -extfile 传入）
[root@centos6 zhengshu]# openssl x509 -days 365 -req -in my_server.csr -extensions v3_req -CAkey local.key -CA local.crt -CAcreateserial -out my_server.crt
Signature ok
subject=/C=CN/ST=BJ/L=BJ/O=rwise/OU=developer/CN=10.0.2.100/emailAddress=test@test.com
Getting CA Private Key
#全部执行完因该是以下状态
[root@centos6 zhengshu]# ll
总用量 28
-rw-r--r-- 1 root root 1277 6月 30 10:18 local.crt
-rw-r--r-- 1 root root 1106 6月 30 10:16 local.csr
-rw-r--r-- 1 root root 1679 6月 30 10:13 local.key
-rw-r--r-- 1 root root 17 6月 30 10:23 local.srl
-rw-r--r-- 1 root root 1277 6月 30 10:23 my_server.crt
-rw-r--r-- 1 root root 1106 6月 30 10:22 my_server.csr
-rw-r--r-- 1 root root 1675 6月 30 10:20 my_server.key
上传nginx安装包和openssl 插件包
解压tar包(nginx和openssl)
安装 nginx
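#Switch into the unpacked nginx source tree. The original listing had this path
#garbled as "…/nginx-1.16.1"; it is the sibling directory, like ../zhengshu above.
cd ../nginx-1.16.1 || exit 1
#Configure, build and install. Every option line needs a trailing backslash;
#without them the shell runs "./configure --prefix=..." by itself and then tries
#to execute "--user=nginx" and the other options as separate commands.
./configure --prefix=/usr/local/nginx \
  --user=nginx \
  --group=nginx \
  --with-http_stub_status_module \
  --with-http_ssl_module \
  --with-http_flv_module \
  --with-http_gzip_static_module \
  --with-openssl=../openssl-1.0.1e && make && make install
# NOTE(review): --with-openssl compiles nginx against the OpenSSL source in that
# directory. 1.0.1e dates from 2013 and the 1.0.1 branch is long end-of-life
# with known, unpatched vulnerabilities; build against a currently supported
# OpenSSL release before exposing this server on a network.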
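#Switch to the installed nginx binary directory
cd /usr/local/nginx/sbin || exit 1
#The build was configured with --user=nginx, so that account must exist before
#the first start; otherwise nginx aborts with
#  nginx: [emerg] getpwnam("nginx") failed
#Create it only if missing (re-running useradd on an existing user fails), as a
#system account with no login shell and no home directory.
id nginx >/dev/null 2>&1 || useradd -s /sbin/nologin -M nginx
#Start nginx
./nginx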
#根据ip访问nginx页面,能正常访问说明nginx 安装成功
修改nginx 配置文件(配置文件路径
/usr/local/nginx/conf/nginx.conf)
#user nobody;
worker_processes 1;
#error_log logs/error.log;
#error_log logs/error.log notice;
#error_log logs/error.log info;
#pid logs/nginx.pid;
events {
worker_connections 1024;
}
http {
include mime.types;
default_type application/octet-stream;
sendfile on;
keepalive_timeout 65;
gzip on;
# NOTE(review): two upstreams are declared here (tcoserver, actserver) but
# neither is referenced below; the proxy_pass in /xingm points at "apiserver",
# which is not defined in this file. nginx then treats "apiserver" as a
# hostname and refuses to start with "host not found in upstream" unless it
# resolves - presumably one of these two names was intended.
upstream tcoserver{
server 14.0.2.101:18081 weight=5;
#server 15.0.2.101:18091 weight=5;
}
upstream actserver{
server 16.0.2.101:18080 weight=5;
#server 17.0.2.101:18090 weight=5;
}
server {
listen 443 ssl;
# NOTE(review): the certificates generated above carry CN=10.0.2.100, not
# 14.0.2.101; a client connecting by this address gets a name mismatch on top
# of the untrusted-issuer error.
server_name 14.0.2.101;
# NOTE(review): local.crt / local.key are the CA certificate and CA private
# key from the generation steps above. The server should present the leaf
# my_server.crt (with local.crt appended after it as the chain) and use
# my_server.key; the CA private key should not be deployed on the web server
# at all. The files were generated in ../zhengshu, so they also have to be
# copied to /opt/certificate, with the key readable only by root (0600).
ssl_certificate /opt/certificate/local.crt; # server certificate (PEM), chain certificates appended after the leaf
ssl_certificate_key /opt/certificate/local.key; # server private key
ssl_session_cache shared:SSL:10m; # TLS session cache shared across worker processes
ssl_session_timeout 10m; # cached sessions expire after 10 minutes
# NOTE(review): no ssl_protocols / ssl_ciphers are set, so this build's
# defaults apply; for nginx 1.16.1 that still enables TLS 1.0 and 1.1. Pin
# `ssl_protocols TLSv1.2;` (TLSv1.3 needs OpenSSL 1.1.1+, which the
# 1.0.1e used in the build does not provide) and an explicit cipher list.
# NOTE(review): proxy_ssl_server_name only applies to proxy_pass targets that
# use https://; the upstream below is plain http, so this directive has no
# effect here.
proxy_ssl_server_name on;
proxy_http_version 1.1;
location /xingm {
proxy_pass http://apiserver/douc;
}
location / {
root /data/app/ddw/html;
}
location /screen {
root /data/app;
}
}
}
如果使用谷歌浏览器访问报 NET::ERR_CERT_INVALID，说明浏览器不信任这张证书：签发它的 local.crt 不在浏览器的受信任根证书库中，且按上面的方式生成的证书也缺少 SAN 等扩展。此时可以在页面空白处输入 thisisunsafe
后跳过校验继续访问，但这只是让本机浏览器临时绕过检查，并不会修正证书本身；正式使用时应把 local.crt 导入客户端的受信任根证书，并让服务端证书带上正确的 SAN。