https

最新推荐文章于 2024-06-21 13:34:53 发布

Ableson_liujun

最新推荐文章于 2024-06-21 13:34:53 发布

阅读量684

点赞数

分类专栏：第二阶段架构

本文链接：https://blog.csdn.net/ljaixiaoxue/article/details/103530984

版权

第二阶段架构专栏收录该内容

21 篇文章 0 订阅

订阅专栏

1…创建一个存放证书的目录

[root@web01 conf.d]# mkdir /etc/nginx/ssl_key
[root@web01 conf.d]# cd /etc/nginx/ssl_key/

2.创建私钥证书( 无效的,不用care )

[root@web01 conf.d]# openssl genrsa -idea -out server.key 2048
[root@web01 conf.d]# openssl req -days 36500 -x509 -sha256 -nodes -newkey rsa:2048 -keyout server.key -out server.crt

3.配置一个https的网站 ( 只能通过https访问 )

[root@web01 conf.d]# cat /etc/nginx/conf.d/s.oldxu.com.conf
server {
listen 443 ssl;
server_name s.oldxu.com;
ssl_certificate ssl_key/server.crt;
ssl_certificate_key ssl_key/server.key;

charset utf8;
root /code;

location / {
	index index.html;
}

}

4.将http的请求过渡到https

[root@web01 conf.d]# cat /etc/nginx/conf.d/s.oldxu.com.conf
server {
listen 443 ssl;
server_name s.oldxu.com;
ssl_certificate ssl_key/server.crt;
ssl_certificate_key ssl_key/server.key;

charset utf8;
root /code;

location / {
	index index.html;
}

}
server {
listen 80;
server_name s.oldxu.com;
return 302 https:// $http_host$ request_uri;
}

=============================================================

web01

[root@web01 conf.d]# cat ssl.oldxu.com.conf 
server {
	listen 80;
	server_name ssl.oldxu.com;
	root /code;

	
	location / {
		index index.html;
	}
}

web02
[root@web02 conf.d]# cat ssl.oldxu.com.conf 
server {
	listen 80;
	server_name ssl.oldxu.com;
	root /code;
	
	location / {
		index index.html;
	}
}


lb01
[root@lb01 conf.d]# cat proxy_ssl.oldxu.com.conf 
upstream ssl {
	server 172.16.1.7:80;
	server 172.16.1.8:80;
}
server {
	listen 443 ssl;
	server_name ssl.oldxu.com;
	ssl_certificate ssl_key/server.crt;
	ssl_certificate_key ssl_key/server.key;
	
	location / {
		proxy_pass http://ssl;
		include proxy_params;
	}
}
server {
	listen 80;
	server_name ssl.oldxu.com;
	return 302 https://$http_host$request_uri;
}

2.https使用场景示例:
需求: 希望用户访问网站的所有Url走Https协议，但访问s.oldxu.com/abc时能支持Http|https协议?

[root@web02 conf.d]# vim s.oldxu.com.conf 
server {
        listen 443 ssl;
        ssl_certificate ssl_key/server.crt;
        ssl_certificate_key ssl_key/server.key;
        server_name s.oldxu.com;
        root /code;

        location / {
                index index.html;
        }
}
server {
        listen 80;
        server_name s.oldxu.com;
        if ( $request_uri != '/abc') {
                return 302 https://$http_host$request_uri;      
        }       
}


[root@web01 conf.d]# cat s.oldxu.com.conf
server {
    listen 443 ssl;
    server_name s.oldxu.com;
    ssl_certificate ssl_key/1524377920931.pem;
    ssl_certificate_key ssl_key/1524377920931.key;


    ssl_session_cache shared:SSL:10m; #在建立完ssl握手后如果断开连接，在session_timeout时间内再次连接，是不需要在次建立握手，可以复用之前的连接
    ssl_session_timeout 1440m;           #ssl连接断开后的超时时间（24小时）
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2; #使用的TLS版本协议
	
    ssl_prefer_server_ciphers on;        #Nginx决定使用哪些协议与浏览器进行通讯
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4; #配置加密套间

    location / {
        root /code;
        index index.html index.htm;
    }
}

#http-https
server {
        listen 80;
        server_name s.oldxu.com;
        return 302 https://$server_name$request_uri;
}

Ableson_liujun

关注

0
点赞
踩
0

收藏

觉得还不错? 一键收藏
0
评论
https

1…创建一个存放证书的目录[root@web01 conf.d]# mkdir /etc/nginx/ssl_key[root@web01 conf.d]# cd /etc/nginx/ssl_key/2.创建私钥证书( 无效的,不用care )[root@web01 conf.d]# openssl genrsa -idea -out server.key 2048[roo...
复制链接

扫一扫

专栏目录