Configuring HTTPS in Apache and nginx.

HTTPS is a secure connection.
HTTP is not.

Because HTTPS carries an SSL certificate, the browser treats the web server's pages as secure.

CA: the authority that issues certificates, usually a well-known, trusted organization. The CA first vets the applicant's credentials and security, then issues the certificate; with that certificate the server can serve HTTPS requests.

Applying for and issuing a certificate: the web server first generates a private key, then derives from it the certificate signing request (the public key plus identity information, signed with the private key). This is sent to the CA for signing; when done, the CA returns the certificate to the web server, which can then configure it and serve HTTPS.

In the browser you can view the list of trusted certificate authorities; certificates can be bought from Alibaba Cloud, Tencent Cloud and others.

Here, though, I'll simulate it with a fake one.

Both the CA and the web server are virtual machines.

Nginx first:

nginx:172.12.12.97
CA:172.16.12.96

nginx:
1. First, install nginx
Installation guide: https://blog.csdn.net/n_u_l_l_/article/details/103205863

Installation is fairly easy: configure, make, make install.

2. Generate the private key and the CSR (the signed public key).

[root@nginx-https ~]# openssl genrsa 1024 > web-nginx.key
The private key

Generating RSA private key, 1024 bit long modulus
................++++++
...++++++
e is 65537 (0x10001)

[root@nginx-https ~]# openssl req -new -key web-nginx.key -days 365 -out web-nginx.csr
The CSR (the public key with signature); the file is named web-nginx.csr, which is what the later steps copy to the CA.

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN  // country
State or Province Name (full name) []:BJ   // state or province
Locality Name (eg, city) [Default City]:BJ  // city
Organization Name (eg, company) [Default Company Ltd]:nginx-https   // organization name
Organizational Unit Name (eg, section) []:web   // organizational unit
Common Name (eg, your name or your server's hostname) []:172.16.12.97    // domain name or IP
Email Address []:nginx@163.com     // contact e-mail

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:     // company password, left blank
An optional company name []:   // company name, left blank, since this is only a test environment...

3. Send the CSR to the CA for signing.

Some errors come up at this point; I won't demonstrate them and will just write down the fix directly.
The specific errors: https://blog.csdn.net/n_u_l_l_/article/details/103536588
nginx:

[root@nginx-https ~]# scp web-nginx.csr 172.16.12.96:/root
nginx sends the CSR to the CA

CA:

[root@localhost ~]# openssl genrsa 1024 > /etc/pki/CA/private/cakey.pem
Generate the CA's private key

[root@localhost ~]# openssl req -new -key /etc/pki/CA/private/cakey.pem -days 3650 -x509 -out /etc/pki/CA/cacert.pem
Generate the self-signed CA certificate.

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:BJ
Locality Name (eg, city) [Default City]:BJ
Organization Name (eg, company) [Default Company Ltd]:nginx-https
Organizational Unit Name (eg, section) []:web
Common Name (eg, your name or your server's hostname) []:172.16.12.96
Email Address []:ca@163.com


[root@localhost ~]#  touch /etc/pki/CA/index.txt
Create the index (database) file

[root@localhost ~]# echo 01 > /etc/pki/CA/serial
Create the serial number file


[root@localhost ~]# openssl ca -in web-nginx.csr -out web-nginx.crt
Sign the certificate

Certificate is to be certified until Dec 13 10:41:35 2020 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y

Note: because this is a test environment, the CA's self-signed certificate and nginx's CSR must use the same values in the Country, State/Province and Organization fields (the default policy of openssl ca requires them to match), otherwise signing fails.
In production none of this is needed.

[root@localhost ~]# scp web-nginx.crt 172.16.12.97:/root
Send it back to nginx

4. Configure the SSL certificate in nginx

nginx:

[root@nginx-https ~]# ls
web-nginx.crt 	// the signed certificate (public key)
web-nginx.csr  	// the CSR (unsigned public key); no longer needed once the signed certificate exists
web-nginx.key	// the private key

/usr/local/nginx/conf/nginx.conf

Everything else is unchanged from my earlier blog post; only this HTTPS section is added:

https://blog.csdn.net/n_u_l_l_/article/details/103205863

[root@nginx-https ~]# vim /usr/local/nginx/conf/nginx.conf

    # HTTPS server
    server {
        listen       443 ssl;
        server_name  172.16.12.97;
        ssl_certificate      /etc/pki/tls/certs/web-nginx.crt;    # path of the signed certificate (copy web-nginx.crt here first)
        ssl_certificate_key  /etc/pki/tls/private/web-nginx.key;  # path of the private key (copy web-nginx.key here first)
        ssl_session_cache    shared:SSL:1m;
        ssl_session_timeout  5m;
        ssl_ciphers  HIGH:!aNULL:!MD5;        # high-strength suites only; excludes anonymous (aNULL) and MD5 suites
        ssl_prefer_server_ciphers  on;        # for SSLv3 and TLS, the server's cipher order wins over the client's
        ssl_protocols SSLv2 SSLv3 TLSv1;      # protocols offered; SSLv2/SSLv3 are obsolete and insecure (modern builds ignore SSLv2), prefer TLSv1.2 TLSv1.3
        location / {
            root   html;
            index  index.html index.htm;
        }
    }

Start the service

[root@nginx-https ~]# /usr/local/nginx/sbin/nginx -s reload
[root@nginx-https ~]# netstat -antlup | grep nginx
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      6594/nginx: master  
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      6594/nginx: master  

You can see HTTP on port 80 and HTTPS on port 443.

Now check access: first an HTTP request to port 80

It is reachable normally.

Next, HTTPS on 443.

The browser blocks it right away. Nothing to be done: the CA is fake after all, and not in the browser's list of trusted certificate authorities mentioned above.

Even though it isn't trusted, the certificate can still be viewed; the details shown are the information entered when generating the CSR on the CA and nginx.


Advanced -> Accept the risk.

Then the nginx test page shows up.


It is indeed an HTTPS request, just not a trusted one...
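As an added example (not from the original post), the CA steps above and the browser's rejection reduce to the script below: it builds the lab CA non-interactively with a minimal openssl ca config, signs the server CSR, and then checks the chain the way a browser does. The directory layout, the 2048-bit keys, the subject names and the file names are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original post: the CA / CSR / signing flow
# above, done non-interactively with a minimal openssl ca config, followed by
# the check a browser effectively performs (does the server certificate chain
# to a trusted CA?). Paths, subjects and the 2048-bit key size are assumptions.
set -eu

# Build a throwaway CA under $1/ca and a signed server certificate $1/web.crt
make_lab_pki() {
  d=$1
  mkdir -p "$d/ca/newcerts"
  touch "$d/ca/index.txt"          # openssl ca's database of issued certs
  echo 01 > "$d/ca/serial"         # next serial number to issue
  # Minimal CA config; policy_match is why C/ST/O in the CSR must equal the CA's
  cat > "$d/ca.cnf" <<EOF
[ ca ]
default_ca = lab
[ lab ]
dir           = $d/ca
database      = \$dir/index.txt
serial        = \$dir/serial
new_certs_dir = \$dir/newcerts
certificate   = \$dir/cacert.pem
private_key   = \$dir/cakey.pem
default_md    = sha256
default_days  = 365
policy        = policy_match
[ policy_match ]
countryName         = match
stateOrProvinceName = match
organizationName    = match
commonName          = supplied
EOF
  # CA: private key + self-signed certificate (the post's genrsa + req -x509)
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -keyout "$d/ca/cakey.pem" -out "$d/ca/cacert.pem" \
    -subj "/C=CN/ST=BJ/O=nginx-https/CN=lab-ca" 2>/dev/null
  # Web server: private key + CSR (the post's genrsa + req -new)
  openssl req -new -newkey rsa:2048 -nodes -keyout "$d/web.key" -out "$d/web.csr" \
    -subj "/C=CN/ST=BJ/O=nginx-https/CN=172.16.12.97" 2>/dev/null
  # CA signs the CSR; -batch answers the two y/n prompts from the post
  openssl ca -batch -config "$d/ca.cnf" -in "$d/web.csr" -out "$d/web.crt" >/dev/null 2>&1
}

# Exit 0 if certificate $2 chains to CA file $1, non-zero otherwise
verify_chain() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}
```

Running verify_chain against the system trust store (openssl verify without -CAfile) fails for this certificate for the same reason the browser warns: the lab CA is not in the trusted list.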

Now Apache.

CA:172.16.12.96
apache:172.16.12.98

Same as nginx:
Apache:
1. Install Apache

[root@apache-https ~]# yum install httpd -y

2. Generate the private key and the CSR, and send the CSR to the CA:

[root@apache-https ~]#  openssl genrsa 1024 > web-apache.key
Generating RSA private key, 1024 bit long modulus
...++++++
........................................++++++
e is 65537 (0x10001)
[root@apache-https ~]# openssl req -new -key web-apache.key -days 365 -out web-apache.csr

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:SH
Locality Name (eg, city) [Default City]:SH
Organization Name (eg, company) [Default Company Ltd]:apache-https
Organizational Unit Name (eg, section) []:web
Common Name (eg, your name or your server's hostname) []:172.16.12.98
Email Address []:apache@163.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@apache-https ~]# ls
anaconda-ks.cfg  original-ks.cfg  web-apache.csr  web-apache.key

[root@apache-https ~]# scp web-apache.csr 172.16.12.96:/root
Send it to the CA

3. CA signing

[root@localhost ~]# openssl genrsa 1024 > /etc/pki/CA/private/cakey.pem

[root@localhost ~]# openssl req -new -key /etc/pki/CA/private/cakey.pem -days 3650 -x509 -out /etc/pki/CA/cacert.pem

[root@localhost ~]# touch /etc/pki/CA/index.txt

[root@localhost ~]# echo 01 > /etc/pki/CA/serial

[root@localhost ~]# openssl ca -in web-apache.csr -out web-apache.crt

[root@localhost ~]# scp web-apache.crt 172.16.12.98:/root

4. Configure SSL in Apache

Install the SSL module

[root@apache-https ~]# yum install mod_ssl -y
[root@apache-https ~]# vim /etc/httpd/conf.d/ssl.conf 

100 SSLCertificateFile /etc/pki/tls/certs/web-apache.crt

107 SSLCertificateKeyFile /etc/pki/tls/private/web-apache.key

Change the certificate and private key (lines 100 and 107 of ssl.conf) to your own files.

Start the service

[root@apache-https ~]# systemctl restart httpd
[root@apache-https ~]# netstat -antlup | grep httpd
tcp6       0      0 :::80                   :::*                    LISTEN      10564/httpd         
tcp6       0      0 :::443                  :::*                    LISTEN      10564/httpd 

Again you can see the default port 80 and the HTTPS port 443.

Still untrusted, and the certificate can still be viewed:

That's all.

A purchased certificate is actually much more convenient: buy it, download it, install it directly, and it is a genuinely usable certificate.

Here are Alibaba Cloud's official docs for installing SSL certificates:

nginx:https://help.aliyun.com/document_detail/98728.html?spm=a2c4g.11186623.2.15.5040662aqrgae9#concept-n45-21x-yfb

tomcat:https://help.aliyun.com/document_detail/98576.html?spm=a2c4g.11186623.2.11.5040662afewuKX#concept-omf-lxn-yfb

apache:https://help.aliyun.com/document_detail/98727.html?spm=a2c4g.11186623.2.12.5040662aUtCsDi#concept-zsp-d1x-yfb

Tomcat 8.5/9 on CentOS: https://help.aliyun.com/document_detail/102939.html?spm=a2c4g.11186623.2.17.5040662a8q2EZX#concept-i2b-cdb-mgb
