Mainstream websites have all moved to HTTPS by now, so we should keep up with the times and set the environment up that way from the start.
Self-made HTTPS certificates for the development environment
In a development environment you obviously can't ask a CA for a certificate, so make one yourself.
Step 1: Make your own certificate
sudo mkdir /etc/nginx/ssl
sudo openssl req -x509 -nodes -days 36500 -newkey rsa:2048 -keyout /etc/nginx/ssl/nginx.key -out /etc/nginx/ssl/nginx.crt
This creates an SSL private key (RSA 2048) and an X.509 certificate file valid for 100 years.
Parameter description:
req: with the -x509 option, this subcommand specifies that we want X.509 certificate signing request (CSR) management. "X.509" is the public key infrastructure standard that SSL and TLS adhere to for their key and certificate management.
-nodes: tells OpenSSL to skip the passphrase step when generating the certificate (we need Nginx to read the file automatically, not through user interaction).
-days 36500: certificate validity period, 100 years
-newkey rsa:2048: generate a new certificate and a new SSL key at the same time (RSA 2048 strength)
-keyout: output file name for the SSL key
-out: output file name for the certificate
It will ask a few questions. Note that you should enter the site's domain name in the Common Name field, e.g. wiki.xby1993.net, to generate a certificate for that site; you can also use a wildcard domain such as *.xby1993.net to generate a certificate usable by all of its subdomains.
The full set of questions should look like this:
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:New York
Locality Name (eg, city) []:New York City
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Bouncy Castles, Inc.
Organizational Unit Name (eg, section) []:Ministry of Water Slides
Common Name (e.g. server FQDN or YOUR name) []:your_domain.com
Email Address []:admin@your_domain.com
Note: the other fields can be whatever you like, but Common Name must be the domain you intend to visit; otherwise the certificate will not match the domain when you access the site.
Step 2: Change the Nginx configuration to use SSL
First configure the redirect of HTTP requests
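The interactive prompts above work, but as an added example (not from the original post) here is a non-interactive version of the same openssl req command, driven by a small config file instead of the questions. It also adds a subjectAltName for the domain and its wildcard, because Chrome and other current browsers match the hostname only against SAN entries and no longer fall back to the Common Name, and it restricts the unencrypted key file to its owner. The directory, the domain wiki.example.test and the 825-day validity are assumptions (Apple's TLS policy rejects server certificates valid for longer than that, which is why the 100-year validity can fail on macOS and iOS clients). cert_matches_host uses openssl verify -verify_hostname to confirm the certificate actually covers a given name before it is wired into nginx.

```shell
#!/bin/sh
# Added example: non-interactive self-signed dev certificate with a SAN.
# Assumed: output directory and domain are passed as arguments; OpenSSL >= 1.0.2.

# make_dev_cert DIR DOMAIN
#   Writes DIR/nginx.key and DIR/nginx.crt covering DOMAIN and *.DOMAIN.
make_dev_cert() {
    dir=$1
    domain=$2
    mkdir -p "$dir"

    # Minimal OpenSSL config: prompt=no takes the subject from [dn] instead of
    # asking questions; x509_extensions adds the SAN that browsers match on.
    cat > "$dir/openssl.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_server

[dn]
CN = $domain

[v3_server]
subjectAltName = DNS:$domain, DNS:*.$domain
EOF

    # Same command as in the post, but the interactive questions are replaced by
    # -config, and 825 days replaces 36500 (the longest validity Apple clients accept).
    openssl req -x509 -nodes -days 825 -newkey rsa:2048 \
        -config "$dir/openssl.cnf" \
        -keyout "$dir/nginx.key" -out "$dir/nginx.crt" 2>/dev/null

    # The key is unencrypted (-nodes), so only its owner may read it.
    chmod 600 "$dir/nginx.key"
}

# cert_matches_host CERT HOSTNAME
#   Exit 0 if HOSTNAME is covered by CERT's SAN (wildcards included), else non-zero.
#   The certificate is its own trust anchor here because it is self-signed.
cert_matches_host() {
    openssl verify -CAfile "$1" -verify_hostname "$2" "$1" >/dev/null 2>&1
}

# cert_summary CERT
#   Print subject, validity and SAN so a mismatch is visible before nginx is restarted.
cert_summary() {
    openssl x509 -in "$1" -noout -subject -dates
    openssl x509 -in "$1" -noout -text | grep -A1 'Subject Alternative Name'
}

# Usage: sh make_cert.sh /etc/nginx/ssl wiki.example.test
if [ -n "${1:-}" ] && [ -n "${2:-}" ]; then
    make_dev_cert "$1" "$2"
    cert_summary "$1/nginx.crt"
    cert_matches_host "$1/nginx.crt" "$2" && echo "certificate covers $2"
fi
```

The config file stays next to the key so the certificate can be regenerated with the same SAN list later; nothing else in the nginx configuration from the post needs to change, since the output file names are the same.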
server {
listen 80;
server_name www.yourdomain.com;
rewrite ^ https://$http_host$request_uri? permanent; # force redirect http to https
#return 301 https://$http_host$request_uri;
}
server {
listen 443 ssl;
ssl_certificate /etc/nginx/ssl/nginx.crt;
ssl_certificate_key /etc/nginx/ssl/nginx.key;
keepalive_timeout 70;
server_name www.yourdomain.com;
#Don't expose the server version in headers, so attackers can't target version-specific vulnerabilities
server_tokens off;
#If the whole site is HTTPS and you don't care about HTTP, you can add HSTS to tell the browser the whole site is encrypted and force HTTPS access
#add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";
# ......
fastcgi_param HTTPS on;
fastcgi_param HTTP_SCHEME https;
access_log /var/log/nginx/wiki.xby1993.net.access.log;
error_log /var/log/nginx/wiki.xby1993.net.error.log;
}
If you want to enable HTTP and HTTPS at the same time
server {
listen 80;
listen 443 ssl;
server_name www.example.com;
ssl_certificate www.example.com.crt;
ssl_certificate_key www.example.com.key;
...
}
My actual configuration
sudo vim /etc/nginx/sites-enabled/default
server {
listen 80 default;
listen 443 ssl;
# listen [::]:80 default_server ipv6only=on;
server_name [your actual domain here];
ssl_certificate /etc/nginx/ssl/nginx.crt;
ssl_certificate_key /etc/nginx/ssl/nginx.key;
keepalive_timeout 70;
#Don't expose the server version in headers, so attackers can't target version-specific vulnerabilities
server_tokens off;
charset utf-8;
# root /usr/share/nginx/html;
# index index.html index.htm;
client_max_body_size 75M;
# Make site accessible from http://localhost/
# server_name localhost;
location /media {
alias /home/sky/Public/firstdjango/Helloworld/media;
}
location /static {
alias /home/sky/Public/firstdjango/Helloworld/static;
}
location / {
# First attempt to serve request as file, then
# as directory, then fall back to displaying a 404.
# try_files $uri $uri/ =404;
# Uncomment to enable naxsi on this location
# include /etc/nginx/naxsi.rules
include uwsgi_params;
uwsgi_pass 127.0.0.1:8001;
}
}
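The redirect, server_tokens off and the HSTS header in the configuration above are all visible from outside, so they can be verified after the restart rather than trusted. The shell functions below are an added example (not from the original post) that run those three checks over response headers: the sample responses are constructed inline, and audit_site shows how the same functions are fed from curl against a live server, using the self-signed nginx.crt as the trust root instead of switching verification off. The domain, paths and the sample header values are assumptions.

```shell
#!/bin/sh
# Added example: verify the redirect, server_tokens off and HSTS from the outside.
# The three responses below are constructed samples, not captured from a real server.

# What the port-80 server block should answer after the "rewrite ... permanent" line.
HTTP_RESPONSE='HTTP/1.1 301 Moved Permanently
Server: nginx
Location: https://www.yourdomain.com/wiki/?page=1
Content-Length: 0'

# What the port-443 block answers with server_tokens off and the HSTS header enabled.
HTTPS_RESPONSE='HTTP/1.1 200 OK
Server: nginx
Strict-Transport-Security: max-age=31536000; includeSubdomains
Content-Type: text/html'

# A block that still leaks its version and sends no HSTS (server_tokens left at default).
LEAKY_RESPONSE='HTTP/1.1 200 OK
Server: nginx/1.18.0
Content-Type: text/html'

# redirects_to_https RESPONSE
#   True when the status is a 3xx redirect and Location starts with https://
redirects_to_https() {
    printf '%s\n' "$1" | head -n 1 | grep -qE '^HTTP/[0-9.]+ 30[1278] ' &&
    printf '%s\n' "$1" | grep -qiE '^Location: https://'
}

# server_version_hidden RESPONSE
#   True when the Server header carries no "/version" suffix.
server_version_hidden() {
    ! printf '%s\n' "$1" | grep -qiE '^Server: [^ ]*/[0-9]'
}

# hsts_enabled RESPONSE
#   True when Strict-Transport-Security is present with max-age of at least one year.
hsts_enabled() {
    max_age=$(printf '%s\n' "$1" | grep -i '^Strict-Transport-Security:' \
        | sed -n 's/.*max-age=\([0-9][0-9]*\).*/\1/p')
    [ -n "$max_age" ] && [ "$max_age" -ge 31536000 ]
}

# audit_site DOMAIN CERT
#   Run the three checks against a live server. CERT is the self-signed nginx.crt,
#   passed as the trust root so certificate verification stays enabled.
audit_site() {
    domain=$1
    cert=$2
    http=$(curl -sI --max-time 5 "http://$domain/")
    https=$(curl -sI --max-time 5 --cacert "$cert" "https://$domain/")
    rc=0
    redirects_to_https "$http"     && echo "ok   http -> https redirect" || { echo "FAIL http -> https redirect"; rc=1; }
    server_version_hidden "$https" && echo "ok   server version hidden"  || { echo "FAIL server version leaked";  rc=1; }
    hsts_enabled "$https"          && echo "ok   HSTS present"           || echo "WARN no HSTS header (optional in dev)"
    return $rc
}

# Usage: sh audit.sh wiki.example.test /etc/nginx/ssl/nginx.crt
if [ -n "${1:-}" ] && [ -n "${2:-}" ]; then
    audit_site "$1" "$2"
fi
```

audit_site treats a missing HSTS header as a warning rather than a failure: once a browser has seen the header it keeps forcing HTTPS for that domain for the whole max-age, which is inconvenient on a development host that sometimes runs plain HTTP, so the header is worth enabling only once the site really is HTTPS everywhere.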
Step 3: Restart nginx
sudo service nginx restart
Step 4: Change the HOSTS file
sudo vim /etc/hosts
Make the domain in your certificate resolve to the development machine (this saves the work of adjusting domain names during development)
127.0.0.1 your_domain.com
sudo /etc/init.d/networking restart
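Editing the file by hand is fine once, but the entry tends to get duplicated or left pointing at an old address. As an added example (not from the original post), the helper below rewrites the entry for one domain idempotently and looks the name up the same way the resolver does; the resolver consults /etc/hosts on every lookup, so the new mapping is live as soon as the file is saved and can be confirmed with getent hosts. The file path, address and the domain wiki.example.test are assumptions.

```shell
#!/bin/sh
# Added example: idempotent /etc/hosts entry for the certificate's domain.
# Assumed: file, IP and domain are passed as arguments (file defaults to /etc/hosts).

# ensure_hosts_entry FILE IP DOMAIN
#   Removes DOMAIN from any existing host line (keeping the other names on that
#   line), then appends "IP<TAB>DOMAIN", so running it twice leaves one entry.
ensure_hosts_entry() {
    file=$1
    ip=$2
    domain=$3
    tmp="$file.tmp.$$"
    awk -v d="$domain" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { print; next }   # comments and blank lines pass through
        {
            out = $1; n = 0
            for (i = 2; i <= NF; i++)
                if ($i != d) { out = out "\t" $i; n++ }
            if (n > 0) print out                               # drop the line if DOMAIN was its only name
        }' "$file" > "$tmp"
    printf '%s\t%s\n' "$ip" "$domain" >> "$tmp"
    mv "$tmp" "$file"
}

# hosts_lookup FILE DOMAIN
#   Prints the first address mapped to DOMAIN in FILE, which is what the
#   resolver does with /etc/hosts before it ever asks DNS.
hosts_lookup() {
    awk -v d="$2" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        { for (i = 2; i <= NF; i++) if ($i == d) { print $1; exit } }' "$1"
}

# Usage: sudo sh hosts.sh wiki.example.test [/etc/hosts]
if [ -n "${1:-}" ]; then
    hosts_file=${2:-/etc/hosts}
    ensure_hosts_entry "$hosts_file" 127.0.0.1 "$1"
    printf '%s resolves to %s\n' "$1" "$(hosts_lookup "$hosts_file" "$1")"
fi
```

The domain passed here must be exactly the Common Name (or covered by the wildcard) in the certificate from step 1; otherwise the browser will reach the development machine but still reject the certificate.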