11. Nginx Advanced: HTTPS

Introduction

Overview

SSL

SSL is the Secure Sockets Layer (its successor, TLS, is what HTTPS actually negotiates today; the name SSL lives on in tool and directive names such as ssl_certificate).
It is mainly used to authenticate users and servers, ensuring that data is sent to the right client and the right server.
SSL encrypts data so that it cannot be read if it is intercepted in transit.
SSL also protects data integrity, ensuring that data is not altered during transmission.

HTTPS

HTTPS is HTTP secured by running it over an SSL/TLS connection.

Certificates

A certificate vouches for the legitimacy of a public key.
The subject of a certificate can be a user, a service, a computer, and so on.
The certificate format follows the X.509 standard.
A digital certificate contains the following information:

  1. the subject's public key value;
  2. the subject's identifying information (such as name and e-mail address);
  3. the validity period (the time span during which the certificate is valid);
  4. the issuer's identifying information;
  5. the issuer's digital signature.

Note: digital certificates are issued by an authoritative, impartial third party (a certificate authority, CA).

Tips

  1. Choosing an HTTPS certificate
    1. Professional OV certificates do not display the company name
    2. Premium EV certificates display the company name
  2. Choosing what to buy
    1. Wildcard domain, e.g. *.o-learn.cn
    2. Single protected domain, e.g. www.baidu.com
  3. Things to watch out for with HTTPS
    1. HTTPS certificates do not cover third-level subdomains;
    2. certificates cannot be renewed in place: once one expires, a new one must be requested and swapped in;
    3. a green indicator means every URL on the site is served over HTTPS;
    4. a yellow indicator means the site contains insecure HTTP links (mixed content);
    5. a red indicator means the certificate has expired or is fake.

Configuration scenarios

Application

Obtaining a certificate

Self-signed (private) certificate

  1. Check the OpenSSL tool
    1. Check whether it is installed
openssl version
    2. If it is not installed, install it with:
yum install openssl openssl-devel
    3. Check that nginx was built with the ssl module
nginx -V 2>&1 | grep ssl
# --with-http_ssl_module
  2. Generate the key
    1. Create the key directory
mkdir -p /www/ssl_key
cd /www/ssl_key
    2. Generate the key (1024-bit RSA, passphrase-protected; 1024 bits is below current minimums, 2048 is the usual choice today)
openssl genrsa -des3 -out wang_mingqu_com.key 1024

# Generating RSA private key, 1024 bit long modulus
# ...++++++
# ..................................................................++++++
# e is 65537 (0x10001)
# Enter pass phrase for wang_mingqu_com.key: 123456
# Verifying - Enter pass phrase for wang_mingqu_com.key: 123456
    3. Remove the passphrase from the private key (nginx cannot prompt for it at start-up)
openssl rsa -in wang_mingqu_com.key -out wang_mingqu_com.key

# Enter pass phrase for wang_mingqu_com.key: 123456
# writing RSA key
  3. Generate the certificate
    1. Create the certificate signing request (CSR)
openssl req -new -key wang_mingqu_com.key -out wang_mingqu_com.csr

# You are about to be asked to enter information that will be incorporated
# into your certificate request.
# What you are about to enter is what is called a Distinguished Name or a DN.
# There are quite a few fields but you can leave some blank
# For some fields there will be a default value,
# If you enter '.', the field will be left blank.
# -----
# Country Name (2 letter code) [XX]:CN
# State or Province Name (full name) []:HeNan
# Locality Name (eg, city) [Default City]:ZhengZhou
# Organization Name (eg, company) [Default Company Ltd]:MingQuKeJi
# Organizational Unit Name (eg, section) []:YunWeiBu
# Common Name (eg, your name or your server's hostname) []:wang.mingqu.com
# Email Address []:15515190288@163.com

# Please enter the following 'extra' attributes
# to be sent with your certificate request
# A challenge password []:
# An optional company name []:
    2. Generate the self-signed SSL certificate (valid for 365 days)
openssl x509 -req -days 365 -in wang_mingqu_com.csr -signkey wang_mingqu_com.key -out wang_mingqu_com.crt

# Signature ok
# subject=/C=CN/ST=HeNan/L=ZhengZhou/O=MingQuKeJi/OU=YunWeiBu/CN=wang.mingqu.com/emailAddress=15515190288@163.com
# Getting Private key
    3. View the certificate and key
ll /www/ssl_key/
total 28
-rw-r--r-- 1 root  root  981 Feb 26 16:36 wang_mingqu_com.crt
-rw-r--r-- 1 root  root   716 Feb 26 16:32 wang_mingqu_com.csr
-rw-r--r-- 1 root  root  887 Feb 26 16:30 wang_mingqu_com.key
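The certificate steps above, and the certificate-contents list in the introduction, as one non-interactive POSIX shell script. This is an added example, not code from the original post: it makes two changes a practitioner would make today, a 2048-bit key (1024-bit RSA is below current minimums) and a subjectAltName extension (browsers no longer accept a certificate whose host name appears only in the CN), and it adds the two checks worth running before editing nginx.conf: that the certificate and key actually belong together, and how close the certificate is to expiry (the tips above note that an expired certificate has to be replaced, not renewed). The DN fields and file names are assumptions chosen for the example.

```shell
#!/bin/sh
# Added example, not part of the original post: the self-signed certificate
# steps as one script, with a 2048-bit key and a subjectAltName.
# DN fields, file names and the 365-day default are assumptions for the example.
set -e

# make_selfsigned_cert DIR NAME HOSTNAME [DAYS]
# writes DIR/NAME.key, DIR/NAME.csr, DIR/NAME.ext and DIR/NAME.crt
make_selfsigned_cert() {
    dir=$1; name=$2; host=$3; days=${4:-365}
    mkdir -p "$dir"
    # private key without a passphrase: nginx cannot prompt for one at start-up
    openssl genrsa -out "$dir/$name.key" 2048 2>/dev/null
    # lock the key down before anything else reads it (the nginx master runs as root)
    chmod 600 "$dir/$name.key"
    # certificate signing request; -subj replaces the interactive DN prompts
    openssl req -new -key "$dir/$name.key" -out "$dir/$name.csr" \
        -subj "/C=CN/ST=HeNan/L=ZhengZhou/O=MingQuKeJi/OU=YunWeiBu/CN=$host"
    # extensions a TLS server certificate needs: the SAN and the key usages
    printf 'subjectAltName=DNS:%s\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\n' \
        "$host" > "$dir/$name.ext"
    # self-sign the request with the same key, attaching the extensions
    openssl x509 -req -days "$days" -in "$dir/$name.csr" -signkey "$dir/$name.key" \
        -extfile "$dir/$name.ext" -out "$dir/$name.crt" 2>/dev/null
}

# cert_matches_key CRT KEY: exit 0 when the certificate carries the public key
# derived from KEY, 1 otherwise. Run it before pointing ssl_certificate and
# ssl_certificate_key at a pair of files; a mismatch makes "nginx -t" fail.
cert_matches_key() {
    crt_pub=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$2" -pubout | openssl sha256)
    [ "$crt_pub" = "$key_pub" ]
}

# cert_san CRT: print the subjectAltName entries of a certificate (empty if none)
cert_san() {
    openssl x509 -in "$1" -noout -text | grep -A1 'Subject Alternative Name' | tail -n 1 | tr -d ' '
}

# cert_expires_within CRT DAYS: exit 0 if the certificate expires within DAYS
# days (time to request the replacement), 1 if it is still good beyond that.
cert_expires_within() {
    if openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )); then
        return 1
    fi
    return 0
}
```

Typical use is `make_selfsigned_cert /www/ssl_key wang_mingqu_com wang.mingqu.com`, then `cert_matches_key` on the two files before copying them under /etc/nginx, and `cert_expires_within ... 30` from a cron job so the replacement is requested in time.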

Public (CA-issued) certificate

Configuring HTTPS

  1. Create the certificate directory
mkdir -p /etc/nginx/ssl_key
cp /www/ssl_key/wang_mingqu_com.crt /etc/nginx/ssl_key/
cp /www/ssl_key/wang_mingqu_com.key /etc/nginx/ssl_key/
chown -R nginx:nginx /etc/nginx/ssl_key/
  2. Edit the nginx configuration file

Path: /etc/nginx/conf.d/wangmingqu.conf

server {
  listen 443 ssl;
  server_name wang.mingqu.com;
  charset utf-8;

  # HTTPS certificate configuration
  # "ssl on;" is no longer needed in current nginx versions; "listen 443 ssl" enables TLS.

  # paths to the certificate and its private key
  ssl_certificate /etc/nginx/ssl_key/wang_mingqu_com.crt;
  ssl_certificate_key /etc/nginx/ssl_key/wang_mingqu_com.key;

  # lifetime of cached TLS session parameters (session resumption)
  ssl_session_timeout 5m;
  # cipher suites offered to clients
  ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
  # protocol versions accepted (TLSv1 and TLSv1.1 are deprecated; current practice is TLSv1.2 TLSv1.3)
  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
  # prefer the server's cipher order over the client's
  ssl_prefer_server_ciphers on;

  location / {
    root /www/wangmingqu/html;
    index index.html index.htm;
  }
}

# redirect HTTP to HTTPS
server {
  listen 80;
  server_name wang.mingqu.com;
  charset utf-8;

  # $server_name is the name set by this block's server_name directive;
  # $host is the host name the client actually requested;
  # $request_uri is everything after the host name in the request.
  rewrite .* https://$server_name$request_uri redirect;
  ## variant 2:
  #rewrite .* https://$host$request_uri redirect;
  ## variant 3:
  #rewrite (.*)  https://$server_name$1 redirect;
}
  3. Check the configuration and reload
nginx -t
systemctl reload nginx
  4. Access test: open https://wang.mingqu.com in a browser (screenshots of the browser test)

Load balancing with HTTPS redirect

Host plan

Host name       Host IP           Service
k8s-master-1    192.168.108.129   Nginx Proxy
k8s-master-2    192.168.108.130   Nginx Web1
k8s-master-3    192.168.108.131   Nginx Web2

Configuring the sites

Note

Move the other test configuration files out of the way first:

cd /etc/nginx/conf.d/
rename .conf .bak *.conf

web01 configuration

  1. Test data
mkdir -p /www/html/
echo "主机:192.168.108.130" > /www/html/index.html
chown -R nginx:nginx /www/html
  2. Configure nginx
    1. Main configuration file

Configuration file path: /etc/nginx/nginx.conf

user  nginx;
worker_processes  auto;

error_log  /var/log/nginx/error.log notice;
pid        /var/run/nginx.pid;


events {
    worker_connections  1024;
}


http {
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;

    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;

    sendfile        on;
    #tcp_nopush     on;

    keepalive_timeout  65;

    #gzip  on;

    include /etc/nginx/conf.d/*.conf;
}
    2. Sub-configuration file

Configuration file path: /etc/nginx/conf.d/web01.conf

server {
  # plain HTTP on port 443 (no "ssl" flag); the proxy configured later talks http:// to it
  listen 443;
  server_name wang.mingqu.com;
  charset utf-8;

  location / {
    root /www/html/;
    index index.html index.htm;
  }
}
  3. Verify the nginx service
    1. Restart the service
nginx -t
systemctl restart nginx
    2. Verify the service
curl -iv 127.0.0.1:443

web02 configuration

  1. Test data
mkdir -p /www/html/
echo "主机:192.168.108.131" > /www/html/index.html
chown -R nginx:nginx /www/html
  2. Configure nginx
    1. Main configuration file

Configuration file path: /etc/nginx/nginx.conf

(identical to the web01 main configuration file shown above)
    2. Sub-configuration file

Configuration file path: /etc/nginx/conf.d/web02.conf

server {
  # plain HTTP on port 443 (no "ssl" flag); the proxy configured later talks http:// to it
  listen 443;
  server_name wang.mingqu.com;
  charset utf-8;

  location / {
    root /www/html/;
    index index.html index.htm;
  }
}
  3. Verify the nginx service
    1. Restart the service
nginx -t
systemctl restart nginx
    2. Verify the service
curl -iv 127.0.0.1:443

Configuring the load balancer

Note

Move the other test configuration files out of the way first:

cd /etc/nginx/conf.d/
rename .conf .bak *.conf

Test data

mkdir -p /www/html/localhost
echo "主机:192.168.108.129" > /www/html/localhost/index.html
chown -R nginx:nginx /www/html

Main configuration file

Configuration file path: /etc/nginx/nginx.conf

user  nginx;
worker_processes  auto;

error_log  /var/log/nginx/error.log notice;
pid        /var/run/nginx.pid;


events {
    worker_connections  1024;
}


http {
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;

    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;

    sendfile        on;
    #tcp_nopush     on;

    # log rewrite processing at notice level (useful while debugging the redirect)
    rewrite_log     on;
    keepalive_timeout  65;

    #gzip  on;

    include /etc/nginx/conf.d/*.conf;
}

Sub-configuration file

Configuration file path: /etc/nginx/conf.d/proxy.conf

# the backends listen on 443 but without TLS, so the proxy speaks plain http:// to them
upstream web {
  server 192.168.108.130:443;
  server 192.168.108.131:443;
}

server {
  listen 80;
  server_name wang.mingqu.com;
  charset utf-8;

  location / {
    proxy_pass http://web;
  }

  # the load balancer's own test page
  location /localhost {
    root /www/html/;
    index index.html index.htm;
  }
}

Verifying the service

  1. Restart nginx
nginx -t
systemctl restart nginx
  2. Verify nginx
    1. The load balancer's own page under /localhost (screenshot)
    2. The backend pages through the load balancer, answered in turn by web01 and web02 (screenshots)

HTTPS redirect configuration

Certificate files

mkdir -p /etc/nginx/ssl_key
cp /www/ssl_key/wang_mingqu_com.crt /etc/nginx/ssl_key/
cp /www/ssl_key/wang_mingqu_com.key /etc/nginx/ssl_key/
chown -R nginx:nginx /etc/nginx/ssl_key/

Configuration file adjustments (/etc/nginx/conf.d/proxy.conf)

upstream web {
  server 192.168.108.130:443;
  server 192.168.108.131:443;
}

server {
  listen 443 ssl;
  server_name wang.mingqu.com;
  charset utf-8;

  # HTTPS certificate configuration
  # "ssl on;" is no longer needed in current nginx versions; "listen 443 ssl" enables TLS.

  # paths to the certificate and its private key
  ssl_certificate /etc/nginx/ssl_key/wang_mingqu_com.crt;
  ssl_certificate_key /etc/nginx/ssl_key/wang_mingqu_com.key;

  # lifetime of cached TLS session parameters (session resumption)
  ssl_session_timeout 5m;
  # cipher suites offered to clients
  ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
  # protocol versions accepted (TLSv1 and TLSv1.1 are deprecated; current practice is TLSv1.2 TLSv1.3)
  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
  # prefer the server's cipher order over the client's
  ssl_prefer_server_ciphers on;

  location / {
    proxy_pass http://web;
    # proxy_params sets Host, X-Real-IP, X-Forwarded-For and X-Forwarded-Proto; Debian/Ubuntu
    # packages ship it as /etc/nginx/proxy_params. If your package does not, create it or
    # write the proxy_set_header directives here, otherwise the backends see plain HTTP.
    include proxy_params;
  }
}

# redirect HTTP to HTTPS
server {
  listen 80;
  server_name wang.mingqu.com;
  charset utf-8;

  # $server_name is the name set by this block's server_name directive;
  # $host is the host name the client actually requested;
  # $request_uri is everything after the host name in the request.
  rewrite .* https://$server_name$request_uri redirect;
  ## variant 2:
  #rewrite .* https://$host$request_uri redirect;
  ## variant 3:
  #rewrite (.*)  https://$server_name$1 redirect;
}
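The HTTPS server block above and the earlier one under "Configuring HTTPS" still accept TLSv1 and TLSv1.1, and the web01/web02 backends listen on 443 without the ssl flag, so the proxy has to tell them which scheme the client used. The following POSIX shell script, added here as an example and not part of the original post, audits an nginx configuration for exactly those points (plus the obsolete "ssl on;" and a missing Strict-Transport-Security header) and prints one line per finding. The two embedded sample configurations are constructed for the example; the script assumes that an `include proxy_params;` line sets X-Forwarded-Proto, as the file shipped by Debian/Ubuntu packages does.

```shell
#!/bin/sh
# Added example, not part of the original post: a line-oriented audit of the
# TLS-related directives in an nginx configuration. The sample configs below
# are constructed for this example. Assumption: "include proxy_params" sets
# X-Forwarded-Proto (true for the file shipped by Debian/Ubuntu packages).
set -e

# audit_nginx_tls [FILE...]: reads nginx config (stdin if no file), prints one
# line per finding and exits 1 if any WARN/ERROR was found.
audit_nginx_tls() {
    awk '
    function flush() {
        if (l443 && !lssl) { print "WARN  server#" n ": listen 443 without ssl -> plaintext HTTP on the HTTPS port"; bad++ }
        if (sslon)         { print "WARN  server#" n ": \"ssl on;\" is obsolete, use \"listen 443 ssl\""; bad++ }
        if (oldp)          { print "WARN  server#" n ": ssl_protocols enables TLSv1/TLSv1.1 (deprecated by RFC 8996)"; bad++ }
        if (lssl && !cert) { print "ERROR server#" n ": listen ... ssl but no ssl_certificate"; bad++ }
        if (lssl && proxy && !fwd) { print "WARN  server#" n ": proxy_pass without X-Forwarded-Proto, backend cannot tell the request was HTTPS"; bad++ }
        if (lssl && !hsts) { print "INFO  server#" n ": no Strict-Transport-Security header" }
    }
    { sub(/#.*/, "") }                         # drop comments, so a commented "ssl on;" is not a finding
    !inside && $1 == "server" && $2 == "{" {   # start of a server block
        inside = 1; depth = 1; n++
        l443 = lssl = sslon = oldp = cert = proxy = fwd = hsts = 0
        next
    }
    inside {
        if ($1 == "listen") {
            if ($0 ~ /(^|[ \t:])443[ \t;]/) l443 = 1      # port 443 ...
            if ($0 ~ /[ \t]ssl[ \t;]/)       lssl = 1      # ... with the ssl flag
        }
        if ($1 == "ssl" && $2 ~ /^on/)                               sslon = 1
        if ($1 == "ssl_protocols" && $0 ~ /TLSv1(\.1)?[ \t;]/)        oldp = 1
        if ($1 == "ssl_certificate")                                  cert = 1
        if ($1 == "proxy_pass")                                       proxy = 1
        if ($1 == "proxy_set_header" && $2 == "X-Forwarded-Proto")    fwd = 1
        if ($1 == "include" && $2 ~ /proxy_params/)                   fwd = 1
        if ($1 == "add_header" && $2 == "Strict-Transport-Security")  hsts = 1
        depth += split($0, o, "[{]") - split($0, c, "[}]")   # brace nesting
        if (depth <= 0) { flush(); inside = 0 }
    }
    END { if (bad) exit 1 }
    ' "$@"
}

# constructed sample: the weaknesses present in the configs of this post
weak_config_sample() {
    cat <<'EOF'
server {
  listen 443;
  server_name web01.example.test;
  location / {
    root /www/html/;
  }
}
server {
  listen 443 ssl;
  server_name wang.mingqu.com;
  ssl on;
  ssl_certificate /etc/nginx/ssl_key/wang_mingqu_com.crt;
  ssl_certificate_key /etc/nginx/ssl_key/wang_mingqu_com.key;
  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
  location / {
    proxy_pass http://web;
  }
}
EOF
}

# constructed sample: the same proxy, hardened
hardened_config_sample() {
    cat <<'EOF'
upstream web {
  server 192.168.108.130:443;
  server 192.168.108.131:443;
}
server {
  listen 443 ssl;
  server_name wang.mingqu.com;
  ssl_certificate /etc/nginx/ssl_key/wang_mingqu_com.crt;
  ssl_certificate_key /etc/nginx/ssl_key/wang_mingqu_com.key;
  ssl_protocols TLSv1.2 TLSv1.3;
  add_header Strict-Transport-Security "max-age=31536000" always;
  location / {
    proxy_pass http://web;
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-Proto $scheme;
  }
}
server {
  listen 80;
  server_name wang.mingqu.com;
  return 301 https://$host$request_uri;
}
EOF
}
```

Run it as `audit_nginx_tls /etc/nginx/conf.d/proxy.conf` next to `nginx -t`; a non-zero exit means at least one WARN or ERROR. The check is line-oriented and only understands the one-directive-per-line layout used in this post, so treat it as a pre-deployment sanity check, not a replacement for a full TLS scan of the running server.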

Testing the HTTPS redirect

(screenshots of the redirect test)
