SSL
SSL:安全套接字层,由Netscape公司于1994年创建,它旨在通过Web创建安全的Internet通信。
它是一种标准协议,用于加密浏览器和服务器之间的通信。它允许通过Internet安全轻松地传输账号密码、银行卡、手机号等私密信息。.
SSL常见应用:
https:启用ssl加密的安全HTTP传输协议
ipsec vpn
PKI
公钥基础设施,主要功能是绑定证书持有者的身份和相关的密钥对(通过为公钥及相关的用户身份信息签发数字证书),为用户提供方便的证书申请、证书作废、证书获取、证书状态查询的途径,并利用数字证书及相关的各种服务(证书发布,黑名单发布,时间戳服务等),实现通信中各实体的身份认证、完整性、抗抵赖性和保密性.标准:x.509
证书
CA:证书颁发机构
RA:证书注册机构
证书的内容
- 申请者的公钥
- 申请者的身份标识
- 证书有效期
- 颁发者的标识
- 颁发者的签名
HTTPS证书的选择
- 专业版OV型 不显示企业名
- 高级版EV型 显示企业名
HTTPS证书购买选择
- 单域名:仅能绑定一个域名
- 多域名:能绑定五个域名
- 通配符域名:不限个数
HTTPS注意事项
- https仅支持二级域名
- https不支持续费,证书到期重新申请替换
- https显示绿色,说明整个网站都是https的
- https显示黄色,网站代码中包含https不安全链接
- https显示红色,证书不认或过期
企业内部实现https案例
- 生成key密钥
- 生成证书签名请求文件(csr文件)
- 生成证书签名文件(ca文件)
1.查看是否安装openssl和版本
[root@LNMP-1 ~]# rpm -q openssl
openssl-1.0.2k-16.el7.x86_64
[root@LNMP-1 ~]# yum -y install openssl
[root@LNMP-1 ~]# openssl version
OpenSSL 1.0.2k-fips 26 Jan 2017
查看nginx是否安装ssl模块
[root@LNMP-1 ~]# nginx -V
显示结果包含: --with-http_ssl_module
2.创建ssl密钥目录
[root@LNMP-1 ~]# mkdir -p /etc/nginx/ssl_key
[root@LNMP-1 ~]# cd /etc/nginx/ssl_key/
3.证书颁发机构,创建私钥
本机当CA
[root@LNMP-1 ssl_key]# openssl genrsa -idea -out server.key 2048
Generating RSA private key, 2048 bit long modulus
..............................+++
............+++
e is 65537 (0x10001)
Enter pass phrase for server.key:
Verifying - Enter pass phrase for server.key:
4.生成证书,去掉私钥的密码
[root@LNMP-1 ssl_key]# openssl req -days 3650 -x509 -sha256 -nodes -newkey rsa:2048 -keyout server.key -out server.crt
Generating a 2048 bit RSA private key
...+++
....................................................................+++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:
State or Province Name (full name) []:
Locality Name (eg, city) [Default City]:
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:
Email Address []:
[root@LNMP-1 ssl_key]#
5.配置https网站
[root@LNMP-1 ~]# vim /etc/nginx/conf.d/https.conf
server {
listen 443 ssl;
server_name https.benet.com;
ssl_certificate ssl_key/server.crt;
ssl_certificate_key ssl_key/server.key;
location / {
root /httpsweb;
index index.html;
}
}
[root@LNMP-1 ~]# mkdir /httpsweb
[root@LNMP-1 ~]# echo "<h1>https.benet.com</h1>" > /httpsweb/index.html
[root@LNMP-1 ~]# systemctl restart nginx
6.客户机修改hosts文件,使用https://https.benet.com访问测试。
[root@localhost ~]# cat /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.1.11 https.benet.com
7.rewrite地址重写(https重定向到http)
[root@LNMP-1 ~]# vim /etc/nginx/conf.d/https.conf
......
server {
listen 80;
server_name https.benet.com; // 以下选一种即可
# rewrite .* https://https.benet.com;
# rewrite .* https://$host$request_uri redirect;
# rewrite .* https://$server_name$request_uri redirect;
rewrite .* https://$server_name$1 redirect;
}
模拟案例(配置负载均衡)
使知乎使用https://zh.benet.com访问
(1)配置LNMP-1的zh(LNMP-2一样)
[root@LNMP-1 ~]# vim /etc/nginx/conf.d/zh.conf
server {
listen 443 ssl;
server_name zh.benet.com;
ssl_certificate ssl_key/server.crt;
ssl_certificate_key ssl_key/server.key;
root /zh;
index index.php index.html;
location ~ \.php$ {
root /zh;
fastcgi_pass 192.168.1.110:9000;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include fastcgi_params;
}
}
server {
listen 80;
server_name zh.benet.com;
rewrite .* https://$server_name$1 redirect;
}
[root@LNMP-1 ~]# nginx -t
[root@LNMP-1 ~]# systemctl restart nginx
(2)配置负载均衡lb1(lb2一样)
[root@lb1 ~]# vim /etc/nginx/conf.d/lb1.conf
upstream web_cluster {
server 192.168.1.109:443;
server 192.168.1.111:443;
}
server {
listen 443 ssl;
server_name zh.benet.com;
ssl_certificate ssl_key/server.crt;
ssl_certificate_key ssl_key/server.key;
location / {
proxy_pass https://web_cluster;
include nginx_params;
}
}
server {
listen 80;
server_name zh.benet.com;
return 302 https://$server_name$1;
}
[root@lb1 ~]# nginx -t
[root@lb1 ~]# systemctl restart nginx
(3)使用https://zh.benet.com访问知乎网页