Configuring nginx for HTTPS access
I. Generating the certificate
1. Save the following as a script file named generate.sh
#!/bin/bash
# Prompts for an alias, a host name or IP address and a password, then creates an RSA key pair
# with a self-signed certificate in $alias.jks.
read -r -p "Please input alias:" alias
read -r -p "Please input domain name or ip address:" domain
read -r -p "Please input password:" password
echo "alias: $alias"
echo "dname: CN=$domain"
echo "password: $password"
# SAN=ip: is correct for an IP address; for a host name use SAN=dns:$domain instead.
keytool -genkey -alias "$alias" -keyalg RSA -keypass "$password" -storepass "$password" -keystore "$alias.jks" -validity 3650 -dname "CN=$domain,OU=localhost,O=localhost,L=localhost,ST=localhost,C=localhost" -ext "SAN=ip:$domain"
# This command can be omitted: it only writes a certificate signing request, not a certificate. The jks is converted later to produce the real pem file; if nginx is pointed at this .pem file it will not work.
keytool -certreq -alias "$alias" -keyalg RSA -keypass "$password" -storepass "$password" -keystore "$alias.jks" -file "$alias.pem"
# Export the certificate itself in DER form as $alias.cer.
keytool -export -trustcacerts -alias "$alias" -file "$alias.cer" -keystore "$alias.jks" -storepass "$password"
2. Run the script to generate the certificate (the three answers are fed in on stdin; read -p is a bash feature, so run it with bash)
echo -e "weblogic\n192.168.1.6\npassword\n" | bash generate.sh
3. Convert the .jks file to .p12 (a PKCS12 keystore)
# keytool rewrites the keystore in place and keeps the original JKS file as weblogic.jks.old
keytool -importkeystore -srckeystore weblogic.jks -destkeystore weblogic.jks -deststoretype pkcs12
4. Convert the cer (DER) certificate to pem format
openssl x509 -inform der -in weblogic.cer -out server.pem
5. Extract the private key
# -nodes writes the key unencrypted, which is what nginx needs; keep the file readable only by root
openssl pkcs12 -nocerts -nodes -in weblogic.jks -out server.key
chmod 600 server.key
II. Configuring HTTPS access in nginx
# load-balancing configuration
upstream tomcat {
    # http backend
    # server ip:8080;
    # https backend: port 443 must be given explicitly
    server www.baidu.com:443;
}
server {
    listen 443 ssl;
    server_name localhost;
    ssl_certificate /data/cer1/server.pem;
    ssl_certificate_key /data/cer1/server.key;
    # ssl_session_cache shared:SSL:1m;
    # ssl_session_timeout 5m;
    # ssl_ciphers HIGH:!aNULL:!MD5;
    # ssl_prefer_server_ciphers on;
    # location / {
    #     root html;
    #     index index.html index.htm;
    # }
    location /tomcat1 {
        # forward directly
        # proxy_pass https://www.baidu.com/;
        # when going through the upstream, proxy_set_header must be added, otherwise the backend cannot be reached
        proxy_pass https://tomcat/;
        proxy_set_header Host "www.baidu.com";
    }
}
Notes
1. Startup
Startup error one:
[root@VM-16-11-centos conf]# systemctl status nginx.service
● nginx.service - SYSV: Nginx is an HTTP(S) server, HTTP(S) reverse proxy and IMAP/POP3 proxy server
Loaded: loaded (/etc/rc.d/init.d/nginx; bad; vendor preset: disabled)
Drop-In: /etc/systemd/system/nginx.service.d
└─override.conf
Active: failed (Result: exit-code) since Wed 2021-03-31 18:39:35 CST; 11s ago
Docs: man:systemd-sysv-generator(8)
Process: 767 ExecStart=/etc/rc.d/init.d/nginx start (code=exited, status=1/FAILURE)
Mar 31 18:39:35 VM-16-11-centos systemd[1]: Starting SYSV: Nginx is an HTTP(S) server, HTTP(S) reverse proxy and IMAP/POP3 proxy server...
Mar 31 18:39:35 VM-16-11-centos nginx[767]: Starting nginx: nginx: [emerg] cannot load certificate "/data/cer/weblogic.pem": PEM_read_bio_X509_AUX() failed (SSL: error:0906D06...CERTIFICATE)
Mar 31 18:39:35 VM-16-11-centos nginx[767]: [FAILED]
Mar 31 18:39:35 VM-16-11-centos systemd[1]: nginx.service: control process exited, code=exited status=1
Mar 31 18:39:35 VM-16-11-centos systemd[1]: Failed to start SYSV: Nginx is an HTTP(S) server, HTTP(S) reverse proxy and IMAP/POP3 proxy server.
Mar 31 18:39:35 VM-16-11-centos systemd[1]: Unit nginx.service entered failed state.
Mar 31 18:39:35 VM-16-11-centos systemd[1]: nginx.service failed.
Hint: Some lines were ellipsized, use -l to show in full.
Startup error two:
[root@VM-16-11-centos conf]# systemctl status nginx.service
● nginx.service - SYSV: Nginx is an HTTP(S) server, HTTP(S) reverse proxy and IMAP/POP3 proxy server
Loaded: loaded (/etc/rc.d/init.d/nginx; bad; vendor preset: disabled)
Drop-In: /etc/systemd/system/nginx.service.d
└─override.conf
Active: failed (Result: exit-code) since Wed 2021-03-31 18:41:53 CST; 9s ago
Docs: man:systemd-sysv-generator(8)
Process: 1180 ExecStart=/etc/rc.d/init.d/nginx start (code=exited, status=1/FAILURE)
Mar 31 18:41:52 VM-16-11-centos systemd[1]: Starting SYSV: Nginx is an HTTP(S) server, HTTP(S) reverse proxy and IMAP/POP3 proxy server...
Mar 31 18:41:53 VM-16-11-centos nginx[1180]: Starting nginx: nginx: [emerg] cannot load certificate key "/data/cer/server.key": PEM_read_bio_PrivateKey() failed (SSL: error:09...PRIVATE KEY)
Mar 31 18:41:53 VM-16-11-centos nginx[1180]: [FAILED]
Mar 31 18:41:53 VM-16-11-centos systemd[1]: nginx.service: control process exited, code=exited status=1
Mar 31 18:41:53 VM-16-11-centos systemd[1]: Failed to start SYSV: Nginx is an HTTP(S) server, HTTP(S) reverse proxy and IMAP/POP3 proxy server.
Mar 31 18:41:53 VM-16-11-centos systemd[1]: Unit nginx.service entered failed state.
Mar 31 18:41:53 VM-16-11-centos systemd[1]: nginx.service failed.
Hint: Some lines were ellipsized, use -l to show in full.
Cause:
A problem in certificate generation; run the commands in the order given above and regenerate the certificate. Both messages mean that the file named in ssl_certificate or ssl_certificate_key is not what nginx expects there: a PEM X.509 certificate and an unencrypted PEM private key, respectively.
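As an added check that is not part of the original post: a POSIX shell script that classifies the PEM files by their headers before nginx is started, so that a CSR written by keytool -certreq (such as the weblogic.pem in error one) or a missing or passphrase-protected key (error two) is caught in the shell rather than at nginx startup. The demo files it creates are constructed placeholders with no real key material.

```shell
#!/bin/sh
# Added example: sanity-check the files named in ssl_certificate and
# ssl_certificate_key before starting nginx. Both startup errors above come
# from the wrong kind of file: a CSR from `keytool -certreq` instead of a
# certificate, or a key file that is not an unencrypted PEM private key.

pem_kind() {
  # Print CSR, CERT, ENCRYPTED_KEY, KEY or UNKNOWN for the PEM file in $1.
  if grep -q -- '-----BEGIN CERTIFICATE REQUEST-----' "$1"; then echo CSR
  elif grep -q -- '-----BEGIN CERTIFICATE-----' "$1"; then echo CERT
  elif grep -q -- '-----BEGIN ENCRYPTED PRIVATE KEY-----' "$1"; then echo ENCRYPTED_KEY
  elif grep -q -E -- '-----BEGIN (RSA |EC )?PRIVATE KEY-----' "$1"; then echo KEY
  else echo UNKNOWN; fi
}

check_nginx_ssl_pair() {
  # $1 = ssl_certificate file, $2 = ssl_certificate_key file.
  # Returns 0 when both look loadable by nginx, 1 otherwise (reason on stderr).
  rc=0
  case "$(pem_kind "$1")" in
    CERT) ;;
    CSR) echo "$1: certificate signing request, not a certificate" >&2; rc=1 ;;
    *)   echo "$1: no PEM certificate block found" >&2; rc=1 ;;
  esac
  case "$(pem_kind "$2")" in
    KEY) ;;
    ENCRYPTED_KEY) echo "$2: key is passphrase protected; re-extract with -nodes" >&2; rc=1 ;;
    *)   echo "$2: no PEM private key block found" >&2; rc=1 ;;
  esac
  # The headers cannot tell whether the key belongs to the certificate; for that,
  # compare `openssl x509 -noout -pubkey -in cert` with `openssl pkey -pubout -in key`.
  return $rc
}

# Constructed demo files (headers only, no real key material), mirroring the
# two situations in the startup errors above.
demo=$(mktemp -d)
printf '%s\n' '-----BEGIN CERTIFICATE REQUEST-----' 'placeholder' '-----END CERTIFICATE REQUEST-----' > "$demo/weblogic.pem"
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'placeholder' '-----END CERTIFICATE-----' > "$demo/server.pem"
printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'placeholder' '-----END PRIVATE KEY-----' > "$demo/server.key"
check_nginx_ssl_pair "$demo/weblogic.pem" "$demo/server.key" || echo "weblogic.pem rejected (this is startup error one)"
check_nginx_ssl_pair "$demo/server.pem" "$demo/server.key" && echo "server.pem + server.key look loadable"
rm -rf "$demo"
```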
2. Load balancing HTTPS requests
Error seen when load balancing HTTPS access:
2021/03/31 22:06:02 [error] 30311#0: *101 SSL_do_handshake() failed (SSL: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol) while SSL handshaking to upstream, client: 118.199.147.23, server: localhost, request: "GET /tomcat1 HTTP/1.1", upstream: "https://220.181.38.150:80/", host: "82.156.116.92"
2021/03/31 22:06:02 [error] 30311#0: *101 SSL_do_handshake() failed (SSL: error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol) while SSL handshaking to upstream, client: 118.199.147.23, server: localhost, request: "GET /tomcat1 HTTP/1.1", upstream: "https://220.181.38.149:80/", host: "82.156.116.92"
Cause: misconfiguration in nginx.conf (without an explicit port the upstream defaults to 80, which is what the log shows as upstream: "https://...:80/", so the TLS handshake hits a plain-HTTP port)
# wrong configuration
upstream tomcat {
    server www.baidu.com;
}
location /tomcat1 {
    proxy_pass https://tomcat/;
}
# correct configuration
upstream tomcat {
    server www.baidu.com:443;
}
location /tomcat1 {
    proxy_pass https://tomcat/;
    proxy_set_header Host "www.baidu.com";
}
What proxy_set_header does (not fully understood yet, noting it down for now):
- It redefines the request headers sent to the backend server.
- With proxy_set_header Host $proxy_host, the Host header of the request is reset.
- With proxy_set_header Host $http_host, the Host header of the request is not reset.
- Setting it directly, proxy_set_header Host "domain to access", has the same effect as $proxy_host.
- If the current block has no proxy_set_header setting, it is inherited from the enclosing level; the inheritance order is http, server, location.