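Configuring Nginx to support HTTPS access

What is HTTPS?

HTTP: the most widely used network protocol on the Internet. It is a standard for requests and responses between a client and a server (over TCP), used to transfer hypertext from a WWW server to the local browser. It makes the browser more efficient and reduces network traffic.

HTTPS: in full, Hyper Text Transfer Protocol over Secure Socket Layer. It is an HTTP channel built with security as its goal; put simply, it is the secure version of HTTP, that is, HTTP with an SSL layer added underneath. The security of HTTPS rests on SSL, so the details of the encryption are handled by SSL.

The HTTPS protocol serves two main purposes: one is to establish a secure channel that protects data in transit; the other is to confirm the authenticity of the website.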

1. Install the nginx dependencies and modules, then download and install nginx

[root@ c7-42 ~] yum -y install zlib zlib-devel gcc-c++ libtool openssl openssl-devel pcre pcre-devel wget
[root@ c7-42 ~] wget http://nginx.org/download/nginx-1.14.2.tar.gz # download the nginx source tarball
[root@ c7-42 ~] tar -zxf nginx-1.14.2.tar.gz # unpack
[root@ c7-42 ~] cd nginx-1.14.2
[root@ c7-42 nginx-1.14.2] ./configure --with-http_stub_status_module --with-http_ssl_module # check the environment and select the modules
[root@ c7-42 nginx-1.14.2] make &&  make install # compile and install

2. Check the Nginx SSL module

[root@ c7-42 nginx-1.14.2] /usr/local/nginx/sbin/nginx -V  
nginx version: nginx/1.14.2
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-39) (GCC) 
built with OpenSSL 1.0.2k-fips  26 Jan 2017
TLS SNI support enabled
configure arguments: --with-http_stub_status_module --with-http_ssl_module # the modules selected at configure time

3. Prepare the private key and certificate

[root@ c7-42 nginx-1.14.2] cd /usr/local/nginx/
[root@ c7-42 nginx] mkdir -p ssl 
[root@ c7-42 nginx] cd ssl/
[root@ c7-42 ssl] openssl genrsa -des3 -out server.key 1024 # generate the private key
Generating RSA private key, 1024 bit long modulus
.....................++++++
........++++++
e is 65537 (0x10001)
Enter pass phrase for server.key: #123456
Verifying - Enter pass phrase for server.key: #123456

[root@ c7-42 ssl] ll # list the generated private key
total 4
-rw-r--r-- 1 root root 963 Apr 26 15:59 server.key

4. Create the certificate signing request (CSR)

[root@ c7-42 ssl] openssl req -new -key server.key -out server.csr
Enter pass phrase for server.key: #123456
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN # country
State or Province Name (full name) []:BJ # province
Locality Name (eg, city) [Default City]:BJ # city
Organization Name (eg, company) [Default Company Ltd]:#SDU
Organizational Unit Name (eg, section) []: #BJ
Common Name (eg, your name or your server's hostname) []:##wjj 
Email Address []:xxxxxxxxxxx@qq.com # e-mail address
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: # just press Enter
An optional company name []: # just press Enter

5. Remove the passphrase from the private key

[root@ c7-42 ~] cd /usr/local/nginx/ssl
[root@ c7-42 ssl] cp server.key server.key.ori # make a backup first
[root@ c7-42 ssl] openssl rsa -in server.key.ori -out server.key
Enter pass phrase for server.key.ori:
writing RSA key

6. Generate a self-signed certificate from the signing request and the private key

[root@ c7-42 ssl] openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
Signature ok
subject=/C=CN/ST=BJ/L=BJ/O=SDU/OU=BJ/CN=wjj/emailAddress=912126002@qq.com
Getting Private key
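
Steps 3 to 6 as one non-interactive script, added here as an example and not part of the original post: it uses a 2048-bit key (1024-bit RSA no longer meets current minimums), adds a subjectAltName for the host, and checks that key and certificate belong together. The function names, the temporary output directory, and the use of www.hack.com as CN and SAN are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): steps 3-6 without prompts.
# make_selfsigned, key_matches_cert and cert_key_bits are hypothetical helper names.
set -eu

# make_selfsigned DIR HOST: key, CSR and self-signed certificate for HOST in DIR.
# The body runs in a subshell so the restrictive umask does not leak to the caller.
make_selfsigned() (
    dir=$1 host=$2
    umask 077                        # server.key is created 0600 instead of 0644
    mkdir -p "$dir"
    # 2048-bit key without a passphrase, so nginx can start unattended.
    openssl genrsa -out "$dir/server.key" 2048
    # Subject passed with -subj instead of being typed at the prompts.
    openssl req -new -key "$dir/server.key" -out "$dir/server.csr" \
        -subj "/C=CN/ST=BJ/L=BJ/O=SDU/OU=BJ/CN=$host"
    # Browsers match the host name against subjectAltName, not the CN.
    printf 'subjectAltName=DNS:%s\n' "$host" > "$dir/san.ext"
    openssl x509 -req -days 365 -sha256 -in "$dir/server.csr" \
        -signkey "$dir/server.key" -extfile "$dir/san.ext" -out "$dir/server.crt"
)

# key_matches_cert KEY CERT: succeeds only if both carry the same public key.
key_matches_cert() {
    k=$(openssl rsa -in "$1" -pubout 2>/dev/null | openssl sha256)
    c=$(openssl x509 -in "$2" -noout -pubkey | openssl sha256)
    [ "$k" = "$c" ]
}

# cert_key_bits CERT: print the size of the certificate's public key in bits.
cert_key_bits() {
    openssl x509 -in "$1" -noout -text |
        sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# Demonstration in a throwaway directory (constructed input, nothing is installed).
demo_dir=$(mktemp -d)
make_selfsigned "$demo_dir" www.hack.com
key_matches_cert "$demo_dir/server.key" "$demo_dir/server.crt" && echo "key and certificate match"
echo "key size: $(cert_key_bits "$demo_dir/server.crt") bits"
```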

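7. Edit the configuration file and add a directory for sub-configuration files

[root@ c7-42 ssl] mkdir -p /usr/local/nginx/conf/conf.d # create the sub-configuration directory
[root@ c7-42 ssl] cat> /usr/local/nginx/conf/nginx.conf<<\EOF # rewrite the main configuration file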
user  nobody;
worker_processes  1;
events {
        worker_connections  1024;
}
http {
        include       mime.types;
        default_type  application/octet-stream;
        sendfile        on;
        keepalive_timeout  65;
        include conf.d/*.conf;
}
EOF

8. Start nginx and check the processes

[root@ c7-42 ssl] /usr/local/nginx/sbin/nginx 
[root@ c7-42 ssl] ps  -ef|grep nginx
root       6789      1  0 16:13 ?        00:00:00 nginx: master process /usr/local/nginx/sbin/nginx
nobody     6872   6789  0 16:26 ?        00:00:00 nginx: worker process
root       6892   3804  0 16:36 pts/0    00:00:00 grep --color=auto nginx

9. Create the sub-configuration file and reload

[root@ c7-42 ssl] cat >/usr/local/nginx/conf/conf.d/hack.conf<<\EOF
server {
     listen       443 ssl;
     server_name  www.hack.com;
     ssl on;
     ssl_certificate /usr/local/nginx/ssl/server.crt;
     ssl_certificate_key /usr/local/nginx/ssl/server.key;
 
     location / {
     # site root directory
         root   /usr/local/nginx/html;
        index index.php  index.html index.htm;
     }
 }
EOF
[root@ c7-42 ssl] /usr/local/nginx/sbin/nginx -t # test the configuration
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@ c7-42 ssl] /usr/local/nginx/sbin/nginx -s reload

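10. Add an entry to the Windows hosts file:

Add the line   10.0.0.42 www.hack.com

Upload hack.html to the /usr/local/nginx/html directory.
Then open https://www.hack.com/hack.html in Google Chrome.

At this point you will find that http://www.hack.com/hack.html can no longer be opened in the browser; a rewrite redirect is needed.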

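11. Add the rewrite redirect

The configuration above has one drawback: if a user forgets to use https or port 443, the site cannot be reached. Requests to port 80 therefore need to be redirected to port 443 and served over SSL. All that is needed is one more server block that issues a 301 permanent redirect.
[root@ c7-42 ~] cat> /usr/local/nginx/conf/conf.d/hack.conf<<\EOF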
server {
    listen 80;
    server_name www.hack.com;
    rewrite ^(.*) https://$server_name$1 permanent;
}

server {
    listen       443 ssl;
    server_name  www.hack.com;
    ssl on;
    ssl_certificate /usr/local/nginx/ssl/server.crt;
    ssl_certificate_key /usr/local/nginx/ssl/server.key;

    location / {
    # site root directory
        root   /usr/local/nginx/html;
        index index.php  index.html index.htm;
    }
}
EOF
[root@ c7-42 ~] /usr/local/nginx/sbin/nginx -t # test the configuration
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@ c7-42 ~] /usr/local/nginx/sbin/nginx -s reload # reload

Open http://www.hack.com/hack.html in the browser and nginx redirects the request to https://www.hack.com/hack.html; see the nginx log for details.
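
An added example, not the original post's configuration: the same two server blocks with the deprecated "ssl on;" dropped, TLS limited to 1.2, and "return" in place of the regex rewrite, followed by a small check for the weak settings. write_conf and lint_conf are hypothetical helper names, and the file is written to a temporary path rather than to conf.d.

```shell
#!/usr/bin/env bash
# Added example, not from the original post; write_conf and lint_conf are hypothetical helpers.
set -eu

# write_conf FILE: the redirect and TLS server blocks with tightened settings.
write_conf() {
    # The quoted delimiter stops the shell from expanding $server_name and $request_uri.
    cat > "$1" <<'EOF'
server {
    listen 80;
    server_name www.hack.com;
    return 301 https://$server_name$request_uri;   # keeps the path and query string
}
server {
    listen 443 ssl;                # the ssl flag makes a separate "ssl on;" unnecessary
    server_name www.hack.com;
    ssl_certificate     /usr/local/nginx/ssl/server.crt;
    ssl_certificate_key /usr/local/nginx/ssl/server.key;
    ssl_protocols TLSv1.2;         # nginx 1.14 otherwise also accepts TLSv1 and TLSv1.1
    ssl_prefer_server_ciphers on;
    location / {
        root  /usr/local/nginx/html;
        index index.php index.html index.htm;
    }
}
EOF
}

# lint_conf FILE: print one line per weak setting; exit status 1 if any was found.
lint_conf() {
    findings=0
    if grep -Eq '^[[:space:]]*ssl[[:space:]]+on;' "$1"; then
        echo "ssl on; is deprecated, use 'listen 443 ssl;' alone"; findings=1
    fi
    if ! grep -Eq '^[[:space:]]*ssl_protocols[[:space:]]' "$1"; then
        echo "ssl_protocols not set, old TLS versions stay enabled"; findings=1
    fi
    if grep -Eq 'https://[[:space:]]|https://;' "$1"; then
        echo "redirect target is empty, the shell expanded the nginx variables"; findings=1
    fi
    [ "$findings" -eq 0 ]
}

# Demonstration on a temporary file (constructed, not the live configuration).
conf=$(mktemp)
write_conf "$conf"
lint_conf "$conf" && echo "no weak settings found in $conf"
```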