nginx and HTTPS

2.1 Single-node Nginx with HTTPS, hands-on

nginx must be built with the ssl module

[root@web01 ~]# nginx -V 2>&1 | grep -o -- '--with-http_ssl_module'
--with-http_ssl_module

Create a directory for the certificate and private key

[root@web01 ~]# mkdir -p /etc/nginx/ssl_key
[root@web01 ~]# cd /etc/nginx/ssl_key
2.2 Use the openssl command to act as your own CA and create a certificate (not for production: a self-signed certificate is not trusted by browsers or anyone else on the internet)

[root@web01 ssl_key]# openssl genrsa -idea -out server.key 2048
Generating RSA private key, 2048 bit long modulus
...............................................+++
............................................+++
e is 65537 (0x10001)

Use 1234 as the passphrase for now. (-idea encrypts the key with the IDEA cipher, which OpenSSL 3 only offers through the legacy provider; -aes256 is the portable choice. The passphrase-protected key is replaced again in 2.3, so this step only matters if you keep it.)

Enter pass phrase for server.key:
Verifying - Enter pass phrase for server.key:
[root@web01 ssl_key]# ls
server.key
2.3 Generate a self-signed certificate and drop the passphrase from the private key (-newkey creates a fresh key and overwrites the server.key from 2.2; without -nodes nginx would prompt for the passphrase at every start, or need ssl_password_file)

[root@web03 ssl_key]# openssl req -days 36500 -x509 -sha256 -nodes -newkey rsa:2048 -keyout server.key -out server.crt
Generating a 2048 bit RSA private key
..................................................................................................+++
...................................................................................................+++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:chinese
string is too long, it needs to be less than 2 bytes long
Country Name (2 letter code) [XX]:ch
State or Province Name (full name) []:cha
Locality Name (eg, city) [Default City]:beijin
Organization Name (eg, company) [Default Company Ltd]:shiwei
Organizational Unit Name (eg, section) []:yunwei
Common Name (eg, your name or your server's hostname) []:haoda.com
Email Address []:[email protected]

req --> the OpenSSL subcommand for certificate requests; combined with -x509 it writes a self-signed certificate instead of a CSR

-newkey rsa:2048 --> generate a new 2048-bit RSA key in the same step (this overwrites the server.key created in 2.2)

-nodes --> leave the new private key unencrypted, so nginx can start without prompting for a passphrase

-keyout --> file to write the private key to

-x509 --> output an X.509 certificate rather than a request

-sha256 --> sign with SHA-256 (browsers reject SHA-1 signatures)

-out --> output certificate file

-days --> validity period in days

Two things to check before using the result. The country code is the two-letter ISO 3166 code, CN for China ("ch", as typed above, is Switzerland). More importantly, current browsers ignore the Common Name and match the hostname only against the subjectAltName extension; the bare command above produces no SAN, so Chrome and Firefox reject the certificate for s.haoda.com even after it has been trusted (and the CN entered here is haoda.com, not s.haoda.com, so the name would not match anyway). On OpenSSL 1.1.1 or later add -addext "subjectAltName=DNS:haoda.com,DNS:s.haoda.com" to the command; older versions need a config file with an extensions section passed via -config and -extensions. The 36500-day lifetime is also a problem for some clients: Apple platforms reject TLS server certificates valid for more than 825 days. Inspect what you produced with openssl x509 -in server.crt -noout -text.

2.4 With the certificate in hand, configure HTTPS in Nginx

Enable SSL (ssl on is deprecated since nginx 1.15.0 and was removed in 1.25.1; use the ssl parameter of listen instead, i.e. listen 443 ssl;)

Syntax: ssl on | off;
Default: ssl off;
Context: http, server

Certificate file

Syntax: ssl_certificate file;
Default: -
Context: http,server

Private key file

Syntax: ssl_certificate_key file;
Default: -
Context: http, server
2.5 Nginx HTTPS configuration example

[root@web01 conf.d]# cat ssl.conf
server {
    listen 443 ssl;
    server_name s.haoda.com;
    ssl_certificate ssl_key/server.crt;
    ssl_certificate_key ssl_key/server.key;
    location / {
        root /code;
        index index.html;
    }
}

Redirect users' http requests to https (302 is a temporary redirect that browsers do not cache; once the setup is stable a 301 saves the plaintext hop on repeat visits)

server {
    listen 80;
    server_name s.haoda.com;
    return 302 https://$server_name$request_uri;
}

Prepare the site directory, test the configuration and reload Nginx

[root@web01 conf.d]# mkdir -p /code && echo "123" > /code/index.html
[root@web01 conf.d]# nginx -t && nginx -s reload
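A hardened version of the 2.5 virtual host, added here as an example and not part of the original post. It keeps the page's paths (ssl_key/ under /etc/nginx, site root /code, the s.haoda.com name) and assumes nginx 1.15 or later built against OpenSSL 1.1.1 or later (required for TLSv1.3); the cipher list is the Mozilla "intermediate" set.

```nginx
# Added example (not from the original post): hardened version of the 2.5 vhost.
# Assumes the page's paths (ssl_key/ under /etc/nginx, site root /code) and
# nginx >= 1.15 built against OpenSSL >= 1.1.1 (needed for TLSv1.3).

server {
    listen 80;
    server_name s.haoda.com;
    # 301 is cached by browsers, so repeat visits skip the plaintext hop.
    # $server_name (not $host) so an arbitrary Host header is never reflected
    # into the Location header.
    return 301 https://$server_name$request_uri;
}

server {
    listen 443 ssl;
    server_name s.haoda.com;

    ssl_certificate     ssl_key/server.crt;   # relative to the nginx prefix (/etc/nginx)
    ssl_certificate_key ssl_key/server.key;   # keep this file 0600, owned by root

    # TLS 1.0/1.1 have known weaknesses and are disabled in current browsers.
    ssl_protocols TLSv1.2 TLSv1.3;
    # AEAD suites with ephemeral ECDH only (Mozilla "intermediate" list).
    # With nothing weak on offer the client's preference order is fine.
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers off;

    # Resume sessions from a shared cache rather than tickets: nginx does not
    # rotate its ticket key on its own, so long-lived tickets erode forward secrecy.
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 1d;
    ssl_session_tickets off;

    # HSTS: a browser that has seen this refuses the plaintext hop for a year.
    # Enable only once a browser-trusted certificate is in place (see note below).
    add_header Strict-Transport-Security "max-age=31536000" always;

    location / {
        root /code;
        index index.html;
    }
}
```

Validate with nginx -t before reloading. Do not turn on the Strict-Transport-Security header while the self-signed lab certificate from 2.3 is still in use: once a browser has stored the HSTS policy it no longer offers a click-through for an untrusted certificate, and the site becomes unreachable until the policy expires or is cleared.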

3. HTTPS with an Nginx cluster

Hands-on: Nginx load balancer in front of Nginx web servers, with HTTPS terminated on the load balancer

3.1 Environment

Hostname   Public IP (NAT)   Private IP (LAN)   Role
lb01       10.0.0.5          172.16.1.5         load balancer
web02      10.0.0.8          172.16.1.8         web server
web03      10.0.0.9          172.16.1.9         web server
3.2 Configure web02 and web03 to listen on port 80

[root@web02 conf.d]# cat ssl.conf
server {
    listen 80;
    server_name s.haoda.com;

    location / {
        root /code;
        index index.html;
    }
}

web03 is configured the same way

3.3 Copy the certificate and key to the lb server

[root@lb01 conf.d]# cd ..
[root@lb01 nginx]# scp -rp 172.16.1.9:/etc/nginx/ssl_key ./

lb01 is now the only host that terminates TLS, so it is the only host that needs the private key. Keep server.key readable by root only (mode 0600) and delete the copies left on the web servers once they serve plain HTTP.
3.4 Configure nginx on lb01

[root@lb01 conf.d]# cat proxy_ssl.conf
upstream website {
    server 172.16.1.8:80;
    server 172.16.1.9:80;
}

server {
    listen 443 ssl;
    server_name s.haoda.com;
    ssl_certificate ssl_key/server.crt;
    ssl_certificate_key ssl_key/server.key;
    location / {
        proxy_pass http://website;
        proxy_set_header Host $http_host;
    }
}

server {
    listen 80;
    server_name s.haoda.com;
    return 302 https://$server_name$request_uri;
}
3.5 Check in the browser

4. HTTPS in a real business scenario

4.1 Configure the web servers for the Zhihu clone and the blog, and the lb01 load balancer in front of them

web01

[root@web01 conf.d]# vim ssl.conf

server {
    listen 80;
    server_name blog.drz.com;
    location / {
        root /code/wordpress;
        index index.php index.html;
    }
}

web02

[root@web02 conf.d]# cat ssl.conf
server {
    listen 80;
    server_name zh.drz.com;
    location / {
        root /code/zh;
        index index.php index.html;
    }
}

[root@lb01 nginx]# cat proxy_params
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

proxy_connect_timeout 30;
proxy_send_timeout 60;
proxy_read_timeout 60;

proxy_buffering on;
proxy_buffer_size 32k;
proxy_buffers 4 128k;

[root@lb01 conf.d]# cat proxy_wp.conf
upstream blog {
    server 172.16.1.7:80;
    server 172.16.1.8:80;
}

Redirect users' http requests to https

server {
    listen 80;
    server_name blog.drz.com;
    return 302 https://$server_name$request_uri;
}

server {
    listen 80;
    server_name zh.drz.com;
    return 302 https://$server_name$request_uri;
}

# TLS is enabled with the ssl parameter of listen; the deprecated "ssl on;"
# form used originally was removed in nginx 1.25.1.
server {
    listen 443 ssl;
    server_name blog.drz.com;
    ssl_certificate ssl_key/server.crt;
    ssl_certificate_key ssl_key/server.key;
    location / {
        proxy_pass http://blog;
        include proxy_params;
    }
}

server {
    listen 443 ssl;
    server_name zh.drz.com;
    ssl_certificate ssl_key/server.crt;
    ssl_certificate_key ssl_key/server.key;
    location / {
        proxy_pass http://blog;
        include proxy_params;
    }
}

Reload nginx on the load balancer. Note that both the blog.drz.com and zh.drz.com server blocks proxy to the same upstream, blog, and only the Host header distinguishes them, so every backend in that upstream must host both virtual hosts.

[root@lb01 conf.d]# nginx -s reload
4.2 Check the result in the browser


4.3 Fix the broken pages: configure the web servers for the Zhihu clone and the blog

lb01 terminates HTTPS and forwards plain http to the web servers, so PHP only ever sees an http request and cannot tell which protocol the user actually used. $_SERVER['HTTPS'] stays unset, the application builds http:// URLs for its assets and redirects, and the browser then blocks or breaks them as mixed content.

Configuration that fixes the problem

[root@web01 conf.d]# cat zh.conf
server {
    listen 8866;
    server_name zh.drz.com;
    root /code/zh;
    index index.php index.html;

    location ~ \.php$ {
        root /code/zh;
        fastcgi_pass   127.0.0.1:9000;
        fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
        # tell PHP that the load balancer in front of us speaks https to the client
        fastcgi_param HTTPS on;
        include        fastcgi_params;
    }
}

[root@web02 conf.d]# cat wordpress.conf
server {
    listen 80;
    server_name blog.drz.com;
    root /code/wordpress;
    index index.php index.html;
    client_max_body_size 100m;

    location ~ \.php$ {
        root /code/wordpress;
        fastcgi_pass   127.0.0.1:9000;
        fastcgi_index  index.php;
        fastcgi_param  SCRIPT_FILENAME $document_root$fastcgi_script_name;
        # tell PHP that the load balancer in front of us speaks https to the client
        fastcgi_param HTTPS on;
        include fastcgi_params;
    }
}

Reload nginx on both web servers

[root@web01 conf.d]# nginx -s reload
[root@web02 conf.d]# nginx -s reload

[root@lb01 conf.d]# cat proxy_wp.conf
upstream blog {
    server 172.16.1.7:8866;
    server 172.16.1.8:80;
}

Redirect users' http requests to https (unchanged from 4.1; only the upstream port for web01 changed)

server {
    listen 80;
    server_name blog.drz.com;
    return 302 https://$server_name$request_uri;
}

server {
    listen 80;
    server_name zh.drz.com;
    return 302 https://$server_name$request_uri;
}

# TLS is enabled with the ssl parameter of listen; the deprecated "ssl on;"
# form used originally was removed in nginx 1.25.1.
server {
    listen 443 ssl;
    server_name blog.drz.com;
    ssl_certificate ssl_key/server.crt;
    ssl_certificate_key ssl_key/server.key;
    location / {
        proxy_pass http://blog;
        include proxy_params;
    }
}

server {
    listen 443 ssl;
    server_name zh.drz.com;
    ssl_certificate ssl_key/server.crt;
    ssl_certificate_key ssl_key/server.key;
    location / {
        proxy_pass http://blog;
        include proxy_params;
    }
}
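The fix above labels every request that reaches a backend as HTTPS, whatever path it took, and the backends' ports stay open to any host on 172.16.1.0/24, which could then forge X-Forwarded-For or X-Forwarded-Proto. The following configuration is added here as an example and is not from the original post: lb01 forwards the real scheme in X-Forwarded-Proto, the web server derives HTTPS from that header instead of hardcoding it, and the backend only accepts connections from the load balancer. It assumes the addresses from 3.1 (lb01 = 172.16.1.5) and the blog vhost from 4.3; the zh vhost on port 8866 gets the same treatment with its own root and listen.

```nginx
# Added example (not from the original post): let the backend learn the real
# scheme from lb01 instead of hardcoding `fastcgi_param HTTPS on`.
# Assumes lb01 = 172.16.1.5 (section 3.1) and the blog vhost on the web server.

# ---- lb01: append to /etc/nginx/proxy_params (included by every proxy location) ----
# $scheme is "https" on the 443 listener; the port-80 listener only redirects.
proxy_set_header X-Forwarded-Proto $scheme;

# ---- web01/web02: http {} context, e.g. /etc/nginx/conf.d/forwarded_proto.conf ----
# Turn the header into the value PHP expects in $_SERVER['HTTPS'].
# "off" for anything that is not literally "https", including a missing header.
map $http_x_forwarded_proto $fastcgi_https {
    default off;
    https   on;
}

# ---- web01/web02: the PHP vhost ----
server {
    listen 80;
    server_name blog.drz.com;
    root /code/wordpress;
    index index.php index.html;
    client_max_body_size 100m;

    # Only lb01 may talk to this backend. Anyone else on the LAN who can open
    # this port directly could otherwise forge X-Forwarded-Proto/X-Forwarded-For
    # and have PHP treat a plaintext request as secure.
    allow 172.16.1.5;
    deny  all;

    location ~ \.php$ {
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        # "on" only when the client really reached lb01 over TLS.
        fastcgi_param HTTPS $fastcgi_https;
    }
}
```

Reload both tiers with nginx -t && nginx -s reload. The stock fastcgi_params file already contains fastcgi_param HTTPS $https if_not_empty;, which is empty on a plain-http listener and therefore not sent, so the explicit HTTPS line above is the only one PHP-FPM receives. If you also want the client's real address in the backend logs, do not add set_real_ip_from/real_ip_header to this server block as written: ngx_http_realip_module rewrites $remote_addr before the access phase, so the allow 172.16.1.5 line would start rejecting the load balancer's own requests.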

4.4 Check the result in the browser again

If WordPress was originally installed over http, enabling https afterwards leaves images broken or only partly loaded, because WordPress stores absolute http:// URLs in its database.

Recommendations:
1. Set up https before installing WordPress.
2. In the WordPress admin, go to Settings --> General and change both WordPress Address and Site Address to https://.
3. Note that many WordPress links are written into the database at install time; changing the two addresses does not rewrite URLs already embedded in posts.

4.5 Configure the lb01 load balancer for phpMyAdmin

[root@lb01 conf.d]# cat proxy_php.conf
upstream php {
    server 172.16.1.7:80;
    server 172.16.1.8:80;
}

server {
    listen 80;
    server_name php.haoda.com;
    return 302 https://$server_name$request_uri;
}

server {
    listen 443 ssl;
    server_name php.haoda.com;
    ssl_certificate ssl_key/server.crt;
    ssl_certificate_key ssl_key/server.key;
    location / {
        proxy_pass http://php;
        include proxy_params;
    }
}
4.6 Check the result in the browser

4.7 Configure the phpMyAdmin web server. phpMyAdmin is a database administration interface: in practice restrict who can reach php.haoda.com (allow/deny on lb01, or a VPN) rather than leaving it on the internet behind only its login form.

[root@web01 conf.d]# cat php.conf
server {
    listen 80;
    server_name php.haoda.com;
    root /code/phpMyAdmin-4.9.0.1-all-languages;

    location / {
        index index.php index.html;
    }

    location ~ \.php$ {
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param HTTPS on;
        include fastcgi_params;
    }
}
4.8 Check the result in the browser again


Reposted from www.cnblogs.com/223zhp/p/11435755.html