Generate and configure https certificates

     I have been working on a WeChat mini program recently, and calling its backend API from the mini program requires requests over https. The mini program platform requires this because http transmits data in clear text; for data security, https must be used.

    To upgrade a plain http site to https you need to configure SSL/TLS and the certificate it uses. For Apache httpd these are provided by the dedicated mod_ssl module.

    yum -y install mod_ssl #Install mod_ssl module

 After installation the package adjusts httpd's configuration: it loads the module (LoadModule ssl_module modules/mod_ssl.so) and, in the sub-configuration file /etc/httpd/conf.d/ssl.conf, opens port 443 and points httpd at a certificate. The package's install scripts also generate a private key, /etc/pki/tls/private/localhost.key, and a certificate, /etc/pki/tls/certs/localhost.crt, so the site is reachable over https straight away. That certificate is self-signed, however, so it does not chain to any CA the browser trusts, and its subject is the machine's hostname rather than the site's domain name; the browser therefore still warns. To serve https without warnings you need to apply to a CA and install the certificate the CA issues for your domain. (Reference: https://www.cnblogs.com/54db/p/7635254.html)

     Since the default certificate is unusable, you have to obtain one yourself. There is plenty of material online; the development documentation of the WeChat public platform, for example, walks through the steps: https://pay.weixin.qq.com/wiki/doc/api/jsapi.php?chapter=10_4. Its instructions are very detailed, but the critical one is step 3: submit the generated CSR file to a third-party certificate authority to apply for a server certificate for the corresponding domain name, and keep the private key file safe so it is not lost. When I got to this step I learned that there are many CAs, and the document does not say how to choose or deal with one, so I looked into which ones exist. This Zhihu thread has more detail: https://www.zhihu.com/question/19578422. Having read it, I think Let's Encrypt is a good fit, mainly because it is free, so I tried it.

Note: the domain name test.example.com used below is a placeholder, not a real domain name; readers should substitute their own. (Reference: https://www.cnblogs.com/mawang/p/6758728.html)

Environment Description:

CentOS 7
nginx 1.12

Preliminary preparation

Software Installation

yum install -y epel-release
yum install -y certbot

Create directories and links

Method 1: create a .well-known directory under the site's document root.
Method 2: for the default nginx document root, run:
mkdir -p /usr/share/nginx/html/.well-known

Configure nginx (the port 80 server block; Let's Encrypt validates the domain by fetching a file from this site over plain http)
    server {
        listen       80 default_server;
        server_name  test.example.com;
        index        index.html index.htm index.php;
        root         /usr/share/nginx/html;

        include /etc/nginx/default.d/*.conf;
        location / {
        }

        error_page 404 /404.html;
        location = /404.html {
        }

        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
        }
    }

Execute the command to generate a certificate

certbot certonly --webroot -w /usr/share/nginx/html -d test.example.com

Follow the prompts; normally the certificate files are generated without problems.
They are stored in /etc/letsencrypt/live/test.example.com/ (as symlinks to the current versions kept under /etc/letsencrypt/archive/), four files in all:
cert.pem       the server certificate on its own
chain.pem      the intermediate certificate(s) of the issuing CA
fullchain.pem  cert.pem followed by chain.pem; this is the file to hand to nginx
privkey.pem    the private key; it must stay readable by root only
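Before wiring these files into nginx it is worth checking what certbot actually produced: that the certificate names the domain, that privkey.pem belongs to it, and that it is not about to expire. The script below is an added example and is not part of the original post or of certbot; it uses only the openssl command line, and the certbot paths and the placeholder domain in the usage comment are assumptions taken from the post.

```sh
#!/bin/sh
# Added example (not from the original post or certbot): sanity-check the files
# certbot wrote before pointing nginx at them. Only the openssl CLI is used.

# check_cert_pair CERT KEY DOMAIN [MIN_DAYS]
# Exit status 0 when all three checks pass:
#   1. the leaf certificate in CERT lists DOMAIN as a DNS subjectAltName,
#   2. KEY is the private key belonging to that certificate,
#   3. the certificate stays valid for more than MIN_DAYS days (default 30,
#      the threshold below which "certbot renew" actually renews).
check_cert_pair() {
    cert=$1; key=$2; domain=$3; min_days=${4:-30}
    status=0

    # 1. Browsers match the host name against the SAN list, not the CN, so the
    #    exact name must appear there. Dots are escaped for a literal match.
    pat=$(printf '%s' "$domain" | sed 's/\./\\./g')
    if openssl x509 -in "$cert" -noout -text 2>/dev/null \
         | grep -Eq "DNS:${pat}(,|[[:space:]]|\$)"; then
        echo "ok   SAN contains $domain"
    else
        echo "FAIL SAN does not contain $domain"; status=1
    fi

    # 2. Compare the public key embedded in the certificate with the one
    #    derived from the private key; a mismatch makes nginx refuse to start.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null || true)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null || true)
    if [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]; then
        echo "ok   private key matches certificate"
    else
        echo "FAIL private key does not match certificate"; status=1
    fi

    # 3. -checkend N exits 0 only if the certificate is still valid N seconds
    #    from now.
    if openssl x509 -in "$cert" -noout -checkend $((min_days * 86400)) >/dev/null 2>&1; then
        echo "ok   valid for more than $min_days days"
    else
        echo "FAIL expires within $min_days days (or already expired)"; status=1
    fi
    return $status
}

# Usage: sh check_cert.sh CERT KEY DOMAIN [MIN_DAYS], e.g. with certbot's paths
# (assumed from the post):
#   sh check_cert.sh /etc/letsencrypt/live/test.example.com/fullchain.pem \
#                    /etc/letsencrypt/live/test.example.com/privkey.pem test.example.com
[ "$#" -eq 0 ] || check_cert_pair "$@"
```

Once nginx is serving the certificate, the same kind of check can be run against the live site rather than the files: openssl s_client -connect test.example.com:443 -servername test.example.com </dev/null | openssl x509 -noout -subject -dates shows the certificate the server actually sent, which catches a stale reload after renewal.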

Configure nginx for port 443

server {
    listen  443 ssl http2;
    server_name test.example.com;
    index index.html index.htm index.php;
    root /usr/share/nginx/html;

    ssl_certificate     /etc/letsencrypt/live/test.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/test.example.com/privkey.pem;
    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
    # TLSv1 and TLSv1.1 are deprecated (RFC 8996); allow only TLSv1.2.
    # nginx 1.12 cannot negotiate TLSv1.3, so nothing newer can be listed here.
    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    access_log off;
}
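With the two server blocks above, the site is still served in clear text on port 80, which is exactly what the mini program's https requirement is meant to avoid. The block below is an added example, not part of the original post: it replaces the port 80 block with one that keeps only the ACME challenge path reachable over http (so certbot's webroot renewal keeps working) and redirects every other request to https. It assumes the same document root and placeholder domain as the post.

```nginx
server {
    listen       80 default_server;
    server_name  test.example.com;
    root         /usr/share/nginx/html;

    # Let's Encrypt's HTTP-01 validation fetches
    # http://test.example.com/.well-known/acme-challenge/<token>; certbot
    # --webroot writes the token under the directory given with -w, so this
    # path must stay available over plain http and must not be redirected.
    location ^~ /.well-known/acme-challenge/ {
    }

    # Everything else is sent to the https site.
    location / {
        return 301 https://$host$request_uri;
    }
}
```

Once the redirect is in place and confirmed working, the port 443 block can additionally send an HSTS header (add_header Strict-Transport-Security "max-age=31536000" always;) so that browsers that have visited once no longer try http at all; do this only after the https site is known to be stable, because the header is cached by clients.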

Automatic renewal


crontab -e # add the following scheduled task
10 6 * * *  /bin/certbot renew --quiet >/dev/null 2>&1
Let's Encrypt certificates are valid for 90 days. The command above only actually renews a certificate when it has less than 30 days of validity left; otherwise it exits without doing anything. nginx reads the certificate files when it starts, so after a real renewal it must be reloaded (systemctl reload nginx), for example through certbot's --deploy-hook option, or it will keep serving the old certificate until it expires.

Test https

Open https://test.example.com in a browser to verify that the page loads with no certificate warning and that the padlock shows a certificate issued by Let's Encrypt for your domain.
