LNMP: configuring SSL in Nginx

SSL workflow:
1: The browser sends an https request to the server. The server must hold a digital certificate. You can make your own (the certificate used in the procedure below is self-generated, following Ah Ming's course) or apply to a certificate authority for one; the difference is that a self-issued certificate has to be validated (accepted) on the client side before access can continue, while a trusted certificate does not produce the warning page. The certificate is really a public key plus a private key.
2: The server sends the public key to the client.
3: The client (the browser) receives the public key and checks whether it is valid. If it is invalid, a warning is shown; if it is valid, the client generates a random string and encrypts it with the public key it received.
4: The client sends the encrypted random string to the server.
5: The server receives the encrypted random string and decrypts it with its private key (what the public key encrypts, the private key decrypts), obtaining the random string. From then on the data to be transmitted is encrypted with this random string (this is symmetric encryption: the data and the secret random string are mixed together by some algorithm, so without knowing the secret the data content cannot be recovered).
6: The server sends the encrypted data to the client.
7: The client receives the data and decrypts it with the random string it generated earlier.

Part 1: The experiment
 
Before configuring SSL, check whether nginx was built with the --with-http_ssl_module module; if it was not, recompile nginx with that module (see the nginx compile-and-install document for the exact steps). The openssl commands below also require the openssl package to be installed!!
 
 
1: Generate a private key
[root@proxy conf ~]# openssl genrsa -des3 -out tmp.key 2048
 
2: Convert the private key, remove the password
[root@proxy conf ~]# openssl rsa -in tmp.key -out test.key
 
3: Delete the original private key file
[root@proxy conf ~]# rm -f tmp.key
 
4: Generate the certificate request (CSR) file; this file together with the private key is needed to produce the public-key (certificate) file
[root@proxy conf ~]# openssl req -new -key test.key -out test.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CA
State or Province Name (full name) []:CA
Locality Name (eg, city) [Default City]:CA
Organization Name (eg, company) [Default Company Ltd]:CA
Organizational Unit Name (eg, section) []:CA
Common Name (eg, your name or your server's hostname) []:test
Email Address []:CA
 
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
 
 
5: Sign the certificate yourself (self-signed certificate)
[root@proxy conf ~]# openssl x509 -req -days 365 -in test.csr -signkey test.key -out test.crt
Signature ok
subject=/C=CA/ST=CA/L=CA/O=CA/OU=CA/CN=test/emailAddress=CA
Getting Private key
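The prerequisite check and steps 1 to 5 above, as one non-interactive script. This is an added example and not part of the original post: it takes the "nginx -V" output as a string so the SSL-module check can be tested, replaces the interactive DN prompts with -subj, and finishes with the two checks worth doing before nginx is pointed at the files (that the certificate and key share the same RSA modulus, and what CN the certificate carries). The DN values, the placeholder passphrase and the directory layout are assumptions.

```shell
#!/bin/sh
# Added example (not the post's own code): steps 1-5 as a script, plus
# the checks a practitioner wants before restarting nginx.
# Assumes the openssl command-line tool is installed. The DN values and
# the passphrase "placeholder" are placeholders.
set -e

# Does the text of "nginx -V 2>&1" (passed in as $1) list the SSL module?
# Returns 0 if --with-http_ssl_module is present, 1 otherwise.
nginx_has_ssl_module() {
    printf '%s\n' "$1" | grep -q -- '--with-http_ssl_module'
}

# Steps 1-5 of the post, in directory $1, with common name $2.
# Leaves $1/test.key (passphrase removed), $1/test.csr and $1/test.crt
# (self-signed, 365 days); tmp.key is deleted as in step 3.
make_selfsigned_cert() {
    dir=$1; cn=$2
    # 1: passphrase-protected private key (-passout avoids the prompt)
    openssl genrsa -des3 -passout pass:placeholder -out "$dir/tmp.key" 2048 2>/dev/null
    # 2: convert the key, stripping the passphrase (nginx cannot type one at startup)
    openssl rsa -in "$dir/tmp.key" -passin pass:placeholder -out "$dir/test.key" 2>/dev/null
    # 3: delete the original, encrypted key
    rm -f "$dir/tmp.key"
    # 4: certificate request; -subj replaces the interactive DN questions
    openssl req -new -key "$dir/test.key" -out "$dir/test.csr" \
        -subj "/C=CA/ST=CA/L=CA/O=CA/OU=CA/CN=$cn"
    # 5: self-sign the request with the same private key
    openssl x509 -req -days 365 -in "$dir/test.csr" -signkey "$dir/test.key" \
        -out "$dir/test.crt" 2>/dev/null
}

# Prints "match" when the certificate ($1) and the private key ($2) share
# the same RSA modulus, "mismatch" otherwise. A mismatch is what nginx
# refuses at startup as a certificate/key mismatch.
cert_key_match() {
    crt_mod=$(openssl x509 -noout -modulus -in "$1")
    key_mod=$(openssl rsa -noout -modulus -in "$2" 2>/dev/null)
    if [ "$crt_mod" = "$key_mod" ]; then echo match; else echo mismatch; fi
}

# Prints the certificate's subject CN, to compare against server_name.
cert_cn() {
    openssl x509 -noout -subject -in "$1" | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# Stand-alone demo in a temporary directory.
demo_dir=$(mktemp -d)
make_selfsigned_cert "$demo_dir" www.test.com
echo "certificate/key check: $(cert_key_match "$demo_dir/test.crt" "$demo_dir/test.key")"
echo "certificate CN: $(cert_cn "$demo_dir/test.crt")"
openssl x509 -noout -enddate -in "$demo_dir/test.crt"
rm -rf "$demo_dir"
```

The CN printed at the end is what browsers compare against the host name in the URL; with a self-signed certificate the browser still warns about the unknown issuer, but a CN that does not match server_name adds a second, avoidable warning.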
 
 
 
6: After the files are generated, edit the nginx configuration file
[root@proxy vhosts ~]# vim test.conf
server
{
    listen 443;                       ## listen on port 443 for https
    server_name www.test.com;
    index index.html index.php;
    ssl on;                           ## on enables SSL, off disables it (deprecated since nginx 1.15.0; "listen 443 ssl" is the current form)
    ssl_certificate test.crt;         ## name of the certificate file
    ssl_certificate_key test.key;     ## name of the private key file
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    location / {
        proxy_pass http://192.168.1.10:8088;   ## one "//" after the scheme, not "///"
        proxy_set_header Host $host;           ## nginx variables are case-sensitive; $proxy_Host does not exist
    }
}
Note: with the configuration above, only https access works. To allow both http and https access, remove the "ssl on" line and add "ssl" after "listen 443". The two must be written as separate server blocks; putting them in one server block causes problems. The configuration is as follows:
server {
    listen 80;
    server_name www.test.com;
    access_log /data/nginx_log/test-access.log;
    error_log /data/nginx_log/test-error.log;
    rewrite ^(.*)$ https://www.test.com$1 permanent;   ## permanent redirect: every http request is forced to https ($1 already begins with "/")
    location / {                                        ## never reached: the rewrite above answers first
        proxy_pass http://192.168.1.10:8088;
        proxy_set_header Host $host;
    }
}

server {
    listen 443 ssl;
    server_name www.test.com;
    ssl_certificate test.crt;
    ssl_certificate_key test.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    location / {
        proxy_pass http://192.168.1.10:8088;
        proxy_set_header Host $host;
    }
}
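A small lint for the vhost pitfalls discussed in step 6 and in the note above, as an added example that is not part of the original post. It runs awk over a config file and reports "ssl on", a triple slash in proxy_pass, the undefined $proxy_Host variable, a rewrite target ending in "/$1" (double slash), and TLSv1/TLSv1.1 in ssl_protocols. The sample config it checks is constructed from the post's original snippets, mistakes included; the file names are assumptions.

```shell
#!/bin/sh
# Added example (not the post's own code): a lint for the nginx vhost
# mistakes discussed above. Prints one "LINE: message" per finding.
set -e

lint_nginx_conf() {
    # $1 = path of the nginx config file to inspect
    awk '
    /^[ \t]*ssl[ \t]+on[ \t]*;/ {
        print NR ": \"ssl on\" is deprecated; use \"listen 443 ssl\" in its own server block" }
    /proxy_pass[ \t]+http:\/\/\// {
        print NR ": proxy_pass has three slashes after http:" }
    /\$proxy_Host/ {
        print NR ": proxy_Host is not an nginx variable (names are case-sensitive); use $host" }
    /rewrite[ \t]+\^\(\.\*\)\$[ \t]+https?:\/\/[^ \t]*\/\$1/ {
        print NR ": rewrite target ends in /$1 but $1 already starts with /, giving a double slash" }
    /^[ \t]*ssl_protocols/ && /TLSv1(\.1)?[ \t;]/ {
        print NR ": ssl_protocols enables TLSv1 and/or TLSv1.1, which are deprecated" }
    ' "$1"
}

# Number of findings for file $1 (0 when the config is clean).
lint_count() {
    lint_nginx_conf "$1" | wc -l | tr -d ' '
}

# Constructed sample: the post's two server blocks with their original mistakes.
write_sample_conf() {
    cat > "$1" <<'EOF'
server {
listen 80;
server_name www.test.com;
rewrite ^(.*)$ https://www.test.com/$1 permanent;
location /{
proxy_pass http:///192.168.1.10:8088;
proxy_set_header Host $proxy_Host;
}
}
server
{
listen 443;
server_name www.test.com;
ssl on;
ssl_certificate test.crt;
ssl_certificate_key test.key;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
location /{
proxy_pass http:///192.168.1.10:8088;
proxy_set_header Host $proxy_Host;
}
}
EOF
}

# Stand-alone demo: lint the constructed sample and report the count.
demo=$(mktemp -d)
write_sample_conf "$demo/test.conf"
lint_nginx_conf "$demo/test.conf"
echo "findings: $(lint_count "$demo/test.conf")"
rm -rf "$demo"
```

Run it as "lint_nginx_conf /usr/local/nginx/conf/vhosts/test.conf" (path assumed) before "nginx -t": nginx -t catches the undefined variable and the certificate/key problems, but it accepts the triple slash and the double-slash redirect without complaint, so those only show up as broken requests.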

Origin: www.cnblogs.com/douyi/p/11600719.html