Integrated network security access architecture

HTTPS concepts (secure HTTP)

1. Data confidentiality

Data in transit may be read by a third party at any time.

Solution:

a>

b> symmetric encryption: private key and public transmission

2. Data integrity

Data in transit must not be freely modifiable by anyone.

Solution:

Symmetric encryption algorithm; protect the data with a public/private key signature.

3. Authentication

On the first communication, both parties must confirm that the other's identity is genuine.

Solution: asymmetric encryption algorithm; the private key is kept on the server and the public key is distributed.

=== public key certificate (the server's "ID card")

CA: Certificate Authority

Redirecting HTTP access to HTTPS

Pseudo-static website configuration

Step 1: create the private key and the public key (certificate)

    cd /etc/nginx/
    openssl genrsa -idea -out server.key 2048
    genrsa    --- the type of private key to create
    -idea     --- protect the private key file with a password (IDEA cipher)
    -out      --- the private key file to generate

    openssl req -days 36500 -x509 -sha256 -nodes -newkey rsa:2048 -keyout server.key -out server.crt
    req        --- create a certificate (request) file
    -days      --- how long the certificate is valid (the default is 30 days)
    -x509      --- output a self-signed X.509 certificate instead of a request
    -sha256    --- the digest algorithm used to sign the certificate
    -nodes     --- do not protect the generated private key with a password
    -keyout    --- file the newly generated private key is written to (with -newkey this overwrites the key created by genrsa above)
    -out       --- the generated certificate file
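The key and certificate creation above, as an added example that is not part of the original post: it generates the pair the way the second command does (in a scratch directory rather than /etc/nginx, and with -subj so it runs without prompts), then performs the checks an operator should run before pointing ssl_certificate and ssl_certificate_key at the files: that the private key really belongs to the certificate, that the certificate is not about to expire, and that its CN matches the intended server_name. WORKDIR and the CN www.oldboy.com are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): build the key/cert pair the way the
# post does, then verify it before handing it to nginx.
# Assumptions: WORKDIR is a writable scratch directory, the CN is www.oldboy.com.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
KEY="$WORKDIR/server.key"
CRT="$WORKDIR/server.crt"

# Generate an unencrypted 2048-bit RSA key and a self-signed certificate in one step.
# -nodes leaves the key unencrypted so nginx can start unattended; -subj avoids prompts.
make_selfsigned_cert() {
    days="$1"; cn="$2"
    openssl req -x509 -days "$days" -sha256 -nodes -newkey rsa:2048 \
        -keyout "$KEY" -out "$CRT" -subj "/CN=$cn" 2>/dev/null
    chmod 600 "$KEY"   # the private key must not be readable by other users
}

# Return 0 if the private key belongs to the certificate (identical RSA modulus).
key_matches_cert() {
    k=$(openssl rsa -noout -modulus -in "$KEY" 2>/dev/null)
    c=$(openssl x509 -noout -modulus -in "$CRT")
    [ "$k" = "$c" ]
}

# Return 0 if the certificate is still valid N seconds from now (non-zero if it
# expires within that window), so expiry can be caught before clients see it.
cert_valid_for() {
    openssl x509 -noout -checkend "$1" -in "$CRT" >/dev/null
}

# Print the subject CN so it can be compared with the nginx server_name.
# Handles both "subject=CN = x" (OpenSSL 1.1+/3) and "subject= /CN=x" (older) output.
cert_cn() {
    openssl x509 -noout -subject -in "$CRT" | sed 's/.*CN *= *//'
}

# Usage: a one-year certificate for the vhost, followed by the checks.
make_selfsigned_cert 365 www.oldboy.com
key_matches_cert && cert_valid_for 86400 \
    && echo "OK: key/cert pair for $(cert_cn) verified in $WORKDIR"
```

Browsers match the hostname against the subjectAltName extension rather than the CN, so on OpenSSL 1.1.1 or newer add -addext "subjectAltName=DNS:www.oldboy.com" to the req command. A self-signed certificate like this is only trusted by clients that have been given server.crt explicitly; for a public site, obtain the certificate from a CA instead.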

 

 

 

 

Step 2: in the nginx configuration, write a server block that enables HTTPS and loads the private key and certificate

    ssl_certificate        ssl_key/server.crt;
    ssl_certificate_key    ssl_key/server.key;
    
    [root@web02 nginx]# cat /etc/nginx/conf.d/www.conf 
    server {
       listen            443 ssl;
       server_name       www.oldboy.com www.jd.com;
       root              /html/www;
       index             index.html;
       ssl_certificate      server.crt;
       ssl_certificate_key    server.key;
    }

Step 3: configure the redirect from HTTP to HTTPS

    server {
       listen            80;
       server_name       www.oldboy.com;
       rewrite  ^/(.*)$  https://$host/$1 redirect;
    }
    server {
       listen            443 ssl;
       server_name       www.oldboy.com www.jd.com;
       root              /html/www;
       index             index.html;
       ssl_certificate      server.crt;
       ssl_certificate_key    server.key;
    }

Achieving HTTPS access through a load balancer

Way one: every server in the network is configured with the certificate and private key (TLS end to end)

    User client  --->  LB01  --->  Web node
    www.oldboy.com     http://www.oldboy.com
                       https://www.oldboy.com  --->  listen 443 ssl
    
    Step 1: write the load balancer configuration file
    upstream oldboy {
      #server 10.0.0.7:443;
      server 10.0.0.8:443;
      #server 10.0.0.9:80;
    }    
    server {
        listen        80;
        server_name   localhost;
        rewrite  ^/(.*)$  https://$host/$1 redirect;
    }
    server {
        listen        443 ssl;
        server_name   localhost;
        ssl_certificate      server.crt;
        ssl_certificate_key  server.key;
        location / {
            proxy_pass  https://oldboy;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $remote_addr;
        }
    }
    
    Step 2: web node configuration
    server {
       listen            443 ssl;
       server_name       www.oldboy.com www.jd.com;
       root              /html/www;
       index             index.html;
       ssl_certificate      server.crt;
       ssl_certificate_key    server.key;
    }

Way two: only the load balancer is configured with the certificate and private key (TLS terminated at the LB)

    User client  --->  LB01  --->  Web node
    www.oldboy.com     http://www.oldboy.com
                       https://www.oldboy.com  --->  listen 80

    Step 1: load balancer configuration
    upstream oldboy {
      #server 10.0.0.7:443;
      server 10.0.0.8:80;
      #server 10.0.0.9:80;
    }    
    server {
        listen        80;
        server_name   localhost;
        rewrite  ^/(.*)$  https://$host/$1 redirect;
    }
    server {
        listen        443 ssl;
        server_name   localhost;
        ssl_certificate      server.crt;
        ssl_certificate_key  server.key;
        location / {
            proxy_pass  http://oldboy;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $remote_addr;
        }
    }
    
    Step 2: web node configuration
    server {
       listen            80;
       server_name       www.oldboy.com www.jd.com;
       root              /html/www;
       index             index.html;
    }

Using HTTPS to access a dynamic page (WordPress)

    Step 1: edit the configuration files
    Modify the load balancer configuration file:
    upstream oldboy {
        #server 10.0.0.7:443;
        server 10.0.0.8:443;
        #server 10.0.0.9:80;
    }
    server {
          listen        80;
          server_name   localhost;
          rewrite  ^/(.*)$  https://$host/$1 redirect;
    }
    server {
          listen        443 ssl;
          server_name   localhost;
          ssl_certificate       server.crt;
          ssl_certificate_key   server.key;
          location / {
             proxy_pass  https://oldboy;
             proxy_set_header Host $host;
             proxy_set_header X-Forwarded-For $remote_addr;
          }
     }
    
    Web server configuration:
    server {
      listen       443 ssl;
      server_name   blog.oldboy.com blog.oldgirl.com;
      ssl_certificate       server.crt;
      ssl_certificate_key   server.key;
      location / {
          root         /html/blog;
          index        index.php index.html;
      }
      location ~ \.php$ {
          root /html/blog;
          fastcgi_pass  127.0.0.1:9000;
          fastcgi_index index.php;
          fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
          fastcgi_param HTTPS on;
          include fastcgi_params;
      }
    }
    
    Step 2: change the WordPress site address in the admin backend
    Set the address to https://blog.oldboy.com

    Step 3: restart nginx
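A pre-deploy check for the two load-balancer layouts and the WordPress configuration above, added here as an example that is not part of the original post. It lints an nginx configuration file for two things an operator should confirm: that every server block listening on port 80 redirects to https://, and that when the balancer terminates TLS and forwards over plain HTTP (proxy_pass http://..., the second way), it also sets X-Forwarded-Proto so the backend can tell the client used HTTPS; without that, a web node on port 80 cannot set fastcgi_param HTTPS on correctly and WordPress will treat requests as plain HTTP. The sample configuration files are constructed for the demo and the temporary paths are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): lint nginx configs for an HTTP->HTTPS
# redirect and for scheme forwarding when TLS is terminated at the balancer.
# Sample configs below are constructed for the demo; TMP is an assumed scratch dir.
set -eu

# Return 0 if some server block with "listen 80;" redirects (rewrite/return) to https://.
has_https_redirect() {
    awk '
    /server[ \t]*[{]/ { inblock = 1; is80 = 0; redir = 0; depth = 0 }
    inblock {
        if ($0 ~ /listen[ \t]+80;/) is80 = 1
        if ($0 ~ /(rewrite|return)[^;]*https:\/\//) redir = 1
        depth += gsub(/[{]/, "{") - gsub(/[}]/, "}")   # track nested location {} blocks
        if (depth == 0) { if (is80 && redir) found = 1; inblock = 0 }
    }
    END { exit (found ? 0 : 1) }' "$1"
}

# Return 0 if the config never proxies to a plain-HTTP backend (TLS end to end),
# or if it does so while passing X-Forwarded-Proto to the backend.
forwards_scheme_to_backend() {
    grep -q 'proxy_pass[ \t]*http://' "$1" || return 0
    grep -q 'proxy_set_header[ \t]*X-Forwarded-Proto' "$1"
}

TMP=$(mktemp -d)

# Constructed sample 1: the post's "second way" balancer, which forwards to the web
# node over plain HTTP but does not tell it the original scheme.
cat > "$TMP/lb-missing.conf" <<'EOF'
upstream oldboy { server 10.0.0.8:80; }
server {
    listen        80;
    server_name   localhost;
    rewrite  ^/(.*)$  https://$host/$1 redirect;
}
server {
    listen        443 ssl;
    server_name   localhost;
    ssl_certificate      server.crt;
    ssl_certificate_key  server.key;
    location / {
        proxy_pass  http://oldboy;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $remote_addr;
    }
}
EOF

# Constructed sample 2: same layout with the scheme forwarded and a permanent redirect.
cat > "$TMP/lb-fixed.conf" <<'EOF'
upstream oldboy { server 10.0.0.8:80; }
server {
    listen 80;
    return 301 https://$host$request_uri;
}
server {
    listen 443 ssl;
    ssl_certificate      server.crt;
    ssl_certificate_key  server.key;
    location / {
        proxy_pass http://oldboy;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
EOF

# Constructed sample 3: the plain-HTTP web node from the second way; it has no
# redirect of its own (the balancer is expected to do that) and no proxy_pass.
cat > "$TMP/web-node.conf" <<'EOF'
server {
    listen            80;
    server_name       www.oldboy.com www.jd.com;
    root              /html/www;
    index             index.html;
}
EOF

# Usage: run both checks on each sample and report.
for f in "$TMP"/*.conf; do
    r=FAIL; has_https_redirect "$f" && r=ok
    s=FAIL; forwards_scheme_to_backend "$f" && s=ok
    echo "$(basename "$f"): http->https redirect=$r, scheme forwarded to backend=$s"
done
```

On the web node, the forwarded header is what lets PHP see HTTPS: map $http_x_forwarded_proto to a variable and pass it as fastcgi_param HTTPS instead of hard-coding on, so the same vhost behaves correctly whether TLS ends at the balancer or at the node.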

 

 


Source: www.cnblogs.com/zhanghongqi/p/11896540.html