HTTPS (secure) concepts
1. Confidentiality of data
Data in transit can be observed by a third party at any time.
Solution:
a>
b> symmetric encryption: a shared private key, with public-key encryption used to transmit that key
2. Data integrity
Data in transit must not be modifiable by anyone at will.
Solution:
A signature made with the private/public key pair (asymmetric algorithm) protects the data against modification.
3. Authentication
When communicating for the first time, each side must confirm the identity of the other.
Solution: asymmetric encryption: the private key is kept on the server and the public key is distributed
=== public key certificate (like an ID card)
CA: Certificate Authority
Redirecting HTTP access to HTTPS
Pseudo-static configuration for the website
Step one: create the private key and public key (certificate)
    cd /etc/nginx/
    openssl genrsa -idea -out server.key 2048
        genrsa  --- create a private key of this type
        -idea   --- set a password on the private key file
        -out    --- the private key file to generate
    openssl req -days 36500 -x509 -sha256 -nodes -newkey rsa:2048 -keyout server.key -out server.crt
        req     --- create a certificate file
        -days   --- how long the certificate file is valid (unit: days)
        -x509   --- certificate file format
        -sha256 --- digest algorithm used when generating the certificate
        -nodes  --- do not password-protect the generated private key
        -keyout --- the file the new private key is written to
        -out    --- the generated certificate file
Note: because the second command uses -newkey rsa:2048 -keyout server.key, it generates a fresh key and overwrites the one produced by genrsa, so the password set with -idea is not carried over.
Step two: in the nginx configuration, enable HTTPS and load the private key and certificate
    ssl_certificate ssl_key/server.crt;
    ssl_certificate_key ssl_key/server.key;

    [root@web02 nginx]# cat /etc/nginx/conf.d/www.conf
    server {
        listen 443 ssl;
        server_name www.oldboy.com www.jd.com;
        root /html/www;
        index index.html;
        ssl_certificate server.crt;
        ssl_certificate_key server.key;
    }
Step three: configure the redirect from HTTP access to HTTPS
    server {
        listen 80;
        server_name www.oldboy.com;
        rewrite ^/(.*)$ https://$host/$1 redirect;
    }
    server {
        listen 443 ssl;
        server_name www.oldboy.com www.jd.com;
        root /html/www;
        index index.html;
        ssl_certificate server.crt;
        ssl_certificate_key server.key;
    }
Note: the redirect flag answers with a temporary 302; permanent would answer with a 301.
Implementing HTTPS access through load balancing
Way one: every server in the network is configured with the certificate and private key
    User client ---> LB01 ---> web node www.oldboy.com
    http://www.oldboy.com -> https://www.oldboy.com ---> listen 443 ssl (web node)
    Step one: write the load balancer configuration
    upstream oldboy {
        #server 10.0.0.7:443;
        server 10.0.0.8:443;
        #server 10.0.0.9:80;
    }
    server {
        listen 80;
        server_name localhost;
        rewrite ^/(.*)$ https://$host/$1 redirect;
    }
    server {
        listen 443 ssl;
        server_name localhost;
        ssl_certificate server.crt;
        ssl_certificate_key server.key;
        location / {
            proxy_pass https://oldboy;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $remote_addr;
        }
    }
    Step two: web node configuration
    server {
        listen 443 ssl;
        server_name www.oldboy.com www.jd.com;
        root /html/www;
        index index.html;
        ssl_certificate server.crt;
        ssl_certificate_key server.key;
    }
Way two: only the load balancer is configured with the certificate and private key
    User client ---> LB01 ---> web node www.oldboy.com
    http://www.oldboy.com -> https://www.oldboy.com ---> listen 80 (web node)
    Step one: load balancer configuration
    upstream oldboy {
        #server 10.0.0.7:443;
        server 10.0.0.8:80;
        #server 10.0.0.9:80;
    }
    server {
        listen 80;
        server_name localhost;
        rewrite ^/(.*)$ https://$host/$1 redirect;
    }
    server {
        listen 443 ssl;
        server_name localhost;
        ssl_certificate server.crt;
        ssl_certificate_key server.key;
        location / {
            proxy_pass http://oldboy;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $remote_addr;
        }
    }
    Step two: web node configuration
    server {
        listen 80;
        server_name www.oldboy.com www.jd.com;
        root /html/www;
        index index.html;
    }
Note: in this layout TLS ends at the load balancer; traffic between LB01 and the web nodes is plain HTTP, so it is only acceptable on a trusted internal network.
Accessing a dynamic page (WordPress) over HTTPS
Step one: edit the configuration files
    Modify the load balancer configuration file:
    upstream oldboy {
        #server 10.0.0.7:443;
        server 10.0.0.8:443;
        #server 10.0.0.9:80;
    }
    server {
        listen 80;
        server_name localhost;
        rewrite ^/(.*)$ https://$host/$1 redirect;
    }
    server {
        listen 443 ssl;
        server_name localhost;
        ssl_certificate server.crt;
        ssl_certificate_key server.key;
        location / {
            proxy_pass https://oldboy;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $remote_addr;
        }
    }
    Web server configuration:
    server {
        listen 443 ssl;
        server_name blog.oldboy.com blog.oldgirl.com;
        ssl_certificate server.crt;
        ssl_certificate_key server.key;
        location / {
            root /html/blog;
            index index.php index.html;
        }
        location ~ \.php$ {
            root /html/blog;
            fastcgi_pass 127.0.0.1:9000;
            fastcgi_index index.php;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            fastcgi_param HTTPS on;
            include fastcgi_params;
        }
    }
Step two: modify the WordPress settings
    Change the site address to https://blog.oldboy.com
Step three: restart the nginx program
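As an added example (not part of these notes), a small Python check that walks nginx server blocks for the points the steps above depend on: ssl listeners without a certificate or key line, port-80 servers without the https:// rewrite, TLS ending at the load balancer with a plaintext proxy_pass to the backend (way two), and PHP locations missing fastcgi_param HTTPS on. The config text is constructed here and the parser is a simplification (no quoted values).

```python
import re
# Constructed sample (not from the page): the notes' second LB layout (TLS ends at the LB,
# plain HTTP to the web node), a web node with two slips, and a port-80 vhost with no redirect.
SAMPLE = r"""
server { listen 80; server_name localhost; rewrite ^/(.*)$ https://$host/$1 redirect; }
server { listen 443 ssl; server_name localhost; ssl_certificate server.crt; ssl_certificate_key server.key;
         location / { proxy_pass http://oldboy; proxy_set_header Host $host; } }
server { listen 443 ssl; server_name blog.oldboy.com; ssl_certificate server.crt;   # key line forgotten
         location ~ \.php$ { root /html/blog; fastcgi_pass 127.0.0.1:9000; include fastcgi_params; } }
server { listen 80; server_name www.oldboy.com; root /html/www; }
"""
def parse(text):
    """Minimal nginx parser -> [(directive, args, children or None)]; strips comments, no quoting."""
    tokens = re.findall(r"[{};]|[^\s{};]+", re.sub(r"#[^\n]*", "", text))
    def block(i):
        items, cur = [], []
        while i < len(tokens):
            tok = tokens[i]; i += 1
            if tok == ";" and cur:                      # simple directive
                items.append((cur[0], cur[1:], None)); cur = []
            elif tok == "{":                            # block directive, recurse
                kids, i = block(i)
                items.append((cur[0], cur[1:], kids)); cur = []
            elif tok == "}":
                break
            elif tok != ";":
                cur.append(tok)
        return items, i
    return block(0)[0]
def audit(text):
    """One finding per HTTPS slip in a server block; an empty list means the config is consistent."""
    findings = []
    for name, _, kids in [s for s in parse(text) if s[0] == "server" and s[2]]:
        label = "server " + next((a[0] for n, a, _ in kids if n == "server_name"), "?")
        is_ssl = any(n == "listen" and "ssl" in a for n, a, _ in kids)
        if is_ssl:
            for d in ("ssl_certificate", "ssl_certificate_key"):
                if d not in {n for n, _, _ in kids}:
                    findings.append(f"{label}: listens with ssl but has no {d}")
        elif not any(n in ("rewrite", "return") and "https://" in " ".join(a) for n, a, _ in kids):
            findings.append(f"{label}: plain HTTP server with no redirect to https://")
        for n, _, loc in kids:
            if n != "location" or loc is None or not is_ssl:
                continue
            sub = {sn: sa for sn, sa, _ in loc}
            if sub.get("proxy_pass", [""])[0].startswith("http://"):
                findings.append(f"{label}: TLS ends here; proxy_pass {sub['proxy_pass'][0]} is plaintext to the backend")
            if "fastcgi_pass" in sub and ["HTTPS", "on"] not in [sa[:2] for sn, sa, _ in loc if sn == "fastcgi_param"]:
                findings.append(f"{label}: PHP location lacks 'fastcgi_param HTTPS on' (WordPress would see plain HTTP)")
    return findings
```

Run audit() on the text of /etc/nginx/conf.d/*.conf before reloading; the constructed SAMPLE above yields four findings.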