Setting up an HTTPS service

Setting up HTTPS

Generate an SSL certificate on the server
Original source: https://www.cnblogs.com/clsn/p/7793682.html

1. Install the software
yum install -y openssl openssl-devel

2. Generate the certificate

[root@lb01 backup]#  openssl req -new -x509 -nodes -out server.crt -keyout server.key
 
 Generating a 2048 bit RSA private key
 ......................................................+++
 ...................................+++
 
 writing new private key to 'server.key'
 -----
 You are about to be asked to enter information that will be incorporated
 into your certificate request.
 What you are about to enter is what is called a Distinguished Name or a DN.
 There are quite a few fields but you can leave some blank
 For some fields there will be a default value,
 If you enter '.', the field will be left blank.
 -----
 Country Name (2 letter code) [XX]:CH        # country name
 State or Province Name (full name) []:bj       # province
 Locality Name (eg, city) [Default City]:bj     # city
 Organization Name (eg, company) [Default Company Ltd]:ZNIX   # organization name
 Organizational Unit Name (eg, section) []:ZNIX   # organizational unit name
 Common Name (eg, your name or your server's hostname) []:ZNIX  # server name
 Email Address []:ADMIN@ZNIX.TOP    # e-mail address

Check the generated certificate

 [root@lb01 backup]# ls
 server.crt  server.key

The generated key files (note that server.key is created with mode 644, readable by every local user; restrict it to 600 before nginx uses it)

 [root@lb01 backup]# ll
 total 8
 -rw-r--r-- 1 root root 1375 Nov  6 14:07 server.crt
 -rw-r--r-- 1 root root 1704 Nov  6 14:07 server.key

3. Create a directory
Push the generated certificate and key into /etc/nginx/ssl_key

mkdir -p /etc/nginx/ssl_key

Remove the passphrase (the key above was generated with -nodes, so it is already unencrypted; this command only strips a passphrase if one was set)

openssl rsa -in server.key -out server.key
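As an added example (not code from the original post or its source), the same certificate generation done non-interactively, followed by the checks worth running on the files from steps 2 and 3 before nginx is pointed at them: key matches certificate, a SAN covers every vhost name used in the nginx configuration, the key is owner-only and carries no passphrase. It assumes OpenSSL 1.1.1 or newer; WORKDIR is a constructed scratch path.

```shell
#!/bin/sh
# Added example, not code from the original post. Generates the self-signed
# certificate non-interactively and checks it before nginx is configured.
# Assumes OpenSSL >= 1.1.1 (-addext, -ext). WORKDIR is a constructed scratch path.
set -eu
WORKDIR="${WORKDIR:-$(mktemp -d)}"
CRT="$WORKDIR/server.crt"
KEY="$WORKDIR/server.key"

# Same request as the post's interactive command; -subj and -addext answer the
# prompts. The post typed C=CH (Switzerland); China is CN. -nodes writes the key
# unencrypted, so no later "remove the password" step is needed.
gen_cert() {
  openssl req -new -x509 -nodes -days 365 -newkey rsa:2048 \
    -subj "/C=CN/ST=bj/L=bj/O=ZNIX/OU=ZNIX/CN=zh.etiantian.com" \
    -addext "subjectAltName=DNS:zh.etiantian.com,DNS:cms.etiantian.com,DNS:kdy.etiantian.com" \
    -keyout "$KEY" -out "$CRT" 2>/dev/null
  chmod 600 "$KEY"   # the post's ls shows 644; a private key must not be world-readable
}

# 1. Key and certificate must carry the same public key.
key_matches_cert() {
  [ "$(openssl x509 -noout -pubkey -in "$CRT")" = "$(openssl pkey -pubout -in "$KEY")" ]
}

# 2. Browsers match the hostname against the SAN, not the CN, so every
#    server_name that shares this certificate must be listed there.
san_covers() {
  openssl x509 -noout -ext subjectAltName -in "$CRT" | grep -q "DNS:$1"
}

# 3. Owner-only permissions on the private key (GNU stat, BSD stat fallback).
key_is_private() {
  [ "$(stat -c %a "$KEY" 2>/dev/null || stat -f %Lp "$KEY")" = "600" ]
}

# 4. No passphrase, or nginx would block at startup asking for it.
key_unencrypted() {
  ! grep -q ENCRYPTED "$KEY"
}

check_all() {
  key_matches_cert && san_covers cms.etiantian.com && key_is_private && key_unencrypted
}

gen_cert
check_all && echo "certificate at $CRT passes all checks"
```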

4. Modify the nginx configuration file
To keep the main configuration file tidy, write the proxy parameters to a separate file and pull it in with include

Create the file holding the proxy parameters:
[root@lb01]# vim /etc/nginx/proxy_params 
proxy_set_header HOST $host;
proxy_set_header X-Forwarded-For  $remote_addr;

proxy_connect_timeout  30;
proxy_send_timeout     60;
proxy_read_timeout     60;

proxy_buffer_size      32k;
proxy_buffering   on;
proxy_buffers   4   128k;
proxy_busy_buffers_size   256k;
proxy_max_temp_file_size  256k;
[root@lb01]# vim /etc/nginx/nginx.conf
...
    upstream web_pools {
        server 10.0.0.7:80 weight=1 max_fails=3 fail_timeout=10s;
        server 10.0.0.8:80 weight=1 max_fails=3 fail_timeout=10s;
    }
#    include /etc/nginx/conf.d/*.conf;
    server {
        listen 80;
        server_name zh.etiantian.com;
        return 302 https://$server_name$request_uri;
    }
    server {
        listen 443 ssl;
        server_name zh.etiantian.com;
        ssl_certificate      ssl_key/server.crt;
        ssl_certificate_key  ssl_key/server.key;
        ssl_session_timeout  5m;
        ssl_protocols        TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers          ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;
        ssl_prefer_server_ciphers on;
        proxy_next_upstream  http_404 http_502;
        location / {
            proxy_pass http://web_pools;
            include proxy_params;
        }
    }
    server {
        listen 80;
        server_name cms.etiantian.com;
        return 302 https://$server_name$request_uri;
    }
    server {
        listen 443 ssl;
        server_name cms.etiantian.com;
        ssl_certificate      ssl_key/server.crt;
        ssl_certificate_key  ssl_key/server.key;
        ssl_session_timeout  5m;
        ssl_protocols        TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers          ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;
        ssl_prefer_server_ciphers on;
        proxy_next_upstream  http_404 http_502;
        location / {
            proxy_pass http://web_pools;
            include proxy_params;
        }
    }
    server {
        listen 80;
        server_name kdy.etiantian.com;
        return 302 https://$server_name$request_uri;
    }
    server {
        listen 443 ssl;
        server_name kdy.etiantian.com;
        ssl_certificate      ssl_key/server.crt;
        ssl_certificate_key  ssl_key/server.key;
        ssl_session_timeout  5m;
        ssl_protocols        TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers          ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;
        ssl_prefer_server_ciphers on;
        proxy_next_upstream  http_404 http_502;
        location / {
            proxy_pass http://web_pools;
            include proxy_params;
        }
    }
}

5. On the web servers, add

fastcgi_param HTTPS on
The same line is added to every site's configuration; one site is listed here

[root@web01]# cat /etc/nginx/conf.d/01-blog.conf 
server {
    listen      80;
    server_name  zh.etiantian.com;
        access_log /app/log/nginx/access_blog.log main; 
    root /app/nginx/html/blog/;
    location / {
        index index.php index.html index.htm;
    }
       location ~* \.(php|php5)$ {
         fastcgi_pass   127.0.0.1:9000;
         fastcgi_index  index.php;
         fastcgi_param HTTPS on;    # add this line, otherwise the self-signed certificate is not recognised and the site is treated as insecure
         fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
         include        fastcgi_params;
       }
}

If the LB runs the "stop keepalived when nginx is down" script, keepalived also needs to be started again

Multiple sites can simply share the same certificate.

[16:13 root@lb01 nginx]# systemctl restart keepalived.service 
最后編輯于
?著作權(quán)歸作者所有,轉(zhuǎn)載或內(nèi)容合作請聯(lián)系作者
【社區(qū)內(nèi)容提示】社區(qū)部分內(nèi)容疑似由AI輔助生成,瀏覽時請結(jié)合常識與多方信息審慎甄別。
平臺聲明:文章內(nèi)容(如有圖片或視頻亦包括在內(nèi))由作者上傳并發(fā)布,文章內(nèi)容僅代表作者本人觀點,簡書系信息發(fā)布平臺,僅提供信息存儲服務。

友情鏈接更多精彩內(nèi)容