1. HTTPS overview
Why HTTPS is needed: plain HTTP is insecure.
1. Data in transit can be read by a man-in-the-middle, so information leaks.
2. Content can be hijacked and tampered with in transit, and the client has no way to verify which server it is talking to.
HTTPS notes
Certificate validation levels when buying a certificate
OV (organization validation) certificate: the organization is vetted, but browsers do not display its name.
EV (extended validation) certificate: the organization name used to be shown in the address bar (most current browsers have dropped that indicator, so EV buys little visible difference today).
Certificate coverage types
Single domain: protects one name, e.g. www
Multi-domain (SAN): protects several names (e.g. up to 5), such as www and blog
Wildcard: *.chenjiangfeng.com
Things to watch out for
A wildcard certificate only covers one label level: *.chenjiangfeng.com matches blog.chenjiangfeng.com but not a.blog.chenjiangfeng.com (and not the bare chenjiangfeng.com unless it is listed separately).
Certificates cannot be "renewed" in place: before expiry you obtain a new certificate and swap it in on the server.
Browser shows green (older browsers) or a plain lock: every resource on the page is loaded over HTTPS.
Browser shows a warning (mixed content): the page's HTML still references resources over plain http://.
Browser shows red or an error page: the certificate is not trusted (self-signed, wrong host name) or has expired.
2. HTTPS configuration scenarios
1. Certificate requirements imposed by Apple (App Transport Security)
1. Every connection to the server must use TLS 1.2 or later (the page assumes OpenSSL 1.0.2 on the server).
2. The certificate must be signed with SHA-256 or a stronger hash (SHA-1 signatures are rejected).
3. The certificate's public key must be RSA 2048-bit or longer, or ECC 256-bit or longer.
4. The cipher suites must provide forward secrecy (ECDHE key exchange).
2. Key generation steps
1. Generate the private key.
2. Generate the certificate signing request (the .csr file) from that key.
3. Obtain the signed certificate (the .crt/.pem file) from a CA, or self-sign it for testing.
3. Check the current environment
1. OpenSSL must be at least 1.0.2
[root@web-node01 ~]# openssl version
OpenSSL 1.0.2k-fips 26 Jan 2017
2. nginx must be built with the ssl module (look for --with-http_ssl_module in the output)
[root@web-node01 ~]# nginx -V 2>&1 | grep -o with-http_ssl_module
3. Create the directory that will hold the certificate
[root@web-node01 ~]# mkdir /etc/nginx/ssl_key
[root@web-node01 ~]# cd /etc/nginx/ssl_key/
4. Use OpenSSL as our own CA and create the private key. A certificate produced this way is not trusted by any browser or public CA; it is for testing only and cannot be used in production.
[root@web-node01 ssl_key]# openssl genrsa -idea -out server.key 2048
Generating RSA private key, 2048 bit long modulus
........+++
..........+++
e is 65537 (0x10001)
Enter pass phrase for server.key: password
Verifying - Enter pass phrase for server.key: password
[root@web-node01 ssl_key]#
Note: -idea encrypts the key file with a passphrase. nginx cannot prompt for it at startup, so either generate the key without -idea (the step below does, via -nodes) or point ssl_password_file at a file holding the passphrase.
5. Generate a self-signed certificate (request and signing in one step). This command creates a fresh, unencrypted key (-newkey, -nodes) and writes it to server.key, overwriting the key from step 4; to reuse that key instead, replace "-newkey rsa:2048 -keyout server.key" with "-key server.key". 36500 days is 100 years; use a realistic validity such as 365 (publicly trusted leaf certificates are capped at 398 days by Apple and the other browser vendors).
[root@web-node01 ssl_key]# openssl req -days 36500 -x509 -sha256 -nodes -newkey rsa:2048 -keyout server.key -out server.crt
Generating a 2048 bit RSA private key
..............................................+++
....................................................................................+++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN                              # country
State or Province Name (full name) []:ZJ                          # province
Locality Name (eg, city) [Default City]:HZ                        # city
Organization Name (eg, company) [Default Company Ltd]:CHENJF      # company
Organizational Unit Name (eg, section) []:CHENJF                  # department
Common Name (eg, your name or your server's hostname) []:CJF      # should be the site host name (www.chenjiangfeng.com); browsers now match on subjectAltName, not CN
Email Address []:[email protected]
[root@web-node01 ssl_key]#
Notes on the options:
req --->the OpenSSL subcommand for certificate requests
-newkey rsa:2048 --->generate a new 2048-bit RSA key at the same time (-key server.key would reuse an existing key)
-nodes --->do not encrypt the private key with a passphrase (nginx needs an unencrypted key unless ssl_password_file is set)
-x509 --->output a self-signed X.509 certificate instead of a CSR
-sha256 --->sign with SHA-256 (requirement 2 above)
-keyout --->where to write the private key
-out --->where to write the certificate
-days --->validity period of the certificate, in days
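The three key-generation steps and the certificate checks above, carried out as one script. This is an added example, not the page's own commands: it assumes a working directory ./ssl_key instead of /etc/nginx/ssl_key and the host name www.chenjiangfeng.com, and it adds an OpenSSL config file with a subjectAltName because browsers ignore the CN and match only the SAN. The config-file route (rather than -addext) also works on the OpenSSL 1.0.2 shown on the page.

```shell
#!/bin/sh
# Added example, not from the original page: key -> CSR -> self-signed certificate,
# then a check of the certificate against the requirements listed above.
# CERT_DIR and HOST are assumptions; the page uses /etc/nginx/ssl_key.
set -eu

CERT_DIR="${CERT_DIR:-./ssl_key}"
HOST="${HOST:-www.chenjiangfeng.com}"

# OpenSSL config carrying the subject and the subjectAltName.
write_conf() {
  cat > "$CERT_DIR/openssl.cnf" <<EOF
[req]
distinguished_name = dn
req_extensions     = ext
prompt             = no
[dn]
C  = CN
ST = ZJ
L  = HZ
O  = CHENJF
CN = $HOST
[ext]
subjectAltName   = DNS:$HOST
basicConstraints = CA:FALSE
EOF
}

# Step 1: 2048-bit RSA key, left unencrypted so nginx can load it at startup.
gen_key() { openssl genrsa -out "$CERT_DIR/server.key" 2048 2>/dev/null; }

# Step 2: CSR signed with SHA-256. This is what a public CA would receive.
gen_csr() {
  openssl req -new -sha256 -key "$CERT_DIR/server.key" \
    -config "$CERT_DIR/openssl.cnf" -out "$CERT_DIR/server.csr"
}

# Step 3: sign the CSR with our own key (lab only; no browser trusts this).
# -extensions copies the SAN into the certificate; "x509 -req" drops it otherwise.
gen_cert() {
  openssl x509 -req -days 365 -sha256 -in "$CERT_DIR/server.csr" \
    -signkey "$CERT_DIR/server.key" \
    -extfile "$CERT_DIR/openssl.cnf" -extensions ext \
    -out "$CERT_DIR/server.crt" 2>/dev/null
}

# Checks requirements 2 and 3 (SHA-256 signature, RSA >= 2048) plus the SAN and
# that the certificate matches HOST. Prints the number of failed checks (0 = pass).
# Requirement 4, forward secrecy, is a property of the cipher suites configured in
# nginx, not of the certificate, so it cannot be checked here.
check_cert() {
  txt=$(openssl x509 -in "$CERT_DIR/server.crt" -noout -text)
  fails=0
  echo "$txt" | grep -q 'Signature Algorithm: sha256WithRSAEncryption' || fails=$((fails + 1))
  echo "$txt" | grep -Eq 'Public-Key: \((2048|3072|4096) bit\)'      || fails=$((fails + 1))
  echo "$txt" | grep -q "DNS:$HOST"                                   || fails=$((fails + 1))
  openssl x509 -in "$CERT_DIR/server.crt" -noout -checkhost "$HOST" \
    | grep -q 'does match' || fails=$((fails + 1))
  echo "$fails"
}

if [ "${1:-}" = "run" ]; then
  mkdir -p "$CERT_DIR"
  write_conf; gen_key; gen_csr; gen_cert
  echo "failed checks: $(check_cert)"
fi
```

Run it as "sh gen_cert.sh run"; the resulting server.key and server.crt are what ssl_certificate_key and ssl_certificate in the nginx section below point at. Changing HOST after the certificate exists makes check_cert report two failures (missing SAN entry and -checkhost mismatch), which is exactly the "red" browser case described earlier.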
3. HTTPS configuration
1. Configuration directives
Enable SSL on a server block (deprecated since nginx 1.15.0; use the ssl parameter of the listen directive instead)
Syntax: ssl on | off;
Default: ssl off;
Context: http, server
Certificate file location
Syntax: ssl_certificate file;
Default: —
Context: http, server
Private key file location
Syntax: ssl_certificate_key file;
Default: —
Context: http, server
2. Configure nginx (the certificate paths match the files created in /etc/nginx/ssl_key above; the original listing pointed at cert/a.pem, which does not exist)
[root@web-node01 conf.d]# cat https.conf
server {
    listen 443 ssl;                 # "ssl on;" is deprecated; the listen parameter replaces it
    server_name www.chenjiangfeng.com;
    root html/https;
    index index.html index.htm;
    ssl_certificate /etc/nginx/ssl_key/server.crt;
    ssl_certificate_key /etc/nginx/ssl_key/server.key;
    ssl_session_timeout 5m;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
    ssl_protocols TLSv1.2;          # TLSv1 and TLSv1.1 dropped: requirement 1 above is TLS 1.2 or later
    ssl_prefer_server_ciphers on;
    location / {
        index index.html index.htm;
    }
}
3. Check the configuration and restart nginx
[root@web-node01 ~]# nginx -t && systemctl restart nginx
4. Test from a client
http://www.chenjiangfeng.com: served over plain HTTP, not redirected to HTTPS.
https://www.chenjiangfeng.com: the browser warns because the certificate is self-signed.
Click Advanced, then "Proceed to www.chenjiangfeng.com (unsafe)".
5. With the configuration above, a user who omits https:// in the address bar never reaches HTTPS, so plain-HTTP requests must be forced onto HTTPS. A second server block on port 80 does that; "return 301" is used instead of the original "rewrite (.*) ... redirect", which answers with a temporary 302.
[root@web-node01 conf.d]# cat https.conf
server {
    listen 443 ssl;
    server_name www.chenjiangfeng.com;
    root html/https;
    index index.html index.htm;
    ssl_certificate /etc/nginx/ssl_key/server.crt;
    ssl_certificate_key /etc/nginx/ssl_key/server.key;
    ssl_session_timeout 5m;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers on;
    location / {
        index index.html index.htm;
    }
}
server {
    listen 80;
    server_name www.chenjiangfeng.com;
    return 301 https://$server_name$request_uri;   # permanent redirect to the HTTPS site
}
6. Check the configuration and restart nginx
[root@web-node01 ~]# nginx -t && systemctl restart nginx
7. Test from a client: http://www.chenjiangfeng.com now lands on https://www.chenjiangfeng.com. From the command line, "curl -I http://www.chenjiangfeng.com" should return "301 Moved Permanently" with a "Location: https://www.chenjiangfeng.com/" header.
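To make the weak settings in this section visible side by side with the corrected ones, here is a small lint over an nginx configuration. It is an added example, not part of the page and not an nginx feature: the check list (deprecated "ssl on", listen 443 without ssl, protocols below TLS 1.2, a 302 rewrite instead of return 301, missing HSTS, ssl_prefer_server_ciphers not on) is the author's own choice, and both configurations are constructed sample input.

```shell
#!/bin/sh
# Added example, not from the original page: a lint over an nginx server block that
# flags the weak settings discussed in this section, run against the page's original
# configuration and against a corrected one. The check list is an assumption by the
# author of this example, not an nginx feature.
set -eu

# The page's original HTTPS + redirect configuration (constructed sample input).
sample_weak_conf() {
  cat <<'EOF'
server {
    listen 443;
    server_name www.chenjiangfeng.com;
    ssl on;
    ssl_certificate /etc/nginx/ssl_key/server.crt;
    ssl_certificate_key /etc/nginx/ssl_key/server.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
}
server {
    listen 80;
    server_name www.chenjiangfeng.com;
    rewrite (.*) https://$server_name$request_uri redirect;
}
EOF
}

# The same site with the issues fixed (constructed sample input).
sample_fixed_conf() {
  cat <<'EOF'
server {
    listen 443 ssl;                        # replaces the deprecated "ssl on;"
    server_name www.chenjiangfeng.com;
    ssl_certificate /etc/nginx/ssl_key/server.crt;
    ssl_certificate_key /etc/nginx/ssl_key/server.key;
    ssl_protocols TLSv1.2;                 # requirement 1 of the Apple list
    ssl_prefer_server_ciphers on;
    add_header Strict-Transport-Security "max-age=63072000" always;
}
server {
    listen 80;
    server_name www.chenjiangfeng.com;
    return 301 https://$host$request_uri;  # permanent redirect instead of a 302 rewrite
}
EOF
}

# Reads an nginx config on stdin and prints one line per finding.
lint_nginx_ssl() {
  awk '
    { sub(/#.*/, "") }                     # drop trailing comments before matching
    /^[ \t]*ssl[ \t]+on[ \t]*;/ {
        print "ssl on; is deprecated since nginx 1.15.0, use listen 443 ssl;" }
    /^[ \t]*listen[ \t]/ && /[ \t:]443([ \t]|;)/ {
        tls = 1
        if ($0 !~ /[ \t]ssl([ \t]|;)/)
            print "listen on 443 lacks the ssl parameter" }
    /^[ \t]*ssl_protocols/ && /(SSLv2|SSLv3|TLSv1([ \t;])|TLSv1\.1)/ {
        print "ssl_protocols allows a version below TLS 1.2:" $0 }
    /^[ \t]*rewrite/ && /https:\/\// && /redirect[ \t]*;/ {
        print "rewrite ... redirect answers 302; use return 301 https://$host$request_uri;" }
    /^[ \t]*ssl_prefer_server_ciphers[ \t]+on/            { prefer = 1 }
    /^[ \t]*add_header[ \t]+Strict-Transport-Security/    { hsts = 1 }
    END {
        if (tls && !hsts)   print "HTTPS server sends no Strict-Transport-Security header"
        if (tls && !prefer) print "ssl_prefer_server_ciphers is not on"
    }'
}

# Number of findings for the config on stdin (0 means it passed every check).
count_findings() { lint_nginx_ssl | awk 'END { print NR }'; }

if [ "${1:-}" = "run" ]; then
  echo "== original config =="
  sample_weak_conf | lint_nginx_ssl
  echo "== fixed config: $(sample_fixed_conf | count_findings) finding(s) =="
fi
```

The lint is line-oriented on purpose: it is meant to be run over a single https.conf such as the one above ("sh lint.sh run" prints the five findings for the original listing and none for the fixed one), not to replace "nginx -t", which checks syntax but says nothing about protocol versions or redirect codes.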