Enabling HTTPS in nginx

http:80

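https:443 This protocol is more secure than HTTP because the data is encrypted in transit.

When you visit http://www.baidu.com, the URL is redirected to https://www.baidu.com

I. Introduction to HTTPS

1. HTTPS is made up of two parts: HTTP + SSL/TLS, that is, a module that encrypts the traffic is added on top of HTTP. Everything sent between server and client goes through TLS, so the transmitted data is encrypted. For how the encryption, decryption and verification are carried out, see the figure below.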

[Image 1: Enabling HTTPS in nginx]

Setting up an HTTPS site:

1. Install the dependency packages first

yum -y install pcre-devel zlib-devel popt-devel openssl-devel openssl

2. Create the nginx user

useradd -M -s /sbin/nologin nginx

3. Install nginx

wget http://nginx.org/download/nginx-1.20.2.tar.gz
tar zxf nginx-1.20.2.tar.gz -C /usr/local/
cd /usr/local/nginx-1.20.2   ## enter the extracted source directory
./configure --prefix=/usr/local/nginx --user=nginx --group=nginx --with-file-aio --with-http_stub_status_module --with-http_gzip_static_module --with-http_flv_module --with-http_ssl_module --with-pcre && make && make install ## compile and install
ln -s /usr/local/nginx/sbin/nginx /usr/local/bin/   #### symlink so that nginx is on the PATH

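4. Generate the private key for the certificate:

openssl genrsa -des3 -out server.key 1024  ### genrsa generates the RSA private key  #### server.key is the key file name  #### 1024 is the key length in bits; use 2048 or more for a real deployment
Generating RSA private key, 1024 bit long modulus
....++++++
...........++++++
e is 65537 (0x10001)
Enter pass phrase for server.key:                #### enter a passphrase
Verifying - Enter pass phrase for server.key:    #### enter the passphrase again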

5. Create a certificate signing request (CSR):

openssl req -new -key server.key -out server.csr
Enter pass phrase for server.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:BJ                                      ## country
State or Province Name (full name) []:BJ                                  ## state or province
Locality Name (eg, city) [Default City]:BJ                                ## city
Organization Name (eg, company) [Default Company Ltd]:BDGJ                ## company name
Organizational Unit Name (eg, section) []:IT                              ## organizational unit
Common Name (eg, your name or your server's hostname) []:www.benet.com    ## server hostname, etc.
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

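Press Enter to accept the defaults for everything else.

6. Make a backup copy of the server key

cp server.key server.key.org

7. Remove the passphrase from the key file

[root@localhost ~]# openssl rsa -in server.key.org -out server.key
Enter pass phrase for server.key.org:  ## enter the passphrase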
writing RSA key

8. Generate the certificate file

[root@localhost ~]# openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
Signature ok
subject=/C=BG/ST=BG/L=BG/O=BG/OU=qwe/CN=qwe/emailAddress=qwe
Getting Private key

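## The certificate file ends in .crt
## x509 is the certificate format
## -req means the input is a certificate request
## -days 365: valid for one year
## -in server.csr: the certificate request file
## -signkey server.key: the private key used to self-sign the certificate
## -out: the output certificate file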
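
Steps 4 to 8 as a non-interactive script, followed by checks worth running before nginx loads the files. This is an added example, not from the original page; the function names and the 2048-bit key size are assumptions, and www.benet.com is the page's sample hostname.

```shell
#!/bin/sh
# Added example, not from the original page. Function names and the 2048-bit
# key size are assumptions.

# Steps 4-8 without prompts: key (no passphrase), CSR, self-signed certificate.
make_selfsigned() {   # $1 = output directory, $2 = common name
    mkdir -p "$1" || return 1
    ( umask 077 && openssl genrsa -out "$1/server.key" 2048 2>/dev/null ) || return 1
    openssl req -new -key "$1/server.key" -subj "/CN=$2" \
        -out "$1/server.csr" 2>/dev/null || return 1
    openssl x509 -req -days 365 -in "$1/server.csr" \
        -signkey "$1/server.key" -out "$1/server.crt" 2>/dev/null
}

# Prints "ok" or the first problem found; returns non-zero on any problem.
check_pair() {        # $1 = certificate file, $2 = private key file
    # A passphrase-protected key makes nginx prompt on every start.
    if grep -q 'ENCRYPTED' "$2" 2>/dev/null; then echo "key-encrypted"; return 1; fi
    # Catches a missing file or a key file overwritten by something else (e.g. a CSR).
    openssl rsa -in "$2" -check -noout >/dev/null 2>&1 || { echo "key-invalid"; return 1; }
    bits=$(openssl rsa -in "$2" -noout -text 2>/dev/null |
           sed -n 's/.*(\([0-9][0-9]*\) bit.*/\1/p' | head -n 1)
    [ "${bits:-0}" -ge 2048 ] || { echo "key-too-small"; return 1; }
    # The certificate belongs to the key only if both carry the same RSA modulus.
    m_crt=$(openssl x509 -in "$1" -noout -modulus 2>/dev/null) ||
        { echo "cert-invalid"; return 1; }
    m_key=$(openssl rsa -in "$2" -noout -modulus 2>/dev/null)
    [ "$m_crt" = "$m_key" ] || { echo "mismatch"; return 1; }
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1 ||
        { echo "expired"; return 1; }
    echo "ok"
}
```

For example, `make_selfsigned ./ssl www.benet.com && check_pair ./ssl/server.crt ./ssl/server.key` prints `ok` when the pair is usable.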

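9. Now edit the configuration file

    server {
        listen       443 default_server ssl;       ## default server, SSL enabled
        ssl_certificate ssl/server.crt;     ## certificate file
        ssl_certificate_key ssl/server.key; ## private key file
        #ssl on;                                    ## not needed on nginx versions newer than 1.15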
        server_name  www.benet.com;
        location / {
            root   html;
            index  index.html index.htm;
        }
    }

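10. Create the directory: mkdir -p /usr/local/nginx/conf/ssl

Put the certificate and the private key in it: cp server.crt server.key /usr/local/nginx/conf/ssl

Restart the service

11. Requests over http:// will now fail to find the page, so add another server block that sends every request for www.benet.com to https://

    server {
        listen 80;
        server_name www.benet.com;
        rewrite ^(.*) https://$host$1 permanent;
    }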
