你好
你最近过的好嘛?
【运维知识进阶篇】集群架构-HTTPS证书详解
HTTPS证书在企业中非常重要,因为HTTP不安全,采用HTTP协议容易受到劫持和篡改,如果是采用HTTPS,数据在传输过程中加密,可以避免报文信息被窃取篡改,避免网站传输时信息泄露。实现https,要了解SSL协议,现在我们使用的大多是TLS加密协议了,HTTPS运行在应用层,TLS应用在表示层,是SSL协议发挥作用的一层,使应用层的HTTP协议在没有感知的情况下实现了数据的加密传输。
HTTP加密传输流程
浏览器发起请求,服务端接收请求,返回给浏览器证书、证书中包含公钥,浏览器判断证书是否合法,如果不合法进行警告提示。如果合法,生成随机数,通过公钥加密随机数,把加密后的随机数传输给服务端,服务端通过私钥解密获得随机数,通过传入随机数的对称加密,对数据进行加密,将加密后的内容传输给浏览器,浏览器根据本地存储的随机数进行解密。
模拟网站被篡改
1、配置Nginx文件
[root@Web01 test]# cat /etc/nginx/conf.d/test.conf server {
listen 80;
server_name test.koten.com;
root /code/test;
index index.html;
charset utf-8;
}2、配置Nginx页面
[root@Web01 test]# cat /code/test/index.html
我是title
[root@Web01 test]# 3、查看Nginx页面
4、配置Nginx拦截服务器
[root@Web02 ~]# vim /etc/nginx/conf.d/jiechi_test.conf
upstream jiechi {
server 10.0.0.7:80;
}
server {
listen 80;
server_name test.koten.com;
location / {
proxy_pass http://jiechi;
proxy_set_header Host $http_host;
sub_filter '你好' '我好';
sub_filter '版权所有' ' 开源';
}
}
5、查看篡改后的内容
6、添加篡改广告
[root@web02 conf.d]# vim jiechi_test.conf
upstream jiechi {
server 10.0.0.7:80;
}
server {
listen 80;
server_name test.koten.com;
location / {
proxy_pass http://jiechi;
proxy_set_header Host $http_host;
sub_filter '你好' '花生瓜子烤鱼片';
sub_filter '版权所有' ' 
';
}
}
7、查看篡改界面
证书类型介绍
| 域名型DV | 企业型OV | 增强型EV | |
| 绿色地址栏 | 小锁标记+HTTPS | 小锁标记+HTTPS | 小锁标记+企业名称+HTTPS |
| 一般用途 | 个人站点,简单的HTTPS加密需求 | 电子商务站点和应用,中小型企业站点 | 大型金融平台,大型企业和政府机构站点 |
| 审核内容 | 域名所有权验证 | 全面的企业身份验证,域名所有权验证 | 最高等级的企业身份验证,域名所有权验证 |
| 颁发时长 | 几分钟-24小时 | 3-5工作日 | 5-7工作日 |
| 单次申请年限 | 1年 | 1-2年 | 1-2年 |
| 赔付保障金 | 无 | 125-175万美金 | 150-175美金 |
证书购买选择及注意事项
可以选择保护 一个域名www
五个域名www、images、cdn、test、m
通配符域名*.koten.com
注意
1、证书不支持续费,证书到期需要重新申请并进行替换
2、不支持三级域名解析,如test.m.koten.com
3、显示绿色,说明整个网站的URL都是HTTPS,显示黄色,说明网站代码中包含HTTP的不安全链接,显示红色,说明证书是假的或者证书过期。
Nginx单台服务器实现证书
1、Nginx上需要有--with-http_ssl_module模块,创建存放ssl证书的路径
[root@Web01 test]# mkdir -p /etc/nginx/ssl_key
[root@Web01 test]# cd /etc/nginx/ssl_key/
[root@Web01 ssl_key]# 2、使用openssl命令充当CA权威机构创建证书(生产不使用此方式生成证书,这是不被互联网认可的黑户证书)
[root@Web01 ssl_key]# openssl genrsa -idea -out server.key 2048
Generating RSA private key, 2048 bit long modulus
...............................+++
.....+++
e is 65537 (0x10001)
Enter pass phrase for server.key: #输入密码6666
Verifying - Enter pass phrase for server.key:
[root@Web01 ssl_key]#
3、生成自签证书,同时去掉私钥的密码
[root@Web01 ssl_key]# openssl req -days 36500 -x509 -sha256 -nodes -newkey rsa:2048 -keyout server.key -out server.crt
Generating a 2048 bit RSA private key
..............................................................................+++
...+++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:BeiJing
Locality Name (eg, city) [Default City]:BeiJing
Organization Name (eg, company) [Default Company Ltd]:BeiJing
Organizational Unit Name (eg, section) []:BeiJing
Common Name (eg, your name or your server's hostname) []:koten.com
Email Address []:[email protected]
[root@Web01 ssl_key]#
# req --> 用于创建新的证书
# new --> 表示创建的是新证书
# x509 --> 表示定义证书的格式为标准格式
# key --> 表示调用的私钥文件信息
# out --> 表示输出证书文件信息
# days --> 表示证书的有效期4、修改Nginx配置文件
[root@Web01 ssl_key]# cat /etc/nginx/conf.d/test.conf
server {
listen 443 ssl;
server_name test.koten.com;
ssl_certificate /etc/nginx/ssl_key/server.crt;
ssl_certificate_key /etc/nginx/ssl_key/server.key;
location / {
root /code/test;
index index.html;
}
}
#配置将用户访问http请求强制跳转https
server {
listen 80;
server_name test.koten.com;
return 302 https://$server_name$request_uri;
}
[root@Web01 ssl_key]# systemctl restart nginx
[root@Web01 ssl_key]# echo '测试ssl' > /code/test/index.html 5、浏览器访问
Nginx集群实现证书
1、准备LB01(10.0.0.5、172.16.1.5)做负载均衡,Web02(10.0.0.8、172.16.1.8)、Web03(10.0.0.9、172.16.1.9)两台服务器
2、配置Web02、Web03服务器监听80端口
[root@Web02 ~]# cat /etc/nginx/conf.d/ssl.conf
server {
listen 80;
server_name ssl.koten.com;
location / {
root /code/ssl;
index index.html;
}
}
[root@Web02 ~]# systemctl restart nginx
[root@Web03 ~]# cat /etc/nginx/conf.d/ssl.conf
server {
listen 80;
server_name ssl.koten.com;
location / {
root /code/ssl;
index index.html;
}
}
[root@Web03 ~]# systemctl restart nginx
3、拷贝证书到LB服务器
[root@LB01 ~]# scp -rp 172.16.1.7:/etc/nginx/ssl_key /etc/nginx/
The authenticity of host '172.16.1.7 (172.16.1.7)' can't be established.
ECDSA key fingerprint is SHA256:zQvI/tCFYssR7l6cr90EtaIA93FXJp8FmUhGtkZshlA.
ECDSA key fingerprint is MD5:0b:a1:ee:d2:75:92:1a:62:05:63:5e:d1:e8:42:13:84.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '172.16.1.7' (ECDSA) to the list of known hosts.
[email protected]'s password:
server.key 100% 1704 906.5KB/s 00:00
server.crt 100% 1411 1.0MB/s 00:00 4、配置LB01的Nginx配置文件
[root@LB01 ~]# cat /etc/nginx/conf.d/proxy_ssl.conf
upstream website {
server 172.16.1.8:80;
server 172.16.1.9:80;
}
server {
listen 443 ssl;
server_name ssl.koten.com;
ssl_certificate ssl_key/server.crt;
ssl_certificate_key ssl_key/server.key;
location / {
proxy_pass http://website;
proxy_set_header Host $http_host;
}
}
server {
listen 80;
server_name ssl.koten.com;
return 302 https://$server_name$request_uri;
}
[root@LB01 ~]# systemctl restart nginx5、浏览器访问
真实业务实现HTTPS证书
1、配置LB01中的wordpress和wecenter的配置
[root@LB01 ~]# cat /etc/nginx/conf.d/proxy_ssl.conf
upstream webs {
server 172.16.1.7:80;
server 172.16.1.8:80;
}
#用户的http请求跳转至https
server {
listen 80;
server_name blog.koten.com;
return 302 https://$server_name$request_uri;
}
server {
listen 80;
server_name wecenter.koten.com;
return 302 https://$server_name$request_uri;
}
server {
listen 443 ssl;
server_name blog.koten.com;
ssl_certificate ssl_key/server.crt;
ssl_certificate_key ssl_key/server.key;
location / {
proxy_pass http://webs;
include proxy_params;
}
}
server {
listen 443 ssl;
server_name wecenter.koten.com;
ssl_certificate ssl_key/server.crt;
ssl_certificate_key ssl_key/server.key;
location / {
proxy_pass http://webs;
include proxy_params;
}
}
[root@LB01 ~]# nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
[root@LB01 ~]# nginx -s reload2、浏览器访问
发现均出现排版错误的情况,这是因为PHP对https不适配。
3、修正排版问题
需要在Web01和Web02的Wecenter和WordPress配置文件里添加如下配置,并重启Nginx
#告诉PHP我前置的负载使用的是https协议
fastcgi_param HTTPS on;
例如Web01的WordPress配置文件
[root@Web01 wecenter]# cat /etc/nginx/conf.d/wordpress.conf
server {
listen 80;
server_name blog.koten.com;
root /code/wordpress;
index index.php index.html index.htm;
location ~\.php$ {
root /code/wordpress;
fastcgi_pass 127.0.0.1:9000;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param HTTPS on;
include fastcgi_params;
}
}
[root@Web01 wecenter]#
4、再次访问发现恢复
5、phpmyadmin配置文件与问题
[root@LB01 ~]# cat /etc/nginx/conf.d/proxy_php.conf
upstream web {
server 172.16.1.7:80;
server 172.16.1.8:80;
}
server {
listen 80;
server_name php.koten.com;
return 302 https://$server_name$request_uri;
}
server {
listen 443 ssl;
ssl_certificate ssl_key/server.crt;
ssl_certificate_key ssl_key/server.key;
server_name php.koten.com;
location / {
proxy_pass http://web;
include proxy_params;
}
}
[root@LB01 ~]# systemctl restart nginx
6、解决phpmyadmin问题
在Web01和Web02的phpmyadmin配置文件上增加如下配置:
fastcgi_param HTTPS on;恢复正常!
我是koten,10年运维经验,持续分享运维干货,感谢大家的阅读和关注!