Nginx【https配置】

为什么要使用https

  • 1、因为http采用的时明文传输,敏感数据(账号、密码、交易信息)不安全。容易遭到篡改
  • 2、https采用的是超文本传输协议,数据在传输时会加密,能够避免信息泄露

TLS和SSL是如何将数据加密的(他们运行在应用层和传输层之间)

  • 1、提供数据安全(不被泄露)
  • 2、提供数据完整性(不被篡改)
  • 3、对应用层交给传输层的数据进行加密与解密

 https加密模型

  • 对称加密(使用相同的密钥对)
  • 非对称加密(一对密钥-公钥、私钥)
  • CA机构(CA颁发公钥、私钥,由CA验证身份信息)

https类型

  • dv:个人使用、免费
  • ov:企业使用、中型公司
  • ev:增强型证书(政府、银行)
  • 单域名型证书:只能保护一个域名
  • 多域名型证书:能够保护多个域名
  • 通配符型证书:*.test.org

 单台实现https配置

申请证书【模拟】

[root@nginx conf.d]# mkdir -p /etc/nginx/ssl_key
[root@nginx conf.d]# cd /etc/nginx/ssl_key/
  • 使用openssl生成证书:生产中不使用此方法,黑户,不被互联网认可
[root@nginx ssl_key]# openssl genrsa -idea -out server.key 2048
Generating RSA private key, 2048 bit long modulus
..................................................................+++
....+++
e is 65537 (0x10001)

## 我这里填的密码:1234      

Enter pass phrase for server.key:
Verifying - Enter pass phrase for server.key:
  • 生成自签证书,同时去掉私钥密码
[root@nginx ssl_key]# openssl req -days 36500 -x509 -sha256 -nodes -newkey rsa:2048 -keyout server.key -out server.crt
Generating a 2048 bit RSA private key
............................................+++
................................................................................+++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:WH
Locality Name (eg, city) [Default City]:WH
Organization Name (eg, company) [Default Company Ltd]:edu
Organizational Unit Name (eg, section) []:test
Common Name (eg, your name or your server's hostname) []:www.test.org
Email Address []:[email protected] 
              
[root@nginx ssl_key]# ls
server.crt  server.key
  • 将证书配置到nginx中
[root@nginx conf.d]# vim CA.conf
server {
  listen 443 ssl;
  server_name www.test.org;
  root /code/CA;
    ssl_protocols       TLSv1.1 TLSv1.2;
    ssl_certificate     ssl_key/server.crt;
    ssl_certificate_key ssl_key/server.key;
  location / {
    index index.html;
  }
}
server {
  listen 80;
  server_name www.test.org;
  return 302 https://$http_host$request_uri;
}

 集群配置https

LB

192.168.200.120

web-01

192.168.200.121

web-02

192.168.200.122

 先配置后端web-01、web-02

[root@nginx conf.d]# vim CA.conf
server {
  listen 80;
  server_name www.test.org;
  root /code/CA;
  location / {
    index index.html;
  }
  location ~ \.php$ {
      fastcgi_pass 127.0.0.1:9000;
      fastcgi_index index.php;
      fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
      fastcgi_param HTTPS on;
      include fastcgi_params;       
  }
}

LB配置https

  • 生成证书
mkdir -p /etc/nginx/ssl_key
cd /etc/nginx/ssl_key/
openssl genrsa -idea -out server.key 2048
openssl req -days 36500 -x509 -sha256 -nodes -newkey rsa:2048 -keyout server.key -out server.crt
  • nginx配置
[root@nginx conf.d]# vim test.conf 
  
upstream ca {
  server 192.168.200.121:80;
  server 192.168.200.122:80;
}
server {
  listen 443 ssl;
  server_name www.test.org;
    charset utf-8;
    default_type text/html;
      ssl_protocols       TLSv1.1 TLSv1.2;
      ssl_certificate     ssl_key/server.crt;
      ssl_certificate_key ssl_key/server.key;
    location / {
      proxy_pass http://ca;
      proxy_set_header Host $http_host;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
  }
}
server {
  listen 80;
  server_name www.test.org;
  return 302 https://$http_host$request_uri;
}

https的使用场景

  • 1、网站主页(没有信息传递,可以不使用https)
  • 2、登录页面(有信息传递使用https)
servre {
    listen 80;
    server_name www.test.org;
    root /code/test;
    location / {
        index index.html;    
    }
    location /login {
        return 302 https://start.test.org;    
    }
}
server {
  listen 443 ssl;
  server_name start.test.org;
    charset utf-8;
    default_type text/html;
      ssl_protocols       TLSv1.1 TLSv1.2;
      ssl_certificate     ssl_key/server.crt;
      ssl_certificate_key ssl_key/server.key;
    location / {
      index index.html;
  }
}

你可能感兴趣的:(Nginx-New,https,网络协议,http)