Nginx: configuring an HTTPS service


    1. The HTTPS service

    Why is HTTPS needed?
    Reason: HTTP is insecure
        1. Data in transit can be read by a man-in-the-middle, leaking information
        2. Content can be hijacked or tampered with
    
    How HTTPS is implemented
        The transmitted content is encrypted and the peer's identity is verified
    
    How HTTPS encrypts and verifies
        Asymmetric encryption + symmetric encryption
        CA-signed certificate
    

    2. Generating the private key and the CA certificate

    In production you can obtain a CA-signed certificate directly from a third-party CA and skip this step.

    # check whether openssl is installed
    openssl version
    

    Step one: generate the private key

    # create the ssl_key directory under /etc/nginx
    [root@sam ~]# mkdir /etc/nginx/ssl_key
    [root@sam ~]# cd /etc/nginx/ssl_key
    
    # create the key file and enter a passphrase for it
    [root@sam ssl_key]# openssl genrsa -idea -out sam.key 1024
    Generating RSA private key, 1024 bit long modulus
    ....................................++++++
    ...................++++++
    e is 65537 (0x10001)
    Enter pass phrase for sam.key:
    Verifying - Enter pass phrase for sam.key:
    
    

    Step two: generate the certificate signing request (CSR file)

    [root@sam ssl_key]# openssl req -new -key sam.key -out sam.csr
    Enter pass phrase for sam.key:
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [XX]:CN
    State or Province Name (full name) []:guangdong
    Locality Name (eg, city) [Default City]:guangzhou
    Organization Name (eg, company) [Default Company Ltd]:sam
    Organizational Unit Name (eg, section) []:sam
    Common Name (eg, your name or your server's hostname) []:sam
    Email Address []:xxx@sam.com
    
    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:
    An optional company name []:sam
    
    [root@sam ssl_key]# ls
    sam.csr  sam.key
    
    

    Step three: generate the signed certificate file (the CA certificate; self-signed here with -signkey), or obtain one from a third-party CA

    [root@sam ssl_key]# openssl x509 -req -days 3650 -in sam.csr -signkey sam.key -out sam.crt
    [root@sam ssl_key]# ls
    sam.crt  sam.csr  sam.key
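
    The three steps above carried out as one non-interactive script, as an added example that is not part of the original post: it generates the key, the CSR and the self-signed certificate, then confirms that the certificate's RSA modulus matches the key's before the pair is handed to nginx (a mismatched pair is the usual cause of "key values mismatch" at startup). The output directory, subject fields and server name are placeholders chosen for this example. Two deliberate differences from the interactive run above: the key is 2048 bits, since 1024-bit RSA is no longer accepted by browsers or public CAs, and the key is written without a passphrase (protected by file mode 600 instead), so nginx starts without prompting.

```shell
#!/bin/sh
# Added example (not the original post's commands): generate a private key, a CSR
# and a self-signed certificate non-interactively, then verify that the
# certificate really belongs to the key before configuring both in nginx.
# Assumptions: openssl is on PATH; the output directory, subject fields and
# server name below are placeholders chosen for this example.

# make_selfsigned_cert DIR NAME CN DAYS
#   Writes DIR/NAME.key, DIR/NAME.csr and DIR/NAME.crt.
#   The key is 2048-bit RSA and left unencrypted so nginx can start without a
#   passphrase prompt; the file mode is tightened to 600 instead.
make_selfsigned_cert() {
    dir=$1; name=$2; cn=$3; days=$4
    mkdir -p "$dir"
    # private key: no -idea/-aes option, so no passphrase is set on the file
    openssl genrsa -out "$dir/$name.key" 2048 2>/dev/null || return 1
    chmod 600 "$dir/$name.key"
    # CSR: -subj supplies the Distinguished Name in place of the interactive prompts
    openssl req -new -key "$dir/$name.key" -out "$dir/$name.csr" \
        -subj "/C=CN/ST=guangdong/L=guangzhou/O=sam/OU=sam/CN=$cn" || return 1
    # self-signed certificate (signed with the same key), valid for DAYS days
    openssl x509 -req -days "$days" -in "$dir/$name.csr" \
        -signkey "$dir/$name.key" -out "$dir/$name.crt" 2>/dev/null || return 1
}

# cert_matches_key CRT KEY
#   Returns 0 when the RSA modulus in the certificate equals the modulus of the
#   key, i.e. when the pair can be used together as ssl_certificate and
#   ssl_certificate_key.
cert_matches_key() {
    crt_mod=$(openssl x509 -noout -modulus -in "$1" 2>/dev/null) || return 1
    key_mod=$(openssl rsa -noout -modulus -in "$2" 2>/dev/null) || return 1
    [ -n "$crt_mod" ] && [ "$crt_mod" = "$key_mod" ]
}

# cert_common_name CRT
#   Prints the CN from the certificate subject, the value a browser compares
#   against the host name it connected to (server_name in the nginx config).
cert_common_name() {
    openssl x509 -noout -subject -nameopt RFC2253 -in "$1" 2>/dev/null \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Usage: sh this_script.sh run   (writes into ./ssl_key_demo, a placeholder path)
if [ "${1:-}" = "run" ]; then
    make_selfsigned_cert ./ssl_key_demo sam www.sam.com 3650 || exit 1
    if cert_matches_key ./ssl_key_demo/sam.crt ./ssl_key_demo/sam.key; then
        echo "sam.crt matches sam.key (CN=$(cert_common_name ./ssl_key_demo/sam.crt))"
    else
        echo "certificate and key do not match" >&2
        exit 1
    fi
fi
```

    The same modulus comparison is worth running against a certificate bought from a CA as well: the .crt the CA returns must be paired with the .key that produced the CSR, not with a key generated later.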
    

    3. Configuring HTTPS in Nginx

    # configuration syntax
    
    Syntax: ssl on|off;
    Default: ssl off;
    Context: http, server
    
    Syntax: ssl_certificate file;
    Default: none
    Context: http, server
    
    Syntax: ssl_certificate_key file;
    Default: none
    Context: http, server
    
    

    Configuration example

    server {
        listen  443;    # HTTPS listens on port 443
        server_name www.sam.com;
        
        ssl on;
        ssl_certificate /etc/nginx/ssl_key/sam.crt;
        ssl_certificate_key /etc/nginx/ssl_key/sam.key;
        
        location / {
            root /opt/site/sam;
            index index.html index.htm;
        }
    }
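
    The same server block rendered in the form current nginx releases expect, together with a small lint to run before nginx -t, as an added example that is not part of the original post. "ssl on;" was deprecated in nginx 1.15.0 in favour of "listen 443 ssl;", so the rendered block uses the latter and restricts the offered protocols to TLS 1.2 and 1.3; the lint flags the deprecated directive, a listen line without ssl, a missing certificate or key path, and a private key file that is group- or world-readable. The paths and the server name are placeholders chosen for this example; nginx itself is not needed to run the checks.

```shell
#!/bin/sh
# Added example (not the original post's configuration): render the HTTPS server
# block in the form current nginx expects and lint it before reloading.
# Assumptions: the config path, server name, certificate/key paths and web root
# are placeholders for this example; nginx is not required to run the lint.

# write_https_server CONF SERVER_NAME CRT KEY ROOT
#   Renders a server block. "listen 443 ssl;" replaces the "ssl on;" directive
#   (deprecated in nginx 1.15.0), and only TLS 1.2 / 1.3 are offered.
write_https_server() {
    cat > "$1" <<EOF
server {
    listen 443 ssl;
    server_name $2;

    ssl_certificate $3;
    ssl_certificate_key $4;
    ssl_protocols TLSv1.2 TLSv1.3;

    location / {
        root $5;
        index index.html index.htm;
    }
}
EOF
}

# lint_https_server CONF
#   Returns 0 when the block uses "listen ... ssl", names both files, avoids the
#   deprecated "ssl on;" and (if the key file exists) keeps the private key
#   unreadable by group and others. Each problem is printed on its own line.
lint_https_server() {
    conf=$1; rc=0
    if grep -Eq '^[[:space:]]*ssl[[:space:]]+on[[:space:]]*;' "$conf"; then
        echo "deprecated 'ssl on;' found: use 'listen 443 ssl;' instead"; rc=1
    fi
    if ! grep -Eq '^[[:space:]]*listen[[:space:]]+[^;]*[[:space:]]ssl[[:space:];]' "$conf"; then
        echo "no 'listen ... ssl' directive: TLS is not enabled on the listener"; rc=1
    fi
    # pull the first ssl_certificate / ssl_certificate_key value out of the block
    crt=$(sed -n 's/^[[:space:]]*ssl_certificate[[:space:]]\{1,\}\([^;]*\);.*/\1/p' "$conf" | head -n1)
    key=$(sed -n 's/^[[:space:]]*ssl_certificate_key[[:space:]]\{1,\}\([^;]*\);.*/\1/p' "$conf" | head -n1)
    [ -n "$crt" ] || { echo "ssl_certificate is missing"; rc=1; }
    [ -n "$key" ] || { echo "ssl_certificate_key is missing"; rc=1; }
    if [ -n "$key" ] && [ -e "$key" ]; then
        # -perm -004 / -040: other-read / group-read bit set on the key file
        if [ -n "$(find "$key" \( -perm -004 -o -perm -040 \) 2>/dev/null)" ]; then
            echo "private key $key is group- or world-readable: chmod 600 it"; rc=1
        fi
    fi
    return $rc
}

# Usage: sh this_script.sh run   (writes ./sam-https.conf, a placeholder path)
if [ "${1:-}" = "run" ]; then
    write_https_server ./sam-https.conf www.sam.com \
        /etc/nginx/ssl_key/sam.crt /etc/nginx/ssl_key/sam.key /opt/site/sam
    if lint_https_server ./sam-https.conf; then
        echo "sam-https.conf passed the lint; now run: nginx -t"
    else
        echo "fix the problems above before reloading nginx" >&2
        exit 1
    fi
fi
```

    The lint only inspects the server block itself; nginx -t remains the authoritative syntax check, and an HTTP listener on port 80 that redirects to https:// is normally configured alongside this block so plain-text requests are not served.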
    

    If you use the self-signed certificate generated above, nginx prompts for the key's passphrase when it restarts (the key file was encrypted with a passphrase when it was generated); enter the passphrase you set at that time.

    In production, a CA-signed certificate is normally obtained from a third-party CA and configured in the same way.

    For example, a CA certificate can be obtained from Alibaba Cloud:
    https://www.aliyun.com/product/cas?spm=5176.8142029.388261.255.23896dfadI4OJq
    

    Upgrading openssl to 1.0.2

    # download and unpack the source
    wget https://www.openssl.org/source/openssl-1.0.2k.tar.gz
    tar -zxvf openssl-1.0.2k.tar.gz
    cd openssl-1.0.2k
    # build and install into /usr/local/openssl, leaving the system package in place
    ./config --prefix=/usr/local/openssl
    make && make install
    # set the old binary and headers aside and point them at the new installation
    mv /usr/bin/openssl /usr/bin/openssl.OFF
    mv /usr/include/openssl /usr/include/openssl.OFF
    ln -s /usr/local/openssl/bin/openssl /usr/bin/openssl
    ln -s /usr/local/openssl/include/openssl /usr/include/openssl
    # make the new shared libraries visible to the dynamic linker
    echo "/usr/local/openssl/lib" >> /etc/ld.so.conf
    ldconfig -v
    # confirm the new version is the one now in use
    openssl version -a
    
    
    Original article: https://www.cnblogs.com/magicalSam/p/7473026.html