• 部署自建CA颁发证书实现https加密


    理论忽略:百度上很多

    需求:自建证书并实现域名的https加密

    部署:

    在linux机器上执行以下命令生成私钥

    mkdir -p /opt/ssl-cert

    cd  /opt/ssl-cert

    1.#openssl genrsa -out server.key 2048

    在linux机器上执行以下命令生成csr文件

    2.#openssl req -new -key server.key -out server.csr

    以下黑色标识文字仅供参考,请根据商户自己实际情况进行填写

    Country Name: CN                      //您所在国家的ISO标准代号,中国为CN

    State or Province Name:tianjin       //您单位所在地省/自治区/直辖市

    Locality Name:tianjin                 //您单位所在地的市/县/区

    Organization Name: esgcc                //您单位/机构/企业合法的名称 

    Organizational Unit Name: yunwei         //部门名称 

    Common Name: 172.16.66.151     //通用名,例如:www.itrus.com.cn。此项必须与您访问提供SSL服务的服务器时所应用的域名完全匹配或者直接写nginx前端的IP地址

    Email Address: 493630393@qq.com                         //您的邮件地址,不必输入,直接回车跳过

    "extra"attributes                        //以下信息不必输入,回车跳过直到命令执行完毕。

    执行上面的命令后,在当前目录下即可生成私钥文件server.key和server.csr csr文件

    3.备份一份服务器密钥文件

    cp server.key server.key.org
    4.去除文件口令
    openssl rsa -in server.key.org -out server.key
    5.生成证书文件server.crt
    openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

    二、HTTPS服务器配置

    mkdir -p /opt/nginx/ssl

    cp -r server.crt  server.key  /opt/nginx/ssl

    1、 Nginx配置

    user www www;

    worker_processes auto;

    error_log /opt/nginx/logs/nginx_error.log crit;

    pid /opt/nginx/logs/nginx.pid;

    worker_rlimit_nofile 51200;

    events
    {
    use epoll;
    worker_connections 51200;
    multi_accept on;
    }

    http
    {
    include mime.types;
    default_type application/octet-stream;

    server_names_hash_bucket_size 128;
    client_header_buffer_size 64k;
    large_client_header_buffers 4 32k;
    client_max_body_size 500M;

    sendfile on;
    tcp_nopush on;

    keepalive_timeout 300;
    #proxy超时时间
    proxy_connect_timeout 300;
    proxy_send_timeout 300;
    proxy_read_timeout 300;

    tcp_nodelay on;

    fastcgi_connect_timeout 300;
    fastcgi_send_timeout 300;
    fastcgi_read_timeout 300;
    fastcgi_buffer_size 64k;
    fastcgi_buffers 4 64k;
    fastcgi_busy_buffers_size 128k;
    fastcgi_temp_file_write_size 256k;
    #缓存配置
    proxy_cache_key '$host:$server_port$request_uri';
    proxy_temp_file_write_size 512k;
    proxy_temp_path /opt/dev/shm/JieLiERP/proxy_temp_path;
    proxy_cache_path /opt/dev/shm/JieLiERP/proxy_cache_path levels=1:2 keys_zone=cache_one:200m inactive=5d max_size=1g;
    proxy_ignore_headers X-Accel-Expires Expires Cache-Control Set-Cookie;
    #缓存配置结束
    gzip on;
    gzip_min_length 1k;
    gzip_buffers 4 16k;
    gzip_http_version 1.1;
    gzip_comp_level 2;
    gzip_types text/plain application/javascript application/x-javascript text/javascript text/css application/xml application/xml+rss;
    gzip_vary on;
    gzip_proxied expired no-cache no-store private auth;
    gzip_disable "MSIE [1-6].";

    proxy_buffer_size 128k;
    proxy_buffers 32 128k;
    proxy_busy_buffers_size 128k;

    #limit_conn_zone $binary_remote_addr zone=perip:10m;
    ##If enable limit_conn_zone,add "limit_conn perip 10;" to server section.

    server_tokens off;
    access_log off;

    include vhost/*.conf;
    }

    2.ssl.conf

    ssl on;  #开启 还有证书的路径
       	ssl_certificate       /opt/nginx/ssl/server.crt;
            ssl_certificate_key   /opt/nginx/ssl/server.key;
    
            ssl_session_cache  builtin:1000  shared:SSL:10m;
            ssl_session_timeout 10m;
            ssl_protocols TLSv1 TLSv1.1 TLSv1.2 sslv3;
    	ssl_ciphers "ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:DES-CBC3-SHA:RC4-MD5:AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:RC4-SHA:IDEA-CBC-MD5:IDEA-CBC-SHA:AES128-SHA:DHE-DSS-AES128-SHA:DHE-RSA-AES128-SHA:DES-CBC3-MD5:E5-CBC3-MD5:EXP-RC4-MD5:DES-CBC-SHA:EDH-DSS-DES-CBC-SHA:EDH-RSA-DES-CBC-SHA:+HIGH:-MEDIUM:-LOW:-EXPORT:-aNULL:-eNULL";
    	ssl_prefer_server_ciphers on;
    

      

    3.proxy.conf

    proxy_set_header Host $http_host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;

     vhost配置文件

    server
    {
    	listen		443;
    	server_name	wwww.aaa.com;
    	access_log  /opt/nginx/logs/del_tm.access.log;
    	error_log   /opt/nginx/logs/del_tm.error.log;
    	include ssl.conf;
    	#脱敏测试
    	location ^~ /boss-tm   {
                    include proxy.conf;
                    proxy_pass http://172.16.2.162:8100;
            }
    	location ^~ /third-tm   {
                    include proxy.conf;
                    proxy_pass http://172.16.2.162:8100;
            }
    	location ^~ /platform-tm   {
                    include proxy.conf;
                    proxy_pass http://172.16.2.162:19017/;
            }
    	location ^~ /sec_upload   {
                    include proxy.conf;
                    proxy_pass http://172.16.2.162:8100;
            }
    }
    

      

  • 相关阅读:
    Django之forms.Form
    Django之Middleware中间件方法使用
    Django之请求生命周期
    Django操作session实例
    Django操作cookie实例
    Django操作session
    Django操作cookie
    Django之cookie与session
    Django之AJAX传输JSON数据
    Django之JSON数据格式
  • 原文地址:https://www.cnblogs.com/python-cat/p/10565193.html
Copyright © 2020-2023  润新知