（十二）、HTTPS部署

中小型规模网站集群架构:https

： Ago linux运维群：https://hankbook.cn

---

前言：此篇博客参考

http://www.xuliangwei.com/xubusi/337.html

1.查看nginx是否安装SSL模块

/application/nginx/sbin/nginx -V
[root@web01 ~]# /application/nginx/sbin/nginx -V
nginx version: nginx/1.10.2
built by gcc 4.4.7 20120313 (Red Hat 4.4.7-17) (GCC) 
built with OpenSSL 1.0.1e-fips 11 Feb 2013
TLS SNI support enabled
configure arguments: --user=www --group=www --prefix=/application/nginx-1.10.2 --with-http_stub_status_module **--with-http_ssl_module**

2.准备私钥和证书

2.1准备私钥

[root@web01 ~]#  cd /application/nginx/conf/
[root@web01 conf]# mkdir key
[root@web01 conf]# cd key/
[root@web01 key]# openssl genrsa -des3 -out server.key 1024
Generating RSA private key, 1024 bit long modulus
................++++++
........++++++
e is 65537 (0x10001)
Enter pass phrase for server.key:
Verifying - Enter pass phrase for server.key:

2.2签发证书

[root@web01 key]# openssl req -new -key server.key -out server.csr
Enter pass phrase for server.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:BJ
Locality Name (eg, city) [Default City]:BJ
Organization Name (eg, company) [Default Company Ltd]:SDU
Organizational Unit Name (eg, section) []:SA
Common Name (eg, your name or your server's hostname) []:Aige   
Email Address []:Aige@163.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

2.3删除服务器私钥口令

[root@web01 key]#  cp server.key server.key.ori
[root@web01 key]# openssl rsa -in server.key.ori -out server.key
Enter pass phrase for server.key.ori:
writing RSA key

2.4生成使用签名请求证书和私钥生成自签证书

[root@web01 key]#  openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
Signature ok
subject=/C=CN/ST=BJ/L=BJ/O=SDU/OU=SA/CN=Aige/emailAddress=Aige@163.com
Getting Private key

3.开启Nginx SSL

[root@web01 key]# cat /application/nginx/conf/extra/www.conf 
    server {
        listen       443;
        ssl on;
        ssl_certificate key/server.crt;
        ssl_certificate_key key/server.key;
        server_name  www.etiantian.org;
            root   html/www;
            index  index.php index.html index.htm;
        location ~ .*\.(php|php5)?$ {
            fastcgi_pass   127.0.0.1:9000;
            fastcgi_index  index.php;
            include       fastcgi.conf;
        }
    access_log  logs/access.log  main;
    }

4.重启服务

[root@web01 key]# /application/nginx/sbin/nginx -t
nginx: the configuration file /application/nginx-1.10.2/conf/nginx.conf syntax is ok
nginx: configuration file /application/nginx-1.10.2/conf/nginx.conf test is successful
[root@web01 key]# /application/nginx/sbin/nginx -s reload
[root@web01 key]# lsof -i:443
COMMAND   PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
nginx   25253 root   10u  IPv4  68385      0t0  TCP *:https (LISTEN)
nginx   42603  www   10u  IPv4  68385      0t0  TCP *:https (LISTEN)

4.1测试

4.2配置重定向80端口转443端口
以上配置有个不好的地方，如果用户使用时忘了使用https或者443端口，那么将会报错，所以我们需要80端口的访问转到443端口并使用ssl加密访问。

只需要增加一个server段，使用301永久重定向。

[root@web-node1 ~]# tail -5 /application/nginx/conf/vhosts/www.conf

server {

listen 80;

server_name blog.etiantian.com;

rewrite ^(.*) https://$server_name$1 permanent;

}