nginx: HTTPS

2.1 HTTPS on a single Nginx node

nginx must be built with the SSL module. Check the configure arguments printed by nginx -V for --with-http_ssl_module (only the relevant argument is shown below):

[root@web01 ~]# nginx -V
--with-http_ssl_module

Create a directory for the certificate and private key

[root@web01 ~]# mkdir -p /etc/nginx/ssl_key
[root@web01 ~]# cd /etc/nginx/ssl_key

2.2 Use the openssl command to act as your own CA and create a certificate (not for production: a self-signed certificate is not trusted by browsers, so every visitor gets a warning, and a user who clicks through it cannot tell your certificate from one an attacker made up)

[root@web01 ssl_key]# openssl genrsa -idea -out server.key 2048
Generating RSA private key, 2048 bit long modulus
...............................................+++
............................................+++
e is 65537 (0x10001)

The pass phrase used here is 1234, a placeholder for the lab; a production key that stays encrypted needs a real one. Two caveats: -idea encrypts the key with IDEA, which OpenSSL 3 moved into the legacy provider, so on current releases choose -aes256 instead; and this key is discarded in the next step anyway, because the command there generates a new one.

Enter pass phrase for server.key:
Verifying - Enter pass phrase for server.key:
[root@web01 ssl_key]# ls
server.key
2.3 Generate a self-signed certificate with an unencrypted private key

Note that -newkey rsa:2048 -keyout server.key generates a fresh key and overwrites the one from 2.2: the pass phrase is not stripped from the old key, the old key is simply replaced. -nodes is what leaves the new key unencrypted, so nginx can start without prompting for a pass phrase. (The prompt shows web03; section 3.3 later copies the files from that host.)

[root@web03 ssl_key]# openssl req -days 36500 -x509 -sha256 -nodes -newkey rsa:2048 -keyout server.key -out server.crt
Generating a 2048 bit RSA private key
..................................................................................................+++
...................................................................................................+++
writing new private key to 'server.key'

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.

Country Name (2 letter code) [XX]:chineseHH
string is too long, it needs to be less than 2 bytes long
Country Name (2 letter code) [XX]:ch
State or Province Name (full name) []:cha
Locality Name (eg, city) [Default City]:beijin
Organization Name (eg, company) [Default Company Ltd]:shiwei
Organizational Unit Name (eg, section) []:yunwei
Common Name (eg, your name or your server's hostname) []:haoda.com
Email Address []:123@qq.com

req --> creates a certificate signing request (CSR), or, with -x509, a self-signed certificate directly

-x509 --> output a self-signed certificate instead of a CSR

-newkey rsa:2048 --> generate a new 2048-bit RSA private key together with the certificate

-keyout --> file to write the new private key to

-nodes --> do not encrypt the private key

-sha256 --> sign the certificate with SHA-256 (older OpenSSL defaults used SHA-1, which browsers reject)

-days --> validity period of the certificate (36500 days, roughly 100 years, is only acceptable in a lab)

-out --> file to write the certificate to

Two things to check before using the result. The Common Name entered above is haoda.com, but the vhosts below use s.haoda.com; browsers compare the hostname against the certificate's subjectAltName extension, not the CN (Chrome and Firefox ignore the CN entirely), so even after trusting this certificate the name will not match. Give the certificate a SAN listing every hostname it will serve. And server.key is now unencrypted: anyone who can read it can impersonate the server, so keep it owned by root with mode 0600.

2.4 With the certificate in place, how Nginx is configured for HTTPS

Enable TLS

Syntax: ssl on | off;
Default: ssl off;
Context: http, server

This directive is deprecated since nginx 1.15.0: declare TLS on the listen line instead (listen 443 ssl;), as section 2.5 does.

Certificate file

Syntax: ssl_certificate file;
Default: -
Context: http, server

Private key file

Syntax: ssl_certificate_key file;
Default: -
Context: http, server

2.5 Example Nginx HTTPS configuration

The certificate paths are relative to the nginx prefix directory (/etc/nginx for the official packages), so ssl_key/server.crt resolves to /etc/nginx/ssl_key/server.crt.

[root@web01 conf.d]# cat ssl.conf
server {
    listen 443 ssl;
    server_name s.haoda.com;
    ssl_certificate ssl_key/server.crt;
    ssl_certificate_key ssl_key/server.key;
    location / {
        root /code;
        index index.html;
    }
}

Redirect plain-HTTP requests to HTTPS

server {
    listen 80;
    server_name s.haoda.com;
    return 302 https://$server_name$request_uri;
}

302 is a temporary redirect, convenient while testing; once the site is permanently HTTPS-only, use 301 so browsers cache the redirect. Building the target from $server_name (the configured name) rather than the request's Host header keeps this from turning into an open redirect.

Create the site root and reload Nginx

[root@web01 conf.d]# echo "123" > /code/index.html
[root@web01 conf.d]# nginx -s reload
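Added example (not from the original post): the same single-node vhost with the TLS settings a practitioner would add before exposing it, in place of the minimal ssl.conf above. The hostname s.haoda.com, the ssl_key paths and /code come from the post; the protocol and cipher settings follow the common Mozilla "intermediate" profile, and nothing here depends on files or modules beyond a standard nginx build.

```nginx
# Hardened version of ssl.conf (added example, not the post's own file).
# Certificate paths are relative to /etc/nginx, as in the post.
server {
    listen 443 ssl;                 # TLS is declared on the listen line; "ssl on;" is deprecated
    server_name s.haoda.com;

    ssl_certificate     ssl_key/server.crt;
    ssl_certificate_key ssl_key/server.key;   # keep this file root-owned, mode 0600

    # Only TLS 1.2 and 1.3; SSLv3, TLS 1.0 and TLS 1.1 are refused.
    ssl_protocols TLSv1.2 TLSv1.3;
    # Forward-secret AEAD suites for TLS 1.2 (TLS 1.3 suites are fixed and not listed here).
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers off;  # every listed suite is acceptable, so let the client choose

    # Session resumption: a cache shared across workers, tickets off so that a
    # leaked ticket key cannot be used to decrypt recorded sessions.
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 1d;
    ssl_session_tickets off;

    # HSTS: browsers refuse plain HTTP for this host for a year. Browsers only
    # store it when the certificate is trusted, so it has no effect with the
    # self-signed certificate from section 2.3; add includeSubDomains only once
    # every subdomain is served over HTTPS.
    add_header Strict-Transport-Security "max-age=31536000" always;

    location / {
        root  /code;
        index index.html;
    }
}

# Permanent redirect for plain HTTP. $server_name is the configured name, so a
# forged Host header cannot turn this into an open redirect.
server {
    listen 80;
    server_name s.haoda.com;
    return 301 https://$server_name$request_uri;
}
```

Run nginx -t before nginx -s reload. The protocol line is explicit because nginx releases before 1.23.4 also enabled TLS 1.0 and 1.1 by default. The browser warning remains as long as the certificate is self-signed.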

3. HTTPS on an Nginx cluster

Hands-on: an Nginx load balancer in front of Nginx web servers, with HTTPS terminated on the load balancer

3.1 Environment

Hostname   Public IP (NAT)   Private IP (LAN)   Role
lb01       10.0.0.5          172.16.1.5         load balancer
web02      10.0.0.8          172.16.1.8         web server
web03      10.0.0.9          172.16.1.9         web server
3.2 Configure web02 and web03 to listen on port 80 (plain HTTP; TLS terminates on the load balancer)

[root@web02 conf.d]# cat ssl.conf
server {
    listen 80;
    server_name s.haoda.com;

    location / {
        root /code;
        index index.html;
    }
}

web03 uses the same configuration.

3.3 Copy the certificate and key to the load balancer

The private key only needs to exist where TLS is terminated. Once lb01 has it, the copy left on the web server is unnecessary exposure; in a real deployment generate the key on the host that terminates TLS and never copy it around.

[root@lb01 conf.d]# cd ..
[root@lb01 nginx]# scp -rp 172.16.1.9:/etc/nginx/ssl_key ./
3.4 Configure nginx on lb01

[root@lb01 conf.d]# cat proxy_ssl.conf
upstream website {
    server 172.16.1.8:80;
    server 172.16.1.9:80;
}

server {
    listen 443 ssl;
    server_name s.haoda.com;
    ssl_certificate ssl_key/server.crt;
    ssl_certificate_key ssl_key/server.key;
    location / {
        proxy_pass http://website;
        proxy_set_header Host $http_host;
    }
}

server {
    listen 80;
    server_name s.haoda.com;
    return 302 https://$server_name$request_uri;
}

Two consequences of this layout: traffic between lb01 and the web servers crosses the LAN in clear text, so the 172.16.1.0/24 segment has to be trusted (or that hop re-encrypted); and the backends see an ordinary HTTP request with no hint that the client used HTTPS, which matters as soon as an application generates absolute URLs (see section 4.3).

3.5 Check in a browser

4. HTTPS in a real-world scenario

4.1 Configure the lb01 load balancer for the zh (Q&A) site and the blog

web01

[root@web01 conf.d]# vim ssl.conf

server {
    listen 80;
    server_name blog.drz.com;
    location / {
        root /code/wordpress;
        index index.php index.html;
    }
}

web02

[root@web02 conf.d]# cat ssl.conf
server {
    listen 80;
    server_name zh.drz.com;
    location / {
        root /code/zh;
        index index.php index.html;
    }
}

[root@lb01 nginx]# cat proxy_params
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

proxy_connect_timeout 30;
proxy_send_timeout 60;
proxy_read_timeout 60;

proxy_buffering on;
proxy_buffer_size 32k;
proxy_buffers 4 128k;

[root@lb01 conf.d]# cat proxy_wp.conf
upstream blog {
server 172.16.1.7:80;
server 172.16.1.8:80;
}

Redirect plain-HTTP requests to HTTPS

server {
    listen 80;
    server_name blog.drz.com;
    return 302 https://$server_name$request_uri;
}

server {
    listen 80;
    server_name zh.drz.com;
    return 302 https://$server_name$request_uri;
}

server {
    listen 443 ssl;    # the original used "listen 443;" plus "ssl on;", deprecated since nginx 1.15.0
    server_name blog.drz.com;
    ssl_certificate ssl_key/server.crt;
    ssl_certificate_key ssl_key/server.key;
    location / {
        proxy_pass http://blog;
        include proxy_params;
    }
}

server {
    listen 443 ssl;
    server_name zh.drz.com;
    ssl_certificate ssl_key/server.crt;
    ssl_certificate_key ssl_key/server.key;
    location / {
        proxy_pass http://blog;
        include proxy_params;
    }
}

Reload nginx on the load balancer

[root@lb01 conf.d]# nginx -s reload

Note that both HTTPS servers forward to the same upstream blog, so requests for either site are spread over both backends and only the Host header the backend receives decides which vhost answers. The web01 and web02 configurations shown each serve a different site, so a request for one site can land on a server that only hosts the other. Use one upstream per site, containing only the servers that actually host it.

4.2 Check in a browser


4.3 Fix the broken page rendering: configure the web servers for the zh and blog sites

The load balancer is reached over HTTPS but forwards to the backends over plain HTTP, so PHP sees an HTTP request (no HTTPS entry in $_SERVER) and builds http:// URLs for stylesheets, scripts and images; the browser blocks that mixed content on an https:// page and the page renders broken.

Configuration to fix this. fastcgi_param HTTPS on; hard-codes the answer, which is correct only while every request reaches PHP through the TLS-terminating load balancer; if the web server is also reachable directly over HTTP, PHP will still believe the connection is HTTPS. Deriving the value from an X-Forwarded-Proto header set by the load balancer is the more accurate approach.

[root@web01 conf.d]# cat zh.conf
server {
listen 8866;
server_name zh.drz.com;
root /code/zh;
index index.php index.html;

    location ~ \.php$ {
            root /code/zh;
            fastcgi_pass   127.0.0.1:9000;
            fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
            # tell PHP that the load balancer in front of us terminates HTTPS
            fastcgi_param HTTPS on;
            include        fastcgi_params;
    }

}

[root@web02 conf.d]# cat wordpress.conf
server {
listen 80;
server_name blog.drz.com;
root /code/wordpress;
index index.php index.html;
client_max_body_size 100m;

    location ~ \.php$ {
            root /code/wordpress;
            fastcgi_pass   127.0.0.1:9000;
            fastcgi_index  index.php;
            fastcgi_param  SCRIPT_FILENAME $document_root$fastcgi_script_name;
            fastcgi_param HTTPS on;
            include fastcgi_params;
    }

}

Reload nginx on both web servers

[root@web01 conf.d]# nginx -s reload
[root@web02 conf.d]# nginx -s reload

[root@lb01 conf.d]# cat proxy_wp.conf
upstream blog {
server 172.16.1.7:8866;
server 172.16.1.8:80;
}

Redirect plain-HTTP requests to HTTPS

server {
    listen 80;
    server_name blog.drz.com;
    return 302 https://$server_name$request_uri;
}

server {
    listen 80;
    server_name zh.drz.com;
    return 302 https://$server_name$request_uri;
}

server {
    listen 443 ssl;    # the original used "listen 443;" plus "ssl on;", deprecated since nginx 1.15.0
    server_name blog.drz.com;
    ssl_certificate ssl_key/server.crt;
    ssl_certificate_key ssl_key/server.key;
    location / {
        proxy_pass http://blog;
        include proxy_params;
    }
}

server {
    listen 443 ssl;
    server_name zh.drz.com;
    ssl_certificate ssl_key/server.crt;
    ssl_certificate_key ssl_key/server.key;
    location / {
        proxy_pass http://blog;
        include proxy_params;
    }
}
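Added example (not the post's own files) covering both the load-balancer side from section 3.4 and the backend fix in this section: instead of hard-coding fastcgi_param HTTPS on;, lb01 tells each backend which scheme the client used via X-Forwarded-Proto, and the backend maps that header to the HTTPS flag PHP expects. The addresses and ports (172.16.1.5 for lb01, 172.16.1.7:8866 and 172.16.1.8:80 for the backends), the hostnames and the ssl_key paths come from the post; the upstream names zh and blog, the variable name $forwarded_https, binding the backend to its LAN address, and use of the realip module (set_real_ip_from, part of the standard nginx build) are this example's own choices.

```nginx
# ---- lb01: /etc/nginx/conf.d/proxy_wp.conf ----
# One upstream per site, each listing only the servers that host that site
# (the post's single "blog" upstream mixed both sites into one pool).
upstream zh   { server 172.16.1.7:8866; }
upstream blog { server 172.16.1.8:80; }

server { listen 80; server_name blog.drz.com; return 301 https://$server_name$request_uri; }
server { listen 80; server_name zh.drz.com;   return 301 https://$server_name$request_uri; }

server {
    listen 443 ssl;
    server_name blog.drz.com;
    ssl_certificate     ssl_key/server.crt;
    ssl_certificate_key ssl_key/server.key;
    ssl_protocols TLSv1.2 TLSv1.3;
    location / {
        proxy_pass http://blog;
        include proxy_params;                        # Host, X-Real-IP, X-Forwarded-For as in the post
        proxy_set_header X-Forwarded-Proto $scheme;  # "https" on this listener
    }
}

server {
    listen 443 ssl;
    server_name zh.drz.com;
    ssl_certificate     ssl_key/server.crt;
    ssl_certificate_key ssl_key/server.key;
    ssl_protocols TLSv1.2 TLSv1.3;
    location / {
        proxy_pass http://zh;
        include proxy_params;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

# ---- web01: /etc/nginx/conf.d/zh.conf ----
# (web02's wordpress.conf gets the same map and the same fastcgi_param line.)
# Translate the forwarded scheme into the value PHP expects in $_SERVER['HTTPS'].
# X-Forwarded-Proto is only trustworthy because this listener is reachable solely
# from the LAN where lb01 sits; on a directly reachable host a client could forge it.
map $http_x_forwarded_proto $forwarded_https {
    default "";
    https   on;
}

server {
    listen 172.16.1.7:8866;          # bind to the LAN address only: lb01 is the only legitimate client
    server_name zh.drz.com;
    root  /code/zh;
    index index.php index.html;

    # Restore the real client address (for logs and PHP's REMOTE_ADDR) from the
    # header lb01 sets, trusting that header from lb01 alone.
    set_real_ip_from 172.16.1.5;
    real_ip_header   X-Real-IP;

    location ~ \.php$ {
        try_files $uri =404;         # never hand a non-existent path to PHP-FPM
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        # "on" only for requests that reached lb01 over TLS; not passed at all otherwise.
        fastcgi_param HTTPS $forwarded_https if_not_empty;
        include fastcgi_params;
    }
}
```

The map lives at http level, which is where files under conf.d are included by the stock nginx.conf. Validate with nginx -t on each host before reloading; a PHP page that prints $_SERVER['HTTPS'] should show "on" through the load balancer and nothing when fetched directly on the LAN.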

4.4 Check in a browser again

If WordPress was originally installed over HTTP, switching to HTTPS afterwards leaves images broken or partly loaded, because WordPress stored absolute http:// URLs at install time.

Recommendations:
1. Set up HTTPS before installing WordPress.
2. In the admin dashboard, under Settings -> General, change the WordPress Address and Site Address to https://.
3. Keep in mind that many WordPress links were written into the database at install time and have to be updated there as well.

4.5 Configure the lb01 load balancer for phpMyAdmin

phpMyAdmin is a database administration console, so HTTPS alone is not enough: restrict who can reach it (for example source-address allow/deny rules or HTTP basic authentication on the load balancer) rather than exposing it to every client that can reach port 443.

[root@lb01 conf.d]# cat proxy_php.conf
upstream php {
    server 172.16.1.7:80;
    server 172.16.1.8:80;
}

server {
    listen 80;
    server_name php.haoda.com;
    return 302 https://$server_name$request_uri;
}

server {
    listen 443 ssl;    # the original used "listen 443;" plus "ssl on;", deprecated since nginx 1.15.0
    ssl_certificate ssl_key/server.crt;
    ssl_certificate_key ssl_key/server.key;
    server_name php.haoda.com;
    location / {
        proxy_pass http://php;
        include proxy_params;
    }
}

4.6 Check in a browser

4.7 Configure the phpMyAdmin web servers

[root@web01 conf.d]# cat php.conf
server {
listen 80;
server_name php.haoda.com;
root /code/phpMyAdmin-4.9.0.1-all-languages;

    location / {
            index index.php index.html;
    }

    location ~ \.php$ {
            fastcgi_pass 127.0.0.1:9000;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            fastcgi_param HTTPS on;
            include fastcgi_params;
    }

}
4.8 Check in a browser again

posted on 2019-08-30 16:36 by 酷gril