11 实现单台和全站HTTPS
单台HTTPS配置
1.检查nginx
[root@web01 ~]# nginx -V
--with-http_ssl_module
2.创建证书存放目录
[root@web02 ~]# mkdir /etc/nginx/ssl_key
[root@web02 nginx]# cd /etc/nginx/ssl_key
3.造假证书
1)生成私钥
#使用openssl命令充当CA权威机构创建证书(生产不使用此方式生成证书,不被互联网认可的黑户证书)
[root@web02 ssl_key]# openssl genrsa -idea -out server.key 2048
Generating RSA private key, 2048 bit long modulus
..............+++
....+++
e is 65537 (0x10001)
Enter pass phrase for server.key:
Verifying - Enter pass phrase for server.key:
2)生成公钥
#生成自签证书(公钥),同时去掉私钥的密码
[root@web02 ssl_key]# openssl req -days 36500 -x509 -sha256 -nodes -newkey rsa:2048 -keyout server.key -out server.crt
Generating a 2048 bit RSA private key
.....................................+++
............+++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:china
string is too long, it needs to be less than 2 bytes long
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:meiguo
Locality Name (eg, city) [Default City]:riben
Organization Name (eg, company) [Default Company Ltd]:heishoudang
Organizational Unit Name (eg, section) []:oldboy
Common Name (eg, your name or your server's hostname) []:oldboy
Email Address []:123@qq.com
# req --> 用于创建新的证书
# new --> 表示创建的是新证书
# x509 --> 表示定义证书的格式为标准格式
# key --> 表示调用的私钥文件信息
# out --> 表示输出证书文件信息
# days --> 表示证书的有效期
# sha256 --> 加密方式
3)查看生成的证书
[root@web02 ssl_key]# ll
total 8
-rw-r--r-- 1 root root 1220 Nov 1 17:31 server.crt
-rw-r--r-- 1 root root 1704 Nov 1 17:31 server.key
4.配置证书语法
#1.开启证书
Syntax: ssl on | off;
Default: ssl off;
Context: http, server
#2.指定证书文件
Syntax: ssl_certificate file;
Default: —
Context: http, server
#3.指定私钥文件
Syntax: ssl_certificate_key file;
Default: —
Context: http, server
5.配置nginx证书
[root@web02 nginx]# cd /etc/nginx/conf.d
[root@web02 conf.d]# vim game.conf
server {
server_name game.test.com;
listen 443 ssl;
ssl_certificate /etc/nginx/ssl_key/server.crt;
ssl_certificate_key /etc/nginx/ssl_key/server.key;
location / {
root /usr/share/nginx/html5-mario;
index index.html;
}
}
[root@web02 nginx]# nginx-t
[root@web02 nginx]# systemctl restart nginx
浏览器访问:https://192.168.15.8 (注意:必须加https://,出现下面的页面点高级)
6.配置hosts访问
192.168.15.8 game.test.com
测试:https://game.test.com
实现全站HTTPS(实际就是负载均衡实现HTTPS)
lb01服务器配置
1.创建证书存放目录
[root@lb01 nginx]# mkdir ssl_key
[root@lb01 nginx]# cd ssl_key/
2.生成私钥
[root@lb01 ssl_key]# openssl genrsa -idea -out server.key 2048
Generating RSA private key, 2048 bit long modulus
.....+++
.+++
e is 65537 (0x10001)
Enter pass phrase for server.key:
Verifying - Enter pass phrase for server.key:
[root@lb01 ssl_key]# openssl req -days 36500 -x509 -sha256 -nodes -newkey rsa:2048 -keyout server.key -out server.crt
Generating a 2048 bit RSA private key
....................+++
....................................................................................+++
writing new private key to 'server.key'
3.生成公钥
[root@lb01 ssl_key]# openssl req -days 36500 -x509 -sha256 -nodes -newkey rsa:2048 -keyout server.key -out server.crt
Generating a 2048 bit RSA private key
....................+++
....................................................................................+++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:国家名字
State or Province Name (full name) []:省份
Locality Name (eg, city) [Default City]:市区
Organization Name (eg, company) [Default Company Ltd]:组织名
Organizational Unit Name (eg, section) []:组织别名
Common Name (eg, your name or your server's hostname) []:主机名
Email Address []:邮箱
4.#查看
[root@lb01 ssl_key]# ll
total 8
-rw-r--r-- 1 root root 1367 Nov 1 19:37 server.crt
-rw-r--r-- 1 root root 1708 Nov 1 19:37 server.key
5.配置nginx证书
[root@lb01 conf.d]# vim /etc/nginx/conf.d/game.conf
upstream game {
server 172.16.1.8:80;
server 172.16.1.7:80;
server 172.16.1.9:80;
}
server{
server_name game.test.com;
listen 443 ssl;
ssl_certificate /etc/nginx/ssl_key/server.crt;
ssl_certificate_key /etc/nginx/ssl_key/server.key;
location / {
proxy_pass http://game;
include proxy_params;
}
}
6. 测试并重启nginx
[root@lb01 conf.d]# nginx -t
[root@lb01 conf.d]# systemctl restart nginx
3.web02服务器配置
注意:web服务器配置
[root@web02 conf.d]# vim /etc/nginx/conf.d/game.conf
server {
server_name game.test.com;
listen 80;
# ssl_certificate /etc/nginx/ssl_key/server.crt;
# ssl_certificate_key /etc/nginx/ssl_key/server.key;
location / {
root /usr/share/nginx/html5-mario;
index index.html;
}
}
重启nginx
[root@web02 conf.d]# systemctl restart nginx
最后测试:
https://192.168.15.5/demo.html
实现https自动跳转
当我们在浏览器输入http时,我们希望自动跳转到https
lb01配置
[root@lb01 conf.d]# vim /etc/nginx/conf.d/game.conf
upstream game {
server 172.16.1.8:80;
server 172.16.1.7:80;
server 172.16.1.9:80; }
server {
listen 80;
server_name game.test.com;
return 302 https://game.test.com;}
server{
server_name game.test.com;
listen 443 ssl;
ssl_certificate /etc/nginx/ssl_key/server.crt;
ssl_certificate_key /etc/nginx/ssl_key/server.key;
location / {
proxy_pass http://game;
include proxy_params;
}
}
重新启动nginx
[root@lb01 conf.d]# systemctl restart nginx
修改windows的hosts文件并测试
192.168.15.5 game.test.com
测试 输入http://192.168.15.5自动跳转到https://game.test.com
