How to configure HTTPS

HTTPS for a local WordPress site

1. Create a self-signed certificate

OpenSSL consists of three parts:

libcrypto: the general-purpose cryptography library
libssl: the TLS/SSL library; on top of a session it implements peer authentication, data encryption and session integrity.
openssl: the command-line tool, used for example to create certificates and to inspect certificate information
1. Install openssl
yum  install  openssl openssl-devel -y
2. Create the certificate directory
mkdir /etc/nginx/ssl_key
3. Enter the directory
cd /etc/nginx/ssl_key
4. Enter a passphrase and create the private key file (the passphrase must be at least 4 characters)
[root@web-7 /etc/nginx/ssl_key]#openssl genrsa -idea -out server.key 2048
Generating RSA private key, 2048 bit long modulus
...................................+++
.............+++
e is 65537 (0x10001)
Enter pass phrase for server.key:afei11
Verifying - Enter pass phrase for server.key:afei11

Generate the certificate. Note that -newkey rsa:2048 together with -keyout server.key generates a fresh key and overwrites the passphrase-protected server.key from the previous step; because of -nodes the new key is stored unencrypted, so nginx can load it without a passphrase.
[root@web-7 /etc/nginx/ssl_key]#openssl req -days 36500 -x509 -sha256 -nodes -newkey rsa:2048 -keyout server.key -out server.crt
Generating a 2048 bit RSA private key
............................................................................................................................+++
..................................................................................+++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:BJ
Locality Name (eg, city) [Default City]:BJ
Organization Name (eg, company) [Default Company Ltd]:afeitt.cn
Organizational Unit Name (eg, section) []:afeitt.cn
Common Name (eg, your name or your server's hostname) []:afeitt.cn
Email Address []:1398787859@qq.com
Fill in the certificate fields in order:
Country
Province
City
Organization
Department
Hostname
Email


Check the private key and certificate
[root@web-7 /etc/nginx/ssl_key]#ls
server.crt  server.key
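As an added example (not part of the original post), the same kind of self-signed certificate can be produced non-interactively and then sanity-checked before nginx is pointed at it: the key and certificate belong together, the hostname is present as a subjectAltName (browsers ignore the CN alone), and the certificate is not about to expire. The output directory, hostname and the 365-day validity are assumed values chosen for this example.

```shell
# Added example (not from the original post): non-interactive self-signed
# certificate for nginx plus sanity checks. Assumes openssl is in PATH; the
# output directory and hostname are supplied by the caller.

# gen_selfsigned DIR CN: write DIR/server.key (no passphrase, so nginx can
# start unattended) and DIR/server.crt, valid 365 days, with CN and SAN = CN.
gen_selfsigned() {
    dir="$1"; cn="$2"
    mkdir -p "$dir"
    # A config file instead of -addext keeps this working on OpenSSL 1.0.2 too.
    cat > "$dir/san.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_req
[dn]
C = CN
ST = BJ
L = BJ
O = afeitt.cn
CN = $cn
[v3_req]
subjectAltName = DNS:$cn
EOF
    openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 \
        -keyout "$dir/server.key" -out "$dir/server.crt" -config "$dir/san.cnf"
    chmod 600 "$dir/server.key"   # the private key must not be world-readable
}

# cert_matches_key CRT KEY: succeed only if the public key embedded in the
# certificate is the one derived from the private key (catches a swapped key).
cert_matches_key() {
    crt_pub=$(openssl x509 -noout -pubkey -in "$1") || return 1
    key_pub=$(openssl pkey -pubout -in "$2") || return 1
    [ -n "$crt_pub" ] && [ "$crt_pub" = "$key_pub" ]
}

# cert_has_san CRT NAME: succeed if NAME is listed as a DNS subjectAltName
# (modern browsers ignore the CN and require a SAN).
cert_has_san() {
    openssl x509 -noout -text -in "$1" | grep -q "DNS:$2"
}

# cert_not_expiring CRT SECONDS: succeed if the certificate is still valid
# SECONDS from now; -checkend exits non-zero once it would have expired.
cert_not_expiring() {
    openssl x509 -noout -checkend "$2" -in "$1" >/dev/null
}
```

Run `gen_selfsigned /etc/nginx/ssl_key www.afeitt.cn` and then the three checks against the resulting files before restarting nginx.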

2. Configure nginx

[root@web-7 /etc/nginx/conf.d]#cat ssl.conf 
server {
    listen 80;
    server_name www.afeitt.cn;
    rewrite ^(.*) https://$server_name$1 redirect;
}

server{
    listen 443 ssl;
    server_name www.afeitt.cn;
  ssl_certificate ssl_key/server.crt;
  ssl_certificate_key ssl_key/server.key;

  location / {
          root /www;
          index index.html;
  }
}

Restart nginx
[root@web-7 /etc/nginx/conf.d]#systemctl restart nginx

3. Create test content

mkdir -p /www


cat >/www/index.html <<EOF
<meta charset=utf8>
我是web-7的https
EOF

4. Access the site

Deploy web-8

1. Send the certificate
[root@web-7 /etc/nginx]#scp -r ssl_key 10.0.0.8:/etc/nginx/
2. Send the configuration file
[root@web-7 /etc/nginx]#scp -r conf.d/ssl.conf 10.0.0.8:/etc/nginx/conf.d/
root@10.0.0.8's password: 
ssl.conf                                              100%  319   461.2KB/s   00:00 

3. Check on web-8
[root@web-8 ~]#ls /etc/nginx/
conf.d          mime.types  nginx.conf   ssl_key
fastcgi_params  modules     scgi_params  uwsgi_params
[root@web-8 ~]#ls /etc/nginx/conf.d/
php.conf  ssl.conf  wecenter.conf  wordpress.conf


Create test content
mkdir  /www
cat >/www/index.html <<EOF
<meta charset=utf8>
我是web-8的https
EOF

Restart nginx
systemctl restart nginx

Deploy the lb-5 machine

Distribute the same certificate
[root@web-7 /etc/nginx]#scp -r ssl_key 10.0.0.5:/etc/nginx/

Create the reverse proxy
[root@slb-5 /etc/nginx/conf.d]#cat ssl.conf 
upstream ssl_pools {
    server 172.16.1.7:443;
    server 172.16.1.8:443;
}

server {
    listen 80;
    server_name www.afeitt.cn;
    rewrite ^(.*) https://$server_name$1 redirect;
}

server {
    listen 443 ssl;
    server_name www.afeitt.cn;

  ssl_certificate ssl_key/server.crt;
  ssl_certificate_key ssl_key/server.key;
  
  location / {
            proxy_pass https://ssl_pools;
            include proxy_params.conf;
  }
}


Restart nginx
[root@lb-5 /etc/nginx]#systemctl restart nginx

Alternative layout: the load balancer terminates HTTPS towards the public network, while the back-end web servers on the internal network are kept simple and need no certificate

lb-5 machine
[root@slb-5 /etc/nginx/conf.d]#cat ssl.conf 
upstream ssl_pools {
    server 172.16.1.7;
    server 172.16.1.8;
}

server {
    listen 80;
    server_name www.afeitt.cn;
    rewrite ^(.*) https://$server_name$1 redirect;
}

server {
    listen 443 ssl;
    server_name www.afeitt.cn;

  ssl_certificate ssl_key/server.crt;
  ssl_certificate_key ssl_key/server.key;
  
  location / {
            proxy_pass https://ssl_pools;
            include proxy_params.conf;
  }
}

Restart nginx
[root@slb-5 /etc/nginx/conf.d]#systemctl restart nginx
web-7
[root@web-7 /etc/nginx]#cat conf.d/ssl.conf 
server {
    listen 80;
    server_name www.afeitt.cn;

  location / {
          root /www;
          index index.html;
  }
}
[root@web-7 /etc/nginx]#systemctl restart nginx

web-8
[root@web-8 ~]#cat  /etc/nginx/conf.d/ssl.conf 
server {
    listen 80;
    server_name www.afeitt.cn;

  location / {
          root /www;
          index index.html;
  }
}
[root@web-8 ~]#systemctl restart nginx

Access the site

WordPress over HTTPS

1. Deployment on lb-5
[root@slb-5 /etc/nginx/conf.d]#cat wordpress.conf 
upstream web-pools{
  server 172.16.1.7:80 weight=4;
  server 172.16.1.8:80 weight=1;

}

server{

  listen 80;
  server_name wordpress.afeitt.cn;
  rewrite ^(.*) https://$server_name$1 redirect;
}  


server {
  
  listen 443 ssl;
  server_name wordpress.afeitt.cn;

  ssl_certificate ssl_key/server.crt;
  ssl_certificate_key ssl_key/server.key;

  location / {
    proxy_pass http://web-pools;
    include /etc/nginx/proxy_params.conf;

  }

}

[root@slb-5 /etc/nginx/conf.d]#systemctl restart nginx

web-7
[root@web-7 /etc/nginx]#cat conf.d/wordpress.conf 
server{
    listen 80;
    server_name wordpress.afeitt.cn;

    root /code/wordpress;
    index index.php index.html;

    location ~*  \.php$ {

        root /code/wordpress;
        fastcgi_index index.php;
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include /etc/nginx/fastcgi_params;
    }
}
[root@web-7 /etc/nginx]#systemctl restart nginx

web-8
[root@web-8 ~]#cat /etc/nginx/conf.d/wordpress.conf 
server{
    listen 80;
    server_name wordpress.afeitt.cn;

    root /code/wordpress;
    index index.php index.html;

    location ~*  \.php$ {

        root /code/wordpress;
        fastcgi_index index.php;
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include /etc/nginx/fastcgi_params;
    }
}
[root@web-8 ~]#systemctl restart nginx

Test access

posted @ 2022-08-01 20:56 by 张开嘴