如何配置HTTPS

本地wordpress的HTTPS

1、自建证书

openssl由三部分组成：

libcrpto：通用加密库
libssl：TSL/SSL组成库，基于会话实现了身份认证，数据加密和会话完整性。
openssl：提供命令行工具，例如模拟创建证书，查看证书信息

1、安装openssl
yum  install  openssl openssl-devel -y
2、创建证书目录
mkdir /etc/nginx/ssl_key
3、进入目录
cd /etc/nginx/ssl_key
4、输入密码，创建私钥文件，至少4位
[root@web-7 /etc/nginx/ssl_key]#openssl genrsa -idea -out server.key 2048
Generating RSA private key, 2048 bit long modulus
...................................+++
.............+++
e is 65537 (0x10001)
Enter pass phrase for server.key:afei11
Verifying - Enter pass phrase for server.key:afei11

填写证书文件
[root@web-7 /etc/nginx/ssl_key]#openssl req -days 36500 -x509 -sha256 -nodes -newkey rsa:2048 -keyout server.key -out server.crt
Generating a 2048 bit RSA private key
............................................................................................................................+++
..................................................................................+++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:BJ
Locality Name (eg, city) [Default City]:BJ
Organization Name (eg, company) [Default Company Ltd]:afeitt.cn
Organizational Unit Name (eg, section) []:afeitt.cn
Common Name (eg, your name or your server's hostname) []:afeitt.cn
Email Address []:1398787859@qq.com
分别填入证书的信息
国家
省份
城市
组织
部门
主机名
邮箱


查看公私钥和证书
[root@web-7 /etc/nginx/ssl_key]#ls
server.crt  server.key

2、设置nginx

[root@web-7 /etc/nginx/conf.d]#cat ssl.conf 
server {
    listen 80;
    server_name www.afeitt.cn;
    rewrite ^(.*) https://$server_name$1 redirect;
}

server{
    listen 443 ssl;
    server_name www.afeitt.cn;
  ssl_certificate ssl_key/server.crt;
  ssl_certificate_key ssl_key/server.key;

  location / {
          root /www;
          index index.html;
  }
}

重启
[root@web-7 /etc/nginx/conf.d]#systemctl restart nginx

3、创建数据

mkdir -p /www


cat >/www/index.html <<EOF
<meta charset=utf8>
我是web-7的https
EOF

4、访问

部署web-8

1、证书发送
[root@web-7 /etc/nginx]#scp -r ssl_key 10.0.0.8:/etc/nginx/
2、配置文件发送
[root@web-7 /etc/nginx]#scp -r conf.d/ssl.conf 10.0.0.8:/etc/nginx/conf.d/
root@10.0.0.8's password: 
ssl.conf                                              100%  319   461.2KB/s   00:00 

3、8机器查看
[root@web-8 ~]#ls /etc/nginx/
conf.d          mime.types  nginx.conf   ssl_key
fastcgi_params  modules     scgi_params  uwsgi_params
[root@web-8 ~]#ls /etc/nginx/conf.d/
php.conf  ssl.conf  wecenter.conf  wordpress.conf


创建数据
mkdir  /www
cat >/www/index.html <<EOF
<meta charset=utf8>
我是web-8的https
EOF

重启
systemctl restart nginx

部署lb-5机器

发放统一的证书
[root@web-7 /etc/nginx]#scp -r ssl_key 10.0.0.5:/etc/nginx/

创建反向代理
[root@slb-5 /etc/nginx/conf.d]#cat ssl.conf 
upstream ssl_pools {
    server 172.16.1.7:443;
    server 172.16.1.8:443;
}

server {
    listen 80;
    server_name www.afeitt.cn;
    rewrite ^(.*) https://$server_name$1 redirect;
}

server {
    listen 443 ssl;
    server_name www.afeitt.cn;

  ssl_certificate ssl_key/server.crt;
  ssl_certificate_key ssl_key/server.key;
  
  location / {
            proxy_pass https://ssl_pools;
            include proxy_params.conf;
  }
}


重启
[root@lb-5 /etc/nginx]#systemctl restart nginx

lb负责https外网加密，后端web内网简化无须证书

lb-5机器

[root@slb-5 /etc/nginx/conf.d]#cat ssl.conf 
upstream ssl_pools {
    server 172.16.1.7;
    server 172.16.1.8;
}

server {
    listen 80;
    server_name www.afeitt.cn;
    rewrite ^(.*) https://$server_name$1 redirect;
}

server {
    listen 443 ssl;
    server_name www.afeitt.cn;

  ssl_certificate ssl_key/server.crt;
  ssl_certificate_key ssl_key/server.key;
  
  location / {
            proxy_pass https://ssl_pools;
            include proxy_params.conf;
  }
}

重启
[root@slb-5 /etc/nginx/conf.d]#systemctl restart nginx

web-7

[root@web-7 /etc/nginx]#cat conf.d/ssl.conf 
server {
    listen 80;
    server_name www.afeitt.cn;

  location / {
          root /www;
          index index.html;
  }
}
[root@web-7 /etc/nginx]#systemctl restart nginx

web-8

[root@web-8 ~]#cat  /etc/nginx/conf.d/ssl.conf 
server {
    listen 80;
    server_name www.afeitt.cn;

  location / {
          root /www;
          index index.html;
  }
}
[root@web-8 ~]#systemctl restart nginx

访问

wordpress支持https

1、lb-5机器的部署

[root@slb-5 /etc/nginx/conf.d]#cat wordpress.conf 
upstream web-pools{
  server 172.16.1.7:80 weight=4;
  server 172.16.1.8:80 weight=1;

}

server{

  listen 80;
  server_name wordpress.afeitt.cn;
  rewrite ^(.*) https://$server_name$1 redirect;
}  


server {
  
  listen 443 ssl;
  server_name wordpress.afeitt.cn;

  ssl_certificate ssl_key/server.crt;
  ssl_certificate_key ssl_key/server.key;

  location / {
    proxy_pass http://web-pools;
    include /etc/nginx/proxy_params.conf;

  }

}

[root@slb-5 /etc/nginx/conf.d]#systemctl restart nginx

web-7

[root@web-7 /etc/nginx]#cat conf.d/wordpress.conf 
server{
    listen 80;
    server_name wordpress.afeitt.cn;

    root /code/wordpress;
    index index.php index.html;

    location ~*  \.php$ {

        root /code/wordpress;
        fastcgi_index index.php;
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include /etc/nginx/fastcgi_params;
    }
}
[root@web-7 /etc/nginx]#systemctl restart nginx

web-8

[root@web-8 ~]#cat /etc/nginx/conf.d/wordpress.conf 
server{
    listen 80;
    server_name wordpress.afeitt.cn;

    root /code/wordpress;
    index index.php index.html;

    location ~*  \.php$ {

        root /code/wordpress;
        fastcgi_index index.php;
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include /etc/nginx/fastcgi_params;
    }
}
[root@web-8 ~]#systemctl restart nginx

测试访问