nginx: configuring HTTPS access in nginx
As the web has grown, developers have paid more and more attention to the security of information in transit.
HTTPS uses the SSL/TLS protocol to protect data while it is being transmitted, and it has become a must for sensitive operations.
What is HTTPS
Hypertext Transfer Protocol Secure (HTTPS, also known as HTTP over TLS, HTTP over SSL, or HTTP Secure)
is a secure network transport protocol. On a computer network, HTTPS communicates via the Hypertext Transfer Protocol but uses SSL/TLS to encrypt the packets. The main purposes of HTTPS are to authenticate the web server and to protect the privacy and integrity of the data exchanged.
Obtaining an HTTPS certificate
Since there are only a handful of trusted certificate authorities, a certificate has to be obtained or bought from one of them. My HTTPS
certificate was obtained for free from Tencent Cloud (URL: https://console.qcloud.com/ssl); once the application is approved, simply download it. Alibaba Cloud's is worth a try as well.
Issuing your own (self-signed) SSL certificate
cd /etc/nginx
mkdir ssl
openssl req -x509 -nodes -days 36500 -newkey rsa:2048 -keyout /etc/nginx/ssl/nginx.key -out /etc/nginx/ssl/nginx.crt
The prompts are as follows (the value after each arrow is what to enter). Note that because the command above passes -nodes, the private key is written unencrypted and no pass phrase prompt appears; the first line below is only shown when -nodes is omitted.
Enter pass phrase for root.key: ← enter the pass phrase created earlier
Country Name (2 letter code) [AU]:CN ← two-letter country code; CN for China
State or Province Name (full name) [Some-State]:BeiJing ← full name of the province, in pinyin
Locality Name (eg, city) []:BeiJing ← full name of the city, in pinyin
Organization Name (eg, company) [Internet Widgits Pty Ltd]:MyCompany Corp. ← company name in English
Organizational Unit Name (eg, section) []: ← can be left blank
Common Name (eg, YOUR name) []: ← leave blank for now
Email Address []:admin@mycompany.com ← e-mail address; the company's mailbox
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: ← can be left blank
An optional company name []: ← can be left blank
Afterwards, nginx.crt and nginx.key exist in /etc/nginx/ssl. Since the Common Name was left blank and no subjectAltName was set, a browser cannot match this certificate to a host name, so the "not secure" warning seen later is expected; this self-signed certificate is only suitable for testing.
Practice: flask + nginx + https
In the root directory of the Flask project, start the app with python app.py
(1) Normal nginx configuration on HTTP port 80
# HTTP access via http://47.92.xxx.7/
server {
    listen 80;
    server_name localhost;
    client_max_body_size 2m;
    access_log /var/log/nginx/demo.access.log;
    error_log /var/log/nginx/demo.error.log;

    location /static {
        root /data/www/flask_helloworld;
    }

    location / {
        proxy_pass http://localhost:6000;
    }
}
A more complex port-80 configuration:
server {
    listen 80;
    server_name localhost;
    client_max_body_size 2m;

    location /static {
        root /data/www/pro_base;
    }

    location /api/ {
        proxy_pass http://127.0.0.1:8000/;
    }

    location /api/admin/ {
        proxy_pass http://127.0.0.1:8080/;
        proxy_http_version 1.1;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }

    location / {
        try_files $uri @probase;
    }

    location @probase {
        include uwsgi_params;
        uwsgi_pass unix:/tmp/probase.sock;
    }
}
(2) Normal nginx configuration on HTTPS port 443
server {
    listen 443 ssl;
    server_name demo.xxxx.com;
    ssl_certificate /etc/nginx/ssl/nginx.crt;
    ssl_certificate_key /etc/nginx/ssl/nginx.key;
    server_tokens off;
    keepalive_timeout 70;
    access_log /var/log/nginx/demo.access.log;
    error_log /var/log/nginx/demo.error.log;

    location / {
        proxy_pass http://localhost:6000;
    }
}
With HTTPS configured this way, the reverse proxy target is a simple hello-world program.
The site can be reached over HTTPS (https://47.92.xxx.7/), but plain HTTP no longer works, and the browser flags the connection as not secure because the certificate is self-signed. To make the browser trust it, import the certificate.
Taking Google Chrome on a Mac as an example: Settings -> Advanced -> HTTPS/SSL certificate settings -> open the certificate manager, then System -> File -> Import Items, and import the certificate.
(3) To allow both HTTP and HTTPS access, add a single line, listen 80;, to the HTTPS configuration. The simple configuration from (2) comes first, then the more complex one from (1):
server {
    listen 80;
    listen 443 ssl;
    server_name demo.aifashion.com;
    ssl_certificate /etc/nginx/ssl/nginx.crt;
    ssl_certificate_key /etc/nginx/ssl/nginx.key;
    server_tokens off;
    keepalive_timeout 70;
    access_log /var/log/nginx/demo.access.log;
    error_log /var/log/nginx/demo.error.log;

    location / {
        proxy_pass http://localhost:6000;
    }
}
server {
    listen 80;
    listen 443 ssl;
    server_name demo.aifashion.com;
    client_max_body_size 2m;
    ssl_certificate /etc/nginx/ssl/nginx.crt;
    ssl_certificate_key /etc/nginx/ssl/nginx.key;
    server_tokens off;
    keepalive_timeout 70;
    access_log /var/log/nginx/demo.access.log;
    error_log /var/log/nginx/demo.error.log;

    location /static {
        root /data/www/pro_base;
    }

    location /api/ {
        proxy_pass http://127.0.0.1:8000/;
    }

    location /api/admin/ {
        proxy_pass http://127.0.0.1:8080/;
        proxy_http_version 1.1;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }

    location / {
        try_files $uri @probase;
    }

    location @probase {
        include uwsgi_params;
        uwsgi_pass unix:/tmp/probase.sock;
    }
}
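A hardened variant of configuration (3), added here as an example and not part of the original post: putting listen 80; and listen 443 ssl; in one server block serves every request over plaintext as well, so this version lets port 80 only redirect to HTTPS, restricts the TLS versions offered, and passes the original scheme to the Flask upstream. The host name, certificate paths, log paths and upstream port are the ones used above; the HSTS header is honoured by browsers only once a CA-issued certificate they trust is installed, so leave it out while testing with the self-signed one.

```nginx
# Plain HTTP: serve nothing here, just send clients to the HTTPS site.
server {
    listen 80;
    server_name demo.aifashion.com;
    return 301 https://$host$request_uri;
}

# HTTPS: same upstream as in the post, with the TLS settings tightened.
server {
    listen 443 ssl;
    server_name demo.aifashion.com;
    client_max_body_size 2m;

    ssl_certificate     /etc/nginx/ssl/nginx.crt;
    ssl_certificate_key /etc/nginx/ssl/nginx.key;
    # Offer only current protocol versions (no SSLv3, TLS 1.0 or TLS 1.1).
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;

    server_tokens off;
    keepalive_timeout 70;
    access_log /var/log/nginx/demo.access.log;
    error_log  /var/log/nginx/demo.error.log;

    # Tell browsers to keep using HTTPS for this host. Assumes every
    # subdomain is also served over HTTPS; drop includeSubDomains otherwise.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    location /static {
        root /data/www/flask_helloworld;
    }

    location / {
        proxy_pass http://localhost:6000;
        # Forward the real client address and the original scheme, so the
        # Flask app builds https:// URLs and logs the client, not 127.0.0.1.
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

Run nginx -t after editing and then reload; curl -I http://demo.aifashion.com/ should now return a 301 pointing at the https:// URL instead of the page body.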