Nginx hands-on HTTPS configuration
I. Hands-on HTTPS configuration for nginx
1. Obtaining a certificate (request one from Alibaba Cloud, or create your own)
1. Request a free single-domain certificate from Alibaba Cloud, download it and deploy it. Deployment guide: https://help.aliyun.com/document_detail/98728.html?spm=5176.b657008.help.dexternal.7b14799daFqyjG
2. Create your own private (self-signed) certificate, for use on an internal network.
2. Creating a self-signed certificate
OpenSSL consists of three parts:
- libcrypto: the general-purpose cryptographic library
- libssl: the TLS/SSL library; on top of a session it provides peer authentication, data encryption and session integrity
- openssl: the command-line tool, used for example to create certificates and inspect their contents
Install openssl first:

```sh
[root@web-7 ~]# yum install openssl openssl-devel -y
```

Create the certificate directory:

```sh
[root@web-7 ~]# mkdir /etc/nginx/ssl_key
[root@web-7 ~]# cd /etc/nginx/ssl_key/
```

Create the private key file (you are prompted for a passphrase of at least 4 characters):

```sh
[root@web-7 /etc/nginx/ssl_key]# openssl genrsa -idea -out server.key 2048
```

Create the certificate file: a self-signed X.509 certificate, valid for 36500 days (about 100 years). Note that this command generates a fresh key pair itself (`-newkey rsa:2048`) and writes it to server.key without a passphrase (`-nodes`), overwriting the key from the previous step, so the passphrase entered above is never used. That is the behaviour nginx needs anyway: with an encrypted key it would prompt for the passphrase at every start.

```sh
[root@web-7 /etc/nginx/ssl_key]# openssl req -days 36500 -x509 -sha256 -nodes -newkey rsa:2048 -keyout server.key -out server.crt
Generating a 2048 bit RSA private key
.................+++
....................+++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:BJ
Locality Name (eg, city) [Default City]:BJ
Organization Name (eg, company) [Default Company Ltd]:yuchaoit.cn
Organizational Unit Name (eg, section) []:yuchaoit.cn
Common Name (eg, your name or your server's hostname) []:yuchaoit.cn
Email Address []:yc_uuu@163.com
```

Fill in the certificate details in turn: country, state/province, city, organization, department, hostname, email.

Two caveats for anything beyond a lab. The Common Name entered here is yuchaoit.cn while the virtual host below serves www.yuchaoit.cn, and the certificate carries no subjectAltName; modern browsers ignore the CN and match the hostname only against the SAN, so they report a name mismatch on top of the untrusted-issuer warning. A validity of 36500 days is also rejected outright by some clients (Apple platforms cap TLS server certificates at 825 days); keep test certificates short-lived and regenerate them. Finally, the private key should be readable by root only (`chmod 600 server.key`), since anyone who can read it can impersonate the site or decrypt RSA-keyed sessions.

Check the private key and certificate:

```sh
[root@web-7 /etc/nginx/ssl_key]# ls
server.crt  server.key
```
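The interactive `openssl req` above produces a certificate with a CN but no subjectAltName. The script below is an added example, not part of the original tutorial: it generates the key and a self-signed certificate that carries a SAN in one non-interactive step, keeps the key file 0600, and adds two checks a practitioner runs before pointing nginx at the files (that the SAN is really there, and that the key matches the certificate). It assumes the openssl CLI is on PATH; the hostname and DN values are the tutorial's, the 825-day validity is the longest Apple clients still accept.

```shell
#!/bin/sh
# Added example, not from the original tutorial: a self-signed certificate that
# browsers will at least match by name (subjectAltName), plus two sanity checks.
# Assumes the openssl CLI is on PATH; hostname and DN values are the tutorial's.
set -eu

# make_selfsigned OUTDIR HOSTNAME
# Writes OUTDIR/server.key (mode 0600, no passphrase) and OUTDIR/server.crt.
make_selfsigned() {
    dir=$1
    host=$2
    mkdir -p "$dir"
    # prompt = no: take the DN from this file instead of asking interactively.
    # x509_extensions: put a SAN on the self-signed cert (modern browsers ignore CN).
    cat >"$dir/san.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_req

[dn]
C  = CN
ST = BJ
L  = BJ
O  = yuchaoit.cn
CN = $host

[v3_req]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$host
EOF
    # -nodes: unencrypted key so nginx can start unattended.
    # 825 days: the longest validity Apple clients still accept.
    # umask 077 makes the key file 0600 from the moment it is created.
    (umask 077 && openssl req -x509 -nodes -sha256 -newkey rsa:2048 -days 825 \
        -config "$dir/san.cnf" \
        -keyout "$dir/server.key" -out "$dir/server.crt" 2>/dev/null)
    chmod 644 "$dir/server.crt"
}

# cert_has_san CERT HOSTNAME: succeeds if HOSTNAME is listed as a DNS SAN
cert_has_san() {
    openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"
}

# key_matches_cert CERT KEY: succeeds if the key's public half is the one in the cert
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
    key_pub=$(openssl pkey -in "$2" -pubout)
    [ "$cert_pub" = "$key_pub" ]
}

# Stand-alone use: sh make_cert.sh /etc/nginx/ssl_key www.yuchaoit.cn
if [ $# -eq 2 ]; then
    make_selfsigned "$1" "$2"
    cert_has_san "$1/server.crt" "$2" && key_matches_cert "$1/server.crt" "$1/server.key" \
        && echo "ok: $1/server.crt carries SAN $2 and matches $1/server.key"
fi
```

The key-matches-certificate check is worth keeping in any deployment script: the most common cause of nginx refusing to start with "key values mismatch" is exactly the situation on this page, where one command generated a key and a later command silently replaced it.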
3. Configuring nginx
nginx.conf, the main configuration file:

```nginx
user nginx;
worker_processes auto;

error_log /var/log/nginx/error.log notice;
pid /var/run/nginx.pid;

events {
    worker_connections 1024;
}

http {
    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';

    access_log /var/log/nginx/access.log main;

    sendfile on;
    #tcp_nopush on;

    keepalive_timeout 65;

    #gzip on;

    include /etc/nginx/conf.d/*.conf;
}
```

ssl.conf: redirect plain HTTP to HTTPS, and the HTTPS virtual host

```nginx
server {
    listen 80;
    server_name www.yuchaoit.cn;
    # every request on port 80 is answered with a 302 to the same path over HTTPS
    rewrite ^(.*) https://$server_name$1 redirect;
}

server {
    listen 443 ssl;
    server_name www.yuchaoit.cn;
    # relative paths are resolved against the nginx prefix, i.e. /etc/nginx/ssl_key/
    ssl_certificate ssl_key/server.crt;
    ssl_certificate_key ssl_key/server.key;

    location / {
        root /www;
        index index.html;
    }
}
```
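The ssl.conf above leaves every TLS setting at nginx's defaults (older builds still accept TLS 1.0 and 1.1 that way) and uses a temporary 302 for the redirect. The following is an added example, not from the original tutorial, of the same virtual host with the settings a production deployment needs: a permanent redirect that preserves path and query string, TLS 1.2/1.3 only, a cipher list following the Mozilla intermediate profile, session resumption, and HSTS. The absolute certificate paths are an assumption matching the tutorial's /etc/nginx/ssl_key directory.

```nginx
# Added example (not the tutorial's ssl.conf): hardened www.yuchaoit.cn vhost.
server {
    listen 80;
    server_name www.yuchaoit.cn;
    # 301 keeps the original path and query string; $host is the name the client asked for
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name www.yuchaoit.cn;

    ssl_certificate     /etc/nginx/ssl_key/server.crt;
    ssl_certificate_key /etc/nginx/ssl_key/server.key;   # keep this file 0600, owned by root

    # TLS 1.2 and 1.3 only; SSLv3, TLS 1.0 and TLS 1.1 are refused
    ssl_protocols TLSv1.2 TLSv1.3;
    # AEAD suites with forward secrecy only (TLS 1.2 list; TLS 1.3 suites are built in)
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers off;

    # Session resumption via a server-side cache; tickets are off because a
    # long-lived ticket key would undo forward secrecy unless rotated
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 1d;
    ssl_session_tickets off;

    # HSTS: browsers will refuse plain HTTP to this host for max-age seconds.
    # Enable only once every subdomain is reachable over HTTPS.
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;

    location / {
        root  /www;
        index index.html;
    }
}
```

After `nginx -t` and a reload, check the effect from a client: `openssl s_client -connect 10.0.0.7:443 -servername www.yuchaoit.cn -tls1_1 </dev/null` must fail the handshake while `-tls1_2` succeeds, `curl -sI http://www.yuchaoit.cn/a?b=1` must return 301 with `Location: https://www.yuchaoit.cn/a?b=1`, and `curl -skI https://www.yuchaoit.cn` must show the Strict-Transport-Security header.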
4. Starting nginx (HTTPS)
Hosts entry on the client: 10.0.0.7 www.yuchaoit.cn

```sh
# Create test content
mkdir -p /www
cat >/www/index.html <<EOF
<meta charset=utf8>
Chao-ge teaches you nginx https; I am the web-7 machine
EOF
systemctl restart nginx
```

The browser warns that the self-signed certificate is not trusted (no known CA issued it), but after accepting the warning the site is served over HTTPS.
II. HTTPS on an nginx cluster (web-7, web-8)
Scenario 1: HTTPS end to end (encrypted from the client to the LB and again from the LB to the backends)
1. Deploying web-8

```sh
# Copy the certificate and key to web-8
[root@web-7 /etc/nginx/conf.d]# cd /etc/nginx/
[root@web-7 /etc/nginx]# ls
conf.d  fastcgi_params  mime.types  modules  nginx.conf  scgi_params  ssl_key  uwsgi_params
[root@web-7 /etc/nginx]# scp -r ssl_key 10.0.0.8:/etc/nginx/
# Copy the vhost configuration
[root@web-7 /etc/nginx]# scp -r conf.d/ssl.conf 10.0.0.8:/etc/nginx/conf.d/
```

On web-8, create the test page and restart nginx:

```sh
mkdir -p /www
cat >/www/index.html <<EOF
<meta charset=utf8>
Chao-ge teaches you nginx https; I am the web-8 machine
EOF
systemctl restart nginx
```

Copying the same private key to every host is fine for a lab; in production each server should hold its own key, or the key should be distributed through a secrets mechanism rather than scp.

2. Deploying the LB

```sh
# Get the same certificate and key onto the LB (run on web-7)
scp -r ssl_key 10.0.0.5:/etc/nginx/
```

Reverse proxy configuration, /etc/nginx/conf.d/ssl.conf on lb-5:

```nginx
upstream ssl_pools {
    server 172.16.1.7:443;
    server 172.16.1.8:443;
}

# Port 80 vhost: catch plain HTTP requests and redirect them to HTTPS on 443
server {
    listen 80;
    server_name www.yuchaoit.cn;
    rewrite ^(.*) https://$server_name$1 redirect;
}

server {
    # note the port and the ssl flag
    listen 443 ssl;
    server_name www.yuchaoit.cn;
    ssl_certificate ssl_key/server.crt;
    ssl_certificate_key ssl_key/server.key;

    # reverse proxy; the backends are HTTPS themselves, so proxy_pass uses https://
    location / {
        proxy_pass https://ssl_pools;
        include proxy_params;
    }
}
```

Reverse proxy parameter file (included as `proxy_params`, so it lives at /etc/nginx/proxy_params):

```nginx
proxy_set_header Host $http_host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_connect_timeout 30;
proxy_send_timeout 60;
proxy_read_timeout 60;
proxy_buffering on;
proxy_buffer_size 32k;
proxy_buffers 4 128k;
```

Check the syntax and restart:

```sh
[root@lb-5 /etc/nginx]# nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
[root@lb-5 /etc/nginx]# systemctl restart nginx
```
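In Scenario 1 the LB re-encrypts to the backends, but with the configuration above it never verifies who it is talking to: `proxy_ssl_verify` is off by default, so any host on the internal network that answers on 172.16.1.7:443 with any certificate would be accepted, and the "end to end" encryption authenticates nothing on the second hop. The block below is an added example, not from the original tutorial, of the LB's 443 server block with backend verification turned on. It assumes all backends present the tutorial's single self-signed server.crt (a self-signed certificate is its own trust anchor, so that file can serve as the trusted-certificate list), that proxy_params is the file shown above, and it uses yuchaoit.cn for the name check because that is the CN of the tutorial's certificate, which has no SAN; with a proper certificate use the SAN name.

```nginx
# Added example (not the tutorial's ssl.conf): LB verifies the backend certificate.
upstream ssl_pools {
    server 172.16.1.7:443;
    server 172.16.1.8:443;
}

server {
    listen 443 ssl;
    server_name www.yuchaoit.cn;
    ssl_certificate     ssl_key/server.crt;
    ssl_certificate_key ssl_key/server.key;

    location / {
        proxy_pass https://ssl_pools;
        include proxy_params;

        # Verify the backend certificate chain (nginx default: off).
        # Assumption: every backend serves the tutorial's self-signed server.crt,
        # so that file is the trust anchor.
        proxy_ssl_verify on;
        proxy_ssl_trusted_certificate /etc/nginx/ssl_key/server.crt;

        # Without proxy_ssl_name nginx would check the certificate against the
        # upstream name "ssl_pools" and fail. Send the name via SNI as well.
        proxy_ssl_server_name on;
        proxy_ssl_name yuchaoit.cn;

        # Same protocol floor on the internal hop as on the public one
        proxy_ssl_protocols TLSv1.2 TLSv1.3;

        # Tell the backend which scheme the client used
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

To confirm verification is really active, point `proxy_ssl_trusted_certificate` at an unrelated certificate, reload, and request the site: nginx must now answer 502 and log "upstream SSL certificate verify error" in error.log. Put the real file back afterwards.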
On the client, resolve the name to the LB: 10.0.0.5 www.yuchaoit.cn
Scenario 2: the LB terminates HTTPS on the public side; the backend web servers on the internal network speak plain HTTP and need no certificate
1. Deploying the LB
Edit /etc/nginx/conf.d/ssl.conf on lb-5:

```nginx
upstream ssl_pools {
    server 172.16.1.7;    # port 80, the default
    server 172.16.1.8;
}

# Port 80 vhost: catch plain HTTP requests and redirect them to HTTPS on 443
server {
    listen 80;
    server_name www.yuchaoit.cn;
    rewrite ^(.*) https://$server_name$1 redirect;
}

server {
    listen 443 ssl;
    server_name www.yuchaoit.cn;
    ssl_certificate ssl_key/server.crt;
    ssl_certificate_key ssl_key/server.key;

    # reverse proxy: plain HTTP from the LB to the backends
    location / {
        proxy_pass http://ssl_pools;
        include proxy_params;
    }
}
```

The LB-to-backend hop is now cleartext, so it must stay on the internal 172.16.1.0/24 network and the backends must not be reachable from outside. The backends also cannot tell that the client used HTTPS unless the LB says so; proxy_params only forwards X-Forwarded-For, not X-Forwarded-Proto, which is why section III has to force the flag on the PHP side.
2. Deploying the web servers (web-7 and web-8)
On web-7, /etc/nginx/conf.d/ssl.conf now only listens on port 80:

```nginx
server {
    listen 80;
    server_name www.yuchaoit.cn;
    location / {
        root /www;
        index index.html;
    }
}
```

Restart: `systemctl restart nginx`

On web-8, /etc/nginx/conf.d/ssl.conf is identical:

```nginx
server {
    listen 80;
    server_name www.yuchaoit.cn;
    location / {
        root /www;
        index index.html;
    }
}
```

Restart: `systemctl restart nginx`
III. HTTPS for WordPress
The FastCGI parameters must tell PHP that the request came in over HTTPS. WordPress decides whether to emit https:// URLs from `$_SERVER['HTTPS']`; because the LB terminates TLS and the backend only sees plain HTTP, that variable would otherwise be unset, and WordPress would either generate http:// links (mixed content) or keep redirecting to https:// while the LB keeps delivering http to it, producing a redirect loop.
1. LB configuration

```nginx
[root@lb-5 /etc/nginx/conf.d]# cat wordpress.conf
```

```nginx
upstream wordpress_pools {
    server 172.16.1.7;
    server 172.16.1.8;
}

# Port 80 vhost: catch plain HTTP requests and redirect them to HTTPS on 443
server {
    listen 80;
    server_name wordpress.yuchaoit.cn;
    rewrite ^(.*) https://$server_name$1 redirect;
}

server {
    listen 443 ssl;
    server_name wordpress.yuchaoit.cn;
    ssl_certificate ssl_key/server.crt;
    ssl_certificate_key ssl_key/server.key;

    # reverse proxy to the plain-HTTP backends
    location / {
        proxy_pass http://wordpress_pools;
        include proxy_params;
    }
}
```

2. Web servers
Both web servers need the FastCGI parameters adjusted so that nginx + php-fpm treat every request as HTTPS.
fastcgi_params (on both machines)

```nginx
# /etc/nginx/fastcgi_params on web-8 (and web-7)
fastcgi_param  QUERY_STRING       $query_string;
fastcgi_param  REQUEST_METHOD     $request_method;
fastcgi_param  CONTENT_TYPE       $content_type;
fastcgi_param  CONTENT_LENGTH     $content_length;

fastcgi_param  SCRIPT_NAME        $fastcgi_script_name;
fastcgi_param  REQUEST_URI        $request_uri;
fastcgi_param  DOCUMENT_URI       $document_uri;
fastcgi_param  DOCUMENT_ROOT      $document_root;
fastcgi_param  SERVER_PROTOCOL    $server_protocol;
fastcgi_param  REQUEST_SCHEME     $scheme;
fastcgi_param  HTTPS              $https if_not_empty;

fastcgi_param  GATEWAY_INTERFACE  CGI/1.1;
fastcgi_param  SERVER_SOFTWARE    nginx/$nginx_version;

fastcgi_param  REMOTE_ADDR        $remote_addr;
fastcgi_param  REMOTE_PORT        $remote_port;
fastcgi_param  SERVER_ADDR        $server_addr;
fastcgi_param  SERVER_PORT        $server_port;
fastcgi_param  SERVER_NAME        $server_name;

# PHP only, required if PHP was built with --enable-force-cgi-redirect
fastcgi_param  REDIRECT_STATUS    200;

# enable https: force the HTTPS flag for every request on this backend
fastcgi_param  HTTPS on;
```

The stock file already contains `fastcgi_param HTTPS $https if_not_empty;`, but `$https` is empty on a backend that receives plain HTTP, so that line sends nothing; the appended `HTTPS on` is what makes PHP see an HTTPS request. This is only correct because the backends are reached exclusively through the HTTPS listener on the LB.

nginx vhost for WordPress (both machines)

```sh
[root@web-8 /etc/nginx/conf.d]# ls
ssl.conf.bak  wordpress.conf
```

/etc/nginx/conf.d/wordpress.conf on web-8:

```nginx
server {
    listen 80;
    server_name wordpress.yuchaoit.cn;
    root /code/wordpress/;
    index index.php index.html;

    location ~ \.php$ {
        root /code/wordpress;
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}
```

```sh
[root@web-8 /etc/nginx/conf.d]# nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
[root@web-8 /etc/nginx/conf.d]# systemctl restart nginx
[root@web-8 /etc/nginx/conf.d]# systemctl restart php-fpm
```
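Appending `fastcgi_param HTTPS on;` to fastcgi_params marks every request on the backend as HTTPS, including one that reaches port 80 directly from the internal network. The block below is an added example, not from the original tutorial, of a backend vhost that instead derives the flag from the X-Forwarded-Proto header set by the LB and accepts traffic only from the LB, so nobody else can set that header. It covers both the Scenario 2 backends and the WordPress vhost. It assumes the stock fastcgi_params (without the appended line), that the LB's internal address is 172.16.1.5, and that proxy_params on lb-5 gains the line `proxy_set_header X-Forwarded-Proto $scheme;`.

```nginx
# Added example (not the tutorial's wordpress.conf).
# Prerequisite on lb-5, in /etc/nginx/proxy_params:
#     proxy_set_header X-Forwarded-Proto $scheme;

# http{} context (conf.d/*.conf is included there): derive PHP's HTTPS flag
# from the header the LB sets, instead of hard-coding "HTTPS on".
map $http_x_forwarded_proto $fastcgi_https {
    default "";
    https   "on";
}

server {
    listen 80;
    server_name wordpress.yuchaoit.cn;
    root  /code/wordpress;
    index index.php index.html;

    # Only the LB may reach this backend, so only the LB can set
    # X-Forwarded-Proto (assumption: lb-5's internal address is 172.16.1.5).
    allow 172.16.1.5;
    deny  all;

    location ~ \.php$ {
        # Refuse URLs whose .php target does not exist, so php-fpm never
        # resolves a path like /uploads/x.jpg/y.php to a different file.
        try_files $uri =404;

        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        # stock file: its "HTTPS $https if_not_empty" sends nothing on this plain-HTTP backend
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        # sent only when the LB reported that the client used HTTPS
        fastcgi_param HTTPS $fastcgi_https if_not_empty;
    }
}
```

With this in place, a request through the LB shows `$_SERVER['HTTPS'] == "on"` in PHP, while `curl -H 'X-Forwarded-Proto: https' http://172.16.1.7/` from any host other than the LB is answered with 403 before the header is ever looked at.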
3. Testing through the LB entry point
Client hosts entry: 10.0.0.5 www.yuchaoit.cn wordpress.yuchaoit.cn