Deploying an ASP.NET Core MVC SSL site to CentOS with Nginx as a reverse proxy
1. First create the MVC project locally, for example under ~/Downloads
2. Generate the SSL certificate the MVC site will use
2.1. Generate the .key file
openssl genrsa -des3 -out server.key 2048
You will be prompted for a passphrase (entered twice); remember it.
This creates server.key in the current directory.
2.2. Generate the .crt file
openssl req -new -x509 -key server.key -out server.crt -days 3650
You will be prompted for the server.key passphrase.
Then answer the prompts: Country Name: CN
State or Province Name: SH
Locality Name: shanghai
Organization Name: can be left blank
Organizational Unit Name: can be left blank
Common Name: can be left blank
Email Address: enter an email address
This creates server.crt in the current directory.
2.3. Generate the .pfx file
openssl pkcs12 -export -out server.pfx -inkey server.key -in server.crt
You are prompted for the server.key passphrase,
then for the password of the .pfx file about to be created (entered twice).
This creates server.pfx in the current directory.
3. Modify the code to enable HTTPS and use the certificate
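The three OpenSSL steps above, run non-interactively and followed by the checks a deployer wants before copying server.pfx into the site root: that the certificate really belongs to the key, that the .pfx opens with the password that will go into UseHttps(), and that the certificate is not about to expire. This is an added example, not a script from the original post; it assumes the OpenSSL CLI is on PATH, and the passphrases and the subject (including CN=localhost, which browsers expect to match the hostname they connect to) are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): section 2 of the post run
# end-to-end without interactive prompts, plus post-generation checks.
# Assumptions: openssl on PATH; KEY_PASS, PFX_PASS and SUBJ are constructed
# placeholders, not values from the post.
set -eu

KEY_PASS="${KEY_PASS:-changeit-key}"        # constructed; the post asks for it interactively
PFX_PASS="${PFX_PASS:-changeit-pfx}"        # constructed; becomes the second UseHttps() argument
SUBJ="/C=CN/ST=SH/L=shanghai/CN=localhost"  # mirrors the answers given in step 2.2; CN is constructed

# Generate server.key, server.crt and server.pfx inside directory $1.
make_kestrel_cert() {
    dir="$1"
    mkdir -p "$dir"
    # 2.1: passphrase-protected RSA private key
    openssl genrsa -des3 -passout "pass:$KEY_PASS" -out "$dir/server.key" 2048 2>/dev/null
    # 2.2: self-signed certificate valid for 10 years
    openssl req -new -x509 -key "$dir/server.key" -passin "pass:$KEY_PASS" \
        -out "$dir/server.crt" -days 3650 -subj "$SUBJ" 2>/dev/null
    # 2.3: PKCS#12 bundle that Kestrel loads with UseHttps()
    openssl pkcs12 -export -out "$dir/server.pfx" -inkey "$dir/server.key" \
        -passin "pass:$KEY_PASS" -in "$dir/server.crt" -passout "pass:$PFX_PASS"
}

# Return 0 when the certificate's public key matches the private key
# (compares the RSA modulus of both, hashed so the comparison is short).
cert_matches_key() {
    dir="$1"
    k=$(openssl rsa -in "$dir/server.key" -passin "pass:$KEY_PASS" -noout -modulus 2>/dev/null | openssl dgst -sha256)
    c=$(openssl x509 -in "$dir/server.crt" -noout -modulus | openssl dgst -sha256)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Return 0 when the .pfx in directory $1 opens with password $2 and yields a certificate.
pfx_is_readable() {
    openssl pkcs12 -in "$1/server.pfx" -passin "pass:$2" -nokeys 2>/dev/null \
        | openssl x509 -noout -subject >/dev/null 2>&1
}

# Return 0 when the certificate in directory $1 is still valid $2 seconds from now.
cert_not_expiring_within() {
    openssl x509 -in "$1/server.crt" -noout -checkend "$2" >/dev/null
}

# Stand-alone use: sh make-cert.sh <output-dir>
if [ "$#" -gt 0 ]; then
    make_kestrel_cert "$1"
    cert_matches_key "$1" && pfx_is_readable "$1" "$PFX_PASS" && echo "ok: $1/server.pfx"
fi
```

Running it with a directory argument produces the same three files as the manual steps. The same checks can be rerun on a server before a restart, which is how an expired or mismatched Kestrel certificate gets caught before nginx starts returning 502s.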
using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;
using System.Net;
using System.Threading.Tasks;
using Microsoft.AspNetCore;
using Microsoft.AspNetCore.Hosting;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.Logging;

namespace RemoteDemo
{
    public class Program
    {
        public static void Main(string[] args)
        {
            CreateWebHostBuilder(args).Build().Run();
        }

        public static IWebHostBuilder CreateWebHostBuilder(string[] args) =>
            WebHost.CreateDefaultBuilder(args)
                .UseKestrel(options =>
                {
                    // Plain HTTP listener; this is the port nginx proxies to.
                    options.Listen(IPAddress.Any, 5000);
                    options.Listen(IPAddress.Any, 5001, listenOptions =>
                    {
                        // Copy the .pfx generated earlier into the site root and set it to "always copy" in the IDE.
                        // The second argument is the .pfx password chosen in step 2.3.
                        listenOptions.UseHttps("server.pfx", "pfx password");
                    });
                })
                .UseStartup<Startup>();
    }
}
4. Install nginx
sudo yum install epel-release
sudo yum install nginx
# enable nginx at boot and start it
sudo systemctl enable nginx
sudo systemctl start nginx
# open ports 80 and 443 in the firewall
sudo firewall-cmd --permanent --zone=public --add-service=http
sudo firewall-cmd --permanent --zone=public --add-service=https
sudo firewall-cmd --reload
5. On the server, generate the SSL certificate nginx will use
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/ssl/private/nginx-selfsigned.key -out /etc/ssl/certs/nginx-selfsigned.crt
sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048
6. Edit the Nginx configuration file, which by default lives under /etc/nginx/
vim /etc/nginx/nginx.conf
Example:
# For more information on configuration, see:
#   * Official English Documentation: http://nginx.org/en/docs/
#   * Official Russian Documentation: http://nginx.org/ru/docs/

user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;

# Load dynamic modules. See /usr/share/nginx/README.dynamic.
include /usr/share/nginx/modules/*.conf;

events {
    worker_connections 1024;
}

http {
    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;

    sendfile            on;
    tcp_nopush          on;
    tcp_nodelay         on;
    keepalive_timeout   65;
    types_hash_max_size 2048;

    include             /etc/nginx/mime.types;
    default_type        application/octet-stream;

    # Load modular configuration files from the /etc/nginx/conf.d directory.
    # See http://nginx.org/en/docs/ngx_core_module.html#include
    # for more information.
    include /etc/nginx/conf.d/*.conf;

    server {
        listen       80 default_server;
        listen       [::]:80 default_server;
        server_name  _;
        root         /usr/share/nginx/html;

        # Load configuration files for the default server block.
        include /etc/nginx/default.d/*.conf;

        location / {
        }

        error_page 404 /404.html;
            location = /40x.html {
        }

        error_page 500 502 503 504 /50x.html;
            location = /50x.html {
        }
    }

    server {
        listen 443 ssl http2 default_server;
        listen [::]:443 ssl http2 default_server;
        ssl_certificate /etc/ssl/certs/nginx-selfsigned.crt;
        ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key;
        ssl_dhparam /etc/ssl/certs/dhparam.pem;

        location / {
            proxy_pass http://localhost:5000;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection keep-alive;
            proxy_set_header Host $host;
            proxy_cache_bypass $http_upgrade;
        }
    }

# Settings for a TLS enabled server.
#
#    server {
#        listen       443 ssl http2 default_server;
#        listen       [::]:443 ssl http2 default_server;
#        server_name  _;
#        root         /usr/share/nginx/html;
#
#        ssl_certificate "/etc/pki/nginx/server.crt";
#        ssl_certificate_key "/etc/pki/nginx/private/server.key";
#        ssl_session_cache shared:SSL:1m;
#        ssl_session_timeout  10m;
#        ssl_ciphers HIGH:!aNULL:!MD5;
#        ssl_prefer_server_ciphers on;
#
#        # Load configuration files for the default server block.
#        include /etc/nginx/default.d/*.conf;
#
#        location / {
#        }
#
#        error_page 404 /404.html;
#            location = /40x.html {
#        }
#
#        error_page 500 502 503 504 /50x.html;
#            location = /50x.html {
#        }
#    }

}
After editing, verify that the configuration is valid
nginx -t
Restart the nginx service
systemctl restart nginx
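A pre-deploy check to run before nginx -t, as an added example that is not part of the original post. The 443 server block in section 6 terminates TLS in nginx and forwards plain HTTP to port 5000, so the Kestrel certificate on port 5001 is only reached by clients that bypass nginx. It also relies on nginx defaults for protocol versions, cipher selection and session caching, and it does not forward X-Forwarded-For or X-Forwarded-Proto, so the application cannot tell the client address or that the original request was HTTPS. The script below lints a config file for those directives and contains two constructed server blocks: a copy of the posted one, and a hardened variant that adds them (ssl_ciphers, ssl_prefer_server_ciphers and ssl_session_cache take the values from the commented-out template in the same nginx.conf; the ssl_protocols line is an assumption of this example).

```shell
#!/bin/sh
# Added example (not from the original post): a grep-based lint of an nginx
# TLS server block. The two embedded server blocks are constructed for this
# check; certificate paths mirror section 5 of the post.
set -eu

# Directives a TLS-terminating reverse proxy block should carry.
# "directive:first-argument" pins a specific proxy_set_header line.
REQUIRED_DIRECTIVES="ssl_protocols ssl_ciphers ssl_prefer_server_ciphers ssl_session_cache proxy_set_header:X-Forwarded-For proxy_set_header:X-Forwarded-Proto"

# Print each required directive missing from config file $1; return 0 when none are missing.
audit_nginx_tls() {
    file="$1"
    missing=0
    for item in $REQUIRED_DIRECTIVES; do
        case "$item" in
            *:*) directive="${item%%:*}"; arg="${item#*:}" ;;
            *)   directive="$item";       arg="" ;;
        esac
        # Anchor at line start so commented-out ("# ...") directives do not count.
        pattern="^[[:space:]]*${directive}[[:space:]]"
        if [ -n "$arg" ]; then
            pattern="${pattern}+${arg}[[:space:]]"
        fi
        if ! grep -Eq "$pattern" "$file"; then
            echo "missing: $directive $arg"
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}

# Constructed copy of the 443 block from section 6, written to file $1.
write_posted_block() {
    cat > "$1" <<'EOF'
server {
    listen 443 ssl http2 default_server;
    listen [::]:443 ssl http2 default_server;
    ssl_certificate /etc/ssl/certs/nginx-selfsigned.crt;
    ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key;
    ssl_dhparam /etc/ssl/certs/dhparam.pem;
    location / {
        proxy_pass http://localhost:5000;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection keep-alive;
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
    }
}
EOF
}

# Constructed hardened variant of the same block, written to file $1.
# ssl_protocols is this example's assumption; the other TLS values come from
# the commented template in the post's nginx.conf.
write_hardened_block() {
    cat > "$1" <<'EOF'
server {
    listen 443 ssl http2 default_server;
    listen [::]:443 ssl http2 default_server;
    server_name _;
    ssl_certificate /etc/ssl/certs/nginx-selfsigned.crt;
    ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key;
    ssl_dhparam /etc/ssl/certs/dhparam.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 10m;
    location / {
        proxy_pass http://localhost:5000;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection keep-alive;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_cache_bypass $http_upgrade;
    }
}
EOF
}

# Stand-alone use: sh audit-nginx.sh /etc/nginx/nginx.conf
if [ "$#" -gt 0 ]; then
    audit_nginx_tls "$1" && echo "ok: $1"
fi
```

Once X-Forwarded-Proto is sent, the ASP.NET Core side must also be told to trust it (the ForwardedHeaders middleware in Microsoft.AspNetCore.HttpOverrides), otherwise the application still believes every request arrived over plain HTTP on port 5000.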