Nginx-https实践

1、HTTPS单台配置-实战

1.1、nginx配置

cat >/etc/nginx/conf.d/ssl.conf<<'EOF'
server {
  listen 443;
  server_name cyc.com;
  ssl on;
  ssl_certificate ssl_key/server.crt;
  ssl_certificate_key ssl_key/server.key;
  ssl_session_timeout 5m;
  ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
  ssl_protocols TLSv1.1 TLSv1.2;
  ssl_prefer_server_ciphers on;
  location / {
    root /opt/code;
    index index.html;
  }
}
# 80端口,重定向至443端口
server {
  listen 80;
  server_name cyc.com;
  return 302 https://$server_name$request_uri;
}
EOF

1.2、准备测试代码且重新加载nginx

echo "https" >/opt/code/index.html 
systemctl restart nginx

1.3、测试访问

2、HTTPS集群配置-实践

2.1、架构图

2.2、环境主机准备

https-proxy 192.168.10.4
wordpress1  192.168.10.5
wordpress2  192.168.10.7

2.3、wordpress nginx配置

fastcgi_param        HTTPS    on;

# 如果要将wordpress的http方式改造为https方式,可能会造成页面加载不成功或着无法登陆。

 

2.3.1、wordpress1

]# cat /etc/nginx/conf.d/wordpress.conf 
server {
    listen  80;
    server_name 192.168.10.5;
    root /opt/wordpress;
    index index.php index.html;

    location ~ \.php$ {
          try_files $uri =404;
          root /opt/wordpress;
          fastcgi_pass 192.168.10.5:9000;
          fastcgi_index index.php;
          fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param HTTPS on; include fastcgi_params; } }

2.3.2、wordpress2

]# cat /etc/nginx/conf.d/wordpress.conf 
server {
    listen  80;
    server_name 192.168.10.7;
    root /opt/wordpress;
    index index.php index.html;

    location ~ \.php$ {
          try_files $uri =404;
          root /opt/wordpress;
          fastcgi_pass 192.168.10.7:9000;
          fastcgi_index index.php;
          fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param HTTPS on; include fastcgi_params; } }

2.4、Nginx负载均衡创建CA证书

2.5、Nginx+https+负载均衡-配置

cat >/etc/nginx/conf.d/ssl.conf<<'EOF'
upstream site {
  server 192.168.10.5 max_fails=2 fail_timeout=10s;
  server 192.168.10.7 max_fails=2 fail_timeout=10s;
}
server {
  listen 443;
  server_name cyc.com;
  root /opt/wordpress;
  index index.php index.html;
  add_header Content-Security-Policy upgrade-insecure-requests;
  ssl on;
  ssl_certificate ssl_key/server.crt;
  ssl_certificate_key ssl_key/server.key;
  ssl_session_timeout 5m;
  ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
  ssl_protocols TLSv1.1 TLSv1.2;
  ssl_prefer_server_ciphers on;
  location / {
    proxy_pass http://site;
    include proxy_params;
  }
}
# 80端口,重定向至443端口
server {
  listen 80;
  server_name cyc.com;
  return 302 https://$server_name$request_uri;
}
EOF
systemctl restart nginx

2.6、测试访问

3、HTTPS优化配置实践

3.1、优化点

SSL的运行计算需要消耗额外的CPU资源,SSL通讯过程中『握手』阶段的运算最占用CPU资源,
有如下几个方面可以进行调整与优化。
1、设置worker进程数设置为等于CPU处理器的核心数。worker_processes auto;
2、启用keepalive长连接,一个连接发送更多个请求。
3、启用shared 会话缓存,所有worker工作进程之间共享的缓存,避免进行多次SSL握手。
4、禁用builtin 内置于OpenSSL中的缓存,仅能供一个worker工作进程使用。[使用shared缓存即禁止builtin]

3.2、优化后的nginx配置 

cat >/etc/nginx/conf.d/ssl.conf<<'EOF'
upstream site {
  server 192.168.10.5 max_fails=2 fail_timeout=10s;
  server 192.168.10.7 max_fails=2 fail_timeout=10s;
}
server {
  listen 443;
  server_name cyc.com;
  root /opt/wordpress;
  index index.php index.html;
  add_header Content-Security-Policy upgrade-insecure-requests;
  ssl on;
  ssl_certificate ssl_key/server.crt;
  ssl_certificate_key ssl_key/server.key;
  ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
  ssl_protocols TLSv1.1 TLSv1.2;
  ssl_prefer_server_ciphers on;
  keepalive_timeout 60s;
  ssl_session_cache shared:SLL:10m;
  ssl_session_timeout 5m;
  location / {
    proxy_pass http://site;
    include proxy_params;
  }
}
# 80端口,重定向至443端口
server {
  listen 80;
  server_name cyc.com;
  return 302 https://$server_name$request_uri;
}
EOF
# 配置属性解析 ssl_prefer_server_ciphers on; # Nginx决定使用哪些协议与浏览器进行通讯 keepalive_timeout 60s; # 设置长连接,建立握手后如果连接断开,在session_timeout时间内再次连接,无需再次建立握手,可直接复用之间缓存的连接。 ssl_session_cache shared:SLL:10m; # 1M缓存空间能存储4000个会话数量 ssl_session_timeout 30m; # 配置会话超时时间默认5分钟)

 

posted @ 2023-05-03 10:08  小粉优化大师  阅读(39)  评论(0编辑  收藏  举报