Nginx HTTPS in practice

1. Single-server HTTPS configuration (hands-on)

1.1 nginx configuration

cat >/etc/nginx/conf.d/ssl.conf<<'EOF'
server {
  listen 443 ssl;   # 'ssl on;' is deprecated since nginx 1.15 and rejected by current releases; TLS is enabled on the listen line
  server_name cyc.com;
  ssl_certificate ssl_key/server.crt;
  ssl_certificate_key ssl_key/server.key;
  ssl_session_timeout 5m;
  ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
  ssl_protocols TLSv1.1 TLSv1.2;   # TLSv1.1 is deprecated (RFC 8996); "TLSv1.2 TLSv1.3" is the current recommendation
  ssl_prefer_server_ciphers on;
  location / {
    root /opt/code;
    index index.html;
  }
}
# Port 80: redirect to port 443
server {
  listen 80;
  server_name cyc.com;
  return 302 https://$server_name$request_uri;
}
EOF

1.2 Prepare test content and restart nginx

echo "https" >/opt/code/index.html
nginx -t && systemctl restart nginx   # validate the configuration before restarting

1.3 Test access

2. HTTPS cluster configuration (hands-on)

2.1 Architecture diagram

2.2 Environment hosts

https-proxy 192.168.10.4
wordpress1  192.168.10.5
wordpress2  192.168.10.7

2.3 WordPress nginx configuration

fastcgi_param HTTPS on;

# When WordPress is moved from HTTP to HTTPS this way (the proxy terminates TLS and talks plain HTTP to the backends), pages may fail to load or logins may fail unless this parameter is set.


2.3.1 wordpress1

]# cat /etc/nginx/conf.d/wordpress.conf
server {
    listen  80;
    server_name 192.168.10.5;
    root /opt/wordpress;
    index index.php index.html;

    location ~ \.php$ {
          try_files $uri =404;
          root /opt/wordpress;
          fastcgi_pass 192.168.10.5:9000;
          fastcgi_index index.php;
          fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
          fastcgi_param HTTPS on;
          include fastcgi_params;
    }
}

2.3.2 wordpress2

]# cat /etc/nginx/conf.d/wordpress.conf
server {
    listen  80;
    server_name 192.168.10.7;
    root /opt/wordpress;
    index index.php index.html;

    location ~ \.php$ {
          try_files $uri =404;
          root /opt/wordpress;
          fastcgi_pass 192.168.10.7:9000;
          fastcgi_index index.php;
          fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
          fastcgi_param HTTPS on;
          include fastcgi_params;
    }
}

2.4 Create the CA certificate on the Nginx load balancer

2.5 Nginx + HTTPS + load balancing configuration

cat >/etc/nginx/conf.d/ssl.conf<<'EOF'
upstream site {
  server 192.168.10.5 max_fails=2 fail_timeout=10s;
  server 192.168.10.7 max_fails=2 fail_timeout=10s;
}
server {
  listen 443 ssl;   # 'ssl on;' is deprecated since nginx 1.15 and rejected by current releases; TLS is enabled on the listen line
  server_name cyc.com;
  root /opt/wordpress;
  index index.php index.html;
  add_header Content-Security-Policy upgrade-insecure-requests;
  ssl_certificate ssl_key/server.crt;
  ssl_certificate_key ssl_key/server.key;
  ssl_session_timeout 5m;
  ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
  ssl_protocols TLSv1.1 TLSv1.2;   # TLSv1.1 is deprecated (RFC 8996); "TLSv1.2 TLSv1.3" is the current recommendation
  ssl_prefer_server_ciphers on;
  location / {
    proxy_pass http://site;
    include proxy_params;
  }
}
# Port 80: redirect to port 443
server {
  listen 80;
  server_name cyc.com;
  return 302 https://$server_name$request_uri;
}
EOF
nginx -t && systemctl restart nginx   # validate the configuration before restarting

2.6 Test access

3. HTTPS optimization in practice

3.1 Optimization points

SSL computation costs extra CPU, and the handshake phase of an SSL session is the most CPU-intensive part. The following points can be tuned:
1. Set the number of worker processes equal to the number of CPU cores: worker_processes auto;
2. Enable keepalive connections, so that a single connection carries more requests.
3. Enable the shared session cache, which is shared by all worker processes, so that repeated SSL handshakes are avoided.
4. Disable the builtin cache (the one built into OpenSSL), which can only be used by a single worker process. [Using the shared cache alone means builtin is not used]
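As an added example, not part of the original post, a small Python audit that applies the points above to an nginx config file: it splits the file into server blocks, reads the TLS directives of each HTTPS block, and reports a deprecated `ssl on`, deprecated protocol versions, and a missing shared session cache. The sample configuration is constructed from section 1's ssl.conf in its original `ssl on` form; the directive names are real nginx directives, while the checks and messages are this example's own.

```python
import re

# Constructed sample: the TLS directives of section 1's ssl.conf, abridged from the page
SAMPLE_CONF = """
server {
  listen 443;
  server_name cyc.com;
  ssl on;
  ssl_certificate ssl_key/server.crt;
  ssl_session_timeout 5m;
  ssl_protocols TLSv1.1 TLSv1.2;
}
server {
  listen 80;
  server_name cyc.com;
  return 302 https://$server_name$request_uri;
}
"""
DIRECTIVE = re.compile(r"^\s*([a-z_]+)\s+([^;{}]*);", re.M)

def server_blocks(conf):
    """Yield the body of every 'server { ... }' block, matched by brace counting."""
    for m in re.finditer(r"\bserver\s*\{", conf):
        depth = 1
        for i in range(m.end(), len(conf)):
            depth += (conf[i] == "{") - (conf[i] == "}")
            if depth == 0:
                yield conf[m.end():i]
                break

def directives(block):
    """Map directive name -> argument list, comments stripped (last occurrence wins)."""
    return {m.group(1): m.group(2).split() for m in DIRECTIVE.finditer(re.sub(r"#.*", "", block))}

def lint_tls(conf):
    """Return findings for each TLS-terminating server block; plain-HTTP blocks are skipped."""
    findings = []
    for d in map(directives, server_blocks(conf)):
        if d.get("ssl") != ["on"] and "ssl_certificate" not in d:
            continue
        who = " ".join(d.get("server_name", ["?"]))
        if d.get("ssl") == ["on"]:
            findings.append(f"{who}: 'ssl on' is deprecated, use 'listen 443 ssl' instead")
        for old in ("SSLv3", "TLSv1", "TLSv1.1"):
            if old in d.get("ssl_protocols", []):
                findings.append(f"{who}: ssl_protocols still allows deprecated {old}")
        if not any(a.startswith("shared:") for a in d.get("ssl_session_cache", [])):
            findings.append(f"{who}: no shared ssl_session_cache (builtin alone is per-worker)")
    return findings
```

Running `lint_tls` on the sample yields three findings for the cyc.com block and none for the port-80 redirect block; the same function can be pointed at the real /etc/nginx/conf.d/ssl.conf by reading the file into a string.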

3.2 Optimized nginx configuration

cat >/etc/nginx/conf.d/ssl.conf<<'EOF'
upstream site {
  server 192.168.10.5 max_fails=2 fail_timeout=10s;
  server 192.168.10.7 max_fails=2 fail_timeout=10s;
}
server {
  listen 443 ssl;   # 'ssl on;' is deprecated since nginx 1.15 and rejected by current releases; TLS is enabled on the listen line
  server_name cyc.com;
  root /opt/wordpress;
  index index.php index.html;
  add_header Content-Security-Policy upgrade-insecure-requests;
  ssl_certificate ssl_key/server.crt;
  ssl_certificate_key ssl_key/server.key;
  ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
  ssl_protocols TLSv1.1 TLSv1.2;   # TLSv1.1 is deprecated (RFC 8996); "TLSv1.2 TLSv1.3" is the current recommendation
  ssl_prefer_server_ciphers on;
  keepalive_timeout 60s;
  ssl_session_cache shared:SSL:10m;   # shared cache only (no builtin), see 3.1; the cache name was misspelled "SLL" in the original
  ssl_session_timeout 5m;
  location / {
    proxy_pass http://site;
    include proxy_params;
  }
}
# Port 80: redirect to port 443
server {
  listen 80;
  server_name cyc.com;
  return 302 https://$server_name$request_uri;
}
EOF
# Directive notes
ssl_prefer_server_ciphers on;      # the server's cipher-suite preference, not the browser's, decides which suite is negotiated
keepalive_timeout 60s;             # keep-alive: after the handshake the connection stays open; if it drops and the client reconnects within the session timeout, the cached session is reused instead of performing a full handshake again
ssl_session_cache shared:SSL:10m;  # 1 MB of cache holds roughly 4000 sessions
ssl_session_timeout 30m;           # session lifetime (the default is 5 minutes)


posted @ 2023-05-03 10:08  小粉优化大师