Nginx HTTPS in practice
1. Single-host HTTPS configuration (hands-on)
1.1 nginx configuration
cat >/etc/nginx/conf.d/ssl.conf<<'EOF'
server {
    listen 443 ssl;        # 'ssl on;' is the older spelling; it was removed in nginx 1.25.1
    server_name cyc.com;
    ssl_certificate ssl_key/server.crt;
    ssl_certificate_key ssl_key/server.key;
    ssl_session_timeout 5m;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
    ssl_protocols TLSv1.1 TLSv1.2;   # TLS 1.0/1.1 are deprecated (RFC 8996); current nginx accepts TLSv1.2 TLSv1.3
    ssl_prefer_server_ciphers on;
    location / {
        root /opt/code;
        index index.html;
    }
}
# port 80: redirect to port 443
server {
    listen 80;
    server_name cyc.com;
    return 302 https://$server_name$request_uri;
}
EOF
1.2 Prepare test content and reload nginx
echo "https" >/opt/code/index.html
systemctl restart nginx
1.3 Test access
2. HTTPS cluster configuration (hands-on)
2.1 Architecture diagram
2.2 Hosts
https-proxy   192.168.10.4
wordpress1    192.168.10.5
wordpress2    192.168.10.7
2.3 WordPress nginx configuration
fastcgi_param HTTPS on;
# When a WordPress site is converted from HTTP to HTTPS, pages may fail to load or the login may stop working unless this parameter is passed: the backend only ever sees plain HTTP from the proxy, so without HTTPS=on PHP (and WordPress) treats the request as insecure and builds http:// links.
2.3.1 wordpress1
]# cat /etc/nginx/conf.d/wordpress.conf
server {
    listen 80;
    server_name 192.168.10.5;
    root /opt/wordpress;
    index index.php index.html;
    location ~ \.php$ {
        try_files $uri =404;
        root /opt/wordpress;
        fastcgi_pass 192.168.10.5:9000;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param HTTPS on;   # tell PHP the client connection is TLS (terminated at the proxy)
        include fastcgi_params;
    }
}
2.3.2 wordpress2
]# cat /etc/nginx/conf.d/wordpress.conf
server {
    listen 80;
    server_name 192.168.10.7;
    root /opt/wordpress;
    index index.php index.html;
    location ~ \.php$ {
        try_files $uri =404;
        root /opt/wordpress;
        fastcgi_pass 192.168.10.7:9000;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param HTTPS on;   # tell PHP the client connection is TLS (terminated at the proxy)
        include fastcgi_params;
    }
}
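Why the `fastcgi_param HTTPS on;` line in both backend configs matters, as an added example that is not part of the original post: `is_ssl()` is a port of the check WordPress makes in wp-includes/load.php, while `fastcgi_env`, `absolute_url`, `upgrade_insecure_requests` and `browser_fetch` are simplified models constructed here to show the effect of the parameter and of the `Content-Security-Policy: upgrade-insecure-requests` header set on the proxy.

```python
"""Why the backend needs `fastcgi_param HTTPS on;` behind a TLS-terminating proxy.

Added example, not code from the post. is_ssl() is a port of WordPress's
check in wp-includes/load.php; the CGI environment and browser mixed-content
behaviour below are simplified models constructed for illustration.
"""

def is_ssl(server):
    """WordPress is_ssl(): true only if HTTPS is 'on'/'1', else if SERVER_PORT is 443."""
    https = server.get("HTTPS")
    if https is not None:
        return https.lower() == "on" or https == "1"
    return server.get("SERVER_PORT") == "443"

def fastcgi_env(host, port, uri, extra_params=None):
    """Model of the variables nginx's fastcgi_params hands to PHP-FPM for one request.
    On the backends in 2.3 the proxied request arrives as plain HTTP on port 80, so
    nothing here says 'HTTPS' unless an explicit fastcgi_param adds it."""
    env = {"SERVER_NAME": host, "SERVER_PORT": str(port), "REQUEST_URI": uri,
           "SERVER_PROTOCOL": "HTTP/1.1"}
    env.update(extra_params or {})
    return env

def absolute_url(server, path):
    """Absolute URL the application would emit: the scheme is chosen by is_ssl()."""
    scheme = "https" if is_ssl(server) else "http"
    return f"{scheme}://{server['SERVER_NAME']}{path}"

def upgrade_insecure_requests(url):
    """CSP upgrade-insecure-requests (added on the proxy in 2.5): the browser rewrites
    http: subresource URLs to https: before fetching them."""
    return "https://" + url[len("http://"):] if url.startswith("http://") else url

def browser_fetch(page_https, asset_url, csp_upgrade=False):
    """URL the browser loads for an active asset (script/stylesheet) on the page, or
    None when mixed-content blocking stops a plain-http asset on an https page."""
    if csp_upgrade:
        asset_url = upgrade_insecure_requests(asset_url)
    if page_https and asset_url.startswith("http://"):
        return None
    return asset_url

if __name__ == "__main__":
    without = fastcgi_env("cyc.com", 80, "/")
    with_param = fastcgi_env("cyc.com", 80, "/", {"HTTPS": "on"})
    for env in (without, with_param):
        link = absolute_url(env, "/wp-includes/js/jquery.js")
        print(link, "->", browser_fetch(True, link), "| with CSP:", browser_fetch(True, link, True))
```

Without the parameter the backend emits `http://cyc.com/...` links, which the browser blocks as mixed content on the HTTPS page; the CSP header papers over that by upgrading the URLs, but setting `HTTPS on` fixes the scheme at the source.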
2.4 Create the CA certificate on the Nginx load balancer
2.5 Nginx + HTTPS + load balancing: configuration
cat >/etc/nginx/conf.d/ssl.conf<<'EOF'
upstream site {
    server 192.168.10.5 max_fails=2 fail_timeout=10s;
    server 192.168.10.7 max_fails=2 fail_timeout=10s;
}
server {
    listen 443 ssl;        # 'ssl on;' is the older spelling; it was removed in nginx 1.25.1
    server_name cyc.com;
    root /opt/wordpress;
    index index.php index.html;
    add_header Content-Security-Policy upgrade-insecure-requests;
    ssl_certificate ssl_key/server.crt;
    ssl_certificate_key ssl_key/server.key;
    ssl_session_timeout 5m;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
    ssl_protocols TLSv1.1 TLSv1.2;   # TLS 1.0/1.1 are deprecated (RFC 8996); current nginx accepts TLSv1.2 TLSv1.3
    ssl_prefer_server_ciphers on;
    location / {
        proxy_pass http://site;
        include proxy_params;
    }
}
# port 80: redirect to port 443
server {
    listen 80;
    server_name cyc.com;
    return 302 https://$server_name$request_uri;
}
EOF
systemctl restart nginx
2.6 Test access
3. HTTPS optimisation in practice
3.1 What to optimise
TLS costs extra CPU, and the handshake is the most CPU-intensive phase of a TLS session. The following can be tuned:
1. Set the number of worker processes equal to the number of CPU cores: worker_processes auto;
2. Enable keepalive so that one connection carries many requests.
3. Enable the shared session cache, which all worker processes share, so that returning clients avoid repeating the full TLS handshake.
4. Disable the builtin cache (OpenSSL's own), which can only be used by a single worker process. [Using the shared cache means not using builtin.]
3.2 nginx configuration after optimisation
cat >/etc/nginx/conf.d/ssl.conf<<'EOF'
upstream site {
    server 192.168.10.5 max_fails=2 fail_timeout=10s;
    server 192.168.10.7 max_fails=2 fail_timeout=10s;
}
server {
    listen 443 ssl;        # 'ssl on;' is the older spelling; it was removed in nginx 1.25.1
    server_name cyc.com;
    root /opt/wordpress;
    index index.php index.html;
    add_header Content-Security-Policy upgrade-insecure-requests;
    ssl_certificate ssl_key/server.crt;
    ssl_certificate_key ssl_key/server.key;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
    ssl_protocols TLSv1.1 TLSv1.2;   # TLS 1.0/1.1 are deprecated (RFC 8996); current nginx accepts TLSv1.2 TLSv1.3
    ssl_prefer_server_ciphers on;
    keepalive_timeout 60s;
    ssl_session_cache shared:SSL:10m;   # cache name was misspelt "SLL" in the original; any name works, but keep it consistent
    ssl_session_timeout 5m;
    location / {
        proxy_pass http://site;
        include proxy_params;
    }
}
# port 80: redirect to port 443
server {
    listen 80;
    server_name cyc.com;
    return 302 https://$server_name$request_uri;
}
EOF
# Directive notes
ssl_prefer_server_ciphers on;       # Nginx, not the browser, decides which cipher suite the connection uses
keepalive_timeout 60s;              # keep the connection open so later requests reuse it; a client that reconnects within ssl_session_timeout resumes the cached session without a new full handshake
ssl_session_cache shared:SSL:10m;   # 1 MB of cache space holds about 4000 sessions
ssl_session_timeout 30m;            # how long a cached session stays valid (the default is 5 minutes)
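As an added example (not code from the original post), here is a small reviewer that parses an nginx `server {}` block and checks it against the points in 3.1 (shared session cache, session timeout, keepalive, server cipher preference); it also applies to the single-host config in 1.1. Two caveats it flags go beyond the post: `ssl on;` was removed in nginx 1.25.1 (use `listen 443 ssl;`), and TLS 1.0/1.1 are deprecated by RFC 8996. The two sample configs are constructed from the post's 3.2 and 1.1 blocks (the 3.2 sample keeps the old `ssl on;` spelling so that check fires; the upstream block is omitted).

```python
"""Review the TLS directives of nginx server{} blocks (added example, not the post's code).
Checks the 3.1 points (shared session cache, session timeout, keepalive, server cipher
preference) plus two caveats for current nginx: 'ssl on;' was removed in 1.25.1 and
TLS 1.0/1.1 are deprecated by RFC 8996. The sample configs are constructed from the post."""
import re

# Constructed: the optimised ssl.conf from 3.2 (old 'ssl on;' spelling, upstream omitted).
OPTIMISED_CONF = """server {
    listen 443;
    server_name cyc.com;
    ssl on;
    ssl_certificate ssl_key/server.crt;
    ssl_certificate_key ssl_key/server.key;
    ssl_protocols TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    keepalive_timeout 60s;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 5m;
    location / { proxy_pass http://site; }   # comments are stripped
}
server {
    listen 80;
    server_name cyc.com;
    return 302 https://$server_name$request_uri;
}"""

# Constructed: the single-host config from 1.1, which sets no session cache.
BASIC_CONF = """server {
    listen 443 ssl;
    ssl_session_timeout 5m;
    ssl_protocols TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    location / { root /opt/code; index index.html; }
}"""

LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

def tokenize(text):
    """Words, '{', '}' and ';' with '#' comments dropped (quoted args with spaces unsupported)."""
    return re.findall(r"[{};]|[^\s{};]+", re.sub(r"#[^\n]*", "", text))

def parse(text):
    """Block tree: {'name', 'args', 'directives': [(name, args)], 'children': [...]}."""
    root = {"name": "", "args": [], "directives": [], "children": []}
    stack, args = [root], []
    for tok in tokenize(text):
        if tok == ";":
            stack[-1]["directives"].append((args[0], args[1:]))
            args = []
        elif tok == "{":
            block = {"name": args[0], "args": args[1:], "directives": [], "children": []}
            stack[-1]["children"].append(block)
            stack.append(block)
            args = []
        elif tok == "}":
            stack.pop()
        else:
            args.append(tok)
    if len(stack) != 1 or args:
        raise ValueError("unbalanced braces or directive without ';'")
    return root

def review_server(block):
    """Findings for one server{} block; an empty list means nothing to flag."""
    d = {}
    for name, a in block["directives"]:
        d.setdefault(name, []).append(a)
    if "ssl" not in d.get("listen", [[]])[0] and d.get("ssl") != [["on"]]:
        return []  # plain-HTTP server (e.g. the port-80 redirect): no TLS to review
    findings = []
    if "ssl" in d:
        findings.append("'ssl on;' was removed in nginx 1.25.1; use 'listen 443 ssl;'")
    legacy = {p for a in d.get("ssl_protocols", []) for p in a} & LEGACY_PROTOCOLS
    if legacy:
        findings.append("legacy protocols (RFC 8996): " + ", ".join(sorted(legacy)))
    cache = d.get("ssl_session_cache", [["none"]])[0]
    if not any(a.startswith("shared:") for a in cache):
        findings.append("no shared session cache (%s): no cross-worker resumption" % " ".join(cache))
    if "ssl_session_timeout" not in d:
        findings.append("ssl_session_timeout not set (nginx default is 5m)")
    if d.get("keepalive_timeout", [["75s"]])[0][0] == "0":
        findings.append("keepalive disabled: every request pays a new TCP+TLS setup")
    if d.get("ssl_prefer_server_ciphers", [["off"]])[0][0] != "on":
        findings.append("ssl_prefer_server_ciphers off: the client picks the cipher suite")
    return findings

def review(text):
    """Review every top-level server{} block; returns {listen args: findings}."""
    result = {}
    for block in parse(text)["children"]:
        if block["name"] == "server":
            listen = next((a for n, a in block["directives"] if n == "listen"), [])
            result[" ".join(listen)] = review_server(block)
    return result

if __name__ == "__main__":
    for label, conf in (("3.2", OPTIMISED_CONF), ("1.1", BASIC_CONF)):
        print(label, review(conf))
```

Run it on the actual `/etc/nginx/conf.d/ssl.conf` text to check a deployment; the port-80 redirect server is skipped because it terminates no TLS, and a `builtin:` cache or `keepalive_timeout 0` is reported as the 3.1 list recommends.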