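Implementing HTTPS on a single server
Use the openssl command to act as the CA and create the certificate (do not generate certificates this way in production: the result is an unregistered certificate that the Internet does not trust)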
# Check whether the ssl module is present
[root@web03 ~]# nginx -V
--with-http_ssl_module
# Create the directory that holds the certificate and private key
[root@web03 ~]# mkdir /etc/nginx/ssl
[root@web03 ~]# cd /etc/nginx/ssl
[root@web03 ssl]# data +%Y%m%d%H%M%S
-bash: data: command not found
[root@web03 ssl]# date +%Y%m%d%H%M%S
20200604112251
[root@web03 ssl]# openssl genrsa -idea -out $(date +%Y%m%d%H%M%S).key 2048
Generating RSA private key, 2048 bit long modulus
.........................................+++
...+++
e is 65537 (0x10001)
Enter pass phrase for 20200604112307.key:
Verifying - Enter pass phrase for 20200604112307.key:
[root@web03 ssl]# ll
total 4
-rw-r--r-- 1 root root 1739 Jun 4 11:23 20200604112307.key
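# Generate the certificate
# (-newkey with -keyout pointing at the same path writes a new private key over the one created above; -nodes leaves it without a pass phrase)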
[root@web03 ssl]# openssl req -days 36500 -x509 \
> -sha256 -nodes -newkey rsa:2048 -keyout /etc/nginx/ssl/20200604112307.key -out /etc/nginx/ssl/20200604112307.crt
Generating a 2048 bit RSA private key
..........................+++
...........................................+++
writing new private key to '/etc/nginx/ssl/20200604112307.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:henan
Locality Name (eg, city) [Default City]:puyang
Organization Name (eg, company) [Default Company Ltd]:zaijia
Organizational Unit Name (eg, section) []:wan
Common Name (eg, your name or your server's hostname) []:wzh.com (enter the real domain name here)
Email Address []:123@qq.com
[root@web03 ssl]# ll
total 8
-rw-r--r-- 1 root root 1375 Jun 4 11:30 20200604112307.crt
-rw-r--r-- 1 root root 1704 Jun 4 11:30 20200604112307.key
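# Command parameters
# req --> used to create a new certificate
# new --> indicates that a new certificate is being created
# x509 --> indicates that the certificate uses the standard (X.509) format
# key --> the private key file to use
# out --> the certificate file to write
# days --> the certificate's validity period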
# Edit the nginx configuration file
[root@web03 nginx]# cat conf.d/blog.wzh.com.conf
server {
    listen 80;
    server_name hhh.wzh.com;
    return 302 https://$server_name$request_uri;
}
server {
    listen 443 ssl;
    server_name hhh.wzh.com;
    ssl_certificate /etc/nginx/ssl/20200604112307.crt;
    ssl_certificate_key /etc/nginx/ssl/20200604112307.key;
    location / {
        root /opt/wzh;
        index index.html;
    }
}
# Check the syntax
nginx -t
# Reload
systemctl reload nginx
# Create the site directory
[root@web03 nginx]# mkdir /opt/wzh
# Edit the nginx page
[root@web03 nginx]# cat /opt/wzh/index.html
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<title>my website</title>
</head>
<body>
<article>
<header>
<h1>被钓鱼网站</h1>
<p>创建时间:<time pubdate="pubdate">2020/6/4</time></p>
</header>
<p>
<b>标题:</b>啥也不是
</p>
<footer>
<p><small>改着玩呗</small></p>
</footer>
</article>
</body>
</html>
# Resolve the domain name
# Access from a browser
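# Added example (not part of the original notes): the key and certificate created in one non-interactive step for the server_name used above (hhh.wzh.com), with the hostname in subjectAltName (current browsers check it instead of the Common Name), a key file that other users cannot read, and checks that the pair matches and covers the host.
# Assumptions: the function names are hypothetical, and -addext needs OpenSSL 1.1.1 or later.

```bash
#!/usr/bin/env bash
# Added example; function names and paths are assumptions, not from the notes.

# make_cert DIR HOST
# Create an unencrypted 2048-bit RSA key and a self-signed certificate
# whose CN and subjectAltName are both HOST.
make_cert() (
    mkdir -p "$1" || exit 1
    umask 077   # files are created 0600, not world-readable 0644
    openssl req -x509 -sha256 -nodes -newkey rsa:2048 -days 365 \
        -subj "/CN=$2" -addext "subjectAltName=DNS:$2" \
        -keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null
)

# pair_matches CRT KEY
# Succeed only if the public key in the certificate is the one derived
# from the private key (what ssl_certificate / ssl_certificate_key need).
pair_matches() (
    a=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || exit 1
    b=$(openssl pkey -in "$2" -pubout 2>/dev/null) || exit 1
    [ -n "$a" ] && [ "$a" = "$b" ]
)

# covers_host CRT HOST
# Succeed only if HOST matches the names in the certificate.
# openssl prints "does match" or "does NOT match" for -checkhost.
covers_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null |
        grep -q 'does match'
}

# Stand-alone usage (constructed values): ./script.sh /tmp/ssl-demo hhh.wzh.com
if [ "$#" -eq 2 ]; then
    make_cert "$1" "$2" &&
    pair_matches "$1/$2.crt" "$1/$2.key" &&
    covers_host "$1/$2.crt" "$2" &&
    echo "OK: $1/$2.crt and $1/$2.key match and cover $2"
fi
```

# A certificate made this way is still self-signed, so browsers keep warning until it is replaced by one from a trusted CA.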