nginx and HTTPS configuration

I. rewrite pseudo-static examples

1. Setting up Discuz

    server {
        listen 80;
        server_name discuz.linux.com;

        location / {
            root /code/discuz/upload;
            index index.php;
            rewrite ^([^\.]*)/topic-(.+)\.html$ $1/portal.php?mod=topic&topic=$2 last;
            rewrite ^([^\.]*)/article-([0-9]+)-([0-9]+)\.html$ $1/portal.php?mod=view&aid=$2&page=$3 last;
            rewrite ^([^\.]*)/forum-(\w+)-([0-9]+)\.html$ $1/forum.php?mod=forumdisplay&fid=$2&page=$3 last;
            rewrite ^([^\.]*)/thread-([0-9]+)-([0-9]+)-([0-9]+)\.html$ $1/forum.php?mod=viewthread&tid=$2&extra=page%3D$4&page=$3 last;
            rewrite ^([^\.]*)/group-([0-9]+)-([0-9]+)\.html$ $1/forum.php?mod=group&fid=$2&page=$3 last;
            rewrite ^([^\.]*)/space-(username|uid)-(.+)\.html$ $1/home.php?mod=space&$2=$3 last;
            rewrite ^([^\.]*)/blog-([0-9]+)-([0-9]+)\.html$ $1/home.php?mod=space&uid=$2&do=blog&id=$3 last;
            rewrite ^([^\.]*)/(fid|tid)-([0-9]+)\.html$ $1/archiver/index.php?action=$2&value=$3 last;
            rewrite ^([^\.]*)/([a-z]+[a-z0-9_]*)-([a-z0-9_\-]+)\.html$ $1/plugin.php?id=$2:$3 last;
            if (!-e $request_filename) {
                return 404;
            }
        }

        location ~* \.php$ {
            root /code/discuz/upload;
            fastcgi_pass 127.0.0.1:9000;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            include fastcgi_params;
        }
    }
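The syntax is if (condition) {…}. The given condition is evaluated; if it is true, the rewrite directives inside the braces are executed. The condition can be any of the following:

a: When the expression is just a variable, an empty value or any string starting with 0 is treated as false; everything else is true.
b: To compare a variable with a value directly, use = or !=

    if ($http_host = mumusir.com) {
        rewrite (.*) http://www.mumusir.com;
    }

c: Regular-expression matching: ~ and ~* test for a match (~* is case-insensitive); !~ and !~* are the negations.

Note: a regular expression normally does not need quotes, but if it contains a closing brace "}" or a semicolon ";", the whole regular expression must be quoted.

Other operators:
-f and !-f test whether the requested file exists
-d and !-d test whether the requested directory exists
-e and !-e test whether the requested file or directory exists
-x and !-x test whether the requested file is executable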

2. More on rewrite rules

1) rewrite matching priority

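1. rewrite directives in the server block are executed first
2. A location is then selected according to the location matching rules
3. Finally, the rewrite directives inside that location are executed

    server {
        listen 80;
        server_name discuz.linux.com;
        rewrite ^(.*)$ http://www.mumusir.com;
        access_log /var/log/1.log;

        location =/ {
            rewrite ^(.*)$ http://www.baidu.com;
            access_log /var/log/2.log;
        }

        location /test {
            rewrite ^(.*)$ http://www.jingdong.com;
            access_log /var/log/3.log;
        }
    }

    # Log files (access_log) are read from the outside in, and take effect from the inside out;
    # rewrite rules are read from the outside in and also take effect from the outside in: the first rewrite encountered takes effect immediately.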

2) Global variables used with rewrite

    $server_name        # the current domain name
    $request_filename   # directory and file path including the site root
    $request_uri        # directory and file path without the site root

    server {
        listen 80;
        server_name www.linux.com;
        root /code;
        return 302 https://$server_name$request_uri;
    }

    Request:       http://www.linux.com/test/1.txt
    $server_name = www.linux.com
    $request_filename = /code/test/1.txt
    $request_uri = /test/1.txt
    Redirected to: https://www.linux.com/test/1.txt

II. HTTPS

1. Simulating a tampered website

2. HTTPS certificate types

1) Choosing which certificate to buy

1. Protect a single domain: www.mumusir.com
2. Protect multiple domains: www. test. cdn. image. class.
3. Protect a wildcard domain: *.mumusir.com

2) Notes on HTTPS certificates

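1. HTTPS certificates cannot be renewed; when a certificate expires you must apply for a new one and replace it.
2. HTTPS does not support third-level domain names such as test.m.haoda.com.
3. If HTTPS is shown in green, every URL on the site is HTTPS.
   If HTTPS is shown in yellow, the site's code contains insecure http links.
   If HTTPS is shown in red, the certificate is fake or has expired.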

3. Configuring HTTPS on a single server

1) Generate the certificate

    [root@web01 ~]# cd /etc/nginx/ssl_key/
    [root@web01 ssl_key]# openssl genrsa -idea -out server.key 2048
    [root@web01 ssl_key]# openssl req -days 36500 -x509 -sha256 -nodes -newkey rsa:2048 -keyout server.key -out server.crt
    [root@web01 ssl_key]# ll
    total 8
    -rw-r--r-- 1 root root 1375 Mar 5 15:15 server.crt
    -rw-r--r-- 1 root root 1704 Mar 5 15:15 server.key
    [root@web01 ssl_key]#

2) Configure the certificate

    server {
        listen 443 ssl;
        server_name s.linux.com;
        #ssl on;
        ssl_certificate /etc/nginx/ssl_key/server.crt;
        ssl_certificate_key /etc/nginx/ssl_key/server.key;

        location / {
            root /code/https;
            index index.html;
        }
    }

    server {
        listen 80;
        server_name s.linux.com;
        #rewrite (.*) https://$server_name$1 redirect;
        return 302 https://$server_name$request_uri;
    }
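A tightened variant of the two server blocks above, added here as an example and not part of the original post: it pins the TLS protocol versions, enables session reuse and sends HSTS so that returning browsers skip the plain-HTTP hop. The protocol list, cache size, timeout and max-age values are assumptions to adjust for your clients; TLSv1.3 needs nginx 1.13.0 or later built against OpenSSL 1.1.1 or later.

```nginx
server {
    listen 443 ssl;
    server_name s.linux.com;

    ssl_certificate     /etc/nginx/ssl_key/server.crt;
    # The listing above shows server.key as -rw-r--r-- (world-readable).
    # The nginx master process reads it as root, so mode 0600 owned by
    # root is sufficient and keeps local users away from the private key.
    ssl_certificate_key /etc/nginx/ssl_key/server.key;

    # Refuse SSLv3, TLSv1.0 and TLSv1.1 handshakes.
    ssl_protocols TLSv1.2 TLSv1.3;

    # Reuse sessions through a server-side cache shared by all workers
    # instead of session tickets.
    ssl_session_cache   shared:SSL:10m;
    ssl_session_timeout 1h;
    ssl_session_tickets off;

    # HSTS: browsers honour this header only when it arrives over a
    # connection with a trusted certificate, so it has no effect while
    # the self-signed certificate generated above is in use.
    add_header Strict-Transport-Security "max-age=31536000" always;

    location / {
        root /code/https;
        index index.html;
    }
}

server {
    listen 80;
    server_name s.linux.com;
    # $server_name comes from this configuration, not from the client's
    # Host header, so the request cannot steer the redirect target.
    return 302 https://$server_name$request_uri;
}
```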

III. Site-wide HTTPS

1. Environment preparation

    Host     External IP    Internal IP    Role
    lb01     10.0.0.4       172.16.1.4     Load balancer
    web01    -              172.16.1.7     Web server
    web02    -              172.16.1.8     Web server

2. Configure the web servers (both machines)

    [root@web01 conf.d]# vim s.linux.com.conf
    server {
        listen 80;
        server_name s.linux.com;

        location / {
            root /code/https;
            index index.html;
        }
    }

    [root@web01 conf.d]# systemctl restart nginx

    # Sync the configuration file
    [root@web01 conf.d]# scp s.linux.com.conf 172.16.1.8:/etc/nginx/conf.d/

    # Set up the site directory files
    [root@web01 conf.d]# mkdir /code/https
    [root@web01 conf.d]# echo "https1111" > /code/https/index.html
    [root@web02 conf.d]# mkdir /code/https
    [root@web02 conf.d]# echo "https2222" > /code/https/index.html
    [root@web01 conf.d]# chown -R www.www /code/https/
    [root@web02 conf.d]# chown -R www.www /code/https/

3. Push/upload the certificate files

[root@web01 conf.d]# scp -r /etc/nginx/ssl_key 172.16.1.4:/etc/nginx/

4. Configure nginx on the load balancer

    [root@lb01 conf.d]# vim s.linux.com.conf
    upstream webserver {
        server 172.16.1.7:80;
        server 172.16.1.8:80;
    }

    server {
        listen 443 ssl;
        server_name s.linux.com;
        ssl_certificate /etc/nginx/ssl_key/server.crt;
        ssl_certificate_key /etc/nginx/ssl_key/server.key;

        location / {
            proxy_pass http://webserver;
            proxy_set_header host $http_host;
        }
    }

    server {
        listen 80;
        server_name s.linux.com;
        return 302 https://$server_name$request_uri;
    }

5. Configure hosts and test access

IV. Site-wide HTTPS for the projects

1. Configure the nginx configuration file for the blog on the web servers

    [root@web01 conf.d]# vim blog.linux.com.conf
    server {
        listen 80;
        server_name blog.linux.com;

        location / {
            root /code/wordpress;
            index index.php;
        }

        location ~* \.php$ {
            root /code/wordpress;
            fastcgi_pass 127.0.0.1:9000;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            include fastcgi_params;
        }
    }

    [root@web01 conf.d]# scp blog.linux.com.conf 172.16.1.8:/etc/nginx/conf.d/

2. Configure the configuration file for the Zhihu (Q&A) site on the web servers

    [root@web01 conf.d]# vim zh.linux.com.conf
    server {
        listen 80;
        server_name zh.linux.com;

        location / {
            root /code/wecenter;
            index index.php;
        }

        location ~* \.php$ {
            root /code/wecenter;
            fastcgi_pass 127.0.0.1:9000;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            include fastcgi_params;
        }
    }

    [root@web01 conf.d]# scp zh.linux.com.conf 172.16.1.8:/etc/nginx/conf.d/

3. Configure the load balancer

    [root@lb01 conf.d]# vim proxy_https.conf
    upstream web {
        server 172.16.1.7:80;
        server 172.16.1.8:80;
    }

    server {
        listen 443 ssl;
        server_name blog.linux.com;
        ssl_certificate /etc/nginx/ssl_key/server.crt;
        ssl_certificate_key /etc/nginx/ssl_key/server.key;

        location / {
            proxy_pass http://web;
            include proxy_params;
        }
    }

    server {
        listen 80;
        server_name blog.linux.com;
        return 302 https://$server_name$request_uri;
    }

    server {
        listen 443 ssl;
        server_name zh.linux.com;
        ssl_certificate /etc/nginx/ssl_key/server.crt;
        ssl_certificate_key /etc/nginx/ssl_key/server.key;

        location / {
            proxy_pass http://web;
            include proxy_params;
        }
    }

    server {
        listen 80;
        server_name zh.linux.com;
        return 302 https://$server_name$request_uri;
    }

    [root@lb01 conf.d]# nginx -t
    nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
    nginx: configuration file /etc/nginx/nginx.conf test is successful
    [root@lb01 conf.d]# systemctl restart nginx

4. Configure hosts and test access

    # If the page layout is broken, enable HTTPS mode when passing requests to PHP
    server {
        ... ...
        location ~* \.php$ {
            root /code/wecenter;
            fastcgi_pass 127.0.0.1:9000;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            # Enable HTTPS mode
            fastcgi_param HTTPS on;
            include fastcgi_params;
        }
    }
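An added example, not from the original post, of deriving the `HTTPS` FastCGI parameter from what the load balancer actually saw instead of hard-coding `on`: lb01 overwrites `X-Forwarded-Proto`, and the web servers map that header to the parameter and accept connections only from lb01 so the header can be trusted. The variable name `$forwarded_https` is hypothetical. The example assumes that conf.d/*.conf is included at the `http` level (where `map` must live) and that lb01 reaches the backends from 172.16.1.4, and it sets the proxy headers explicitly because the contents of `proxy_params` are not shown on the page.

```nginx
# ---- lb01: proxy_https.conf (TLS terminates here) ----
upstream web {
    server 172.16.1.7:80;
    server 172.16.1.8:80;
}

server {
    listen 443 ssl;
    server_name zh.linux.com;
    ssl_certificate     /etc/nginx/ssl_key/server.crt;
    ssl_certificate_key /etc/nginx/ssl_key/server.key;

    location / {
        proxy_pass http://web;
        proxy_set_header Host $http_host;
        # Set, never pass through: replaces any value the client sent.
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

# ---- web01 / web02: zh.linux.com.conf ----
# "on" only when lb01 reports that the client connection was HTTPS.
map $http_x_forwarded_proto $forwarded_https {
    default "";
    https   on;
}

server {
    listen 80;
    server_name zh.linux.com;
    # Only lb01 (assumed source address) may reach this vhost, so a
    # client cannot connect directly and forge X-Forwarded-Proto.
    allow 172.16.1.4;
    deny all;

    location / {
        root /code/wecenter;
        index index.php;
    }

    location ~* \.php$ {
        root /code/wecenter;
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
        # Not sent at all when the variable is empty (plain HTTP).
        fastcgi_param HTTPS $forwarded_https if_not_empty;
    }
}
```

The same `map` and `fastcgi_param` lines apply unchanged to the blog.linux.com and php.linux.com backends; define the `map` once per web server, since declaring the same variable in two files is a configuration error.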

5. Configure phpMyAdmin on the web servers

    [root@web01 conf.d]# vim phpmyadmin.conf
    server {
        listen 80;
        server_name php.linux.com;

        location / {
            root /code/phpmyadmin;
            index index.php;
        }

        location ~ \.php$ {
            root /code/phpmyadmin;
            fastcgi_pass 127.0.0.1:9000;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            include fastcgi_params;
        }
    }

    [root@web01 conf.d]# scp phpmyadmin.conf 172.16.1.8:/etc/nginx/conf.d/

6. Configure the load balancer for phpMyAdmin

    [root@lb01 conf.d]# vim phpmyadmin_proxy.conf
    upstream phpmyadmin {
        server 10.0.0.7;
        server 10.0.0.8;
    }

    server {
        listen 443 ssl;
        server_name php.linux.com;
        ssl_certificate /etc/nginx/ssl_key/server.crt;
        ssl_certificate_key /etc/nginx/ssl_key/server.key;

        location / {
            proxy_pass http://phpmyadmin;
            include proxy_params;
        }
    }

    server {
        listen 80;
        server_name php.linux.com;
        return 302 https://$server_name$request_uri;
    }

    [root@lb01 conf.d]# systemctl restart nginx

V. Configuring HTTPS on Alibaba Cloud

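1. Buy a cloud host
2. Set up DNS resolution for the domain name
3. Apply for an HTTPS certificate for the domain name
4. Deploy the HTTPS certificate to the server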


Author: ଲ小何才露煎煎饺
Article link: https://www.cnblogs.com/zeny/p/15121605.html
Copyright notice: unless otherwise stated, all articles on this blog are licensed under BY-NC-SA. Please credit the source when reposting!