Setting up HTTPS
Generate an SSL certificate on the server
Source article: https://www.cnblogs.com/clsn/p/7793682.html
1. Install the software
yum install -y openssl openssl-devel
2. Generate the certificate
[root@lb01 backup]# openssl req -new -x509 -nodes -out server.crt -keyout server.key
Generating a 2048 bit RSA private key
......................................................+++
...................................+++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CH # country name
State or Province Name (full name) []:bj # province
Locality Name (eg, city) [Default City]:bj # city
Organization Name (eg, company) [Default Company Ltd]:ZNIX # organization name
Organizational Unit Name (eg, section) []:ZNIX # organizational unit name
Common Name (eg, your name or your server's hostname) []:ZNIX # server name
Email Address []:ADMIN@ZNIX.TOP # e-mail address
View the generated certificate
[root@lb01 backup]# ls
server.crt server.key
The generated key files
[root@lb01 backup]# ll
total 8
-rw-r--r-- 1 root root 1375 Nov 6 14:07 server.crt
-rw-r--r-- 1 root root 1704 Nov 6 14:07 server.key
3. Create a directory
Push the generated certificate to /etc/nginx/ssl_key
mkdir -p /etc/nginx/ssl_key
Remove the passphrase from the key
openssl rsa -in server.key -out server.key
4. Modify the nginx configuration file
To keep the configuration file tidy, put the proxy parameters in a separate file and pull them in with include.
Create a file holding the proxy parameters:
[root@lb01]# vim /etc/nginx/proxy_params
proxy_set_header HOST $host;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_connect_timeout 30;
proxy_send_timeout 60;
proxy_read_timeout 60;
proxy_buffer_size 32k;
proxy_buffering on;
proxy_buffers 4 128k;
proxy_busy_buffers_size 256k;
proxy_max_temp_file_size 256k;
[root@lb01]# vim /etc/nginx/nginx.conf
...
upstream web_pools {
server 10.0.0.7:80 weight=1 max_fails=3 fail_timeout=10s;
server 10.0.0.8:80 weight=1 max_fails=3 fail_timeout=10s;
}
# include /etc/nginx/conf.d/*.conf;
server {
listen 80;
server_name zh.etiantian.com;
return 302 https://$server_name$request_uri;
}
server {
listen 443 ssl;
server_name zh.etiantian.com;
ssl_certificate ssl_key/server.crt;
ssl_certificate_key ssl_key/server.key;
ssl_session_timeout 5m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;
ssl_prefer_server_ciphers on;
proxy_next_upstream http_404 http_502;
location / {
proxy_pass http://web_pools;
include proxy_params;
}
}
server {
listen 80;
server_name cms.etiantian.com;
return 302 https://$server_name$request_uri;
}
server {
listen 443 ssl;
server_name cms.etiantian.com;
ssl_certificate ssl_key/server.crt;
ssl_certificate_key ssl_key/server.key;
ssl_session_timeout 5m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;
ssl_prefer_server_ciphers on;
proxy_next_upstream http_404 http_502;
location / {
proxy_pass http://web_pools;
include proxy_params;
}
}
server {
listen 80;
server_name kdy.etiantian.com;
return 302 https://$server_name$request_uri;
}
server {
listen 443 ssl;
server_name kdy.etiantian.com;
ssl_certificate ssl_key/server.crt;
ssl_certificate_key ssl_key/server.key;
ssl_session_timeout 5m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;
ssl_prefer_server_ciphers on;
proxy_next_upstream http_404 http_502;
location / {
proxy_pass http://web_pools;
include proxy_params;
}
}
}
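As an added check that is not part of the original article: a small Python linter that parses nginx-style config text into directives and flags every server that terminates TLS (listen ... ssl) but lacks ssl_certificate/ssl_certificate_key or still allows TLSv1/TLSv1.1, which the ssl_protocols line above enables. SAMPLE_CONF is a constructed excerpt modelled on the lb01 config; the parser is a deliberately minimal hypothetical one, not nginx's own.

```python
import re

# Constructed excerpt modelled on the lb01 nginx.conf above; server 2 deliberately omits its cert directives.
SAMPLE_CONF = """server {
    listen 443 ssl;
    server_name zh.etiantian.com;
    ssl_certificate ssl_key/server.crt;
    ssl_certificate_key ssl_key/server.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
}
server {
    listen 443 ssl;
    server_name cms.etiantian.com;
    ssl_protocols TLSv1.2 TLSv1.3;
}"""
TOKEN = re.compile(r'''#[^\n]*|[{};]|"[^"]*"|'[^']*'|[^\s{};#]+''')
DEPRECATED = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

def parse(text):
    """Parse nginx-style config text into nested (name, args, children) tuples."""
    tokens = [t for t in TOKEN.findall(text) if not t.startswith("#")]
    pos = 0
    def block():
        nonlocal pos
        out, cur = [], []
        while pos < len(tokens) and tokens[pos] != "}":
            tok, pos = tokens[pos], pos + 1
            if tok == ";":                       # simple directive ends here
                out.append((cur[0], cur[1:], None)); cur = []
            elif tok == "{":                     # block directive: parse its body
                out.append((cur[0], cur[1:], block())); cur = []
            else:
                cur.append(tok)
        pos += 1                                 # consume the closing brace
        return out
    return block()

def lint(text):
    """Map each TLS-terminating server_name to its findings (empty list = clean)."""
    findings = {}
    for name, _args, children in parse(text):
        if name != "server" or children is None:
            continue
        d = {n: a for n, a, _ in children}
        if not any("ssl" in a for n, a, _ in children if n == "listen"):
            continue                             # plain-HTTP redirect servers are skipped
        issues = [f"missing {k}" for k in ("ssl_certificate", "ssl_certificate_key") if k not in d]
        bad = sorted(DEPRECATED & set(d.get("ssl_protocols", [])))
        issues += ["deprecated protocols: " + ", ".join(bad)] if bad else []
        findings[d.get("server_name", ["?"])[0]] = issues
    return findings
```

Run lint() over the real /etc/nginx/nginx.conf contents to get one entry per HTTPS site; a non-empty list is something to fix before the load balancer goes live.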
5. On the web servers, add
fastcgi_param HTTPS on
Add the same line to every site's configuration; one site is shown here
[root@web01]# cat /etc/nginx/conf.d/01-blog.conf
server {
listen 80;
server_name zh.etiantian.com;
access_log /app/log/nginx/access_blog.log main;
root /app/nginx/html/blog/;
location / {
index index.php index.html index.htm;
}
location ~* \.(php|php5)$ {
fastcgi_pass 127.0.0.1:9000;
fastcgi_index index.php;
fastcgi_param HTTPS on; # add this line, otherwise the self-signed certificate is not recognized and the site is treated as insecure
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include fastcgi_params;
}
}
If the LB runs a script that stops keepalived whenever nginx is stopped, keepalived also needs to be started again afterwards.
Multiple sites can simply share the same certificate.
[16:13 root@lb01 nginx]# systemctl restart keepalived.service