Https的基本概述
Https证书
集群架构实现全站Https
一、Https的基本概述
1.什么是Https
HTTPS(超文本传输安全协议),是以安全为目标的HTTP通道,简单讲是HTTP的安全版。即HTTP下加入SSL层,HTTPS的安全基础是SSL,因此加密的详细内容就需要SSL。 它是一个URI scheme(抽象标识符体系)。用于安全的HTTP数据传输。https:URL表明它使用了HTTP,但HTTPS存在不同于HTTP的默认端口及一个加密/身份验证层(在HTTP与TCP之间)。
2.为什么要使用Https
参考https://blog.csdn.net/qq_33301113/article/details/78725960
二、Https证书
PS:HTTPS注意事项
Https不支持续费,证书到期需重新申请新并进行替换。
Https不支持三级域名解析,如 test.m.oldboy.com。
Https显示绿色,说明整个网站的url都是https的,并且都是安全的。
Https显示黄色,说明网站代码中有部分URL地址是http不安全协议的。
Https显示红色,要么证书是假的,要么证书已经过期。
1.创建存放ssl证书的路径
[root@lb01~]# mkdir -p /etc/nginx/ssl_key
[root@lb01 ~]# cd /etc/nginx/ssl_key
2.生成证书
[root@lb01 ~]# openssl genrsa -idea -out server.key 2048
3.生成自签证书,同时去掉私钥的密码
[root@lb01 ~]# openssl req -days 36500 -x509 -sha256 -nodes -newkey rsa:2048 -keyout server.key -out server.crt
4.配置nginx
[root@lb01 conf.d]# cat s.oldux.com.conf
server {
listen 443 ssl;
server_name s.oldxu.com;
root /code;
ssl_certificate ssl_key/server.crt;
ssl_certificate_key ssl_key/server.key;
location / {
index index.html;
}
}
server {
listen 80;
server_name s.oldxu.com;
return 302 https://$http_host$request_uri;
}
总结:
- 先配置好后端的web节点(fastcgi_param HTTPS on;)
- 在负载均衡上申请证书
- 配置nginx负载均衡--->http协议
- 配置域名劫持
- 配置nginx负载均衡--->转为https协议
三、集群架构实现https
# 先配置好后端的web节点
[root@web02 conf.d]# cat blog.wyw.com.conf
server {
listen 80;
server_name blog.wyw.com;
root /code/wordpress;
client_max_body_size 100m;
location / {
index index.php;
}
location ~ \.php$ {
fastcgi_pass 127.0.0.1:9000;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param HTTPS on;
include fastcgi_params;
}
}
# 配置负载均衡
[root@lb01 conf.d]# cat proxy_blog.wyw.com.conf
upstream blog {
server 172.16.1.7:80;
server 172.16.1.8:80;
}
server {
listen 443 ssl;
server_name blog.wyw.com;
ssl_certificate ssl_key/server.crt;
ssl_certificate_key ssl_key/server.key;
location / {
proxy_pass http://blog;
proxy_next_upstream error timeout http_500 http_502 http_503;
include proxy_params;
}
}
server {
listen 80;
server_name blog.wyw.com;
return 302 https://$http_host$request_uri;
}
5.部分URL走https,部分不走https?
[root@lb01 conf.d]# cat proxy_s.oldxu.com.conf
upstream webs {
server 172.16.1.7:80;
server 172.16.1.8:80;
}
server {
listen 443 ssl;
ssl_certificate ssl_key/server.crt;
ssl_certificate_key ssl_key/server.key;
server_name s.oldxu.com;
location / {
proxy_pass http://webs;
include proxy_params;
}
}
server {
listen 80;
server_name s.oldxu.com;
if ($request_uri ~* "^/login") {
return 302 https://$http_host$request_uri;
}
location / {
proxy_pass http://webs;
include proxy_params;
}
}
6.当用户请求s.oldxu.com/abc时走http,其他的所有都走https
[root@lb01 conf.d]# cat proxy_s.oldxu.com.conf
upstream webs {
server 172.16.1.7:80;
server 172.16.1.8:80;
}
server {
listen 443 ssl;
ssl_certificate ssl_key/server.crt;
ssl_certificate_key ssl_key/server.key;
server_name s.oldxu.com;
location / {
proxy_pass http://webs;
include proxy_params;
}
}
server {
listen 80;
server_name s.oldxu.com;
if ($request_uri !~* "^/abc") {
return 302 https://$http_host$request_uri;
}
location / {
proxy_pass http://webs;
include proxy_params;
}
}
7.https优化相关的参数
server {
listen 443 ssl;
server_name nginx.bjstack.com;
ssl_certificate ssl_key/1524377920931.pem;
ssl_certificate_key ssl_key/1524377920931.key;
ssl_session_cache shared:SSL:10m; #在建立完ssl握手后如果断开连接,在session_timeout时间内再次连接,是不需要在次建立握手,可以复用之前的连接
ssl_session_timeout 1440m; #ssl连接断开后的超时时间
ssl_protocols TLSv1 TLSv1.1 TLSv1.2; #使用的TLS版本协议
ssl_prefer_server_ciphers on; #Nginx决定使用哪些协议与浏览器进行通讯
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4; #配置加密套间
l ocation / {
root /soft/code;
index index.html index.htm;
}
}
server {
listen 80;
server_name nginx.bjstack.com;
return 302 https://$server_name$request_uri;
}
举例:
- 公司网站在停机维护时,指定的IP能够正常访问,其他的IP跳转到维护页。10.0.0.1 10.0.0.100
[root@web01 conf.d]# cat s.oldux.com.conf
server {
listen 80;
server_name s.oldxu.com;
root /data;
set $ip 0;
if ($remote_addr ~* "10.0.0.1|10.0.0.100"){
set $ip 1;
}
if ($ip = "0"){
rewrite ^(.*)/$ /wh.png break;
}
location / {
index index.html;
}
}
网友评论