HTTPS

Author: 古巷挂青灯 | Source: published 2019-06-19 22:09, read 138 times

    Enabling HTTPS access for a website

    Step 1: check that the server environment meets the requirements

    The nginx binary must be built with the SSL module that provides certificate support (if the module below is present, HTTPS can be served):

    --with-http_ssl_module

    Check:

    [root@web01 ~]# nginx -V
    nginx version: nginx/1.16.0
    built by gcc 4.8.5 20150623 (Red Hat 4.8.5-36) (GCC)
    built with OpenSSL 1.0.2k-fips 26 Jan 2017
    TLS SNI support enabled
    configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib64/nginx/modules --coor-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --loclient-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --ust --with-file-aio --with-threads --with-http_addition_module --with-http_auth_request_module --with-http_dav_modutp_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-httlink_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module--with-mail_ssl_module --with-stream --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_prerepe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-swiwith-ld-opt='-Wl,-z,relro -Wl,-z,now -pie'


    Step 2: create the directory that will hold the SSL certificate

    [root@web01 ~]# mkdir -p /etc/nginx/ssl_key
    [root@web01 ~]# cd /etc/nginx/ssl_key/


    Step 3: use the openssl command to make an unregistered certificate that stands in for one recognized by a CA

    PS: a certificate generated this way cannot be used in production; it is an unregistered certificate that no public CA recognizes.

    (Run the following command to generate the private key)
    [root@web01 ~]# openssl genrsa -idea -out server.key 2048
    (generates the private key; 2048 sets the key length)
    Explanation of each part of the command:
    openssl: the command that creates the private key
    genrsa: create a private key
    -idea: the cipher used to encrypt the private key
    -out: write the generated key to the given path
    server.key: the file that stores the private key
    
    [root@web01 /etc/nginx/ssl_key]# openssl genrsa -idea -out server.key 2048
    Generating RSA private key, 2048 bit long modulus
    ................+++
    ............................+++
    e is 65537 (0x10001)
    Enter pass phrase for server.key: (set a pass phrase for this key)
    Verifying - Enter pass phrase for server.key: (enter it again)

    
    Then list the current directory; the key has been generated:
    
    [root@web01 /etc/nginx/ssl_key]# ll
    total 4
    -rw-r--r-- 1 root root 1747 Jun 19 15:53 server.key
    

    Step 4: generate a self-signed certificate and, at the same time, remove the pass phrase from the private key

    [root@web01 ~]# openssl req -days 36500 -x509 -sha256 -nodes -newkey rsa:2048 -keyout server.key -out server.crt

    Parameters:

    req: create a certificate (request)

    -days: validity period of the certificate, in days

    -x509: output a self-signed certificate in X.509 format instead of a request

    -sha256: hash algorithm used to sign the public-key certificate

    -nodes -newkey: generate a new key and leave the private key file without a pass phrase

    -keyout: the private key file (the new key is written here)

    -out: output file for the generated (fake, self-signed) certificate

    server.crt: the file that receives the certificate produced for the private key

    

    Walkthrough of the run

    [root@web01 /etc/nginx/ssl_key]# openssl req -days 36500 -x509 -sha256 -nodes -newkey rsa:2048 -keyout server.key -out server.crt
    Generating a 2048 bit RSA private key
    ..............................................................................................................+++
    ...............................+++
    writing new private key to 'server.key'
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [XX]: cn (country where it is used)
    State or Province Name (full name) []:bj (province)
    Locality Name (eg, city) [Default City]:bj (city)
    Organization Name (eg, company) [Default Company Ltd]:oldboy (company)
    Organizational Unit Name (eg, section) []:it (department that uses this certificate)
    Common Name (eg, your name or your server's hostname) []:oldboy (the host this certificate is for)
    Email Address []:333@qq.com (email address)

    

    The private key and certificate are generated; check:

    [root@web01 /etc/nginx/ssl_key]# ll
    total 8
    -rw-r--r-- 1 root root 1350 Jun 19 16:16 server.crt
    -rw-r--r-- 1 root root 1708 Jun 19 16:16 server.key
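    The same two steps in a form that runs without prompts, plus the check a practitioner wants before copying the files anywhere: that server.crt really belongs to server.key. This is an added example, not code from the original post. It assumes openssl is on PATH, uses -aes256 instead of the page's -idea (IDEA is compiled out of many OpenSSL builds), keeps the Step 3 key instead of replacing it with -newkey as the page does, and sets CN to the page's server_name www.oldboy.com rather than the bare "oldboy" typed at the prompt; the pass phrase "changeit" is a placeholder.

```shell
#!/bin/sh
# Added example (not from the original post): Steps 3 and 4 non-interactively,
# then a certificate/key consistency check. Assumes openssl on PATH.
set -eu

# Subject fields as answered on the page; CN assumed to be the server_name.
SUBJ="/C=cn/ST=bj/L=bj/O=oldboy/OU=it/CN=www.oldboy.com"

# Step 3: pass-phrase-protected 2048-bit RSA key. -passout avoids the prompt;
# -aes256 replaces the page's -idea (assumption: IDEA may be unavailable).
gen_encrypted_key() {  # $1 = output path, $2 = pass phrase
    openssl genrsa -aes256 -passout "pass:$2" -out "$1" 2048 2>/dev/null
}

# Step 4, first half: rewrite the key without a pass phrase so nginx can load
# it at every start without asking. The page instead generates a fresh key
# with -nodes; here the Step 3 key is kept.
strip_passphrase() {  # $1 = encrypted key, $2 = pass phrase, $3 = plain output
    openssl rsa -in "$1" -passin "pass:$2" -out "$3" 2>/dev/null
}

# Step 4, second half: self-signed X.509 certificate for that key.
gen_self_signed() {  # $1 = key, $2 = cert output, $3 = validity in days
    openssl req -x509 -new -sha256 -days "$3" -key "$1" -out "$2" -subj "$SUBJ"
}

# Succeeds if the key file is encrypted. Covers both PEM styles:
# "Proc-Type: 4,ENCRYPTED" (OpenSSL 1.x) and "BEGIN ENCRYPTED PRIVATE KEY" (3.x).
key_is_encrypted() {  # $1 = key file
    grep -q ENCRYPTED "$1"
}

# The check worth running before (and after) copying the pair to another host:
# the certificate's RSA modulus must equal the private key's modulus.
verify_pair() {  # $1 = cert, $2 = key
    c=$(openssl x509 -noout -modulus -in "$1" | openssl dgst -sha256)
    k=$(openssl rsa  -noout -modulus -in "$2" | openssl dgst -sha256)
    [ "$c" = "$k" ]
}

if [ "${1:-}" = "demo" ]; then
    d=${2:-/etc/nginx/ssl_key}      # same directory as the page's Step 2
    mkdir -p "$d"
    gen_encrypted_key "$d/server.key.enc" "changeit"
    strip_passphrase "$d/server.key.enc" "changeit" "$d/server.key"
    gen_self_signed "$d/server.key" "$d/server.crt" 36500
    verify_pair "$d/server.crt" "$d/server.key" && echo "cert and key match"
    openssl x509 -noout -subject -dates -in "$d/server.crt"
fi
```

    Run it as `sh mkcert.sh demo /tmp/ssl_key` to try it outside /etc/nginx. The unencrypted server.key is what nginx reads, so keep it root-only (chmod 600); verify_pair is also the quickest way to catch a wrong file after the scp to the load balancer later in this post.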
    

    Step 5: once the certificate is ready, the nginx service has to load it

    The directives involved:

    1. Whether to enable the certificate (SSL) function
    Syntax: ssl on|off;
    Default: ssl off;
    Context: http, server

    2. Path of the SSL certificate (.crt) file to load
    Syntax: ssl_certificate file;
    Default: -
    Context: http, server

    3. Path of the SSL private key (.key) file to load
    Syntax: ssl_certificate_key file;
    Default: -
    Context: http, server

    

    Then add the following three lines inside the server block, change the listen port to 443, and open https://www.oldboy.com/ in the browser:

    ssl on;
    ssl_certificate ssl_key/server.crt;
    ssl_certificate_key ssl_key/server.key;
    

    This is the file I tested on web01:

    [root@web01 /etc/nginx/conf.d]# vim www.conf
    server {
        listen 443;
        server_name www.oldboy.com;
        ssl on;
        ssl_certificate ssl_key/server.crt;
        ssl_certificate_key ssl_key/server.key;
        access_log /var/log/nginx/access_www.log main;
        root /usr/share/nginx/html/www;

        location / {
            index index.php index.html index.htm;
        }

        location ~* \.(php|php5)$ {
            fastcgi_pass 127.0.0.1:9000;
            fastcgi_index index.php;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            include fastcgi_params;
        }
    }
    

    During testing, however, if https:// is left out of the URL, nginx does not redirect automatically.

    Step 6: redirect HTTP requests to HTTPS

    server {
        listen 80;
        server_name www.oldboy.com;
        #rewrite ^/(.*) https://www.oldboy.com/$1 redirect;
        return 302 https://$server_name$request_uri;
    }

    Final configuration file:

    [root@web01 /etc/nginx/conf.d]# vim www.conf
    server {
        listen 80;
        server_name www.oldboy.com;
        #rewrite ^/(.*) https://www.oldboy.com/$1 redirect;
        return 302 https://$server_name$request_uri;
    }

    server {
        listen 443 ssl;
        server_name www.oldboy.com;
        ssl on;
        ssl_certificate         ssl_key/server.crt;
        ssl_certificate_key     ssl_key/server.key;
        access_log /var/log/nginx/access_www.log main;
        root /usr/share/nginx/html/www;

        location / {
            index index.php index.html index.htm;
        }

        location ~* \.(php|php5)$ {
            fastcgi_pass 127.0.0.1:9000;
            fastcgi_index index.php;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            include fastcgi_params;
        }
    }
    

    This completes the setup and testing of HTTPS on a single server.

    Enabling HTTPS access for a multi-server site with nginx

    Configure the private key and certificate on the load balancer

    First configure the main configuration file, as follows.
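    Before reloading, a few checks can be run on the configuration text itself; they catch the mistakes the single-server steps above are prone to (a stray closing brace, the old `ssl on;` form, a redirect that drops the path) and the Step 1 module check. This is an added example, not code from the original post or from nginx. It assumes only POSIX sh, grep and awk; `nginx -t` remains the authoritative check once the file is in place. Note that `ssl on;` has been deprecated since nginx 1.15.0 in favour of `listen 443 ssl;`, and that `nginx -V` prints to stderr, so a real call is `nginx_build_has_ssl "$(nginx -V 2>&1)"`.

```shell
#!/bin/sh
# Added example (not from the original post): preflight checks for Steps 1, 5
# and 6, run on configuration text. Assumes POSIX sh, grep and awk only.
set -eu

# Step 1: is the SSL module compiled in? (nginx -V writes to stderr: use 2>&1)
nginx_build_has_ssl() {  # $1 = output of nginx -V
    printf '%s\n' "$1" | grep -q -- '--with-http_ssl_module'
}

# Brace balance: the post's first "final" www.conf had one closing brace too
# many. Returns 0 when every { has a matching } and none closes early.
braces_balanced() {  # $1 = config text
    printf '%s\n' "$1" | awk '
        { n += gsub(/\{/, "{"); n -= gsub(/\}/, "}") }
        n < 0 { bad = 1 }
        END { exit (bad || n != 0) }'
}

# Only the non-deprecated form: "listen ... ssl;" present, no "ssl on;".
uses_listen_ssl() {  # $1 = config text
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*listen[[:space:]]+[^;]*[[:space:]]ssl[[:space:]]*;' &&
    ! printf '%s\n' "$1" | grep -Eq '^[[:space:]]*ssl[[:space:]]+on[[:space:]]*;'
}

# Step 5: exactly one ssl_certificate and one ssl_certificate_key directive.
has_cert_and_key() {  # $1 = config text
    [ "$(printf '%s\n' "$1" | grep -Ec '^[[:space:]]*ssl_certificate[[:space:]]')" = 1 ] &&
    [ "$(printf '%s\n' "$1" | grep -Ec '^[[:space:]]*ssl_certificate_key[[:space:]]')" = 1 ]
}

# Step 6: a return 301/302 to https that keeps the requested path.
redirects_to_https() {  # $1 = config text
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*return[[:space:]]+30[12][[:space:]]+https://[^;]*\$request_uri[[:space:]]*;'
}

# Runs all config checks, prints one verdict per check, exits 0 only if all pass.
preflight() {  # $1 = config text
    rc=0
    for chk in braces_balanced uses_listen_ssl has_cert_and_key redirects_to_https; do
        if $chk "$1"; then echo "ok   $chk"; else echo "FAIL $chk"; rc=1; fi
    done
    return $rc
}

# Constructed sample modelled on the post's final www.conf, without "ssl on;".
SAMPLE_CONF='
server {
    listen 80;
    server_name www.oldboy.com;
    return 302 https://$server_name$request_uri;
}
server {
    listen 443 ssl;
    server_name www.oldboy.com;
    ssl_certificate ssl_key/server.crt;
    ssl_certificate_key ssl_key/server.key;
    root /usr/share/nginx/html/www;
    location / { index index.php index.html index.htm; }
}'

if [ "${1:-}" = "demo" ]; then
    preflight "$SAMPLE_CONF"
fi
```

    To check a real file: `preflight "$(cat /etc/nginx/conf.d/www.conf)"`. The brace counter is deliberately naive (it does not skip comments), which is fine for a linter that runs before `nginx -t`, not instead of it.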
    [root@lb01 ~]# cat /etc/nginx/nginx.conf
    user nginx;
    worker_processes 1;
    error_log /var/log/nginx/error.log warn;
    pid /var/run/nginx.pid;
    events {
        worker_connections 1024;
    }

    http {
        include /etc/nginx/mime.types;
        default_type application/octet-stream;
        log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                        '$status $body_bytes_sent "$http_referer" '
                        '"$http_user_agent" "$http_x_forwarded_for"';
        access_log /var/log/nginx/access.log main;
        sendfile on;
        #tcp_nopush on;
        keepalive_timeout 65;
        #gzip on;

        upstream web_pools {
            # ip_hash;
            server 10.0.0.7:443 weight=2 max_fails=3 fail_timeout=10s;
            server 10.0.0.8:443 weight=1 max_fails=3 fail_timeout=10s;
        }

        #include /etc/nginx/conf.d/*.conf;

        server {
            listen 80;
            server_name www.oldboy.com;
            #rewrite ^/(.*) https://www.oldboy.com/$1 redirect;
            return 302 https://$server_name$request_uri;
        }

        server {
            listen 443 ssl;
            server_name www.oldboy.com;
            ssl on;
            ssl_certificate ssl_key/server.crt;
            ssl_certificate_key ssl_key/server.key;
            location / {
                proxy_pass https://web_pools;
                include proxy_params;
            }
        }
    }

    

    Then pull the private key and certificate over from web01, into the same path used on web01 above.

    [root@lb01 ~]#scp -rp 172.16.1.7:/etc/nginx/ssl_key ./
    

    The following is an optional optimization (the proxy parameters included above as proxy_params):

    [root@lb01 ~]# cat hh.txt
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-For $remote_addr;
    proxy_connect_timeout 30;
    proxy_send_timeout 60;
    proxy_read_timeout 60;
    proxy_buffer_size 32k;
    proxy_buffering on;
    proxy_buffers 4 128k;
    proxy_busy_buffers_size 256k;
    proxy_max_temp_file_size 256k;
    
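    Once the proxy_set_header lines are in place, the backend's own access log tells you whether they took effect: the post's `main` log_format ends with `$http_x_forwarded_for`, so a request that arrived from the load balancer and still logged `-` there means the header never reached the backend (proxy_params not included, or saved under another name such as the hh.txt above). This added example, not code from the original post, counts such requests over constructed sample lines in that format; the load balancer's backend-side address 10.0.0.5 is assumed. Because the page sets X-Forwarded-For to `$remote_addr`, the logged value is the single address the balancer saw, not an appended chain.

```shell
#!/bin/sh
# Added example (not from the original post): check from the backend access log
# whether the LB's X-Forwarded-For header is being set. Assumes POSIX sh + awk.
set -eu

LB_ADDR="10.0.0.5"   # assumed address of lb01 as seen by the backends

# Constructed sample in the page's "main" log_format: three requests via the
# LB (the second one missing XFF) and one request that bypassed the LB.
SAMPLE_LOG='10.0.0.5 - - [19/Jun/2019:16:20:01 +0800] "GET / HTTP/1.1" 200 612 "-" "curl/7.29.0" "172.16.1.1"
10.0.0.5 - - [19/Jun/2019:16:20:02 +0800] "GET /index.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0" "-"
10.0.0.5 - - [19/Jun/2019:16:20:03 +0800] "GET /a.html HTTP/1.1" 404 153 "-" "Mozilla/5.0" "172.16.1.2"
10.0.0.7 - - [19/Jun/2019:16:20:04 +0800] "GET / HTTP/1.1" 200 612 "-" "curl/7.29.0" "-"'

# Prints how many requests from the LB logged "-" as X-Forwarded-For.
# Splitting on the double quote makes the fields positional:
#   $1 = '10.0.0.5 - - [time] '   $2 = request   $4 = referer   $6 = UA   $8 = XFF
count_lb_requests_without_xff() {  # $1 = log text, $2 = LB address
    printf '%s\n' "$1" | awk -F'"' -v lb="$2" '
        { split($1, a, " "); if (a[1] == lb && $8 == "-") n++ }
        END { print n + 0 }'
}

# Prints the distinct client addresses the LB forwarded, for cross-checking
# against $remote_addr in the LB's own access log.
forwarded_clients() {  # $1 = log text, $2 = LB address
    printf '%s\n' "$1" | awk -F'"' -v lb="$2" '
        { split($1, a, " "); if (a[1] == lb && $8 != "-") print $8 }' | sort -u
}

if [ "${1:-}" = "demo" ]; then
    log=${2:-/var/log/nginx/access_www.log}   # the page's backend access log
    text=$(cat "$log")
    echo "requests from $LB_ADDR without X-Forwarded-For: $(count_lb_requests_without_xff "$text" "$LB_ADDR")"
    forwarded_clients "$text" "$LB_ADDR"
fi
```

    Run on a backend as `sh xffcheck.sh demo` (or pass another log path); any non-zero count after the balancer has been reloaded points at the include line, not at the backend.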

    On the web servers, comment out the redirect in the configuration file and it works.

    Finally, once it all works, tune the setup into the form enterprises actually use.
    The lb01 configuration file after optimization:

    [root@lb01 ~]# cat /etc/nginx/nginx.conf
    user  nginx;
    worker_processes  1;

    error_log  /var/log/nginx/error.log warn;
    pid        /var/run/nginx.pid;


    events {
        worker_connections  1024;
    }


    http {
        include       /etc/nginx/mime.types;
        default_type  application/octet-stream;

        log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                          '$status $body_bytes_sent "$http_referer" '
                          '"$http_user_agent" "$http_x_forwarded_for"';

        access_log  /var/log/nginx/access.log  main;

        sendfile        on;
        #tcp_nopush     on;

        keepalive_timeout  65;

        #gzip  on;

        upstream web_pools {
            # ip_hash;
            server   10.0.0.7:80   weight=2   max_fails=3  fail_timeout=10s;
            server   10.0.0.8:80   weight=1   max_fails=3  fail_timeout=10s;
        }

        #include /etc/nginx/conf.d/*.conf;
        server {
            listen       80;
            server_name  www.oldboy.com;
            #rewrite   ^/(.*)   https://www.oldboy.com/$1  redirect;
            return  302       https://$server_name$request_uri;
        }


        server {
            listen   443 ssl;
            server_name  www.oldboy.com;
            ssl  on;
            ssl_certificate        ssl_key/server.crt;
            ssl_certificate_key    ssl_key/server.key;

            location / {
                proxy_pass  http://web_pools;
                include proxy_params;
            }
        }
    }
    

    The web server configuration file after optimization:

    [root@web01 ~]# cat /etc/nginx/conf.d/www.conf
    server {
        listen      80;
        server_name  www.oldboy.com;
        # ssl  on;
        #ssl_certificate        ssl_key/server.crt;
        #ssl_certificate_key    ssl_key/server.key;
        access_log  /var/log/nginx/access_www.log  main;
        root   /usr/share/nginx/html/www;
        location / {
            index  index.php index.html index.htm;
        }
        location ~* \.(php|php5)$ {
            fastcgi_pass   127.0.0.1:9000;
            fastcgi_index  index.php;
            fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
            include        fastcgi_params;
        }

    }
    
    

    Supplement:
    01. When the backend has no HTTPS configured but the frontend is HTTPS, loading backend pages sometimes has problems.
    Fix: add fastcgi_param HTTPS on; to the backend configuration file, so PHP sees the request as HTTPS.


        Title: HTTPS

        Link: https://www.haomeiwen.com/subject/xbblqctx.html