
Configuring HTTPS in Nginx

指尖二进制 • 1 year ago • 766 views • NGINX


Without an SSL certificate to encrypt and authenticate the server's traffic, user data travels in plaintext, so anyone with a packet-capture tool can read user passwords off the wire, which is very dangerous. There is also no way to verify data consistency and integrity, so you cannot be sure the data was not altered in transit. A site that handles user accounts or other important information therefore normally needs an SSL certificate so it can serve HTTPS.

In production, SSL certificates are purchased from a third-party certificate authority. They come as professional OV certificates (the company name is not shown in the browser address bar) and premium EV certificates (the company name is shown); the number of domain names a certificate covers also affects the price (a certificate for just www and a wildcard * certificate cost different amounts), and third-level domain names are not supported. For testing you can act as your own certificate authority and issue the certificates yourself; the browser will then show the site in red, meaning the certificate is expired or invalid, while yellow means some resources on the page are still loaded over plain http.

Whichever route you take, the Nginx configuration is the same once you have the certificate, so this walkthrough sets up OpenSSL and issues the certificates itself to give a complete end-to-end description.

Part 1: Preparing the environment
1) Install the LNMP stack (nginx packages from the repository below)
https://nginx.org/packages/centos/7

yum install -y nginx-1.8.0-1.el7.ngx.x86_64.rpm
yum install -y epel-release
yum install -y remi-release-7.rpm
yum install --enablerepo=remi --enablerepo=remi-php56 php php-fpm php-opcache php-devel php-mbstring php-mcrypt php-pear php-mysqlnd php-phpunit-PHPUnit php-pecl-xdebug php-pecl-xhprof
yum install mariadb mariadb-server
systemctl enable php-fpm && systemctl restart php-fpm
systemctl enable mariadb && systemctl restart mariadb
systemctl enable nginx && systemctl restart nginx

[root@localhost ~]# unzip back.zip
[root@localhost ~]# mysql
MariaDB [(none)]> source /root/back/emlog.sql
[root@localhost ~]# cp -r /root/back/emlog/* /usr/share/nginx/html/

2) Check whether openssl is installed, and install it if it is not

[root@localhost ~]# rpm -qa openssl openssl-devel
[root@localhost ~]# yum -y install openssl openssl-devel

Part 2: Creating the root CA certificate
1: Generate the CA private key

[root@localhost ~]# cd cert/
[root@localhost cert]# openssl genrsa -out local.key 2048
Generating RSA private key, 2048 bit long modulus
.....................................................................................................................................................+++
.................+++
e is 65537 (0x10001)

[root@localhost cert]# ls
-rw-r--r-- 1 root root 1679 Dec  7 21:53 local.key

2: Generate the CA certificate request

[root@localhost cert]# openssl req -new -key local.key -out local.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN  #country
State or Province Name (full name) []:BJ  #province
Locality Name (eg, city) [Default City]:BJ  #city
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:ZC  #department
Common Name (eg, your name or your server's hostname) []:BLOG  #hostname
Email Address []:4409749@qq.com  #email

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:zhangjianzi  #password
An optional company name []:zhangjianzi  #name
[root@localhost cert]# ls
-rw-r--r-- 1 root root 1115 Dec  7 21:55 local.csr
-rw-r--r-- 1 root root 1679 Dec  7 21:53 local.key

req: an umbrella command that generates certificate requests, verifies certificates and creates a root CA
-new: generate a new certificate request
-x509: output a certificate directly instead of a request
-key: the private key used to generate the certificate request
-out: the output file

3: Generate the CA root certificate
The command that produces the CA certificate is confusing at first; it is really two steps:
1. generate a certificate request from the private key
2. generate the final certificate from that certificate request
-in names the certificate request to turn into a certificate; -signkey specifies the private key, a parameter I have not fully figured out yet.

[root@localhost cert]# openssl x509 -req -in local.csr -extensions v3_ca -signkey local.key -out local.crt
Signature ok
subject=/C=CN/ST=BJ/L=BJ/O=Default Company Ltd/OU=ZC/CN=BLOG/emailAddress=4409749@qq.com
Getting Private key

Part 3: Creating the server certificate from the CA certificate
1: Generate the server private key

[root@localhost cert]# openssl genrsa -out my_server.key 2048
Generating RSA private key, 2048 bit long modulus
................+++
...........................+++
e is 65537 (0x10001)

[root@localhost cert]# ls
-rw-r--r-- 1 root root 1273 Dec  7 21:56 local.crt
-rw-r--r-- 1 root root 1115 Dec  7 21:55 local.csr
-rw-r--r-- 1 root root 1679 Dec  7 21:53 local.key
-rw-r--r-- 1 root root 1679 Dec  7 21:57 my_server.key

2: Generate the server certificate request

[root@localhost cert]# openssl req -new -key my_server.key -out my_server.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:BJ
Locality Name (eg, city) [Default City]:BJ
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:ZC
Common Name (eg, your name or your server's hostname) []:BLOG
Email Address []:4409749@qq.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:zhangjianzi
An optional company name []:zhangjianzi

[root@localhost cert]# ls
-rw-r--r-- 1 root root 1273 Dec  7 21:57 local.crt
-rw-r--r-- 1 root root 1115 Dec  7 21:55 local.csr
-rw-r--r-- 1 root root 1679 Dec  7 21:53 local.key
-rw-r--r-- 1 root root 1115 Dec  7 21:59 my_server.csr
-rw-r--r-- 1 root root 1679 Dec  7 21:58 my_server.key

3: Generate the server certificate

[root@localhost cert]# openssl x509 -days 365 -req -in my_server.csr -extensions v3_req -CAkey local.key -CA local.crt -CAcreateserial -out my_server.crt
Signature ok
subject=/C=CN/ST=BJ/L=BJ/O=Default Company Ltd/OU=ZC/CN=BLOG/emailAddress=4409749@qq.com
Getting CA Private Key
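The same two-step issuance (root CA, then a server certificate signed by it) as an added shell example that is not from the original post, made non-interactive and self-checking: openssl x509 -req only honours -extensions together with -extfile, so unlike the session above it writes the CA:TRUE and subjectAltName extensions explicitly, and it sets the server CN/SAN to the site name rather than BLOG because browsers match the hostname against the SAN. It assumes openssl on PATH and foolcloud.cn as the site name (the server_name used in the nginx config), and works in a temporary directory.

```shell
#!/bin/sh
# Added example (not from the original post): root CA -> server cert, with the
# extensions spelled out via -extfile, then verified before nginx gets the files.
set -e
WORK="${WORK:-$(mktemp -d)}"
umask 077   # keys must not be world-readable (the session above left them -rw-r--r--)

# Root CA: private key + self-signed certificate explicitly marked CA:TRUE.
make_ca() {
    openssl genrsa -out "$WORK/local.key" 2048 2>/dev/null
    openssl req -new -key "$WORK/local.key" -subj "/C=CN/ST=BJ/L=BJ/OU=ZC/CN=Test Root CA" \
        -out "$WORK/local.csr"
    cat > "$WORK/ca.ext" <<'EOF'
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    # -signkey: sign the request with its own key, i.e. a self-signed root
    openssl x509 -req -days 3650 -sha256 -in "$WORK/local.csr" -signkey "$WORK/local.key" \
        -extfile "$WORK/ca.ext" -out "$WORK/local.crt" 2>/dev/null
}

# Server certificate: CN and subjectAltName both set to the site name, signed by the CA.
make_server_cert() {
    host="$1"
    openssl genrsa -out "$WORK/my_server.key" 2048 2>/dev/null
    openssl req -new -key "$WORK/my_server.key" -subj "/C=CN/ST=BJ/L=BJ/OU=ZC/CN=$host" \
        -out "$WORK/my_server.csr"
    cat > "$WORK/server.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$host
EOF
    openssl x509 -req -days 365 -sha256 -in "$WORK/my_server.csr" \
        -CA "$WORK/local.crt" -CAkey "$WORK/local.key" -CAcreateserial \
        -extfile "$WORK/server.ext" -out "$WORK/my_server.crt" 2>/dev/null
}

# Pre-deployment checks: chain validates against the CA, the SAN carries the
# hostname browsers will match on, and the certificate belongs to the private key.
check_server_cert() {
    host="$1"
    openssl verify -CAfile "$WORK/local.crt" "$WORK/my_server.crt" >/dev/null
    openssl x509 -in "$WORK/my_server.crt" -noout -text | grep -q "DNS:$host"
    [ "$(openssl x509 -in "$WORK/my_server.crt" -noout -pubkey)" = \
      "$(openssl pkey -in "$WORK/my_server.key" -pubout)" ]
}
# Usage: make_ca; make_server_cert foolcloud.cn; check_server_cert foolcloud.cn
```

Point ssl_certificate at $WORK/my_server.crt and ssl_certificate_key at $WORK/my_server.key; import local.crt into the test browser's trust store to get rid of the red warning.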

Part 4: Configuring nginx for SSL

server {
    listen 80;
    server_name foolcloud.cn;
    rewrite ^(.*) https://foolcloud.cn$1 permanent;   # force redirect to https
}

server {
    server_name foolcloud.cn;
    listen 443 default_server ssl;                    # listen on port 443 with TLS

    ssl_certificate      /root/cert/my_server.crt;    # server certificate (signed by the CA; not the CA cert local.crt)
    ssl_certificate_key  /root/cert/my_server.key;    # server private key
    ssl_session_cache    shared:SSL:1m;               # shared TLS session cache
    ssl_session_timeout  10m;                         # sessions expire after 10 minutes
    ssl_ciphers          HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;

    location / {
        root  /usr/share/nginx/html;
        index index.php index.html;

        # emlog pseudo-static rewrite: route requests for missing files through index.php
        if (!-e $request_filename) {
            rewrite ^/(.*)$ /index.php last;
        }
    }

    location ~ \.php$ {
        root /usr/share/nginx/html;
        fastcgi_pass  127.0.0.1:9000;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}