Overview
What is HTTPS?
HTTPS is HTTP carried over TLS: the server presents a certificate that the client verifies against its trust store, and the traffic is then encrypted and integrity-protected. In production, websites are normally served over HTTPS. This article walks through configuring HTTPS in nginx.
The configuration has the following steps:
- Prepare a domain name
- Obtain the domain name and a certificate
- Configure the web server
- Redirect HTTP to HTTPS
Hands-on configuration
Registering a domain
You can buy one from Aliyun's domain service: https://wanwang.aliyun.com/newactivity/mid-yearpromotions?
Obtaining a certificate
You can buy one from a public CA. Since this is only a test, the certificate here is generated with openssl instead.
# Create the private key (2048-bit RSA)
[root@master ~/ca]# openssl genrsa -out www.huangsir-666.com.key 2048
# Generate a certificate signing request (CSR, .csr); this is what you would submit to a CA
[root@master ~/ca]# openssl req -new -key www.huangsir-666.com.key -out www.huangsir-666.com.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:Beijing
Locality Name (eg, city) []:Beijing
Organization Name (eg, company) [Internet Widgits Pty Ltd]:huangsir Tech
Organizational Unit Name (eg, section) []:IT
Common Name (e.g. server FQDN or YOUR name) []:www.huangsir-666.com
Email Address []:[email protected]
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
# Sign the CSR with its own key to produce the self-signed .crt certificate. Note that a certificate produced this way carries no subjectAltName: Chrome (since version 58) ignores the CN entirely and will reject it even after you trust it, so for anything beyond a quick test add a subjectAltName extension.
[root@master ~/ca]# openssl x509 -req -sha256 -days 365 -in www.huangsir-666.com.csr -signkey www.huangsir-666.com.key -out www.huangsir-666.com.crt
Certificate request self-signature ok
subject=C = CN, ST = Beijing, L = Beijing, O = huangsir Tech, OU = IT, CN = www.huangsir-666.com, emailAddress = [email protected]
[root@master ~/ca]# ll
total 12
-rw-r--r-- 1 root root 1354 Jun 6 13:58 www.huangsir-666.com.crt # certificate (contains the public key)
-rw-r--r-- 1 root root 1074 Jun 6 13:57 www.huangsir-666.com.csr
-rw------- 1 root root 1704 Jun 6 13:55 www.huangsir-666.com.key # private key (not a certificate; note the 0600 mode)
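The CSR flow above produces a certificate that current browsers reject because it has no subjectAltName. The script below is an added example, not code from the original post: it generates key and certificate in one step with a SAN, then runs the checks worth doing before handing the files to nginx (cert/key match, self-verification, key permissions). It assumes OpenSSL 1.1.1 or newer for the -addext option; the domain name is the article's placeholder and the function names are made up for this example.

```shell
#!/bin/sh
# Added example, not code from the original post: create a self-signed
# certificate that carries a subjectAltName (the CN-only certificate from
# the CSR flow above is rejected by current browsers even when trusted),
# then run the checks worth doing before the files are handed to nginx.
# Assumes OpenSSL >= 1.1.1 (for "req -addext"). The domain name is the
# article's placeholder; the function names are made up for this example.
set -eu

# gen_selfsigned DOMAIN OUTDIR [DAYS]
# One-step key + certificate generation; no intermediate CSR is needed when
# the key signs its own certificate.
gen_selfsigned() {
    domain=$1; outdir=$2; days=${3:-365}
    mkdir -p "$outdir"
    ( umask 077   # the private key must never be group/world readable
      openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$days" \
          -keyout "$outdir/$domain.key" -out "$outdir/$domain.crt" \
          -subj "/C=CN/ST=Beijing/L=Beijing/O=huangsir Tech/CN=$domain" \
          -addext "subjectAltName=DNS:$domain" \
          -addext "extendedKeyUsage=serverAuth" ) 2>/dev/null
    chmod 644 "$outdir/$domain.crt"   # the certificate itself is public
}

# cert_san CERT -> prints the SAN entry, e.g. "DNS:www.huangsir-666.com".
cert_san() {
    openssl x509 -in "$1" -noout -text \
        | sed -n '/Subject Alternative Name/{n;p;}' | tr -d ' '
}

# key_matches_cert CERT KEY -> succeeds when both carry the same public key.
# A mismatch makes nginx fail at startup with "key values mismatch".
key_matches_cert() {
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = \
      "$(openssl pkey -in "$2" -pubout 2>/dev/null)" ]
}

# cert_verifies CAFILE CERT -> succeeds when CERT chains to CAFILE.
# A self-signed certificate verifies only against itself, which is exactly
# why the browser complains: nothing in its trust store signed it.
cert_verifies() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# key_is_private FILE -> succeeds when group and others have no permissions.
key_is_private() {
    [ "$(ls -l "$1" | cut -c5-10)" = "------" ]
}

main() {
    dir=$(mktemp -d)
    domain=www.huangsir-666.com
    gen_selfsigned "$domain" "$dir"
    echo "SAN:         $(cert_san "$dir/$domain.crt")"
    key_matches_cert "$dir/$domain.crt" "$dir/$domain.key" && echo "key/cert:    match"
    cert_verifies "$dir/$domain.crt" "$dir/$domain.crt"    && echo "self-verify: ok"
    key_is_private "$dir/$domain.key"                        && echo "key mode:    private"
    openssl x509 -in "$dir/$domain.crt" -noout -subject -dates
    rm -rf "$dir"
}
main
```

To use the output with the nginx configuration that follows, copy the .crt and .key into /etc/ssl/nginx/ as the article does; cert_verifies is also the command to run against a CA-issued certificate and its chain file, where it must print OK before the files go anywhere near a server.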
Configuring nginx
Move the certificate and private key into /etc/ssl/nginx (keep the key root-owned with mode 0600; the nginx master process reads it as root before the workers drop privileges):
[root@master /etc/nginx/conf.d]# mkdir -p /etc/ssl/nginx
[root@master ~]# mv ca/www.huangsir-666.com.crt ca/www.huangsir-666.com.key /etc/ssl/nginx/
Write the nginx configuration
[root@master ~]# cat /etc/nginx/conf.d/demo01.conf
server {
    listen 443 ssl;
    server_name www.huangsir-666.com;
    # certificate (public part)
    ssl_certificate /etc/ssl/nginx/www.huangsir-666.com.crt;
    # private key (mode 0600, readable only by root)
    ssl_certificate_key /etc/ssl/nginx/www.huangsir-666.com.key;
    # Recommended protocols and cipher suites: TLS 1.2/1.3 only, AEAD suites with ECDHE key exchange
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;
    # every suite above is strong, so let the client choose (this list only governs TLS 1.2; TLS 1.3 suites are fixed)
    ssl_prefer_server_ciphers off;
    root /data00/nginx/;
    location / {
        index index.html;
    }
}
# Redirect HTTP to HTTPS. The literal host name is deliberate: redirecting to $host would echo back whatever Host header the client sent.
server {
    listen 80;
    server_name www.huangsir-666.com;
    return 301 https://www.huangsir-666.com$request_uri;
}
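For a production deployment the server block above can be tightened a little further. The following is an added example, not the original post's configuration: it keeps the same paths, domain and document root (the article's placeholders) and adds session-resumption settings plus an HSTS header. The HSTS line assumes a CA-issued certificate is already in place, because browsers ignore HSTS on a connection with certificate errors, and a long max-age is hard to undo once clients have cached it.

```nginx
server {
    listen 443 ssl;
    server_name www.huangsir-666.com;

    ssl_certificate     /etc/ssl/nginx/www.huangsir-666.com.crt;
    ssl_certificate_key /etc/ssl/nginx/www.huangsir-666.com.key;

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;
    ssl_prefer_server_ciphers off;

    # Session resumption: a cache shared across workers lets returning clients
    # skip the full handshake. Tickets are disabled because nginx does not
    # rotate its ticket key automatically, which weakens forward secrecy for
    # resumed sessions.
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 1d;
    ssl_session_tickets off;

    # HSTS: add only once a CA-issued certificate is deployed (see lead-in).
    # "always" makes nginx send the header on error responses too.
    add_header Strict-Transport-Security "max-age=63072000" always;

    root /data00/nginx/;
    location / {
        index index.html;
    }
}

# Redirect HTTP to HTTPS with a literal host name (no Host-header reflection).
server {
    listen 80;
    server_name www.huangsir-666.com;
    return 301 https://www.huangsir-666.com$request_uri;
}
```

Run nginx -t after dropping this in; a typo in ssl_ciphers or a cert/key mismatch shows up there rather than at the first client connection.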
Restart nginx
# check the configuration syntax first
[root@master ~]# nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
# restart nginx (a "systemctl reload nginx" also picks up the new configuration and does not drop in-flight connections)
[root@master ~]# systemctl restart nginx
Add a hosts entry and test access
Open the local hosts file and add the following line (this points the test name at the server without touching public DNS):
10.37.97.56 www.huangsir-666.com
Open https://www.huangsir-666.com in a browser
The browser warns that the connection is not secure. That is expected: the certificate is self-signed, so no CA in the browser's trust store vouches for it. Trusting the certificate explicitly, or using a CA-issued one, removes the warning.