
nginx实现https

https的作用

数据加密传输;
OSI七层模型中:加密或解密

image-20230616221421445

image-20230616221353487

https注意事项

  1. 证书过期无法续费
  2. 三级域名无法使用https www.xxx.com main.m.taobao.com
  3. 注意证书的颜色
    • 绿色 全站URL都是https加密
    • 红色 假证书或者证书过期
    • 黄色 并非全站URL都是https加密的

证书购买

  • 单域名
  • 混合域名
  • 泛域名
    • 通配符域名证书
      • *.xxx.com
        • blog.xxx.com
        • picture.xxx.com
        • movie.xxx.com
        • gam.xxx.com
        • rw.xxx.com

模拟网站被劫持篡改

搭建网页(web01)

# Edit the site config for the plain-HTTP origin (web01)
vim /etc/nginx/conf.d/test.conf

# Plain HTTP only: this server answers on port 80 with no TLS, which is what
# lets the proxy in the next section read and rewrite the page in transit.
server {
listen 80;
server_name www.xxx.com;
root /code;
index index.html;
charset utf-8;
}

# Deploy the page content
vim /code/index.html

<!DOCTYPE html>
<!-- Demo page served by web01. The <title> and <small> strings below are the
     ones the hijacking proxy in the next section rewrites with sub_filter. -->
<html lang="en">
<head>
<meta charset="UTF-8">
<title>我是title</title>
</head>
<body>
<article>
<header>
<h1>我是Article</h1>
<p>创建时间:<time pubdate="pubdate">2018/8/10</time></p>
</header>
<p>
<b>Aticle</b>第一次用h5写文章,好他*的紧张...
</p>
<footer>
<p><small>版权所有</small></p>
</footer>
</article>
</body>
</html>

# Validate the config first: a syntax error would otherwise take the site down
# on restart. `systemctl reload nginx` applies it without dropping connections.
nginx -t
systemctl restart nginx

劫持并修改网页(web02)

# Edit the hijacking proxy config (web02 impersonates www.xxx.com)
vim /etc/nginx/conf.d/jiechi_test.conf
# The real origin (10.0.0.7, presumably web01). Traffic to it is plain HTTP,
# so this proxy sees the full response body and can alter it.
upstream jiechi {
server 10.0.0.7:80;
}

server {
listen 80;
server_name www.xxx.com;

location / {
proxy_pass http://jiechi;
proxy_set_header Host $http_host;
# Content tampering in transit: strings in the upstream response body are
# rewritten before reaching the browser. Over HTTPS this is not possible: the
# body is encrypted end-to-end and the proxy holds no certificate valid for
# www.xxx.com, so the browser would refuse or warn instead.
sub_filter '<title>我是title' '<title>hcltitle';
sub_filter '<small>版权所有' ' <small>hcl版权所有';
}
}

# Validate the config, then restart nginx
nginx -t
systemctl restart nginx

申请ssl证书并配置https

跟CA机构申请证书

# Generate an RSA private key (lab setup: despite the heading, nothing below
# involves a CA; the certificate ends up self-signed).
# -idea encrypts the key with a pass phrase. Note this key is overwritten a
# few lines further down: `openssl req ... -newkey rsa:2048 -keyout server.key`
# generates a fresh, unencrypted key under the same file name.
openssl genrsa -idea -out server.key 2048

Generating RSA private key, 2048 bit long modulus
................................................................................
..................................................+++
.............................+++
e is 65537 (0x10001)
# The pass phrase typed here ("1234") is recorded in the transcript; a weak or
# recorded pass phrase gives the -idea encryption little value.
Enter pass phrase for server.key: 1234
Verifying - Enter pass phrase for server.key: 1234

# The key is written to the current directory
ll
total 4
# 0644 means any local user can read the private key; restrict it with
# `chmod 600 server.key` before deploying.
-rw-r--r-- 1 root root 1747 Jan 11 19:02 server.key

# Create the certificate. This is self-signed (`req -x509`): no CA signs it, so
# browsers will warn until it is imported as trusted. -nodes writes the private
# key unencrypted; -keyout server.key overwrites the key generated above.
# -days 36500 is a 100-year validity, acceptable for a lab only; publicly
# trusted certificates are limited to roughly a year by browser policy.
openssl req -days 36500 -x509 -sha256 -nodes -newkey rsa:2048 -keyout server.key -out server.crt
## Option reference. The list below says "new", but the command actually uses
## -newkey rsa:2048 (generates key and request in one step); it also omits
## -sha256 (signature digest) and -nodes (do not encrypt the key).
req --> 用于创建新的证书
new --> 表示创建的是新证书
x509 --> 表示定义证书的格式为标准格式
key --> 表示调用的私钥文件信息
out --> 表示输出证书文件信息
days --> 表示证书的有效期

Generating a 2048 bit RSA private key
..................+++
............................................................+++
writing new private key to 'server,key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
# Country code (2 letters)
Country Name (2 letter code) [XX]:CN
# State or province
State or Province Name (full name) []:shanghai
# City
Locality Name (eg, city) [Default City]:shanghai
# Organization (company) name
Organization Name (eg, company) [Default Company Ltd]:oldboy
# Organizational unit (department)
Organizational Unit Name (eg, section) []:oldboy
# Common Name: must match the hostname clients use (server_name test.xxx.com
# below). Current browsers match the Subject Alternative Name rather than the
# CN, which `req -x509` does not set here; with OpenSSL 1.1.1 or later add
# `-addext "subjectAltName=DNS:test.xxx.com"` when testing with a browser.
Common Name (eg, your name or your server's hostname) []:test.xxx.com
# Contact e-mail
Email Address []:123@qq.com
# Resulting files. The key is again 0644 (world-readable); tighten with chmod 600.
-rw-r--r-- 1 root root 1411 Jan 11 19:08 server.crt
-rw-r--r-- 1 root root 1704 Jan 11 19:08 server.key

配置ssl证书语法

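# Enable TLS on a server. Obsolete: since nginx 1.15.0 the `ssl` directive is
# replaced by the `ssl` parameter of `listen` (the "新语法" form shown below).
Syntax: ssl on | off;
Default: ssl off;
Context: http,server

# Certificate file (PEM). May hold the server certificate followed by the
# intermediate chain, which clients need to validate a CA-issued cert.
Syntax: ssl_certificate file;
Default: -
Context: http,server

# Private key file (typo fixed: "fil" -> "file"). Keep it readable by root only.
Syntax: ssl_certificate_key file;
Default: -
Context: http,server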

修改nginx配置文件

# Directory for the certificate and key
mkdir /etc/nginx/ssl

# Move server.crt / server.key into it. The key is still 0644 from the listing
# above; `chmod 600 /etc/nginx/ssl/server.key` limits it to root.
mv server.* /etc/nginx/ssl/

# Point nginx at the certificate
vim /etc/nginx/conf.d/test.conf

## Old syntax: `ssl on;` is obsolete since nginx 1.15.0 and rejected by newer
## builds; prefer the form below.
server{
listen 443;
server_name test.xxx.com;
root /code/test;
index index.html;
ssl on;
# Paths are relative to the nginx prefix (here /etc/nginx, matching the mkdir
# above), i.e. /etc/nginx/ssl/server.crt.
ssl_certificate ssl/server.crt;
ssl_certificate_key ssl/server.key;
}

## New syntax: TLS is enabled per listen socket.
server{
listen 443 ssl;
server_name test.xxx.com;
root /code/test;
index index.html;
ssl_certificate ssl/server.crt;
ssl_certificate_key ssl/server.key;
# Nothing here restricts protocol versions or ciphers; a production config
# would add ssl_protocols / ssl_ciphers rather than rely on the defaults.
}

# Restart nginx to bring up the 443 listener
systemctl restart nginx

# Open in a browser. Expect a certificate warning: the cert is self-signed,
# not issued by a CA the browser trusts.
https://test.xxx.com

image-20230111161644431

使用rewrite去跳转(lb01)

# Edit the redirect config: send plain-HTTP visitors to HTTPS
vim /etc/nginx/conf.d/rewrite.conf

server{
listen 80;
server_name test.xxx.com;
# `redirect` answers 302 (temporary); `permanent` gives a 301 that browsers
# cache. $1 is the request URI. The first request still travels over plain
# HTTP; HSTS (add_header Strict-Transport-Security) avoids that on later visits.
rewrite (.*) https://test.xxx.com$1 redirect;
}
# Same site served over TLS with the self-signed cert from the previous step.
server{
listen 443 ssl;
server_name test.xxx.com;
root /code/test;
index index.html;
ssl_certificate ssl/server.crt;
ssl_certificate_key ssl/server.key;
}

image-20230111162850772

多台nginx配置ssl证书

搭建web网页(web01 web02)

# Edit the site config on the backends (web01, web02)
vim /etc/nginx/conf.d/test.conf

# Backends speak plain HTTP. The certificate lives on lb01 only, which
# terminates HTTPS and forwards to these servers over the internal network.
server {
listen 80;
server_name test.xxx.com;
root /code/test;
index index.html;
}

搭建wordpress(web03)

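# Set up the wordpress site (web03)

# Generate the certificate. Fixed "gensa" -> "genrsa" and the key file name
# ("blogxxx.com" -> "blog.xxx.com") so that the mv below picks up the key.
# Note the second command's -newkey/-keyout regenerates the key under the same
# name (unencrypted, because of -nodes), so the genrsa step is redundant here.
openssl genrsa -idea -out 20230111_blog.xxx.com.key 2048
openssl req -days 36500 -x509 -sha256 -nodes -newkey rsa:2048 -keyout 20230111_blog.xxx.com.key -out 20230111_blog.xxx.com.crt

# Directory for certificates
mkdir /etc/nginx/ssl

# Move certificate and key into place (restrict the key with chmod 600)
mv 20230111_blog.xxx.com.* /etc/nginx/ssl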

负载均衡配置证书(lb01)

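# TLS termination on the load balancer (lb01). Path fixed: "cong.d" -> "conf.d".
vim /etc/nginx/conf.d/test.conf

# Backends are reached over plain HTTP on the internal network; TLS stops at
# lb01, so lb01 <-> web traffic is unencrypted.
upstream test.xxx.com {
server 172.16.1.7;
server 172.16.1.8;
}
# Port 80 only redirects to HTTPS (302; `permanent` would give a cacheable 301).
server {
listen 80;
server_name test.xxx.com;
rewrite (.*) https://test.xxx.com$1 redirect;
}
server {
listen 443 ssl;
# Missing ";" added; nginx -t rejects the original line.
server_name test.xxx.com;
ssl_certificate ssl/server.crt;
ssl_certificate_key ssl/server.key;

location / {
# "http:test.xxx.com" is not a valid proxy_pass URL; the scheme needs "//".
proxy_pass http://test.xxx.com;
# Presumably a snippet of proxy_set_header directives from an earlier lesson;
# confirm the file exists under the nginx prefix, otherwise nginx -t fails.
include proxy_pass;
}
}

# Put the certificate on the load balancer under /etc/nginx/ssl
mkdir /etc/nginx/ssl
# Run on web01: copy cert and private key to lb01 (10.0.0.5). scp protects the
# key in transit; keep it 0600 on the destination.
scp /etc/nginx/ssl/* 10.0.0.5:/etc/nginx/ssl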

免费证书领取

image-20230111163119444

image-20230111163123035

image-20230111163126438

image-20230111163130307

image-20230111163134088

image-20230111163137119

image-20230111163140797

image-20230111163144241