HTTPS基本概述
为什么需要使用HTTPS, 因为HTTP不安全
1.传输数据被中间人盗用, 信息泄露2.数据内容劫持, 篡改配置HTTPS前预备知识
HTTPS证书购买选择1.保护1个域名 www2.保护5个域名 www images cdn test m3.通配符域名 *.oldboy.comHTTPS注意事项1.https不支持三级域名解析2.Https不支持续费,证书到期需重新申请进行替换3.Https显示×××, 因为网站代码中包含http的不安全连接。HTTPS证书申请
配置苹果要求的证书1.服务器所有连接使用TLS1.2以上版本(openssl 1.0.2)2.HTTPS证书必须使用SHA256以上哈希算法签名3.HTTPS证书必须使用RSA 2048位或ECC256位以上公钥算法4.使用前向加密技术秘钥生成操作步骤1.生成key密钥2.生成证书签名请求文件(csr文件)3.生成证书签名文件(CA文件)1.检查当前环境
//openssl必须是1.0.2[root@Nginx ~]# openssl versionOpenSSL 1.0.2k-fips ?26 Jan 2017//nginx必须有ssl模块[root@Nginx ~]# nginx -V --with-http_ssl_module[root@Nginx ~]# mkdir /etc/nginx/ssl_key -p[root@Nginx ~]# cd /etc/nginx/ssl_key2.使用openssl充当CA权威机构创建私钥(生产不可能使用此方式生成证书,不被互联网CA权威承认的黑户证书)
[root@Nginx ssh_key]# openssl genrsa -idea -out server.key 2048Generating RSA private key, 2048 bit long modulus.....+++//记住配置密码, 我这里是1234Enter pass phrase for server.key:Verifying - Enter pass phrase for server.key:3.生成自签证书,同时去掉私钥的密码
[root@Nginx ssl_key]# openssl req -days 36500 -x509 -sha256 -nodes -newkey rsa:2048 -keyout server.key -out server.crtCountry Name (2 letter code) [XX]:CNState or Province Name (full name) []:WHLocality Name (eg, city) [Default City]:WHOrganization Name (eg, company) [Default Company Ltd]:edu ???Organizational Unit Name (eg, section) []:SACommon Name (eg, your name or your server‘s hostname) []:bgxEmail Address []:bgx@foxmail.com# req ?-->用于创建新的证书# new ?-->表示创建的是新证书# x509 -->表示定义证书的格式为标准格式# key ?-->表示调用的私钥文件信息# out ?-->表示输出证书文件信息# days -->表示证书的有效期HTTPS配置场景
1.HTTPS配置语法
Syntax: ssl on | off;Default: ssl off;Context: http, serverSyntax: ssl_certificate file;Default: —Context: http, serverSyntax: ssl_certificate_key file;Default: —Context: http, server2.配置Nginx支持Https实例
[root@Nginx ~]# cat /etc/nginx/conf.d/ssl.confserver { ???listen 443; ???server_name localhost; ???ssl on; ???ssl_certificate ??ssl_key/server.crt; ???ssl_certificate_key ?ssl_key/server.key; ???location / { ???????root /soft/code; ???????index index.html index.htm; ???????access_log /logs/ssl.log main; ???}}3.测试访问, 由于该证书非第三方权威机构颁发,而是我们自己签发的,所以浏览器会警告
HTTPS强制跳转
以上配置如果用户忘记在浏览器地址栏输入https://那么将不会跳转至https, 那么需要将访问http强制跳转https
1.配置Https强制跳转http
[root@Nginx ~]# cat /etc/nginx/conf.d/ssl.conf server { ???listen 443; ???server_name bgx.com; ???index index.html index.htm; ???ssl on; ???ssl_certificate ??ssl_key/server.crt; ???ssl_certificate_key ?ssl_key/server.key; ???location / { ???????root /code; ???}}server { ???????listen 80; ???????server_name bgx.com; ???????rewrite ^(.*) https://$server_name$1 redirect; ???????#return 302 https://$server_name$request_uri;}2.检查是否支持苹果要求ATS协议
//仅能在苹果终端上使用$ nscurl --ats-diagnostics --verbose https://192.168.69.113HTTPS配置案例
1.实战单台web服务配置HTTPS
# 1.准备文件[root@Nginx ~]# mkdir /etc/nginx/ssl_key -p[root@Nginx ~]# cd /etc/nginx/ssl_key[root@Nginx ~]# openssl genrsa -idea -out server.key 2048[root@Nginx ~]# openssl req -days 36500 -x509 -sha256 -nodes -newkey rsa:2048 -keyout server.key -out server.crt# 2.配置nginx[root@web03 conf.d]# cat https.conf server { ???listen 443; ???server_name s.oldboy.com; ???ssl on; ???ssl_certificate ??ssl_key/server.crt; ???ssl_certificate_key ?ssl_key/server.key; ???location / { ???????root /code; ???????index index.html; ???}}server { ???listen 80; ???server_name s.oldboy.com; ???rewrite (.*) https://$server_name$1 redirect; ???#return 302 https://$server_name$request_uri;}2.实战Nginx负载均衡+Nginx WEB配置HTTPS
###注意:ssl证书使用通配符,生产必须统一,如果是自己签发证书可以随意使用(黑户)1.环境准备角色 ?????外网IP(NAT) ??????内网IP(LAN) ??????服务lb01 ???eth0:10.0.0.5 ??eth1:172.16.1.5 ???nginx-proxyweb01 ??eth0:10.0.0.7 ??eth1:172.16.1.7 ????nginx-web01web02 ??eth0:10.0.0.8 ??eth1:172.16.1.8 ????nginx-web022.先配置后端的所有web节点, 如下操作,统一配置//生成证书(仅生成一次即可, 其他机器拷贝)[root@web01 ~]# mkdir /etc/nginx/ssl_key -p[root@web01 ~]# cd /etc/nginx/ssl_key[root@web01 ~]# openssl genrsa -idea -out server.key 2048[root@web01 ~]# openssl req -days 36500 -x509 -sha256 -nodes -newkey rsa:2048 -keyout server.key -out server.crt//配置后端节点通过https方式访问,如果该节点不直接对用户访问提供服务,则不需要启动http端口[root@web01 conf.d]# cat blog.oldboy.com.conf server { ???????listen 443; ???????server_name blog.oldboy.com; ???????root /code/wordpress; ???????index index.php index.html; ???????ssl on; ???????ssl_certificate ?ssl_key/server.crt; ???????ssl_certificate_key ?ssl_key/server.key; ???????location ~ \.php$ { ???????root /code/wordpress; ???????????????fastcgi_pass ??127.0.0.1:9000; ???????????????fastcgi_index ?index.php; ???????????????fastcgi_param ?SCRIPT_FILENAME ?$document_root$fastcgi_script_name; ???????????????include ???????fastcgi_params; ???????}}3.配置第二台web节点[root@web01 ~]# scp -rp /etc/nginx/ssl_key/ root@172.16.1.8:/etc/nginx/ ?[root@web01 ~]# scp -rp /etc/nginx/conf.d/ root@172.16.1.8:/etc/nginx/4.重启两台后端web节点Nginx[root@web01 ~]# systemctl restart nginx[root@web02 ~]# systemctl restart nginx5.拷贝web上的ssl证书至Proxy[root@web01 ~]# scp -rp /etc/nginx/ssl_key/ root@172.16.1.5:/etc/nginx/6.配置Nginx负载均衡调度[root@lb01 ~]# cat /etc/nginx/conf.d/proxy.conf #必须修改后端监听资源池为443端口upstream site { ???server 172.16.1.7:443 max_fails=1 fail_timeout=60s; ???server 172.16.1.8:443 max_fails=1 fail_timeout=60s;}#接收用户https请求, 将请求内容抛至后端web节点server { ???listen 443; ???server_name blog.oldboy.com; ???ssl on; ???ssl_certificate ?ssl_key/server.crt; ???ssl_certificate_key ?ssl_key/server.key; ???location / { ???????proxy_pass https://site; ???????include proxy_params; ???}}#用户通过http请求跳转至httpsserver { ???listen 80; ???server_name blog.oldboy.com; ???return 302 https://$server_name$request_uri;}7.重启Proxy Nginx[root@lb01 ~]# systemctl restart nginx8.wordpress早期安装如果是使用http方式, 那开启https后会导致wordpress出现破图或加载不全的情况。 ???建议: ???????1.在安装wordpress之前就配置好https ???????2.在wordpress后台管理页面, 设置->常规->修改(WordPress地址以及站点地址)为 https://问题:
1.负载监听80端口,跳转到443,然后通过proxy_pass代理 转发到upstream模块到后端的web节点。2.上面这种方式后端的web监听的是443端口,负载里的upstream配置也是443,3.当负载通过443端口连接后端web时要通过https加密,访问速度没有http快,因为https需要加密解决方案:
1.我们可以在后端web直接监听80端口 ,然后在负载上的upstream里把后端的web监听端口也改成80即可! 公有云的SLB+ECS 后端监听的也是80端口HTTPS公有云实践
在云上签发各品牌数字证书,实现网站HTTPS化,使网站可信,防劫持、防篡改、防监听。并进行统一生命周期管理,简化证书部署,一键分发到云上产品
上传阿里云证书, 并解压
[root@Nginx ssl_key]# rz rz waiting to receive.Starting zmodem transfer. ?Press Ctrl+C to cancel.Transferring 1524377920931.zip... ?100% ??????3 KB ??????3 KB/sec ???00:00:01 ??????0 Errors//解压[root@Nginx ssl_key]# unzip 1524377920931.zip配置nginx https
[root@Nginx conf.d]# cat ssl.nginx.bjstack.com.confserver { ???listen 443; ???server_name nginx.bjstack.com; ???ssl on; ???ssl_session_timeout 10m; ???ssl_certificate ssl_key/1524377920931.pem; ???ssl_certificate_key ssl_key/1524377920931.key; ???ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4; ???ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ???ssl_prefer_server_ciphers on; ???location / { ???????root /soft/code; ???????index index.html index.htm; ???}}server { ???????listen 80; ???????server_name nginx.bjstack.com; ???????rewrite ^(.*) https://$server_name$1 redirect;}测试访问
使用腾讯云ATS检测工具检查是否满足苹果IOS要求
Https+SLB+ESC实践
Nginx HTTPS
原文地址:http://blog.51cto.com/13528471/2295976