简介
基本概述
SSL
SSL是安全套接层。
主要用于认证用户和服务器,确保数据发送到正确的客户机和服务器上。
SSL可以加密数据,防止数据中途被窃取。
SSL也可以维护数据的完整性,确保数据在传输过程中不被改变。
HTTPS
HTTPS就是基于SSL来实现的安全通信。
证书
证书用于保证密钥的合法性。
证书的主体可以是用户、服务、计算机等。
证书的格式准信X.509标准。
数字证书包含如下信息:
- 使用者的公钥值;
- 使用者标识信息(如名称和电子邮件地址);
- 有效期(证书的有效时间);
- 颁发者表示信息;
- 颁发者的数字签名;
- 注意:数字证书由权威公正的第三方机构签发。
小知识
- HTTPS证书的选择
- 专业版OV型证书,不显示企业名称
- 高级版EV型证书,显示企业名称
- HTTPS证书购买选择
- 通配符域名,如:*.o-learn.cn
- 保护域名,如:www.baidu.com
- HTTPS注意事项
- HTTPS不支持三级域名解析;
- HTTPS不支持续费,证书到期后需要重新申请并进行替换;
- HTTPS显示绿色,表示整个网站的URL都是HTTPS的;
- HTTPS显示黄色,表示网站中包含HTTP的不安全连接;
- HTTPS显示红色,表示证书过期或者证书是假的;
配置场景
应用
申请证书
私有证书
- 检查OpenSSL工具
- 检查是否安装
openssl --version
- 如未安装,以下命令安装
yum install openssl openssl-devel
- 检查nginx的ssl模块
nginx -V 2>&1 | grep ssl
#with-http_ssl_module
- 生成密钥
- 创建密钥目录
mkdir -p /www/ssl_key
cd /www/ssl_key
- 生成密钥
openssl genrsa -des3 -out wang_mingqu_com.key 1024# Generating RSA private key, 1024 bit long modulus
# ...++++++
# ..................................................................++++++
# e is 65537 (0x10001)
# Enter pass phrase for https.key: 123456
# Verifying - Enter pass phrase for https.key: 123456
- 删除私钥的密码
openssl rsa -in wang_mingqu_com.key -out wang_mingqu_com.key# Enter pass phrase for https.key: 123456
# writing RSA key
- 生成证书
- 创建签名请求证书
openssl req -new -key wang_mingqu_com.key -out wang_mingqu_com.csr# You are about to be asked to enter information that will be incorporated
# into your certificate request.
# What you are about to enter is what is called a Distinguished Name or a DN.
# There are quite a few fields but you can leave some blank
# For some fields there will be a default value,
# If you enter '.', the field will be left blank.
# -----
# Country Name (2 letter code) [XX]:CN
# State or Province Name (full name) []:HeNan
# Locality Name (eg, city) [Default City]:ZhengZhou
# Organization Name (eg, company) [Default Company Ltd]:MingQuKeJi
# Organizational Unit Name (eg, section) []:YunWeiBu
# Common Name (eg, your name or your server's hostname) []:wang.mingqu.com
# Email Address []:15515190288@163.com# Please enter the following 'extra' attributes
# to be sent with your certificate request
# A challenge password []:
# An optional company name []:
- 生成SSL证书
openssl x509 -req -days 365 -in wang_mingqu_com.csr -signkey wang_mingqu_com.key -out wang_mingqu_com.crt# Signature ok
# subject=/C=CN/ST=HeNan/L=ZhengZhou/O=MingQuKeJi/OU=YunWeiBu/CN=wang.mingqu.com/emailAddress=15515190288@163.com
# Getting Private key
- 查看证书和密钥
ll /www/ssl_key/
total 28
-rw-r--r-- 1 root root 981 Feb 26 16:36 wang_mingqu_com.crt
-rw-r--r-- 1 root root 716 Feb 26 16:32 wang_mingqu_com.csr
-rw-r--r-- 1 root root 887 Feb 26 16:30 wang_mingqu_com.key
公网证书
配置HTTPS
- 创建证书存放目录
mkdir -p /etc/nginx/ssl_key
cp /www/ssl_key/wang_mingqu_com.crt /etc/nginx/ssl_key/
cp /www/ssl_key/wang_mingqu_com.key /etc/nginx/ssl_key/
chown -R nginx:nginx /etc/nginx/ssl_key/
- 编辑nginx配置文件
路径:/etc/nginx/conf.d/wangmingqu.conf
server {listen 443 ssl;server_name wang.mingqu.com;charset utf-8;#配置https证书#ssl on; 新版本nginx中无需添加此行。#证书的存放路径ssl_certificate /etc/nginx/ssl_key/wang_mingqu_com.crt;ssl_certificate_key /etc/nginx/ssl_key/wang_mingqu_com.key;#证书的缓存有效期ssl_session_timeout 5m;#证书的加密算法ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;#安全链接可选的加密协议ssl_protocols TLSv1 TLSv1.1 TLSv1.2;#使用服务器端的首选算法ssl_prefer_server_ciphers on;location / {root /www/wangmingqu/html;index index.html index.htm;}
}#跳转HTTPS
server {listen 80;server_name wang.mingqu.com;charset utf-8;#server_name:表示访问的域名,也可以使用变量$host;#server_name,跟定义的配置文件的server_name有关;#host,则是用户输入的内容;#request_uri:表示访问时域名后所有内容。rewrite .* https://$server_name$request_uri redirect;##写法二:#rewrite .* https://$host$request_uri redirect;##写法三:#rewrite (.*) https://$server_name$1 redirect;
}
- 检查配置
nginx -t
systemctl reload nginx
- 访问测试
负载均衡HTTPS跳转
主机规划
| 主机名称 | 主机IP | 服务 |
|---|---|---|
| k8s-master-1 | 192.168.108.129 | Nginx Proxy |
| k8s-master-2 | 192.168.108.130 | Nginx Web1 |
| k8s-master-3 | 192.168.108.131 | Nginx Web2 |
配置站点
注意
移除其他测试配置文件
cd /etc/nginx/conf.d/
rename .conf .bak *.conf
web01配置
- 测试数据
mkdir -p /www/html/
echo "主机:192.168.108.130" > /www/html/index.html
chown -R nginx:nginx /www/html
- 配置nginx
- 主配置文件
配置文件路径:/etc/nginx/nginx.conf
user nginx;
worker_processes auto;error_log /var/log/nginx/error.log notice;
pid /var/run/nginx.pid;events {worker_connections 1024;
}http {include /etc/nginx/mime.types;default_type application/octet-stream;log_format main '$remote_addr - $remote_user [$time_local] "$request" ''$status $body_bytes_sent "$http_referer" ''"$http_user_agent" "$http_x_forwarded_for"';access_log /var/log/nginx/access.log main;sendfile on;#tcp_nopush on;keepalive_timeout 65;#gzip on;include /etc/nginx/conf.d/*.conf;
}
- 子配置文件
配置文件路径:/etc/nginx/conf.d/web01.conf
server {listen 443;server_name wang.mingqu.com;chartset utf-8;location / {root /www/html/;index index.html index.htm;}
}
- 验证nginx服务
- 重启服务
nginx -t
systemctl restart nginx
- 验证服务
curl -iv 127.0.0.1:443
web02配置
- 测试数据
mkdir -p /www/html/
echo "主机:192.168.108.131" > /www/html/index.html
chown -R nginx:nginx /www/html
- 配置nginx
- 主配置文件
配置文件路径:/etc/nginx/nginx.conf
user nginx;
worker_processes auto;error_log /var/log/nginx/error.log notice;
pid /var/run/nginx.pid;events {worker_connections 1024;
}http {include /etc/nginx/mime.types;default_type application/octet-stream;log_format main '$remote_addr - $remote_user [$time_local] "$request" ''$status $body_bytes_sent "$http_referer" ''"$http_user_agent" "$http_x_forwarded_for"';access_log /var/log/nginx/access.log main;sendfile on;#tcp_nopush on;keepalive_timeout 65;#gzip on;include /etc/nginx/conf.d/*.conf;
}
- 子配置文件
配置文件路径:/etc/nginx/conf.d/web02.conf
server {listen 443;server_name wang.mingqu.com;charset utf-8;location / {root /www/html/;index index.html index.htm;}
}
- 验证nginx服务
- 重启服务
nginx -t
systemctl restart nginx
- 验证服务
curl -iv 127.0.0.1:443
配置负载
注意
移除其他测试配置文件
cd /etc/nginx/conf.d/
rename .conf .bak *.conf
测试数据
mkdir -p /www/html/localhost
echo "主机:192.168.108.129" > /www/html/localhost/index.html
chown -R nginx:nginx /www/html
主配置文件
配置文件路径:/etc/nginx/nginx.conf
user nginx;
worker_processes auto;error_log /var/log/nginx/error.log notice;
pid /var/run/nginx.pid;events {worker_connections 1024;
}http {include /etc/nginx/mime.types;default_type application/octet-stream;log_format main '$remote_addr - $remote_user [$time_local] "$request" ''$status $body_bytes_sent "$http_referer" ''"$http_user_agent" "$http_x_forwarded_for"';access_log /var/log/nginx/access.log main;sendfile on;#tcp_nopush on;rewrite_log on;keepalive_timeout 65;#gzip on;include /etc/nginx/conf.d/*.conf;
}
子配置文件
配置文件路径:/etc/nginx/conf.d/proxy.conf
upstream web {server 192.168.108.130:443;server 192.168.108.131:443;
}server {listen 80;server_name wang.mingqu.com;charset utf-8;location / {proxy_pass http://web;}location /localhost {root /www/html/;index index.html index.htm;}
}
验证服务
- 重启nginx
nginx -t
systemctl restart nginx
- 验证nginx
- 负载均衡本地服务
- 负载均衡后端服务
HTTPS跳转配置
证书文件
mkdir -p /etc/nginx/ssl_key
cp /www/ssl_key/wang_mingqu_com.crt /etc/nginx/ssl_key/
cp /www/ssl_key/wang_mingqu_com.key /etc/nginx/ssl_key/
chown -R nginx:nginx /etc/nginx/ssl_key/
配置文件调整
upstream web {server 192.168.108.130:443;server 192.168.108.131:443;
}server {listen 443 ssl;server_name wang.mingqu.com;charset utf-8;#配置https证书#ssl on; 新版本nginx中无需添加此行。#证书的存放路径ssl_certificate /etc/nginx/ssl_key/wang_mingqu_com.crt;ssl_certificate_key /etc/nginx/ssl_key/wang_mingqu_com.key;#证书的缓存有效期ssl_session_timeout 5m;#证书的加密算法ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;#安全链接可选的加密协议ssl_protocols TLSv1 TLSv1.1 TLSv1.2;#使用服务器端的首选算法ssl_prefer_server_ciphers on;location / {proxy_pass http://web;include proxy_params;}
}#跳转HTTPS
server {listen 80;server_name wang.mingqu.com;charset utf-8;#server_name:表示访问的域名,也可以使用变量$host;#server_name,跟定义的配置文件的server_name有关;#host,则是用户输入的内容;#request_uri:表示访问时域名后所有内容。rewrite .* https://$server_name$request_uri redirect;##写法二:#rewrite .* https://$host$request_uri redirect;##写法三:#rewrite (.*) https://$server_name$1 redirect;
}
测试HTTPS跳转
