nginx SSL certificates (HTTPS access)

ngx_http_ssl_module

Directives of the ngx_http_ssl_module module:
  ssl on | off;            Enable the HTTPS protocol for the given virtual host; using the listen directive instead is recommended
  ssl_certificate file;         PEM-format certificate file used by the current virtual host
  ssl_certificate_key file;         Private key file matching that certificate on the current virtual host
  ssl_protocols [SSLv2] [SSLv3] [TLSv1] [TLSv1.1] [TLSv1.2];        Supported SSL/TLS protocol versions; the default is the last three
  ssl_session_cache off | none | [builtin[:size]] [shared:name:size];
    none:             Tell the client that an SSL session cache is supported, but do not actually support one
    builtin[:size]:          Use OpenSSL's built-in cache, private to each worker process
    [shared:name:size]:      Use one cache shared among all workers
  ssl_session_timeout time;      How long a client may reuse a session stored in the SSL session cache; default 5m

Setting up HTTPS access to a site

1. Generate the certificate and private key

[root@centos7.6 conf.d]# cd /etc/pki/tls/certs/
[root@centos7.6 certs]# make magedu.crt               # generate the certificate with the Makefile the system ships
umask 77 ; \
/usr/bin/openssl genrsa -aes128 2048 > magedu.key     # command run by make: generate the private key
Generating RSA private key, 2048 bit long modulus
......................+++
....+++
e is 65537 (0x10001)
Enter pass phrase:                                    # set a passphrase for the key; the Makefile passes -aes128, which can be edited out
Verifying - Enter pass phrase:
umask 77 ; \
/usr/bin/openssl req -utf8 -new -key magedu.key -x509 -days 365 -out magedu.crt        # command run by make: generate the certificate
Enter pass phrase for magedu.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN                                                   # the fields below are the information required to generate the certificate
State or Province Name (full name) []:shanghai
Locality Name (eg, city) [Default City]:shanghai
Organization Name (eg, company) [Default Company Ltd]:magedu
Organizational Unit Name (eg, section) []:opt
Common Name (eg, your name or your server's hostname) []:www.magedu.org                 # must match the domain name used to access the site
Email Address []:

The generated private key:

[root@lvs-ka2 certs]# cat magedu.key                                  # the private key
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED                                                # encrypted
DEK-Info: AES-128-CBC,FC321643C6EFE861E1320535A80801EF

RJJ+xZkXTvyW61PFfWs7E7Rst9tNHoag8V4Q0j3WVFsA8kVqQGxz3hLHiv50rgc2
...
-----END RSA PRIVATE KEY-----

Generate the decrypted private key:

[root@centos7.6 certs]# openssl rsa -in magedu.key -out magedu.org.key   # write out a decrypted copy of the private key
Enter pass phrase for magedu.key:                                        # enter the passphrase to decrypt it
writing RSA key
[root@centos7.6 certs]# ll
-rw-------  1 root root 1330 Mar  7 14:11 magedu.crt
-rw-------  1 root root 1766 Mar  7 14:09 magedu.key
-rw-r--r--  1 root root 1675 Mar  7 14:12 magedu.org.key                 # standard unencrypted private key
[root@centos7.6 certs]# cat magedu.org.key
-----BEGIN RSA PRIVATE KEY-----
...
-----END RSA PRIVATE KEY-----
[root@centos7.6 certs]# mv magedu.crt magedu.org.crt                   # rename the certificate
[root@centos7.6 certs]# ll
-rw-------  1 root root 1766 Mar  7 14:09 magedu.key
-rw-------  1 root root 1330 Mar  7 14:11 magedu.org.crt
-rw-------  1 root root 1675 Mar  7 14:12 magedu.org.key

2. Create a directory to hold the certificate and private key

[root@centos7.6 certs]# mkdir /apps/nginx4/ssl               # directory for the certificate and private key
[root@centos7.6 certs]# mv magedu.org.* /apps/nginx4/ssl/
[root@centos7.6 certs]# ll /apps/nginx4/ssl/
-rw------- 1 root root 1330 Mar  7 14:11 magedu.org.crt
-rw-r--r-- 1 root root 1675 Mar  7 14:12 magedu.org.key
[root@centos7.6 certs]# chmod 600 /apps/nginx4/ssl/*
[root@centos7.6 certs]# ll /apps/nginx4/ssl/
-rw------- 1 root root 1330 Mar  7 14:11 magedu.org.crt
-rw------- 1 root root 1675 Mar  7 14:12 magedu.org.key

3. Create the document root for the HTTPS site:

[root@centos7.6 certs]# mkdir /data/ssl/
[root@centos7.6 certs]# echo /data/ssl/index.html >/data/ssl/index.html
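The following is an added example, not the page's own commands: steps 1 to 3 above as one non-interactive POSIX shell script, followed by the checks worth running before handing the files to nginx: that the certificate's public key belongs to the private key (same modulus), that the key copy nginx loads carries no passphrase, and that the subject CN is the name clients will connect to. File names and DN values follow the page; the passphrase value, the subjectAltName extension and the function names are this example's own assumptions. It goes slightly beyond the page by adding a SAN, which current browsers require alongside the CN (the `-addext` option needs OpenSSL 1.1.1 or newer, so it would have to be dropped on CentOS 7's 1.0.2).

```shell
#!/bin/sh
# Added example (not from the original post): steps 1-3 non-interactively,
# plus sanity checks. Assumed/constructed: passphrase value, SAN extension,
# function names. File names and DN values follow the page.
set -e

# Create an encrypted key, a self-signed cert and a passphrase-free key copy
# in directory $1, for host name $2, using passphrase $3 for the interim key.
make_site_cert() {
    out_dir=$1; cn=$2; pass=$3
    mkdir -p "$out_dir"
    umask 077   # same effect as the Makefile's "umask 77": new files are 0600
    # step 1a: the Makefile's "openssl genrsa -aes128 2048 > magedu.key"
    openssl genrsa -aes128 -passout "pass:$pass" -out "$out_dir/magedu.key" 2048 2>/dev/null
    # step 1b: the Makefile's "openssl req -new -key ... -x509 -days 365";
    # -subj answers the DN prompts, -addext adds the SAN browsers expect
    # (OpenSSL 1.1.1+ only; omit on CentOS 7's 1.0.2)
    openssl req -new -x509 -days 365 -key "$out_dir/magedu.key" -passin "pass:$pass" \
        -subj "/C=CN/ST=shanghai/L=shanghai/O=magedu/OU=opt/CN=$cn" \
        -addext "subjectAltName=DNS:$cn" -out "$out_dir/magedu.org.crt"
    # step 1c: "openssl rsa -in magedu.key -out magedu.org.key"; nginx cannot
    # type a passphrase at start-up, so it is given the unencrypted copy
    openssl rsa -in "$out_dir/magedu.key" -passin "pass:$pass" \
        -out "$out_dir/magedu.org.key" 2>/dev/null
    chmod 600 "$out_dir/magedu.org.crt" "$out_dir/magedu.org.key"   # step 2's chmod
}

# 0 when the certificate was issued for this private key (moduli are equal).
cert_matches_key() {
    c=$(openssl x509 -noout -modulus -in "$1" | openssl sha256)
    k=$(openssl rsa  -noout -modulus -in "$2" | openssl sha256)
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# 0 when the key file has no passphrase (no ENCRYPTED marker in the PEM).
key_is_unencrypted() { ! grep -q ENCRYPTED "$1"; }

# Print the subject in RFC 2253 form so the CN can be compared to server_name.
cert_subject() {
    openssl x509 -noout -subject -nameopt RFC2253 -in "$1" | sed 's/^subject=//'
}

# Usage: sh make_cert.sh /apps/nginx4/ssl www.magedu.org 'some-passphrase'
if [ "$#" -eq 3 ]; then
    make_site_cert "$1" "$2" "$3"
    cert_matches_key "$1/magedu.org.crt" "$1/magedu.org.key" && echo "cert and key match"
    key_is_unencrypted "$1/magedu.org.key" && echo "key has no passphrase"
    echo "subject: $(cert_subject "$1/magedu.org.crt")"
fi
```

The interim encrypted `magedu.key` is left in place as on the page; delete it once the unencrypted copy is verified, since nginx never reads it. The modulus comparison is the check that catches the common mistake of copying a key from a different generation run next to the certificate.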

4. Configure HTTPS: separate HTTP and HTTPS virtual hosts

In this example HTTP and HTTPS access are set up as two virtual hosts with different document roots.

[root@centos7.6 certs]# vim /apps/nginx4/conf/conf.d/test.conf 

server {                                                     # dedicated HTTPS virtual host
    listen 443 ssl;
    server_name www.magedu.org;
    root /data/ssl/;
    #ssl on;                                                 # deprecated since 1.15; set ssl on the listen directive instead
    ssl_certificate /apps/nginx4/ssl/magedu.org.crt;         # certificate
    ssl_certificate_key /apps/nginx4/ssl/magedu.org.key;     # private key
    ssl_session_cache shared:sslcache:20m;
    ssl_session_timeout 10m;
    access_log /apps/nginx4/logs/magedu.org.ssl.access.log  access_json ;  # dedicated log
}
server {                                                     # HTTP virtual host, listens on 80 by default
    server_name www.magedu.org;
    root /data/site14/;
    access_log /apps/nginx4/logs/magedu.org.access.log  access_json ;
    default_type text/html ;
    gzip on;
    gzip_comp_level 6;
    gzip_min_length 64;
    gzip_vary on;
    gzip_types text/xml text/css application/javascript;
}

Check the listening ports:

[root@centos7.6 certs]# ss -lnt
State       Recv-Q Send-Q                        Local Address:Port                  Peer Address:Port
LISTEN      0      128                                       *:80                               *:*
LISTEN      0      128                                       *:443                              *:*

Verify HTTPS access (the original's browser screenshots are not reproduced):

At this point HTTP and HTTPS are two separate virtual hosts with different document roots, which obviously makes little sense; the goal is for HTTP and HTTPS to serve the same resources.

Method 1: give the HTTP and HTTPS virtual hosts the same document root

[root@centos7.6 certs]# vim /apps/nginx4/conf/conf.d/test.conf 

server {
    listen 443 ssl;
    server_name www.magedu.org;
    root /data/site14/;
    #ssl on;
    ssl_certificate /apps/nginx4/ssl/magedu.org.crt;
    ssl_certificate_key /apps/nginx4/ssl/magedu.org.key;
    ssl_session_cache shared:sslcache:20m;
    ssl_session_timeout 10m;
    access_log /apps/nginx4/logs/magedu.org.ssl.access.log  access_json ;
}
server {
    server_name www.magedu.org;
    root /data/site14/;
    access_log /apps/nginx4/logs/magedu.org.access.log  access_json ;
    default_type text/html ;
    gzip on;
    gzip_comp_level 6;
    gzip_min_length 64;
    gzip_vary on;
    gzip_types text/xml text/css application/javascript;
}

Method 2: one virtual host listening on both port 80 and port 443

[root@centos7.6 certs]# vim /apps/nginx4/conf/conf.d/test.conf 

server {
    listen 443 ssl;
    listen 80;
    server_name www.magedu.org;
    root /data/site14/;
    #ssl on;
    ssl_certificate /apps/nginx4/ssl/magedu.org.crt;
    ssl_certificate_key /apps/nginx4/ssl/magedu.org.key;
    ssl_session_cache shared:sslcache:20m;
    ssl_session_timeout 10m;
    access_log /apps/nginx4/logs/magedu.org.ssl.access.log  access_json ;
}
#server {
#       server_name www.magedu.org;
#       root /data/site14/;
#       access_log /apps/nginx4/logs/magedu.org.access.log  access_json ;
#       default_type text/html ;
#}
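The following is an added example, not from the original post: a small shell helper that renders the method-2 layout above from variables and lints a server block for the ngx_http_ssl_module settings listed at the top of the page (the deprecated `ssl on;`, a 443 listener without the `ssl` parameter, obsolete protocol versions in `ssl_protocols`, and a missing certificate or key). The function names, the `ssl_protocols TLSv1.2 TLSv1.3;` restriction (the page keeps nginx's default, which still includes TLSv1 and TLSv1.1) and the constructed weak config in the usage are this example's own assumptions. The HTTP-to-HTTPS redirect the post defers to its rewrite article is not part of it.

```shell
#!/bin/sh
# Added example, not code from the original post. Renders the single-vhost
# layout of method 2 and lints a server block for the TLS settings discussed
# above. Assumptions of this example: function names, the TLSv1.2/1.3-only
# ssl_protocols line, and the constructed weak config in the usage.

# Emit a server block that serves one document root on both 80 and 443.
render_ssl_vhost() {
    # $1 server_name, $2 document root, $3 certificate, $4 private key
    cat <<EOF
server {
    listen 443 ssl;
    listen 80;
    server_name $1;
    root $2;
    ssl_certificate     $3;
    ssl_certificate_key $4;
    ssl_protocols TLSv1.2 TLSv1.3;    # nginx's default also allows TLSv1/1.1
    ssl_session_cache shared:sslcache:20m;
    ssl_session_timeout 10m;
}
EOF
}

# True when the config text in $2 has a line matching the ERE in $1.
conf_has() { printf '%s\n' "$2" | grep -Eq "$1"; }

# Read a server block on stdin, print one line per problem, return 1 if any.
lint_ssl_vhost() {
    conf=$(cat)
    findings=0
    # 'ssl on;' has been deprecated since 1.15 in favour of 'listen 443 ssl;'
    if conf_has '^[[:space:]]*ssl[[:space:]]+on[[:space:]]*;' "$conf"; then
        echo "deprecated 'ssl on;' directive; put ssl on the listen line"
        findings=$((findings + 1))
    fi
    # 'listen 443;' without ssl answers plaintext HTTP on the HTTPS port
    if conf_has '^[[:space:]]*listen[[:space:]]+[^;]*443[^;]*;' "$conf" &&
       ! conf_has '^[[:space:]]*listen[[:space:]]+[^;]*443[^;]*ssl[^;]*;' "$conf"; then
        echo "listen on 443 lacks the ssl parameter"
        findings=$((findings + 1))
    fi
    # SSLv2/SSLv3/TLSv1/TLSv1.1 are broken or deprecated; allow only TLSv1.2+
    if conf_has '^[[:space:]]*ssl_protocols[^;]*(SSLv[23]|TLSv1(\.1)?)([[:space:]]|;)' "$conf"; then
        echo "ssl_protocols enables an obsolete protocol version"
        findings=$((findings + 1))
    fi
    # a TLS listener needs both the certificate and its matching private key
    if ! conf_has '^[[:space:]]*ssl_certificate[[:space:]]' "$conf" ||
       ! conf_has '^[[:space:]]*ssl_certificate_key[[:space:]]' "$conf"; then
        echo "ssl_certificate and/or ssl_certificate_key is missing"
        findings=$((findings + 1))
    fi
    [ "$findings" -eq 0 ]
}

# Usage: sh vhost_lint.sh www.magedu.org /data/site14/ \
#            /apps/nginx4/ssl/magedu.org.crt /apps/nginx4/ssl/magedu.org.key
if [ "$#" -eq 4 ]; then
    conf=$(render_ssl_vhost "$@")
    printf '%s\n' "$conf"
    printf '%s\n' "$conf" | lint_ssl_vhost && echo "no findings"
fi
```

The lint is line-oriented and only knows the four directives above, so it complements rather than replaces `nginx -t`, which checks syntax but is silent about a weak `ssl_protocols` line or a 443 listener that forgot `ssl`.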

Neither of the two methods above, however, is a proper HTTP-to-HTTPS rewrite: if a user types the address with http rather than https, the request is served over plain HTTP even though the secure HTTPS path exists, simply because the client asked for http.

For the HTTP-to-HTTPS rewrite, see the rewrite configuration.
