ngx_http_ssl_module
The ngx_http_ssl_module directives:
ssl on | off; enables HTTPS for the given virtual host; using the ssl parameter of the listen directive instead is recommended
ssl_certificate file; certificate file, in PEM format, used by the current virtual host
ssl_certificate_key file; private key file matching that certificate, used by the current virtual host
ssl_protocols [SSLv2] [SSLv3] [TLSv1] [TLSv1.1] [TLSv1.2]; SSL/TLS protocol versions to accept; the default is the last three
ssl_session_cache off | none | [builtin[:size]] [shared:name:size];
  none: tells the client that SSL session caching is supported, but nothing is actually cached
  builtin[:size]: uses OpenSSL's built-in cache, private to each worker process
  [shared:name:size]: one cache shared by all worker processes
ssl_session_timeout time; how long a client may reuse a session stored in the SSL session cache; default 5m
Serving a site over HTTPS
1. Generate the certificate and private key
[root@centos7.6 conf.d]# cd /etc/pki/tls/certs/
[root@centos7.6 certs]# make magedu.crt          # generate the certificate with the Makefile shipped by the system
umask 77 ; \
/usr/bin/openssl genrsa -aes128 2048 > magedu.key          # first command run by the Makefile: generate the private key
Generating RSA private key, 2048 bit long modulus
......................+++
....+++
e is 65537 (0x10001)
Enter pass phrase:                  # passphrase protecting the key; -aes128 comes from the Makefile and can be changed or removed
Verifying - Enter pass phrase:
umask 77 ; \
/usr/bin/openssl req -utf8 -new -key magedu.key -x509 -days 365 -out magedu.crt    # second command run by the Makefile: generate the certificate
Enter pass phrase for magedu.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN                                      # the fields below make up the certificate subject
State or Province Name (full name) []:shanghai
Locality Name (eg, city) [Default City]:shanghai
Organization Name (eg, company) [Default Company Ltd]:magedu
Organizational Unit Name (eg, section) []:opt
Common Name (eg, your name or your server's hostname) []:www.magedu.org   # must be identical to the domain name clients use
Email Address []:
The generated private key:
[root@lvs-ka2 certs]# cat magedu.key          # the private key
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED                          # encrypted with the passphrase entered above
DEK-Info: AES-128-CBC,FC321643C6EFE861E1320535A80801EF
-----END RSA PRIVATE KEY-----
Generating the decrypted private key:
[root@centos7.6 certs]# openssl rsa -in magedu.key -out magedu.org.key   # write out an unencrypted copy of the key
Enter pass phrase for magedu.key:                                        # enter the passphrase to decrypt it
writing RSA key
[root@centos7.6 certs]# ll
-rw------- 1 root root 1330 Mar 7 14:11 magedu.crt
-rw------- 1 root root 1766 Mar 7 14:09 magedu.key
-rw-r--r-- 1 root root 1675 Mar 7 14:12 magedu.org.key   # plain, unencrypted private key; note it is world-readable (0644) until the chmod 600 in step 2
[root@centos7.6 certs]# mv magedu.crt magedu.org.crt       # rename the certificate
[root@centos7.6 certs]# ll
-rw------- 1 root root 1766 Mar 7 14:09 magedu.key
-rw------- 1 root root 1330 Mar 7 14:11 magedu.org.crt
-rw-r--r-- 1 root root 1675 Mar 7 14:12 magedu.org.key
2. Create a directory for the certificate and private key
[root@centos7.6 certs]# mkdir /apps/nginx4/ssl          # directory holding the certificate and private key
[root@centos7.6 certs]# mv magedu.org.* /apps/nginx4/ssl/
[root@centos7.6 certs]# ll /apps/nginx4/ssl/
-rw------- 1 root root 1330 Mar 7 14:11 magedu.org.crt
-rw-r--r-- 1 root root 1675 Mar 7 14:12 magedu.org.key
[root@centos7.6 certs]# chmod 600 /apps/nginx4/ssl/*
[root@centos7.6 certs]# ll /apps/nginx4/ssl/
-rw------- 1 root root 1330 Mar 7 14:11 magedu.org.crt
-rw------- 1 root root 1766 Mar 7 14:09 magedu.org.key
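Steps 1 and 2 done non-interactively, as an added example that is not part of the original page: the key is written unencrypted (what the openssl rsa step above produces), the certificate is self-signed, and the result is checked the way a practitioner would before pointing nginx at it. SSL_DIR (a stand-in for /apps/nginx4/ssl), the file names and the subject fields are assumptions.

```shell
# Added example (not from the original page); POSIX sh, needs the openssl CLI.
set -eu

SSL_DIR="${SSL_DIR:-/tmp/nginx-ssl-demo}"   # assumption: stand-in for /apps/nginx4/ssl
NAME="magedu.org"
CN="www.magedu.org"                          # must equal the server_name clients use

# Key and self-signed certificate in one openssl call. -nodes writes the key
# unencrypted (as "openssl rsa -in ... -out" did above) and -subj replaces the
# interactive DN prompts; umask 077 keeps both files private from creation.
make_cert() {
    umask 077
    mkdir -p "$SSL_DIR"
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -keyout "$SSL_DIR/$NAME.key" -out "$SSL_DIR/$NAME.crt" \
        -subj "/C=CN/ST=shanghai/L=shanghai/O=magedu/OU=opt/CN=$CN" 2>/dev/null
    chmod 600 "$SSL_DIR/$NAME.key" "$SSL_DIR/$NAME.crt"
}

# ssl_certificate and ssl_certificate_key must belong together: compare the
# public key embedded in the certificate with the one derived from the key.
cert_key_match() {
    c=$(openssl x509 -in "$SSL_DIR/$NAME.crt" -noout -pubkey | openssl dgst -sha256)
    k=$(openssl pkey -in "$SSL_DIR/$NAME.key" -pubout | openssl dgst -sha256)
    [ "$c" = "$k" ]
}

# The CN must match the host name, otherwise browsers reject the certificate.
cert_cn() {
    openssl x509 -in "$SSL_DIR/$NAME.crt" -noout -subject -nameopt RFC2253 |
        sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Permission bits of the key file; anything other than 600 needs fixing.
key_mode() {
    stat -c '%a' "$SSL_DIR/$NAME.key"
}

make_cert
cert_key_match && echo "cert/key match, CN=$(cert_cn), key mode $(key_mode)"
```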
3. Create the document root for HTTPS access:
[root@centos7.6 certs]# mkdir /data/ssl/
[root@centos7.6 certs]# echo /data/ssl/index.html >/data/ssl/index.html
4. Configure HTTPS: one HTTP virtual host and one HTTPS virtual host
In this example HTTP and HTTPS are served by two separate virtual hosts with different document roots.
[root@centos7.6 certs]# vim /apps/nginx4/conf/conf.d/test.conf
server {                                   # dedicated HTTPS virtual host
    listen 443 ssl;
    server_name www.magedu.org;
    root /data/ssl/;
    #ssl on;                               # obsolete since 1.15; set ssl on the listen directive instead
    ssl_certificate /apps/nginx4/ssl/magedu.org.crt;         # certificate
    ssl_certificate_key /apps/nginx4/ssl/magedu.org.key;     # private key
    ssl_session_cache shared:sslcache:20m;
    ssl_session_timeout 10m;
    access_log /apps/nginx4/logs/magedu.org.ssl.access.log access_json;   # dedicated log
}
server {                                   # HTTP virtual host; listens on port 80 by default
    server_name www.magedu.org;
    root /data/site14/;
    access_log /apps/nginx4/logs/magedu.org.access.log access_json;
    default_type text/html;
    gzip on;
    gzip_comp_level 6;
    gzip_min_length 64;
    gzip_vary on;
    gzip_types text/xml text/css application/javascript;
}
Check the listening ports:
[root@centos7.6 certs]# ss -lnt
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    *:80              *:*
LISTEN 0      128    *:443             *:*
Verification: access over HTTPS:
At this point HTTP and HTTPS are two separate virtual hosts with different document roots, which is clearly not what we want; next, make HTTP and HTTPS serve the same resources.
Method one: give the HTTP and HTTPS virtual hosts the same document root
[root@centos7.6 certs]# vim /apps/nginx4/conf/conf.d/test.conf
server {
    listen 443 ssl;
    server_name www.magedu.org;
    root /data/site14/;
    #ssl on;
    ssl_certificate /apps/nginx4/ssl/magedu.org.crt;
    ssl_certificate_key /apps/nginx4/ssl/magedu.org.key;
    ssl_session_cache shared:sslcache:20m;
    ssl_session_timeout 10m;
    access_log /apps/nginx4/logs/magedu.org.ssl.access.log access_json;
}
server {
    server_name www.magedu.org;
    root /data/site14/;
    access_log /apps/nginx4/logs/magedu.org.access.log access_json;
    default_type text/html;
    gzip on;
    gzip_comp_level 6;
    gzip_min_length 64;
    gzip_vary on;
    gzip_types text/xml text/css application/javascript;
}
Method two: one virtual host listening on both port 80 and port 443
[root@centos7.6 certs]# vim /apps/nginx4/conf/conf.d/test.conf
server {
    listen 443 ssl;
    listen 80;
    server_name www.magedu.org;
    root /data/site14/;
    #ssl on;
    ssl_certificate /apps/nginx4/ssl/magedu.org.crt;
    ssl_certificate_key /apps/nginx4/ssl/magedu.org.key;
    ssl_session_cache shared:sslcache:20m;
    ssl_session_timeout 10m;
    access_log /apps/nginx4/logs/magedu.org.ssl.access.log access_json;
}
#server {
#    server_name www.magedu.org;
#    root /data/site14/;
#    access_log /apps/nginx4/logs/magedu.org.access.log access_json;
#    default_type text/html;
#}
Neither method is a proper HTTP-to-HTTPS rewrite, however: a client that types http:// rather than https:// is still served over plain HTTP, so although a secure HTTPS endpoint exists, nothing forces clients to use it.
For the HTTP-to-HTTPS rewrite, see the rewrite configuration.
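An added example, not from the original page: a POSIX sh/awk audit that reads an nginx config file, walks its server blocks (run-together lines like the ones above included) and reports the three things discussed on this page: a leftover ssl on, an ssl_protocols list still allowing SSLv2/SSLv3 or the TLSv1/TLSv1.1 versions deprecated by RFC 8996, and a port-80 server with no redirect to https. The sample configuration it writes is constructed for the example, and the return 301 in its second block is the standard redirect form, not something from the page.

```shell
# Usage: audit_conf FILE. Prints one finding per line; returns 1 when anything was found.
audit_conf() {
    ! awk '
    function finish() {
        if (sslon) printf "line %d: \"ssl on\" is obsolete, use \"listen 443 ssl\"\n", start
        if (weak)  printf "line %d: ssl_protocols still allows SSLv2/SSLv3/TLSv1/TLSv1.1\n", start
        if ((plain || !seen) && !redir)
            printf "line %d: serves plain HTTP on port 80 with no redirect to https\n", start
    }
    {
        sub(/#.*/, "")                   # drop comments
        gsub(/[;{}]/, "&\n")             # one statement per piece, even on run-together lines
        n = split($0, st, "\n")
        for (i = 1; i <= n; i++) {
            s = st[i]; gsub(/^[ \t]+|[ \t]+$/, "", s)
            if (s == "") continue
            if (depth == 0) {            # outside a server block only "server {" matters
                if (s ~ /^server[ \t]*\{$/) { depth = 1; start = FNR; sslon = weak = plain = seen = redir = 0 }
                continue
            }
            if (s ~ /\{$/) { depth++; continue }
            if (s == "}") { if (--depth == 0) finish(); continue }
            if (depth != 1) continue     # skip directives nested in location{} etc.
            if (s ~ /^listen[ \t]/) { seen = 1; if (s !~ /ssl/) plain = 1 }
            if (s ~ /^ssl[ \t]+on;$/) sslon = 1
            if (s ~ /^ssl_protocols[ \t]/ && s ~ /SSLv[23]|TLSv1([ \t;]|\.1)/) weak = 1
            if (s ~ /^return[ \t]+30[1278][ \t]+https:/ || (s ~ /^rewrite[ \t]/ && s ~ /https:/)) redir = 1
        }
    }' "$1" | grep .
}

# Constructed sample: method two from above with "ssl on" left in and the older
# protocol list, followed by a port-80 block that does redirect.
write_sample_conf() {
    cat > "$1" <<'EOF'
server {
    listen 443 ssl;listen 80;server_name www.magedu.org;root /data/site14/;
    ssl on;ssl_certificate /apps/nginx4/ssl/magedu.org.crt;ssl_certificate_key /apps/nginx4/ssl/magedu.org.key;
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
}
server {
    listen 80;server_name www.magedu.org;
    return 301 https://$host$request_uri;
}
EOF
}

SAMPLE=$(mktemp); write_sample_conf "$SAMPLE"
audit_conf "$SAMPLE" || echo "fix the findings above before going live"
```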