为什么要使用https
- 1、因为http采用的时明文传输,敏感数据(账号、密码、交易信息)不安全。容易遭到篡改
- 2、https采用的是超文本传输协议,数据在传输时会加密,能够避免信息泄露
TLS和SSL是如何将数据加密的(他们运行在应用层和传输层之间)
- 1、提供数据安全(不被泄露)
- 2、提供数据完整性(不被篡改)
- 3、对应用层交给传输层的数据进行加密与解密
https加密模型
- 对称加密(使用相同的密钥对)
- 非对称加密(一对密钥-公钥、私钥)
- CA机构(CA颁发公钥、私钥,由CA验证身份信息)
https类型
- dv:个人使用、免费
- ov:企业使用、中型公司
- ev:增强型证书(政府、银行)
- 单域名型证书:只能保护一个域名
- 多域名型证书:能够保护多个域名
- 通配符型证书:*.test.org
单台实现https配置
申请证书【模拟】
[root@nginx conf.d]# mkdir -p /etc/nginx/ssl_key
[root@nginx conf.d]# cd /etc/nginx/ssl_key/- 使用openssl生成证书:生产中不使用此方法,黑户,不被互联网认可
[root@nginx ssl_key]# openssl genrsa -idea -out server.key 2048
Generating RSA private key, 2048 bit long modulus
..................................................................+++
....+++
e is 65537 (0x10001)
## 我这里填的密码:1234
Enter pass phrase for server.key:
Verifying - Enter pass phrase for server.key:- 生成自签证书,同时去掉私钥密码
[root@nginx ssl_key]# openssl req -days 36500 -x509 -sha256 -nodes -newkey rsa:2048 -keyout server.key -out server.crt
Generating a 2048 bit RSA private key
............................................+++
................................................................................+++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:WH
Locality Name (eg, city) [Default City]:WH
Organization Name (eg, company) [Default Company Ltd]:edu
Organizational Unit Name (eg, section) []:test
Common Name (eg, your name or your server's hostname) []:www.test.org
Email Address []:1@qq.com
[root@nginx ssl_key]# ls
server.crt server.key- 将证书配置到nginx中
[root@nginx conf.d]# vim CA.conf
server {
listen 443 ssl;
server_name www.test.org;
root /code/CA;
ssl_protocols TLSv1.1 TLSv1.2;
ssl_certificate ssl_key/server.crt;
ssl_certificate_key ssl_key/server.key;
location / {
index index.html;
}
}
server {
listen 80;
server_name www.test.org;
return 302 https://$http_host$request_uri;
}
集群配置https
| LB |
192.168.200.120 |
| web-01 |
192.168.200.121 |
| web-02文章来源:https://www.toymoban.com/news/detail-505885.html |
192.168.200.122文章来源地址https://www.toymoban.com/news/detail-505885.html |
先配置后端web-01、web-02
[root@nginx conf.d]# vim CA.conf
server {
listen 80;
server_name www.test.org;
root /code/CA;
location / {
index index.html;
}
location ~ \.php$ {
fastcgi_pass 127.0.0.1:9000;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param HTTPS on;
include fastcgi_params;
}
}LB配置https
- 生成证书
mkdir -p /etc/nginx/ssl_key
cd /etc/nginx/ssl_key/
openssl genrsa -idea -out server.key 2048
openssl req -days 36500 -x509 -sha256 -nodes -newkey rsa:2048 -keyout server.key -out server.crt- nginx配置
[root@nginx conf.d]# vim test.conf
upstream ca {
server 192.168.200.121:80;
server 192.168.200.122:80;
}
server {
listen 443 ssl;
server_name www.test.org;
charset utf-8;
default_type text/html;
ssl_protocols TLSv1.1 TLSv1.2;
ssl_certificate ssl_key/server.crt;
ssl_certificate_key ssl_key/server.key;
location / {
proxy_pass http://ca;
proxy_set_header Host $http_host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}
server {
listen 80;
server_name www.test.org;
return 302 https://$http_host$request_uri;
}
https的使用场景
- 1、网站主页(没有信息传递,可以不使用https)
- 2、登录页面(有信息传递使用https)
servre {
listen 80;
server_name www.test.org;
root /code/test;
location / {
index index.html;
}
location /login {
return 302 https://start.test.org;
}
}server {
listen 443 ssl;
server_name start.test.org;
charset utf-8;
default_type text/html;
ssl_protocols TLSv1.1 TLSv1.2;
ssl_certificate ssl_key/server.crt;
ssl_certificate_key ssl_key/server.key;
location / {
index index.html;
}
}到了这里,关于Nginx【https配置】的文章就介绍完了。如果您还想了解更多内容,请在右上角搜索TOY模板网以前的文章或继续浏览下面的相关文章,希望大家以后多多支持TOY模板网!
