Nginx下配置Https證書詳細過程
1、Http與Https的區別
HTTP:是互聯網上應用最爲普遍的一種網絡協議,是一個客戶端和服務器端請求和應答的標準(TCP),用於從WWW服務器傳輸超文本到本地瀏覽器的傳輸協議,它可使瀏覽器更加高效,使網絡傳輸減小。php
HTTPS:是以安全爲目標的HTTP通道,簡單講是HTTP的安全版,即HTTP下加入SSL層,HTTPS的安全基礎是SSL,所以加密的詳細內容就須要SSL。HTTPS協議的主要做用能夠分爲兩種:一種是創建一個信息安全通道,來保證數據傳輸的安全;另外一種就是確認網站的真實性。html
HTTPS和HTTP的區別主要以下:
一、https協議須要到ca申請證書,通常免費證書較少,於是須要必定費用。
二、http是超文本傳輸協議,信息是明文傳輸,https則是具備安全性的ssl加密傳輸協議。
三、http和https使用的是徹底不一樣的鏈接方式,用的端口也不同,前者是80,後者是443。
四、http的鏈接很簡單,是無狀態的;HTTPS協議是由SSL+HTTP協議構建的可進行加密傳輸、身份認證的網絡協議,比http協議安全。node
2、使用openssl生成證書
openssl是目前最流行的SSL密碼庫工具,其提供了一個通用、健壯、功能完備的工具套件,用以支持SSL/TLS協議的實現。nginx
好比生成到:/usr/local/sslweb
openssl req -x509 -nodes -days 36500 -newkey rsa:2048 -keyout /usr/local/ssl/nginx.key -out /usr/local/ssl/nginx.crt 生成過程: # openssl req -x509 -nodes -days 36500 -newkey rsa:2048 -keyout /u sr/local/ssl/nginx.key -out /usr/local/ssl/nginx.crt Generating a 2048 bit RSA private key ...............................................................................+ ++ ...............+++ writing new private key to '/usr/local/ssl/nginx.key' ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [XX]:CN State or Province Name (full name) []:beijing Locality Name (eg, city) [Default City]:beijing Organization Name (eg, company) [Default Company Ltd]:xxxx Organizational Unit Name (eg, section) []:xxxx Common Name (eg, your name or your server's hostname) []:xxxx(通常是域名) Email Address []:xxxx@xxxx.com # ll total 8 -rw-r--r--. 1 root root 1391 Apr 21 13:29 nginx.crt -rw-r--r--. 1 root root 1704 Apr 21 13:29 nginx.key
3、Nginx安裝http_ssl_module模塊
Nginx若是未開啓SSL模塊,配置Https時提示錯誤。瀏覽器
nginx: [emerg] the "ssl" parameter requires ngx_http_ssl_module in /usr/local/nginx/conf/nginx.conf:xxx
nginx缺乏http_ssl_module模塊,編譯安裝的時候帶上--with-http_ssl_module配置就好了。安全
本場景是服務器已經安裝過nginx,可是未安裝http_ssl_module。服務器
1.進入到源碼包,如:網絡
cd /app/download/nginx-1.16.7
2.configure:session
./configure --prefix=/usr/local/nginx --with-http_stub_status_module --with-http_ssl_module
3.make:
make
4.不須要執行make install,不然就覆蓋安裝了。
5.備份原有的nginx,如:
cp /usr/local/nginx/sbin/nginx /usr/local/nginx/sbin/nginx_bak
6.而後將剛剛編譯好的nginx覆蓋掉原有的nginx(nginx須要中止)
cp ./objs/nginx /usr/local/nginx/sbin/
7.查看安裝狀況:(注:若不生效,則重裝nginx)
/usr/local/nginx/sbin/nginx -V nginx version: nginx/1.12.2 built by gcc 4.8.5 20150623 (Red Hat 4.8.5-16) (GCC) built with OpenSSL 1.0.2k-fips 26 Jan 2017 TLS SNI support enabled configure arguments: --prefix=/usr/local/nginx --with-http_stub_status_module --with-http_ssl_module
4、nginx配置https
貼部分配置信息:
#user nobody; worker_processes 1; #error_log logs/error.log; #error_log logs/error.log notice; #error_log logs/error.log info; #pid logs/nginx.pid; events { worker_connections 1024; } http { include mime.types; default_type application/octet-stream; #log_format main '$remote_addr - $remote_user [$time_local] "$request" ' # '$status $body_bytes_sent "$http_referer" ' # '"$http_user_agent" "$http_x_forwarded_for"'; #access_log logs/access.log main; sendfile on; #tcp_nopush on; #keepalive_timeout 0; keepalive_timeout 65; #gzip on; server { listen 7777; server_name localhost; #charset koi8-r; #access_log logs/host.access.log main; location / { if (!-e $request_filename) { rewrite ^(.*)$ /index.html?s=$1 last; break; } root /usr/local/chip/product/crdp_plus; index index.html; } location /portal-ui { root html; index index.html index.htm; try_files $uri $uri/ /monitor-view/index.html; } location /crdp/ { proxy_pass http://127.0.0.1:8888; } location /swagger-ui.html { proxy_pass http://127.0.0.1:8888; } location /swagger-resources { proxy_pass http://127.0.0.1:8888; } location /swagger { proxy_pass http://127.0.0.1:8888; } location /webjars { proxy_pass http://127.0.0.1:8888; } location /v2 { proxy_pass http://127.0.0.1:8888; } location /druid { proxy_pass http://127.0.0.1:8888; } proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header REMOTE-HOST $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; client_max_body_size 5m; #error_page 404 /404.html; # redirect server error pages to the static page /50x.html # error_page 500 502 503 504 /50x.html; location = /50x.html { root html; } # proxy the PHP scripts to Apache listening on 127.0.0.1:80 # #location ~ \.php$ { # proxy_pass http://127.0.0.1; #} # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000 # #location ~ \.php$ { # root html; # fastcgi_pass 127.0.0.1:9000; # fastcgi_index index.php; # fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name; # include fastcgi_params; #} # deny access to .htaccess files, if Apache's document root # concurs with nginx's one # #location ~ /\.ht { # deny all; #} } # another virtual host using mix of IP-, name-, and port-based configuration # #server { # listen 8000; # listen somename:8080; # server_name somename alias another.alias; # location / { # root html; # index index.html index.htm; # } #} # HTTPS server # server { listen 8787 ssl; server_name 192.168.13.192; ssl_certificate /usr/local/ssl/nginx.crt; #證書公鑰 ssl_certificate_key /usr/local/ssl/nginx.key; #證書私鑰 ssl_session_cache shared:SSL:1m; ssl_session_timeout 5m; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_ciphers ECDH:AESGCM:HIGH:!RC4:!DH:!MD5:!3DES:!aNULL:!eNULL; ssl_prefer_server_ciphers on; root /usr/local/ui_workspace; index /appBaoJian/index.html; location /appBaoJian { root /usr/local/ui_workspace; index index.html index.htm; try_files $uri $uri/ /appBaoJian/index.html; } location /chhm-service/ { proxy_pass http://192.168.13.77:8380; } } server { listen 8686 ssl; server_name 192.168.13.192; ssl_certificate /usr/local/ssl/nginx.crt; #證書公鑰 ssl_certificate_key /usr/local/ssl/nginx.key; #證書私鑰 ssl_session_cache shared:SSL:1m; ssl_session_timeout 5m; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_ciphers ECDH:AESGCM:HIGH:!RC4:!DH:!MD5:!3DES:!aNULL:!eNULL; ssl_prefer_server_ciphers on; root /usr/local/ui_workspace; index /crpge/index.html; location /crpgea { root /usr/local/ui_workspace; index index.html index.htm; try_files $uri $uri/ /crpge/index.html; } location /crpgeb { root /usr/local/ui_workspace; index index.html index.htm; try_files $uri $uri/ /crpge/hospital.html; } location /crpge/v1 { proxy_http_version 1.1; proxy_set_header Host $http_host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_pass http://127.0.0.1:18888/crpge/v1; } } }
先檢驗配置的對不對:
/usr/local/nginx/sbin/nginx -t nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
重啓nginx:
/usr/local/nginx/sbin/./nginx -s reload
相關文章
- 1. Nginx下配置Https證書詳細過程
- 2. nginx 之 https 證書配置
- 3. Nginx配置HTTPS證書
- 4. Nginx 配置https證書
- 5. nginx https證書配置
- 6. 【Nginx】nginx配置openssl 證書,https
- 7. springboot下https證書配置
- 8. nginx配置ssl雙向驗證 nginx https ssl證書配置
- 9. 數字證書?https?超詳細描述https傳輸過程!
- 10. nginx下配置ssl證書,https配置入門
- 更多相關文章...
- • MyBatis配置文件詳解 - MyBatis教程
- • Eclipse Debug 配置 - Eclipse 教程
- • IDEA下SpringBoot工程配置文件沒有提示
- • IntelliJ IDEA 代碼格式化配置和快捷鍵
相關標籤/搜索
每日一句
-
每一个你不满意的现在,都有一个你没有努力的曾经。
最新文章
歡迎關注本站公眾號,獲取更多信息
