一、https協議須要到ca申請證書,通常免費證書不多,須要交費。html
二、http是超文本傳輸協議,信息是明文傳輸,https 則是具備安全性的ssl加密傳輸協議。java
三、http和https使用的是徹底不一樣的鏈接方式,用的端口也不同,前者是80,後者是443。nginx
四、http的鏈接很簡單,是無狀態的;HTTPS協議是由SSL+HTTP協議構建的可進行加密傳輸、身份認證的網絡協議,比http協議安全。web
目前大部分網站都在往https上轉,Chrome也將https做爲瀏覽器的默認鏈接,若是網站沒采用https的話,就會出現!的標識。瀏覽器
目前主流的SSL證書主要分爲DV SSL 、 OV SSL 、EV SSL。安全
一、DV SSL:網絡
DV SSL證書是隻驗證網站域名全部權的簡易型(Class 1級)SSL證書,可10分鐘快速頒發,能起到加密傳輸的做用,但沒法向用戶證實網站的真實身份。session
目前市面上的免費證書都是這個類型的,只是提供了對數據的加密,可是對提供證書的我的和機構的身份不作驗證。app
二、OV SSL:負載均衡
OV SSL,提供加密功能,對申請者作嚴格的身份審覈驗證,提供可信身份證實。和DV SSL的區別在於,OV SSL 提供了對我的或者機構的審覈,能確認對方的身份,安全性更高。
因此這部分的證書申請是收費的~
三、EV SSL:
超安=EV=最安全、最嚴格 超安EV SSL證書遵循全球統一的嚴格身份驗證標準,是目前業界安全級別最高的頂級 (Class 4級)SSL證書。
金融證券、銀行、第三方支付、網上商城等,重點強調網站安全、企業可信形象的網站,涉及交易支付、客戶隱私信息和帳號密碼的傳輸。
這部分的驗證要求最高,申請費用也是最貴的。
DV和OV證書最大的差異是:
1)、DV型證書不包含企業名稱信息;而OV型證書包含企業名稱信息。
2)、OV型證書會在證書的Subject中顯示域名+單位名稱等信息;DV型證書只會在證書的Subject中顯示域名。
OV型和EV型證書的區別是:
都包含了企業名稱等信息,但EV證書由於其採用了更加嚴格的認證標準,瀏覽器對EV證書更加「信任」,當瀏覽器訪問到EV證書時,能夠在地址欄顯示出公司名稱,並將地址欄變成綠色。
1)、登陸阿里雲官網,進入控制檯,安全(雲盾)欄目下打開證書服務,而後點擊購買證書,此處我選擇「免費型DV SSL」購買。
2)、成功後再證書服務首頁補全當前證書信息便可
3)、在證書審覈經過後,點擊「下載」,在此頁面阿里雲有詳細的FAQ配置說明,照此步驟操做便可
成功以後,阿里雲域名解析處添加了一條TXT類型
1)、首先確保機器上安裝了openssl和openssl-devel
yum install openssl
yum install openssl-devel
2)、./configure --prefix=/dyyl/java/nginx --with-http_ssl_module
注意必定要確認nginx已經加載了OpenSSL模塊再make,若出現「OpenSSL library is not used」請添加http_ssl_module路徑
3)、配置強制使用https請求:
到此,在瀏覽器上手動輸入https://XXX已經能夠正常訪問
可是若是不顯示指定https訪問,仍是會默認走80端口,咱們須要將nginx的80端口重定向到443
server { listen 80; server_name localhost; if ($scheme = http ) { return 301 https://$host$request_uri; } location / { root html/finance-web; index index.html index.htm; } error_page 500 502 503 504 /50x.html; location = /50x.html { root html; } }
瀏覽器默認是不容許在 https 裏面引用 http 資源的,會報出mixed content錯誤,有一種解決方案是將html頁面加上
<meta http-equiv="Content-Security-Policy" content="upgrade-insecure-requests">
意思是將該頁面的http請求強制更改成https
最後貼一下個人nginx.conf配置:
http { include mime.types; default_type application/octet-stream; #文件上傳大小限制,20M client_max_body_size 20m; #access_log logs/access.log main; sendfile on; keepalive_timeout 65; # 80 端口,將全部請求轉發至ssl server { listen 80; server_name localhost; rewrite ^(.*)$ https://$host$1 permanent; error_page 500 502 503 504 /50x.html; location = /50x.html { root html; } } # 主站負載均衡,如需橫向擴展,添加一個server便可 upstream myServer { ip_hash; server 101.201.101.224:8080; } # HTTPS server start # 金融前臺請求轉發 server { listen 443; server_name jr.xxx.com; ssl on; ssl_certificate /dyyl/java/nginx/conf/cert/jr/214202510950206.pem; ssl_certificate_key /dyyl/java/nginx/conf/cert/jr/214202510950206.key; ssl_session_timeout 30m; ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_prefer_server_ciphers on; location / { root html/finance-web; index index.html index.htm; } } # 商城前臺請求轉發 server { listen 443; server_name shop.xxx.com; ssl on; ssl_certificate /dyyl/java/nginx/conf/cert/shop/214202510940206.pem; ssl_certificate_key /dyyl/java/nginx/conf/cert/shop/214202510940206.key; ssl_session_timeout 30m; ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_prefer_server_ciphers on; location / { root html/client-shop; index index.html index.htm; } } # 主站請求轉發 server { listen 443; server_name www.xxx.com; ssl on; ssl_certificate /dyyl/java/nginx/conf/cert/www/214202510960206.pem; ssl_certificate_key /dyyl/java/nginx/conf/cert/www/214202510960206.key; ssl_session_timeout 30m; ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_prefer_server_ciphers on; location / { proxy_set_header Host www.jucaibuy.com; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_pass http://myServer; } } # 用戶系統請求轉發 server { listen 443; server_name passport.xxx.com; ssl on; ssl_certificate /dyyl/java/nginx/conf/cert/passport/214202510930206.pem; ssl_certificate_key /dyyl/java/nginx/conf/cert/passport/214202510930206.key; ssl_session_timeout 30m; ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_prefer_server_ciphers on; location / { proxy_set_header Host passport.jucaibuy.com; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_pass http://101.201.101.224:8100/; } } # 商城後臺項目請求轉發 server { listen 443; server_name shopservice.xxx.com; ssl on; ssl_certificate /dyyl/java/nginx/conf/cert/shopservice/214202510890206.pem; ssl_certificate_key /dyyl/java/nginx/conf/cert/shopservice/214202510890206.key; ssl_session_timeout 30m; ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_prefer_server_ciphers on; location / { proxy_set_header Host shopservice.jucaibuy.com; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_pass http://101.201.101.224:8110/; } } # 金融後臺項目請求轉發 server { listen 443; server_name jrservice.xxx.com; ssl on; ssl_certificate /dyyl/java/nginx/conf/cert/jrservice/214202510870206.pem; ssl_certificate_key /dyyl/java/nginx/conf/cert/jrservice/214202510870206.key; ssl_session_timeout 30m; ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_prefer_server_ciphers on; location / { proxy_set_header Host jrservice.jucaibuy.com; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_pass http://101.201.101.224:8120/; } } # 後臺項目請求轉發 server { listen 443; server_name admin.xxx.com; ssl on; ssl_certificate /dyyl/java/nginx/conf/cert/admin/214202510920206.pem; ssl_certificate_key /dyyl/java/nginx/conf/cert/admin/214202510920206.key; ssl_session_timeout 30m; ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_prefer_server_ciphers on; location / { proxy_set_header Host admin.jucaibuy.com; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_pass http://101.201.101.224:8090/; } }