Nginx

Tech  2022-07-11  166

SSL

SSL: Secure Sockets Layer, created by Netscape in 1994 to provide secure Internet communication over the Web.

It is a standard protocol for encrypting the communication between a browser and a server. It allows private information such as account passwords, bank card numbers and phone numbers to be transmitted securely and conveniently over the Internet.

Common uses of SSL:

- https: the HTTP transport protocol secured with SSL encryption
- IPsec VPN

PKI

Public Key Infrastructure. Its main function is to bind the identity of a certificate holder to the associated key pair (by issuing a digital certificate for the public key together with the user's identity information), to give users convenient ways to apply for, revoke, obtain and check the status of certificates, and, using digital certificates and the related services (certificate publication, blacklist/CRL publication, timestamping and so on), to provide identity authentication, integrity, non-repudiation and confidentiality for the parties in a communication. Standard: X.509

Certificates

- CA: certificate authority
- RA: registration authority

Contents of a certificate

- the applicant's public key
- the applicant's identity
- the certificate's validity period
- the issuer's identity
- the issuer's signature

Choosing an HTTPS certificate

- Professional edition, OV type: does not display the company name
- Advanced edition, EV type: displays the company name

HTTPS certificate purchase options

- Single domain: can be bound to only one domain
- Multi-domain: can be bound to five domains
- Wildcard domain: unlimited number

HTTPS notes

- https only supports second-level domains
- https does not support renewal; when the certificate expires, apply again and replace it
- https shown in green: the whole site is served over https
- https shown in yellow: the site's code contains insecure non-https links
- https shown in red: the certificate is not trusted or has expired

Case: implementing https inside an enterprise

- generate the key
- generate the certificate signing request (csr file)
- generate the signed certificate (ca file)

1. Check whether openssl is installed, and its version

    [root@LNMP-1 ~]# rpm -q openssl
    openssl-1.0.2k-16.el7.x86_64
    [root@LNMP-1 ~]# yum -y install openssl
    [root@LNMP-1 ~]# openssl version
    OpenSSL 1.0.2k-fips 26 Jan 2017

Check whether nginx was built with the ssl module

    [root@LNMP-1 ~]# nginx -V

The output should contain: --with-http_ssl_module

2. Create the ssl key directory

    [root@LNMP-1 ~]# mkdir -p /etc/nginx/ssl_key
    [root@LNMP-1 ~]# cd /etc/nginx/ssl_key/

3. Certificate authority: create the private key

This machine acts as the CA

    [root@LNMP-1 ssl_key]# openssl genrsa -idea -out server.key 2048
    Generating RSA private key, 2048 bit long modulus
    ..............................+++
    ............+++
    e is 65537 (0x10001)
    Enter pass phrase for server.key:
    Verifying - Enter pass phrase for server.key:

4. Generate the certificate and strip the passphrase from the private key (-nodes together with -newkey writes a fresh, unencrypted server.key, replacing the one created in step 3)

    [root@LNMP-1 ssl_key]# openssl req -days 3650 -x509 -sha256 -nodes -newkey rsa:2048 -keyout server.key -out server.crt
    Generating a 2048 bit RSA private key
    ...+++
    ....................................................................+++
    writing new private key to 'server.key'
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [XX]:
    State or Province Name (full name) []:
    Locality Name (eg, city) [Default City]:
    Organization Name (eg, company) [Default Company Ltd]:
    Organizational Unit Name (eg, section) []:
    Common Name (eg, your name or your server's hostname) []:
    Email Address []:
    [root@LNMP-1 ssl_key]#
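As an added example (not part of the original article), the script below carries out the three-step outline from the case introduction in full: key, CSR, then a certificate signed by a separate CA key, rather than the one-shot `-x509` shortcut used in step 4. It also places the hostname in a subjectAltName, which current browsers require before they trust a certificate for that name. The hostnames and the `benet lab` organisation name are placeholders taken from the page's lab setup, the function names are mine, and the only tool it needs is the openssl binary.

```shell
#!/bin/sh
# Added example: a tiny private CA plus a SAN-bearing server certificate.
# Assumptions: openssl (1.0.2 or later) on PATH; "benet lab" and the
# *.benet.com hostnames are placeholders from the page's lab setup.
set -eu

# OpenSSL config for the CA: marks the certificate as a CA (basicConstraints).
write_ca_config() {    # $1 = output path
    cat > "$1" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = benet lab CA
O = benet lab
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
}

# OpenSSL config for a server: adds subjectAltName, which browsers check
# instead of the Common Name.
write_san_config() {   # $1 = output path, $2 = hostname
    cat > "$1" <<EOF
[req]
distinguished_name = dn
req_extensions = v3_req
prompt = no
[dn]
CN = $2
O = benet lab
[v3_req]
subjectAltName = DNS:$2
extendedKeyUsage = serverAuth
EOF
}

# CA key and self-signed CA certificate (the "ca file" of the outline).
make_ca() {            # $1 = directory
    write_ca_config "$1/ca.cnf"
    openssl genrsa -out "$1/ca.key" 2048 2>/dev/null
    openssl req -x509 -new -sha256 -days 3650 -key "$1/ca.key" \
        -config "$1/ca.cnf" -out "$1/ca.crt" 2>/dev/null
}

# Key -> CSR -> certificate signed by the CA, carrying the SAN from the config.
make_server_cert() {   # $1 = directory, $2 = hostname
    write_san_config "$1/$2.cnf" "$2"
    openssl genrsa -out "$1/$2.key" 2048 2>/dev/null
    openssl req -new -sha256 -key "$1/$2.key" -config "$1/$2.cnf" \
        -out "$1/$2.csr" 2>/dev/null
    openssl x509 -req -sha256 -days 825 -in "$1/$2.csr" \
        -CA "$1/ca.crt" -CAkey "$1/ca.key" -CAcreateserial \
        -extfile "$1/$2.cnf" -extensions v3_req -out "$1/$2.crt" 2>/dev/null
}

# The checks a browser (or a proxy with proxy_ssl_verify on) performs:
# the chain validates against the CA and the expected DNS SAN is present.
verify_server_cert() { # $1 = directory, $2 = hostname; 0 when both checks pass
    openssl verify -CAfile "$1/ca.crt" "$1/$2.crt" 2>/dev/null | grep -q ': OK$' || return 1
    openssl x509 -in "$1/$2.crt" -noout -text | grep -q "DNS:$2" || return 1
}

demo_dir=$(mktemp -d)
make_ca "$demo_dir"
make_server_cert "$demo_dir" https.benet.com
if verify_server_cert "$demo_dir" https.benet.com; then
    echo "chain OK and SAN present: $demo_dir/https.benet.com.crt"
fi
```

The resulting `https.benet.com.key` and `https.benet.com.crt` drop straight into the `ssl_certificate_key` and `ssl_certificate` directives of step 5; importing `ca.crt` into the client's trust store is what turns the browser's red padlock into a trusted one.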

5. Configure the https site

    [root@LNMP-1 ~]# vim /etc/nginx/conf.d/https.conf
    server {
        listen 443 ssl;
        server_name https.benet.com;
        ssl_certificate ssl_key/server.crt;
        ssl_certificate_key ssl_key/server.key;
        location / {
            root /httpsweb;
            index index.html;
        }
    }
    [root@LNMP-1 ~]# mkdir /httpsweb
    [root@LNMP-1 ~]# echo "<h1>https.benet.com</h1>" > /httpsweb/index.html
    [root@LNMP-1 ~]# systemctl restart nginx

6. On the client, edit the hosts file and test access with https://https.benet.com.

    [root@localhost ~]# cat /etc/hosts
    127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
    ::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
    192.168.1.11 https.benet.com

7. rewrite: URL redirection (http redirected to https)

    [root@LNMP-1 ~]# vim /etc/nginx/conf.d/https.conf
    ......
    server {
        listen 80;
        server_name https.benet.com;
        # choose any one of the following
        # rewrite .* https://https.benet.com;
        # rewrite .* https://$host$request_uri redirect;
        # rewrite .* https://$server_name$request_uri redirect;
        # the regex must capture the URI, otherwise $1 is empty and the path is lost
        rewrite ^(.*)$ https://$server_name$1 redirect;
    }

Simulated case (configuring load balancing)

Make the Zhihu site reachable via https://zh.benet.com

(1) Configure zh on LNMP-1 (LNMP-2 is the same)

    [root@LNMP-1 ~]# vim /etc/nginx/conf.d/zh.conf
    server {
        listen 443 ssl;
        server_name zh.benet.com;
        ssl_certificate ssl_key/server.crt;
        ssl_certificate_key ssl_key/server.key;
        root /zh;
        index index.php index.html;
        location ~ \.php$ {
            root /zh;
            fastcgi_pass 192.168.1.110:9000;
            fastcgi_index index.php;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            include fastcgi_params;
        }
    }
    server {
        listen 80;
        server_name zh.benet.com;
        # capture the URI so that $1 carries the original path
        rewrite ^(.*)$ https://$server_name$1 redirect;
    }
    [root@LNMP-1 ~]# nginx -t
    [root@LNMP-1 ~]# systemctl restart nginx

(2) Configure load balancer lb1 (lb2 is the same)

    [root@lb1 ~]# vim /etc/nginx/conf.d/lb1.conf
    upstream web_cluster {
        server 192.168.1.109:443;
        server 192.168.1.111:443;
    }
    server {
        listen 443 ssl;
        server_name zh.benet.com;
        ssl_certificate ssl_key/server.crt;
        ssl_certificate_key ssl_key/server.key;
        location / {
            proxy_pass https://web_cluster;
            include nginx_params;
        }
    }
    server {
        listen 80;
        server_name zh.benet.com;
        # $1 is always empty in a return directive; $request_uri keeps the original path
        return 302 https://$server_name$request_uri;
    }
    [root@lb1 ~]# nginx -t
    [root@lb1 ~]# systemctl restart nginx
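Added example, not part of the original page: a small shell audit for three weaknesses that can be read off the lb1.conf above and the redirect blocks earlier in the article. They are a `$1` that no regex ever captures (the redirect silently drops the requested path), `proxy_pass https://` with upstream certificate verification left at nginx's default of off (the lb-to-backend hop encrypts but does not authenticate), and a TLS listener without an explicit `ssl_protocols` line (nginx releases before 1.23.4 then still accept TLS 1.0 and 1.1). The "weak" input is the page's lb1.conf transcribed one directive per line; the hardened variant assumes the CA certificate from the previous example lives at /etc/nginx/ssl_key/ca.crt, a path chosen here, and the function names are mine. It uses only grep, so no nginx installation is needed.

```shell
#!/bin/sh
# Added example: static audit of nginx TLS/redirect settings.
# Assumption: /etc/nginx/ssl_key/ca.crt is where the private CA's certificate
# was copied; any path works as long as proxy_ssl_trusted_certificate matches.
set -eu

# The page's lb1.conf, written one directive per line (constructed input).
write_weak_conf() {     # $1 = output path
    cat > "$1" <<'EOF'
upstream web_cluster {
    server 192.168.1.109:443;
    server 192.168.1.111:443;
}
server {
    listen 443 ssl;
    server_name zh.benet.com;
    ssl_certificate ssl_key/server.crt;
    ssl_certificate_key ssl_key/server.key;
    location / {
        proxy_pass https://web_cluster;
        include nginx_params;
    }
}
server {
    listen 80;
    server_name zh.benet.com;
    return 302 https://$server_name$1;
}
EOF
}

# Same topology with the three findings fixed.
write_hardened_conf() { # $1 = output path
    cat > "$1" <<'EOF'
upstream web_cluster {
    server 192.168.1.109:443;
    server 192.168.1.111:443;
}
server {
    listen 443 ssl;
    server_name zh.benet.com;
    ssl_certificate ssl_key/server.crt;
    ssl_certificate_key ssl_key/server.key;
    ssl_protocols TLSv1.2 TLSv1.3;
    location / {
        proxy_pass https://web_cluster;
        proxy_ssl_verify on;
        proxy_ssl_trusted_certificate /etc/nginx/ssl_key/ca.crt;
        proxy_ssl_name zh.benet.com;
        include nginx_params;
    }
}
server {
    listen 80;
    server_name zh.benet.com;
    return 302 https://$server_name$request_uri;
}
EOF
}

# Prints one finding per line; the return value is the number of findings.
audit_nginx_tls() {     # $1 = nginx config file
    n=0
    # 1. $1 in a return directive, or in a rewrite whose regex is a bare .*,
    #    expands to an empty string: the redirect loses the requested path.
    if grep -Eq '^[[:space:]]*(return|rewrite[[:space:]]+\.\*)[^#]*\$1' "$1"; then
        echo "redirect uses \$1 without a capturing regex; use \$request_uri"
        n=$((n + 1))
    fi
    # 2. proxy_pass https:// without proxy_ssl_verify on: the upstream
    #    certificate is not checked, so the backend hop is unauthenticated.
    if grep -Eq '^[[:space:]]*proxy_pass[[:space:]]+https://' "$1" \
       && ! grep -Eq '^[[:space:]]*proxy_ssl_verify[[:space:]]+on' "$1"; then
        echo "proxy_pass https:// without proxy_ssl_verify on"
        n=$((n + 1))
    fi
    # 3. A TLS listener with no ssl_protocols inherits the build default.
    if grep -Eq '^[[:space:]]*listen[[:space:]]+443[[:space:]]+ssl' "$1" \
       && ! grep -Eq '^[[:space:]]*ssl_protocols' "$1"; then
        echo "listen 443 ssl without an explicit ssl_protocols line"
        n=$((n + 1))
    fi
    return $n
}

# Convenience wrapper: the number of findings as a string.
count_findings() {      # $1 = nginx config file
    audit_nginx_tls "$1" | wc -l | tr -d ' '
}

demo=$(mktemp -d)
write_weak_conf "$demo/lb1.conf"
write_hardened_conf "$demo/lb1-hardened.conf"
for f in "$demo/lb1.conf" "$demo/lb1-hardened.conf"; do
    echo "== $f: $(count_findings "$f") finding(s)"
    audit_nginx_tls "$f" || true
done
```

With `proxy_ssl_verify on`, nginx checks the backend's certificate against `proxy_ssl_trusted_certificate`, and `proxy_ssl_name` tells it which name to expect, since the host part of `proxy_pass` (`web_cluster`) is an upstream label rather than a hostname the backend certificate could carry.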

(3) Open the Zhihu page via https://zh.benet.com
