NginxHttps

  1. HTTPS basic overview
  2. HTTPS configuration syntax
  3. HTTPS configuration scenarios
  4. HTTPS practice on public clouds

HTTPS configuration syntax

Enabling SSL requires both the ssl_certificate and ssl_certificate_key directives:

Syntax: ssl on | off;
Default: ssl off;
Context: http, server

Syntax: ssl_certificate file;
Default: —
Context: http, server

Syntax: ssl_certificate_key file;
Default: —
Context: http, server

Key and certificate generation steps

  1. Generate the private key
  2. Generate the certificate signing request (CSR file)
  3. Generate the signed certificate (CA file)

  1. Check the current environment
# openssl must be 1.0.2
openssl version

# nginx must be built with the ssl module (look for --with-http_ssl_module in the output)
nginx -V

mkdir -p /etc/nginx/ssl_key
cd /etc/nginx/ssl_key
  2. Create the private key
openssl genrsa -idea -out server.key 2048
# -idea encrypts the key with a passphrase; enter and confirm it when prompted
  3. Generate a self-signed certificate from the signing request and the private key
# -newkey creates a fresh key and -keyout overwrites the server.key from the previous step;
# -nodes leaves that key unencrypted, so nginx can start without a passphrase prompt
openssl req -days 36500 -x509 -sha256 -nodes -newkey rsa:2048 -keyout server.key -out server.crt
  4. Configure Nginx
cat /etc/nginx/conf.d/ssl.conf
server {
    listen 443;
    server_name localhost;
    # the ssl directive is deprecated since nginx 1.15.0; "listen 443 ssl;" is the current form
    ssl on;
    index index.html index.htm;
    #ssl_session_cache shared:SSL:10m;
    # how long a cached SSL session may be reused
    ssl_session_timeout 10m;
    # crt file
    ssl_certificate ssl_key/server.crt;
    # key file
    ssl_certificate_key ssl_key/server.key;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
    # supported SSL/TLS protocol versions
    # (TLSv1 and TLSv1.1 are deprecated by RFC 8996; current deployments should allow TLSv1.2 and newer only)
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    location / {
        root /soft/code;
        access_log /logs/ssl.log main;
    }
}
  5. Test access

    Because this certificate was signed by us rather than issued by a trusted third-party CA, the browser will show a warning.

  6. Force HTTP to redirect to HTTPS

    server {
        listen 80;
        server_name localhost;
        # the "redirect" flag sends a temporary (302) redirect; use "permanent" for a 301
        rewrite ^(.*) https://$server_name$1 redirect;
    }
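Added example (not part of the original notes): a POSIX shell script that performs steps 2 and 3 non-interactively and then checks that server.crt and server.key actually belong together before ssl_certificate and ssl_certificate_key are pointed at them. The output directory, the subject and the 365-day validity are assumptions; the page's 36500-day value can be substituted.

```shell
#!/bin/sh
# Generate an unencrypted key and a self-signed certificate in one step (the page's
# step 3 form), with -subj so no interactive prompts are needed.
# $1 = output directory (assumed), $2 = common name (assumed).
gen_selfsigned() {
    dir="$1"; cn="$2"
    mkdir -p "$dir"
    openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 \
        -subj "/CN=$cn" \
        -keyout "$dir/server.key" -out "$dir/server.crt" 2>/dev/null
}

# Return 0 when the certificate's public key matches the private key, 1 otherwise.
# Comparing the RSA modulus of each file is the classic check; a mismatch is exactly
# what you get when step 3 overwrote server.key but an older server.crt was kept,
# and nginx will then refuse to load the pair.
# $1 = key file, $2 = certificate file.
key_matches_cert() {
    key_mod=$(openssl rsa -noout -modulus -in "$1" 2>/dev/null) || return 1
    crt_mod=$(openssl x509 -noout -modulus -in "$2" 2>/dev/null) || return 1
    [ "$key_mod" = "$crt_mod" ]
}

# Print subject and expiry so a wrong or stale certificate is visible at a glance.
cert_summary() {
    openssl x509 -noout -subject -enddate -in "$1"
}
```

Run `key_matches_cert /etc/nginx/ssl_key/server.key /etc/nginx/ssl_key/server.crt` before `nginx -t` whenever the key or certificate is regenerated.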