How to enable HTTPS access
You need a certificate
Either apply for one from a certificate authority
or generate a "fake" (self-signed) certificate
1. Generate a private key (with openssl; not to be confused with openssh)
Use openssl to generate the private key
Check whether the software is installed
[root@moban ~]# rpm -qa openssl
openssl-1.0.1e-57.el6.x86_64
Install or upgrade
yum install -y openssl
Generate the private key
mkdir -p /server/key
# Method 1
openssl genrsa 2048 >/server/key/server.key
# Method 2
openssl genrsa -out /server/key/server.key 2048
Set the permissions to 600
chmod 600 /server/key/server.key
One command that creates the private key file and sets its permissions to 600
(umask 077; openssl genrsa -out /server/key/server.key 2048)
(umask 077 is a command; written as umask=077 it only assigns a shell variable and the key is created with the default permissions.)
2. Generate a certificate request file
How a certificate is requested in a company
openssl req -new -key server.key -out server.csr   (the request file may be named .csr or .pem)
How to generate a self-signed certificate
openssl req -new -x509 -key server.key -out server.crt -days 365
openssl req -new -x509 -key /server/key/server.key -out /server/key/server.crt -days 365
[root@moban ~]# openssl req -new -x509 -key /server/key/server.key -out /server/key/server.cr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN                                # country
State or Province Name (full name) []:ShangHai                      # province
Locality Name (eg, city) [Default City]:ShangHai                    # city
Organization Name (eg, company) [Default Company Ltd]:cjh           # company name
Organizational Unit Name (eg, section) []:it                        # organization / department
Common Name (eg, your name or your server's hostname) []:web01      # host name
Email Address []:[email protected]                                  # e-mail address; the finished certificate is sent here, so it must be correct
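The script below is an added example and not part of the original tutorial. It performs steps 1 and 2 non-interactively (the DN is passed with -subj instead of being typed at the prompts) and then runs the checks that catch the usual mistakes before the files are handed to nginx: key file mode, key/certificate match, and remaining validity. It assumes openssl is installed; the directory defaults to a temporary one rather than /server/key, the DN values are the ones typed in the tutorial, and the e-mail address is a constructed placeholder. Note that the CSR written by gen_csr carries only the DN and the public key, which is why it is the one file a certificate authority needs.

```shell
#!/bin/sh
# Added example, not from the original tutorial: steps 1 and 2 done
# non-interactively, plus checks that catch the usual mistakes before the
# files are handed to nginx. Requires openssl. Directory and DN values are
# assumptions taken from the tutorial; the e-mail address is a constructed placeholder.

# Step 1: private key. "umask 077" is a command (not "umask=077", which only
# assigns a shell variable), so the key file is created with mode 0600.
gen_key() {
    dir=$1
    mkdir -p "$dir"
    (umask 077; openssl genrsa -out "$dir/server.key" 2048 2>/dev/null)
}

# Step 2a: certificate signing request, the file a CA needs. It contains the DN
# and the public key only; the private key stays on the server.
gen_csr() {
    dir=$1; subj=$2
    openssl req -new -key "$dir/server.key" -out "$dir/server.csr" -subj "$subj"
}

# Step 2b: self-signed certificate (the tutorial's "fake" certificate) for testing.
gen_selfsigned() {
    dir=$1; subj=$2; days=${3:-365}
    openssl req -new -x509 -key "$dir/server.key" -out "$dir/server.crt" \
        -days "$days" -subj "$subj"
}

# The certificate's public key must belong to this private key, otherwise nginx
# refuses to start. Compare the two public keys through their SHA-256 digests.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null | openssl sha256)
    c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null | openssl sha256)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# The private key must be readable by its owner only (0600 or 0400).
key_mode_ok() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    [ "$mode" = 600 ] || [ "$mode" = 400 ]
}

# True if the certificate is still valid $2 days from now; use it to schedule renewal.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Usage: sh this.sh [dir]   (defaults to a temporary directory, not /server/key)
demo() {
    dir=${1:-$(mktemp -d)}
    subj="/C=CN/ST=ShangHai/L=ShangHai/O=cjh/OU=it/CN=web01/emailAddress=admin@example.com"
    gen_key "$dir" && gen_csr "$dir" "$subj" && gen_selfsigned "$dir" "$subj" 365 || return 1
    key_mode_ok "$dir/server.key" && echo "key mode OK"
    key_matches_cert "$dir/server.key" "$dir/server.crt" && echo "key and certificate match"
    cert_valid_for_days "$dir/server.crt" 30 && echo "certificate valid for at least 30 days"
    openssl x509 -in "$dir/server.crt" -noout -subject -dates
}
demo "$@"
```

For a real deployment the same functions apply to the files in /application/nginx/conf/key after step 4; key_matches_cert is the quickest way to explain an nginx that refuses to start after a certificate was renewed but the old key was kept.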
3. Send the private key and the certificate request file to a certificate authority (this costs 1000+ yuan). Free certificates: Alibaba Cloud and Tencent Cloud offer them when you buy a domain.
Writing the nginx configuration file
4. Once you have the certificate, edit the web server configuration so that it loads the private key and the certificate
Create a directory for the private key and the certificate
mkdir -p /application/nginx/conf/key
Move the private key and the certificate into it
mv /server/key/* /application/nginx/conf/key/
Give ownership to the nginx user
chown -R www.www /application/nginx/conf/key/
Edit the nginx configuration file and add the certificate
vim /application/nginx/conf/extra/www.conf
server {
    listen 443;
    server_name www.abc.com;
    # https certificate
    ssl on;
    ssl_certificate     /application/nginx/conf/key/server.crt;
    ssl_certificate_key /application/nginx/conf/key/server.key;
    # access log
    access_log logs/access_www.log main buffer=32k flush=5s;
    location / {
        root  html/www;
        index index.php index.html index.htm;
    }
    # php handling (the extension group must not be optional, or the rule also matches URIs ending in ".")
    location ~ \.(php|php5)$ {
        root html/www;
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        include fastcgi.conf;
    }
}
# Check the nginx configuration
/application/nginx/sbin/nginx -t
# After changing the listen port nginx must be stopped and started; a graceful reload cannot be used, because a changed port does not take effect on a graceful reload
/application/nginx/sbin/nginx -s stop
/application/nginx/sbin/nginx
# Check that nginx is now listening on port 443
netstat -lnp|grep nginx
[root@moban shell001]# netstat -lnp|grep nginx
tcp        0      0 0.0.0.0:80          0.0.0.0:*           LISTEN      2265/nginx
tcp        0      0 0.0.0.0:443         0.0.0.0:*           LISTEN      2265/nginx
5. Test access
Opening the site in the browser does not work, because HTTPS uses port 443 by default, while a plain http:// request from the browser does not go to port 443
Correct way to access it: https://domain
https://www.abc.com
Access result
Use the rewrite feature so that visitors who type the domain without https are redirected to HTTPS automatically
Configure the redirect
Configure nginx
cat /application/nginx/conf/extra/www.conf
server {
    listen 80;
    server_name www.abc.com;
    rewrite ^(.*)$ https://$host$1 permanent;
}
server {
    listen 443;
    server_name www.abc.com;
    # https certificate
    ssl on;
    ssl_certificate     /application/nginx/conf/key/server.crt;
    ssl_certificate_key /application/nginx/conf/key/server.key;
    # access log
    access_log logs/access_www.log main buffer=32k flush=5s;
    location / {
        root  html/www;
        index index.php index.html index.htm;
    }
    # php handling (the extension group must not be optional, or the rule also matches URIs ending in ".")
    location ~ \.(php|php5)$ {
        root html/www;
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        include fastcgi.conf;
    }
}
# Check the configuration
/application/nginx/sbin/nginx -t
# Restart nginx
/application/nginx/sbin/nginx -s stop
/application/nginx/sbin/nginx
# Check the nginx listening ports
netstat -lnp|grep nginx
[root@moban shell001]# netstat -lnp|grep nginx
tcp        0      0 0.0.0.0:80          0.0.0.0:*           LISTEN      2537/nginx
tcp        0      0 0.0.0.0:443         0.0.0.0:*           LISTEN      2537/nginx
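The redirect can be verified from the shell instead of from a browser screenshot. The following is an added example, not part of the original tutorial: check_redirect_headers reads raw HTTP response headers and accepts them only if they are a redirect whose Location is an https:// URL on the expected host, and probe_redirect feeds it the live answer from curl. The host name www.abc.com is the server_name from the configuration above; the two sample responses are constructed, the second one showing what a port-80 server block without the rewrite line returns.

```shell
#!/bin/sh
# Added example, not from the original tutorial: check the HTTP -> HTTPS
# redirect from the shell instead of from a browser. The host name is the
# tutorial's server_name; the sample responses below are constructed.

# Read raw HTTP response headers from stdin; succeed only if they are a
# redirect (301/302/307/308) whose Location is an https:// URL on host $1.
check_redirect_headers() {
    expect_host=$1
    headers=$(tr -d '\r')   # real responses use CRLF line endings
    status=$(printf '%s\n' "$headers" | awk 'NR==1 && $1 ~ /^HTTP\// {print $2}')
    location=$(printf '%s\n' "$headers" | awk 'tolower($1)=="location:" {print $2; exit}')
    case "$status" in
        301|302|307|308) ;;
        *) echo "not a redirect (status: ${status:-none})" >&2; return 1 ;;
    esac
    case "$location" in
        "https://$expect_host"|"https://$expect_host"/*)
            echo "redirect OK -> $location" ;;
        *)  echo "redirect target is '$location', expected https://$expect_host/..." >&2
            return 1 ;;
    esac
}

# Query the live server: $1 is the host, $2 an optional path. -I sends HEAD;
# the tutorial's "rewrite ... permanent" answers it with 301 plus Location.
probe_redirect() {
    curl -sSI --max-time 5 "http://$1/$2" | check_redirect_headers "$1"
}

# Constructed sample of what the port-80 server block should return.
SAMPLE_GOOD=$(printf 'HTTP/1.1 301 Moved Permanently\r\nServer: nginx\r\nLocation: https://www.abc.com/index.php\r\nContent-Length: 178\r\n\r\n')
# Constructed sample of a server still answering plain HTTP (rewrite line missing).
SAMPLE_BAD=$(printf 'HTTP/1.1 200 OK\r\nServer: nginx\r\nContent-Type: text/html\r\n\r\n')

printf '%s' "$SAMPLE_GOOD" | check_redirect_headers www.abc.com
printf '%s' "$SAMPLE_BAD"  | check_redirect_headers www.abc.com || echo "(expected failure on the bad sample)"

# Usage: sh this.sh www.abc.com [path]   to probe the real server
if [ -n "${1:-}" ]; then probe_redirect "$1" "${2:-}"; fi
```

Because the rewrite uses $host and $1, the path is preserved in the redirect, so probing a deep link such as index.php is a better test than probing only the root.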
Access test
Result: the browser is redirected to https automatically