08 Building an HTTPS Encrypted Website with Nginx (Based on Apple iOS Requirements)


HTTPS Overview

HTTPS addresses two risks of plain HTTP:

1. Transmitted data is intercepted by a man in the middle, leaking information
2. Data content is hijacked and tampered with

HTTPS Configuration Syntax

1. Enable SSL on the listening port (listen 443 ssl;)
2. Certificate file (ssl_certificate)
3. Certificate private key file (ssl_certificate_key)

HTTPS Configuration Scenario

Check the current environment

1. Check the OpenSSL version; 1.0.2 is required, and the CentOS 7 default meets it
[root@proxy conf.d]# openssl version
OpenSSL 1.0.2k-fips 26 Jan 2017

2. Nginx must be built with the SSL module (look for --with-http_ssl_module in the output)
[root@proxy conf.d]# nginx -V

Self-signed certificate generated locally (for testing only)

[root@proxy conf.d]# mkdir /etc/nginx/ssl_key -p
[root@proxy conf.d]# cd /etc/nginx/ssl_key

# Create the private key (-idea encrypts it with a pass phrase)

[root@proxy ssl_key]# openssl genrsa -idea -out server.key 2048
Generating RSA private key, 2048 bit long modulus
.............................................................+++
.....................................+++
e is 65537 (0x10001)
Enter pass phrase for server.key:
Verifying - Enter pass phrase for server.key:

# The pass phrase entered here was 123456

[root@proxy ssl_key]# ls -l
-rw-r--r-- 1 root root 1747 Oct 23 09:31 server.key
# Generate a new private key and a self-signed certificate in one step
[root@proxy ssl_key]# openssl req -days 36500 -x509 -sha256 -nodes -newkey rsa:2048 -keyout server.key -out server.crt

# -days 36500: validity period (36500 days is 100 years)
# -sha256 -newkey rsa:2048: SHA-256 signature, 2048-bit RSA key
# -nodes: the new key is written unencrypted; -keyout server.key overwrites the key created above
# The DN fields prompted for below can be filled in arbitrarily

Generating a 2048 bit RSA private key
................+++
...+++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Leo
Locality Name (eg, city) [Default City]:bj
Organization Name (eg, company) [Default Company Ltd]:SA
Organizational Unit Name (eg, section) []:SA
Common Name (eg, your name or your server's hostname) []:SA
Email Address []:SA@qq.com

Configure Nginx

[root@proxy conf.d]# vim ssl.conf

server {
    #listen 80;
    listen 443 ssl;
    server_name 60.205.217.112;
    index index.html index.htm;

    # ssl on;
    # ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
    # relative paths resolve under the nginx prefix (/etc/nginx on this host)
    ssl_certificate ssl_key/server.crt;
    ssl_certificate_key ssl_key/server.key;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;

    location / {
        root /soft/code;
        access_log /var/log/nginx/ssl.log main;
    }
}

[root@proxy conf.d]# cat /soft/code/index.html
<h1>https index hello</h1>

[root@proxy conf.d]# ls -l /etc/nginx/ssl_key/
-rw-r--r-- 1 root root 1326 Oct 23 09:35 server.crt
-rw-r--r-- 1 root root 1704 Oct 23 09:35 server.key

# Test access in a browser; the URL must use the https:// prefix
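A check that reads the ssl.conf above and reports which settings fall short of Apple's App Transport Security rules (TLS 1.2 or newer, ECDHE forward-secrecy suites), plus the cipher exclusions the page's own list relies on. This is an added example, not part of the original post; the embedded server block is the page's config copied in as constructed sample input, and the ATS rules are taken from Apple's published requirements.

```python
# Constructed sample input: the ssl.conf server block from this page, as written.
PAGE_SSL_CONF = """
server {
    listen 443 ssl;
    # ssl on;
    # ssl_session_cache share:SSL:10m;
    ssl_session_timeout 10m;
    ssl_certificate ssl_key/server.crt;
    ssl_certificate_key ssl_key/server.key;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
}
"""

# Versions below TLS 1.2 do not meet Apple ATS, which requires TLS 1.2 or newer.
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}


def parse_directives(conf):
    """Map each ssl_* directive to its argument list, skipping '#' comments."""
    found = {}
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip().rstrip(";")
        if line.startswith("ssl_"):
            name, *args = line.split()
            found[name] = args
    return found


def check_tls_config(conf):
    """Return (severity, message) findings; an empty list means nothing to report."""
    d = parse_directives(conf)
    findings = []
    for key in ("ssl_certificate", "ssl_certificate_key"):
        if key not in d:
            findings.append(("FAIL", f"{key} is missing"))
    protocols = set(d.get("ssl_protocols", []))
    if not protocols & {"TLSv1.2", "TLSv1.3"}:
        findings.append(("FAIL", "TLS 1.2 or 1.3 must be offered"))
    legacy = sorted(protocols & LEGACY_PROTOCOLS)
    if legacy:
        findings.append(("WARN", "legacy protocols enabled: " + ", ".join(legacy)))
    ciphers = d.get("ssl_ciphers", [""])[0].split(":")
    if not any(c.startswith("ECDHE") for c in ciphers):  # ATS requires forward secrecy
        findings.append(("FAIL", "no ECDHE suites, so no forward secrecy"))
    for excluded in ("!aNULL", "!MD5", "!RC4"):
        if excluded not in ciphers:
            findings.append(("WARN", f"cipher list does not contain {excluded}"))
    if d.get("ssl_prefer_server_ciphers") != ["on"]:
        findings.append(("WARN", "ssl_prefer_server_ciphers is not on"))
    return findings
```

On the page's config the only finding is the WARN for TLSv1 and TLSv1.1 still being offered; the certificate, ECDHE suites and exclusions all pass.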

Public cloud: HTTPS certificates meeting Apple's requirement

# Free certificates: one certificate must be requested for each subdomain
nginx.bjstack.com https
www.bjstack.com https

# Wildcard certificate: one certificate covers any number of subdomains
*.bjstack.com https