21、Nginx 实战:Nginx常用HTTPS配置
#1.新建证书存放目录
[root@mjndev conf.d]# mkdir /etc/ssl/private/dm -p
#2.上传证书
[root@mjndev conf.d]# cd /etc/ssl/private/dm
[root@mjndev dm]# rz
[root@mjndev dm]# ll
total 24
-rw-r--r-- 1 root root 23922 Jul 5 10:09 rbcas.com.cn.zip
二、解压证书
[root@mjndev dm]# unzip rbcas.com.cn.zip
[root@mjndev dm]# ll
total 72
-rw-r--r-- 1 root root 4674 Mar 22 11:25 3972117__rbcas.com.cn_apache.zip
-rw-r--r-- 1 root root 5151 Mar 22 11:25 3972117__rbcas.com.cn_iis.zip
-rw-r--r-- 1 root root 3955 Mar 22 11:25 3972117__rbcas.com.cn_jks.zip
-rw-r--r-- 1 root root 4283 Mar 22 11:25 3972117__rbcas.com.cn_nginx.zip
-rw-r--r-- 1 root root 5151 Mar 22 11:25 3972117__rbcas.com.cn_tomcat.zip
-rw-r--r-- 1 root root 23922 Jul 5 10:09 rbcas.com.cn.zip
三、Nginx类型证书
1.解压Nginx证书
#1.解压nginx类型证书
[root@mjndev dm]# unzip 3972117__rbcas.com.cn_nginx.zip
Archive: 3972117__rbcas.com.cn_nginx.zip
Aliyun Certificate Download
inflating: 3972117__rbcas.com.cn.pem
inflating: 3972117__rbcas.com.cn.key
#2.查看证书
[root@mjndev dm]# ll
total 72
-rw-r--r-- 1 root root 4283 Mar 22 11:25 3972117__rbcas.com.cn_nginx.zip
-rw-r--r-- 1 root root 1679 Mar 22 11:25 3972117__rbcas.com.cn.key
-rw-r--r-- 1 root root 4103 Mar 22 11:25 3972117__rbcas.com.cn.pem
2.配置Nginx前后端不分离
#1.进入nginx配置目录
[root@mjndev dm]# cd /etc/nginx/conf.d/
#2.编写nginx站点文件
[root@mjndev conf.d]# vim dmtest.rbcas.com.cn.conf
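# Backend that serves the API; it listens on the loopback interface only.
upstream dmtest.rbcas.com.cn {
    server localhost:18080;
}

# Send "Connection: upgrade" to the backend only when the client actually
# asked for a protocol upgrade (WebSocket); ordinary requests keep a normal
# connection instead of being forced to "upgrade" on every call.
# NOTE(review): map must live in the http context — assumes conf.d/*.conf is
# included from there, as the stock /etc/nginx/nginx.conf does; confirm.
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

# Plain-HTTP listener: everything is redirected to HTTPS.
server {
    listen 80;
    server_name dmtest.rbcas.com.cn;
    # Redirect to the configured name rather than the client-supplied Host
    # header, so a forged Host value cannot steer the redirect elsewhere.
    return 301 https://$server_name$request_uri;
}

# HTTPS site: static front end plus /api proxied to the upstream above.
server {
    listen 443 ssl;
    server_name dmtest.rbcas.com.cn;

    ssl_certificate     /etc/ssl/private/dm/3972117__rbcas.com.cn.pem;
    # The unpacked .key is listed above with mode 0644; it should be readable
    # by root only (chmod 600) — nginx reads it as root before dropping privileges.
    ssl_certificate_key /etc/ssl/private/dm/3972117__rbcas.com.cn.key;
    ssl_session_timeout 5m;
    ssl_session_cache   shared:SSL:10m;

    # TLS 1.0 and 1.1 are deprecated (RFC 8996); offer only 1.2 and 1.3.
    # TLSv1.3 needs nginx 1.13.0+ built against OpenSSL 1.1.1+; drop the value
    # if `nginx -t` rejects it on this host.
    ssl_protocols TLSv1.2 TLSv1.3;
    # Forward-secret AEAD suites only. The original "ECDHE:ECDH:AES:HIGH" list
    # also admitted static-RSA key exchange and CBC suites.
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers on;

    # Keep browsers on HTTPS after the first visit; "always" applies the
    # header to error responses as well.
    add_header Strict-Transport-Security "max-age=31536000" always;

    access_log /data/logs/dmtest.rbcas.com.cn_access.log;
    error_log  /data/logs/dmtest.rbcas.com.cn_error.log;

    location /api {
        proxy_headers_hash_max_size    51200;
        proxy_headers_hash_bucket_size 6400;
        proxy_http_version 1.1;
        proxy_set_header Upgrade    $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_set_header X-Real-IP  $remote_addr;
        # The original set X-Forwarded-For twice (once with $remote_addr, once
        # with $proxy_add_x_forwarded_for), so the backend received two headers.
        # Keep only the appending form; the backend should trust just the
        # rightmost entry, which is the one this proxy adds.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $host;
        proxy_redirect off;
        proxy_pass http://dmtest.rbcas.com.cn;
    }

    location / {
        root /data/webproject/dm/dist;
    }

    # location and alias are both written without a trailing slash; if one is
    # changed the other must change the same way or the path mapping no
    # longer lines up.
    location /dm {
        alias /data/webproject/dm/dist;
    }
}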
#3.创建站点日志目录
[root@mjndev conf.d]# mkdir /data/logs -p
#4.检查nginx配置
[root@mjndev conf.d]# nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
#5.重载nginx
[root@mjndev conf.d]# nginx -s reload
四、Tomcat类型证书
1.解压Tomcat证书
#1.解压tomcat类型证书
[root@mjndev ~]# cd /etc/ssl/private/dm
[root@mjndev dm]# unzip 3972117__rbcas.com.cn_tomcat.zip
#2.查看证书
[root@mjndev dm]# ll
total 80
-rw-r--r-- 1 root root 4834 Mar 22 11:25 3972117__rbcas.com.cn.pfx
-rw-r--r-- 1 root root 5151 Mar 22 11:25 3972117__rbcas.com.cn_tomcat.zip
-rw-r--r-- 1 root root 8 Mar 22 11:25 pfx-password.txt
2.转化pfx证书
#1.生成证书crt和key
[root@mjndev dm]# openssl pkcs12 -in 3972117__rbcas.com.cn.pfx -clcerts -nokeys -out dmtest.rbcas.com.cn.crt
Enter Import Password: ****** #pfx-password.txt的密码
MAC verified OK
[root@mjndev dm]# openssl pkcs12 -in 3972117__rbcas.com.cn.pfx -nocerts -nodes -out dmtest.rbcas.com.cn.rsa
Enter Import Password: ****** #pfx-password.txt的密码
MAC verified OK
#2.查看所在目录中已生成的证书
[root@mjndev dm]# ll
total 80
-rw-r--r-- 1 root root 4834 Mar 22 11:25 3972117__rbcas.com.cn.pfx
-rw-r--r-- 1 root root 5151 Mar 22 11:25 3972117__rbcas.com.cn_tomcat.zip
-rw-r--r-- 1 root root 2744 Jul 5 19:16 dmtest.rbcas.com.cn.crt
-rw-r--r-- 1 root root 1850 Jul 5 19:17 dmtest.rbcas.com.cn.rsa
-rw-r--r-- 1 root root 8 Mar 22 11:25 pfx-password.txt
-rw-r--r-- 1 root root 23922 Jul 5 10:09 rbcas.com.cn.zip
#3.验证证书和私钥能否正常加载
[root@mjndev dm]# openssl s_server -www -accept 443 -cert ./dmtest.rbcas.com.cn.crt -key ./dmtest.rbcas.com.cn.rsa
3.配置Nginx
[root@mjndev dm]# vim /etc/nginx/conf.d/dmtest.rbcas.com.cn.conf
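# Backend that serves the API; it listens on the loopback interface only.
upstream dmtest.rbcas.com.cn {
    server localhost:18080;
}

# Send "Connection: upgrade" to the backend only when the client actually
# asked for a protocol upgrade (WebSocket); ordinary requests keep a normal
# connection instead of being forced to "upgrade" on every call.
# NOTE(review): map must live in the http context — assumes conf.d/*.conf is
# included from there, as the stock /etc/nginx/nginx.conf does; confirm.
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

# Plain-HTTP listener: everything is redirected to HTTPS.
server {
    listen 80;
    server_name dmtest.rbcas.com.cn;
    # Redirect to the configured name rather than the client-supplied Host
    # header, so a forged Host value cannot steer the redirect elsewhere.
    return 301 https://$server_name$request_uri;
}

# HTTPS site using the certificate and key extracted from the .pfx above.
server {
    listen 443 ssl;
    server_name dmtest.rbcas.com.cn;

    ssl_certificate     /etc/ssl/private/dm/dmtest.rbcas.com.cn.crt;
    # The .rsa file was written unencrypted (-nodes) with mode 0644, next to
    # pfx-password.txt. Restrict it to root (chmod 600) and remove the
    # password file and .pfx from the server once the key is extracted.
    ssl_certificate_key /etc/ssl/private/dm/dmtest.rbcas.com.cn.rsa;
    ssl_session_timeout 5m;
    ssl_session_cache   shared:SSL:10m;

    # TLS 1.0 and 1.1 are deprecated (RFC 8996); offer only 1.2 and 1.3.
    # TLSv1.3 needs nginx 1.13.0+ built against OpenSSL 1.1.1+; drop the value
    # if `nginx -t` rejects it on this host.
    ssl_protocols TLSv1.2 TLSv1.3;
    # Forward-secret AEAD suites only. The original "ECDHE:ECDH:AES:HIGH" list
    # also admitted static-RSA key exchange and CBC suites.
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers on;

    # Keep browsers on HTTPS after the first visit; "always" applies the
    # header to error responses as well.
    add_header Strict-Transport-Security "max-age=31536000" always;

    access_log /data/logs/dmtest.rbcas.com.cn_access.log;
    error_log  /data/logs/dmtest.rbcas.com.cn_error.log;

    location /api {
        proxy_headers_hash_max_size    51200;
        proxy_headers_hash_bucket_size 6400;
        proxy_http_version 1.1;
        proxy_set_header Upgrade    $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_set_header X-Real-IP  $remote_addr;
        # The original set X-Forwarded-For twice (once with $remote_addr, once
        # with $proxy_add_x_forwarded_for), so the backend received two headers.
        # Keep only the appending form; the backend should trust just the
        # rightmost entry, which is the one this proxy adds.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $host;
        proxy_redirect off;
        proxy_pass http://dmtest.rbcas.com.cn;
    }

    location / {
        root /data/webproject/dm/dist;
    }

    # location and alias are both written without a trailing slash; if one is
    # changed the other must change the same way or the path mapping no
    # longer lines up.
    location /dm {
        alias /data/webproject/dm/dist;
    }
}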
#3.创建站点日志目录
[root@mjndev dm]# mkdir /data/logs -p
#4.检查nginx配置
[root@mjndev dm]# nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
#5.重载nginx
[root@mjndev dm]# nginx -s reload
五、访问测试
打开浏览器，输入配置 Nginx 时使用的域名，应自动跳转到 HTTPS；再查看浏览器显示的证书是否过期即可。