Nginx实现网站https
LiuSw Lv6
 2023-07-24 13:45:28      1.2k 字  6 分钟  

一.生成秘钥

如果提供了则不需要生成

使用centos系统生成秘钥

1. 使用openssl生成密钥privkey.pem:

1
openssl genrsa -out privkey.pem 1024/2038

2. 使用密钥生成证书server.pem:

1
openssl req -new -x509 -key privkey.pem -out server.pem -days 3650

个人网站为例
Common Name (e.g. server FQDN or YOUR name) []: ceshi-test.com
也可以通过*.yourdomain.com来匹配你的二级域名

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN                         	              #国家名称
State or Province Name (full name) []:ShangHai           	 	      #省
Locality Name (eg, city) [Default City]:ShangHai         		      #市
Organization Name (eg, company) [Default Company Ltd]:ACBC                    #公司
Organizational Unit Name (eg, section) []:Tech                                #部门
Common Name (eg, your name or your server's hostname) []:*.mydomain.com       #注意,此处应当填写你要部署的域名,如果是单个则直接添加即可,如果不确定,使用*,表示可以对所有mydomain.com的子域名做认证
Email Address []:admin@mydomain.com                                           #以域名结尾即可

Please enter the following 'extra' attributes
to be sent with your certificate request 
A challenge password []:        											   #是否设置密码,可以不写直接回车  
An optional company name []:                                                   #其他公司名称 可不写

二.安装nginx

1.windows版直接下载绿色版

1
https://nginx.org/en/download.html

2.centos版安装

(1)在线安装

1
yum install -y nginx

(2)离线下载

1
https://nginx.org/en/download.html

三.配置nginx

1
vi /etc/nginx/nginx.conf
编辑server下内容 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
# For more information on configuration, see:
#   * Official English Documentation: http://nginx.org/en/docs/
#   * Official Russian Documentation: http://nginx.org/ru/docs/

#user nginx;
#worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;
# Load dynamic modules. See /usr/share/doc/nginx/README.dynamic.
include /usr/share/nginx/modules/*.conf;

events {
    worker_connections 1024;
}

http {
    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';
    access_log  /var/log/nginx/access.log  main;

    sendfile            on;
    tcp_nopush          on;
    tcp_nodelay         on;
    keepalive_timeout   65;
    types_hash_max_size 2048;

    include             /etc/nginx/mime.types;
    default_type        application/octet-stream;

    include /etc/nginx/conf.d/*.conf;
    server {
        listen       443;
        server_name  cesshi-test.com;
        ssl_certificate /data/nginx/pki/server.pem;
        ssl_certificate_key  /data/nginx/pki/privkey.pem;
        ssl_session_timeout     5m; #会话超时时间
        ssl_ciphers     ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4; #加密算法
        ssl_protocols   TLSv1 TLSv1.1 TLSv1.2; #SSL协议
        #root         /usr/share/nginx/html;

        # Load configuration files for the default server block.
        include /etc/nginx/default.d/*.conf;

       location / {
            proxy_pass  http://192.168.11:8080;       
            proxy_redirect     off;      
            proxy_set_header   Host             $host;             
            proxy_set_header   X-Real-IP        $remote_addr;             
            proxy_set_header   X-Forwarded-For  $proxy_add_x_forwarded_for;           
            client_max_body_size       100m;            
            index  index.html index.htm;
            add_header X-Content-Type-Options "nosniff" always;
            add_header X-XSS-Protection "1; mode=block" always;
            add_header X-Frame-Options SAMEORIGIN;
            add_header Strict-Transport-Security "max-age=16070400; includeSubdomains; preload" always;
            add_header Referrer-Policy "strict-origin";
            add_header X-Permitted-Cross-Domain-Policies none;
            add_header X-Download-Options noopen;
            add_header Access-Control-Allow-Origin *;
            add_header Access-Control-Allow-Methods 'GET, POST, OPTIONS';
            add_header Access-Control-Allow-Headers 'DNT,X-Mx-ReqToken,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Authorization';
            if ($request_method = 'OPTIONS') {
              return 204;
            }  
        }

        error_page 404 /404.html;
            location = /40x.html {
        }

        error_page 500 502 503 504 /50x.html;
            location = /50x.html {
        }
    }

# Settings for a TLS enabled server.
    server {
        listen       443 ssl http2 default_server;
        listen       [::]:443 ssl http2 default_server;
        server_name  ceshi2-test.com;   #与申请时的域名保持一致,否则会报错
        root         /usr/share/nginx/html;

        ssl_certificate  /data/nginx/pki/server.pem;
        ssl_certificate_key  /data/nginx/pki/privkey.pem;
        ssl_session_timeout     5m; #会话超时时间
        ssl_ciphers     ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4; #加密算法
        ssl_protocols   TLSv1 TLSv1.1 TLSv1.2; #SSL协议
        #root         /usr/share/nginx/html;

        # Load configuration files for the default server block.
        include /etc/nginx/default.d/*.conf;

       location / {
            proxy_pass  http://192.168.12:8080;       
            proxy_redirect     off;      
            proxy_set_header   Host             $host;             
            proxy_set_header   X-Real-IP        $remote_addr;             
            proxy_set_header   X-Forwarded-For  $proxy_add_x_forwarded_for;           
            client_max_body_size       100m;            
            index  index.html index.htm;
        }

        error_page 404 /404.html;
            location = /40x.html {
        }

        error_page 500 502 503 504 /50x.html;
            location = /50x.html {
        }
    }

}

四.http转发https

1.http转发到https,但是http和https不能用同一个配置

nginx.conf配置

1
2
3
4
5
6
server {
	listen	80;
	listen	www.xxx.com:80; #此处添加你要该链接访问的域名
	server_name  www.xxx.com  alias  xxx.com.alias;
	rewrite ^(.*) https://$server_name$1 permanent;		#此句最关键
}

2.使用同一个端口,http转https

1
2
3
4
5
6
7
8
9
原理:
http和https是tcp的上层协议,当nginx服务器建立tcp连接后,根据收到的第一
份数据来确定客户端是希望建立tls还是http。nginx会判断tcp请求的首写节内容
以进行区分,如果是0x80或者0x16就可能是ssl或者tls,然后尝试https握手。
如果端口开启了https,但请求过来的并不是,会抛出一个http级别的错误,
这个错误的状态码是NGX_HTTP_TO_HTTPS,错误代码497,然后在返回
response中会抛出一个400错误(因为497不是标准状态码,丢给浏览器也没
有用),这时浏览器会显示"400 Bad Request,The plain HTTP request was 
sent to HTTPS port"

nginx.conf配置

1
2
3
4
5
6
7
server {
	listen	80 ssl;
	listen	www.xxx.com:80; 				#此处添加你要该链接访问的域名
	server_name  www.xxx.com  alias  xxx.com.alias;
	error_page 497 https://$host:8080$request_uri;		#此句最关键,重新定义端口
	#error_page 497 https://$http_host$request_uri;		#此句最关键,只是将http改为https,其他不变
}

nginx详细功能详见https://liusw.top/categories/Nginx/

The End

 评论