SSL:
安全套接字层,由Netscape公司于1994年创建,它旨在通过Web创建安全的Internet通信。
它是一种标准协议,用于加密浏览器和服务器之间的通信。它允许通过Internet安全轻松地传输账号密码、银行卡、手机号等私密信息。
SSL常见应用:
https:启用ssl加密的安全HTTP传输协议 443
ipsec vpn
PKI:公钥基础设施,主要功能是绑定证书持有者的身份和相关的密钥对(通过为公钥及相关的用户身份信息签发数字证书),
为用户提供方便的证书申请、证书作废、证书获取、证书状态查询的途径,
并利用数字证书及相关的各种服务(证书发布,黑名单发布,时间戳服务等),
实现通信中各实体的身份认证、完整性、抗抵赖性和保密性.
标准:x.509
CA:证书颁发机构
RA:证书注册机构
证书的内容:
申请者的公钥
申请者的身份标识
证书有效期
颁发者的标识
颁发者的签名
HTTPS证书的选择
DV型 域名型,不显示企业名
OV型 企业型,显示企业名
EV型 企业增强型,防止代申请
HTTPS证书购买选择
单域名:仅能绑定一个域名
多域名:能绑定五个域名
通配符域名:不限个数
HTTPS注意事项
https仅支持二级域名
https不支持续费,证书到期重新申请替换
https显示绿色,说明整个网站都是https的
https显示黄色,网站代码中包含https不安全链接
https显示红色,证书不认或过期
企业内部实现https案例:
生成key密钥
生成证书签名请求文件(csr文件)
生成证书签名文件(ca文件)
1.查看是否安装openssl和版本
rpm -q openssl
yum -y install openssl
openssl version
查看nginx是否安装ssl模块
nginx -V 显示结果包含: --with-http_ssl_module
创建ssl密钥目录,并进入目录
mkdir -p /etc/nginx/ssl_key
cd /etc/nginx/ssl_key
2.本机当CA:证书颁发机构,创建私钥
openssl genrsa -idea -out server.key 2048
3.生成证书,去掉私钥的密码
openssl req -days 3650 -x509 -sha256 -nodes -newkey rsa:2048 -keyout server.key -out server.crt
4.配置https网站
vim /etc/nginx/conf.d/https.conf
添加:
server {
listen 443 ssl;
server_name https.benet.com;
ssl_certificate ssl_key/server.crt;
ssl_certificate_key ssl_key/server.key;
location / {
root /httpsweb;
index index.html;
}
}
保存退出
mkdir /httpsweb
echo "<h1>https.benet.com</h1>" > /httpsweb/index.html
systemctl restart nginx
5.客户机修改hosts文件,使用https://https.benet.com访问测试。
6.rewrite地址重写(http重定向到https)
vim /etc/nginx/conf.d/https.conf
server {
listen 443 ssl;
server_name https.benet.com;
ssl_certificate ssl_key/server.crt;
ssl_certificate_key ssl_key/server.key;
location / {
root /httpsweb;
index index.html;
}
}
server {
listen 80;
server_name https.benet.com;
# rewrite .* https://https.benet.com;
# rewrite .* https://$host$request_uri redirect;
# rewrite .* https://$server_name$request_uri redirect;
rewrite .* https://$server_name$1 redirect;
}
保存退出
7.配置负载均衡https
vim /etc/nginx/conf.d/lb_https.conf
添加:
upstream webhttps {
server 192.168.1.109:443;
server 192.168.1.111:443;
}
server {
listen 443 ssl;
server_name https.benet.com;
ssl_certificate ssl_key/server.crt;
ssl_certificate_key ssl_key/server.key;
location / {
proxy_pass https://webhttps;
}
}
server {
listen 80;
server_name https.benet.com;
return 302 https://$server_name$1;
}
保存退出
8.模拟案例:配置https的blog、zh(web2和web1配置相同)选做
(1)配置web1的blog
vim /etc/nginx/conf.d/blog.conf
添加:
server {
listen 443 ssl;
server_name blog.benet.com;
ssl_certificate ssl_key/server.crt;
ssl_certificate_key ssl_key/server.key;
root /wordpress;
index index.php index.html;
location ~ \.php$ {
root /wordpress;
fastcgi_pass 192.168.1.110:9000;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include fastcgi_params;
}
}
server {
listen 80;
server_name blog.benet.com;
# rewrite .* https://blog.benet.com;
# rewrite .* https://$host$request_uri redirect;
# rewrite .* https://$server_name$request_uri redirect;
rewrite .* https://$server_name$1 redirect;
}
保存退出
(2)配置web1的zh
vim /etc/nginx/conf.d/zh.conf
添加:
server {
listen 443 ssl;
server_name zh.benet.com;
ssl_certificate ssl_key/server.crt;
ssl_certificate_key ssl_key/server.key;
root /zh;
index index.php index.html;
location ~ \.php$ {
root /zh;
fastcgi_pass 192.168.1.110:9000;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include fastcgi_params;
}
}
server {
listen 80;
server_name zh.benet.com;
# rewrite .* https://zh.benet.com;
# rewrite .* https://$host$request_uri redirect;
# rewrite .* https://$server_name$request_uri redirect;
rewrite .* https://$server_name$1 redirect;
}
保存退出
nginx -t
systemctl restart nginx
(3)配置负载均衡lb1
vim /etc/nginx/conf.d/lb1.conf
添加:
upstream web_cluster {
server 192.168.1.109:443;
server 192.168.1.111:443;
}
server {
listen 443 ssl;
server_name blog.benet.com;
ssl_certificate ssl_key/server.crt;
ssl_certificate_key ssl_key/server.key;
location / {
proxy_pass https://web_cluster;
include nginx_params;
}
}
server {
listen 443 ssl;
server_name zh.benet.com;
ssl_certificate ssl_key/server.crt;
ssl_certificate_key ssl_key/server.key;
location / {
proxy_pass https://web_cluster;
include nginx_params;
}
}
server {
listen 80;
server_name blog.benet.com;
return 302 https://$server_name$1;
}
server {
listen 80;
server_name zh.benet.com;
return 302 https://$server_name$1;
}
保存退出
nginx -t
systemctl restart nginx
==============================
www.baidu.com. #FQDN 完整合格域名
. 根服务器,世界共13台(美8 欧4 日1)
com 顶级或一级服务器(com 商业; gov 政府;edu 教育;mil 军事;org 自由论坛;net 网络组织;cn 中国;us 美国)
baidu 二级域名
www 主机头