目前公司有2个域名,其中这次涉及到3个子域名需要更改为HTTPS传输,分别为:
passport.abc.com
www.test.com
admin.test.com
那么就涉及到购买ssl证书的问题,由于价格问题使用3个不同的证书(每个域名一个)。
由于实验环境,我们就手动生成3个ssl证书
建立目录,及进入目录
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
|
[root@gz122haproxy95 ~]
# mkdir ~/keys
[root@gz122haproxy95 keys]
# cd ~/keys
[root@gz122haproxy95 keys]
# openssl genrsa -out passport.abc.com.key 2048
[root@gz122haproxy95 keys]
# openssl req -new -key passport.abc.com.key -out passport.abc.com.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter
'.'
, the field will be left blank.
-----
Country Name (2 letter code) [GB]:CN
#国家
State or Province Name (full name) [Berkshire]:GuangDong
#省份
Locality Name (eg, city) [Newbury]:ShenZhen
#城市
Organization Name (eg, company) [My Company Ltd]:Test.Inc
#公司名称
Organizational Unit Name (eg, section) []:passport.abc.com
#组织名称
Common Name (eg, your name or your server's
hostname
) []:passport.abc.com
#域名
Email Address []:passport@abc.com
Please enter the following
'extra'
attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@gz122haproxy95 keys]
# openssl x509 -req -days 3650 -in passport.abc.com.csr -signkey passport.abc.com.key -out passport.abc.com.crt
|
按照以上方法,把名称替换掉再制作2份,最后的结果就是
|
1
2
3
4
5
6
7
8
9
10
11
|
[root@gz122haproxy95 keys]
# ls -l
total 36
-rw-r--r-- 1 root root 1354 Dec 4 16:54 admin.
test
.com.crt
-rw-r--r-- 1 root root 1050 Dec 4 16:54 admin.
test
.com.csr
-rw-r--r-- 1 root root 1675 Dec 4 16:52 admin.
test
.com.key
-rw-r--r-- 1 root root 1354 Dec 4 16:48 passport.abc.com.crt
-rw-r--r-- 1 root root 1078 Dec 4 16:44 passport.abc.com.csr
-rw-r--r-- 1 root root 1675 Dec 4 16:41 passport.abc.com.key
-rw-r--r-- 1 root root 1354 Dec 4 16:52 www.
test
.com.crt
-rw-r--r-- 1 root root 1062 Dec 4 16:52 www.
test
.com.csr
-rw-r--r-- 1 root root 1679 Dec 4 16:51 www.
test
.com.key
|
现在就是Nginx和OpenSSL的安装与配置(这里注意,一般情况下一个IP只支持一个SSL证书,那么我们现在要在一个IP上实现多个SSL证书,就必须让Nginx支持TLS SNI,由于默认的OpenSSL是没有打开TLS SNI的)
|
1
2
3
4
5
6
7
8
|
[root@gz122haproxy95 ~]
# wget
[root@gz122haproxy95 ~]
# tar zxf openssl-0.9.8zh.tar.gz
[root@gz122haproxy95 ~]
# wget http://nginx.org/download/nginx-1.8.0.tar.gz
[root@gz122haproxy95 ~]
# tar zxf nginx-1.8.0.tar.gz
[root@gz122haproxy95 ~]
# cd nginx-1.8.0
[root@gz122haproxy95 nginx-1.8.0]
# ./configure --prefix=/usr/local/nginx1.8.0 --user=www --group=www --with-http_stub_status_module --with-http_ssl_module --with-http_gzip_static_module --with-openssl=../openssl-0.9.8zh
[root@gz122haproxy95 nginx-1.8.0]
# make && make install
#上面只需要解压openssl即可,然后在nginx的配置参数中添加--with-openssl=DIR指定路径即可,另外由于openssl需要编译,所以时间会较长。
|
在编译安装nginx的时候可能会出现pcre库没找到或zlib没找到,在CentOS下可以使用
|
1
|
yum -y
install
pcre-devel zlib-devel
|
在安装编译好Nginx后,执行
|
1
2
3
4
5
6
|
[root@gz122haproxy95 nginx-1.8.0]
# /usr/local/nginx1.8.0/sbin/nginx -V
nginx version: nginx
/1
.8.0
built by gcc 4.1.2 20080704 (Red Hat 4.1.2-55)
built with OpenSSL 0.9.8zh 3 Dec 2015
TLS SNI support enabled
#可以看到TLS SNI support打开了
configure arguments: --prefix=
/usr/local/nginx1
.8.0 --user=www --group=www --with-http_stub_status_module --with-http_ssl_module --with-http_gzip_static_module --with-openssl=..
/openssl-0
.9.8zh
|
然后配置nginx
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
|
upstream passport.abc.com {
server 192.168.20.87:80;
server 192.168.20.88:80;
}
# HTTPS server
#
server {
listen 443 ssl;
server_name passport.abc.com;
ssl_certificate
/root/keys/passport
.abc.com.crt;
ssl_certificate_key
/root/keys/passport
.abc.com.key;
ssl_session_cache shared:SSL:1m;
ssl_session_timeout 5m;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
location / {
proxy_pass http:
//passport
.abc.com;
}
}
upstream www.
test
.com {
server 192.168.20.98:80;
server 192.168.20.99:80;
}
# HTTPS server
#
server {
listen 443 ssl;
server_name www.
test
.com;
ssl_certificate
/root/keys/www
.
test
.com.crt;
ssl_certificate_key
/root/keys/www
.
test
.com.key;
ssl_session_cache shared:SSL:1m;
ssl_session_timeout 5m;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
location / {
proxy_pass http:
//www
.
test
.com;
}
}
|
通过以上即可实现nginx的HTTPS的多域名反向代理
本文转自 rong341233 51CTO博客,原文链接:http://blog.51cto.com/fengwan/1719708
