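  • nginx: multiple TLS-encrypted host headers on the same host IP address

      In a test environment, use self-generated certificates and private keys.

    I. Generate the certificates and private keys

      1. Change into the certs directory; running make in this directory generates a certificate directly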

    cd /etc/ssl/certs

      2. Edit the Makefile so that the generated private key is no longer encrypted automatically

    vim Makefile 

    %.key:
            umask 77 ; \
            /usr/bin/openssl genrsa -aes128 $(KEYLEN) > $@

    Change it to:

    %.key:
            umask 77 ; \
            /usr/bin/openssl genrsa $(KEYLEN) > $@

      3. Generate the certificate and private key for www.test.com

    [18:55:06 root@localhost certs]#make test.com.crt
    umask 77 ; 
    /usr/bin/openssl genrsa  2048 > test.com.key
    Generating RSA private key, 2048 bit long modulus
    .............................+++
    ...........................................................................................................................................................................+++
    e is 65537 (0x10001)
    umask 77 ; 
    /usr/bin/openssl req -utf8 -new -key test.com.key -x509 -days 365 -out test.com.crt 
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [XX]:CN
    State or Province Name (full name) []:shanghai                 
    Locality Name (eg, city) [Default City]:shanghai
    Organization Name (eg, company) [Default Company Ltd]:sh
    Organizational Unit Name (eg, section) []:sh
    Common Name (eg, your name or your server's hostname) []:www.test.com
    Email Address []:

      4. Generate the certificate and private key files for www.test.org

    [18:58:06 root@localhost certs]#make test.org.crt
    umask 77 ; 
    /usr/bin/openssl genrsa  2048 > test.org.key
    Generating RSA private key, 2048 bit long modulus
    ....................................................................+++
    ...........................+++
    e is 65537 (0x10001)
    umask 77 ; 
    /usr/bin/openssl req -utf8 -new -key test.org.key -x509 -days 365 -out test.org.crt 
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [XX]:CN
    State or Province Name (full name) []:sh
    Locality Name (eg, city) [Default City]:sh
    Organization Name (eg, company) [Default Company Ltd]:www.test.org
    Organizational Unit Name (eg, section) []:sh
    Common Name (eg, your name or your server's hostname) []:www.test.org  
    Email Address []:

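    Only the parts highlighted in red matter; the other fields can be filled in arbitrarily.

      5. Under the nginx configuration directory, create a folder to hold the certificates and private keys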

    mkdir /etc/nginx/ssl/

      6. Move the newly generated private key and certificate files into the ssl folder

    mv test.* /etc/nginx/ssl/

      7. Set the permissions of the certificate and private key files to 600

    chmod 600 /etc/nginx/ssl/*

    II. Modify the nginx configuration

      1. Create the folders that hold the home pages

    mkdir /data/test{com,org} -pv

      2. Generate the test pages

    echo /data/testcom/index.html > /data/testcom/index.html
    echo /data/testorg/index.html > /data/testorg/index.html

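      3. Use virtual hosts: edit the virtual host configuration file

    vim /etc/nginx/conf.d/test.conf

    (The file name does not matter as long as the suffix is .conf; create the file if it does not exist.)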

    server {
        listen 443 ssl;
        listen 80;
        server_name www.test.com;
        # Document root for this site
        root /data/testcom/;
        # Locations of the certificate and the private key
        ssl_certificate /etc/nginx/ssl/test.com.crt;
        ssl_certificate_key /etc/nginx/ssl/test.com.key;
        ssl_session_cache shared:sslcache:20m;
        # SSL session timeout: 10 minutes
        ssl_session_timeout 10m;
        # Write a separate access log in the main format, which is defined in nginx's main configuration file
        access_log /var/log/nginx/test.com.log main;
        # When any path is requested over http, redirect to https automatically
        if ( $scheme = http ) {
            rewrite ^/(.*)$ https://www.test.com/$1 redirect;
        }
    }
    # The second host
    server {
        listen 443 ssl;
        listen 80;
        server_name www.test.org;
        # Document root for this site
        root /data/testorg/;
        # Locations of the certificate and the private key
        ssl_certificate /etc/nginx/ssl/test.org.crt;
        ssl_certificate_key /etc/nginx/ssl/test.org.key;
        ssl_session_cache shared:sslcache:20m;
        # SSL session timeout: 10 minutes
        ssl_session_timeout 10m;
        # Write a separate access log in the main format, which is defined in nginx's main configuration file
        access_log /var/log/nginx/test.org.log main;
        # When any path is requested over http, redirect to https automatically
        if ( $scheme = http ) {
            rewrite ^/(.*)$ https://www.test.org/$1 redirect;
        }
    }

      4. Check the configuration for syntax errors

    [19:32:47 root@localhost data]#nginx -t

      5. Output like the following means the configuration is fine

    nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
    nginx: configuration file /etc/nginx/nginx.conf test is successful

      6. Start the service

    nginx

    III. Test access

      1. Edit the hosts file on the machine used for testing

    Windows:

    C:\Windows\System32\drivers\etc\hosts

    Linux:

    vim /etc/hosts

    In both cases, append a last line with the IP address and the corresponding host names

    192.168.1.4 www.test.com www.test.org
                           

    Because these domain names do not currently resolve, you can simply edit the hosts file in a test environment.

      2. Use curl to test access to www.test.com

    [19:39:19 root@localhost certs]#curl www.test.com -Lk
    /data/testcom/index.html

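    -L follows redirects (by default curl only shows the 301 page and does not follow the redirect); -k skips certificate verification.

      3. Use curl to access www.test.org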

    curl www.test.org -Lk
    /data/testorg/index.html
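
`curl -k` skips certificate verification, so the tests above pass even when a server block points at the wrong certificate. The following added example (not part of the original post) checks each certificate/key pair offline and, against the running server, reads the Common Name nginx presents for a host name via SNI; the function names are hypothetical and the demo uses constructed test pairs in a temporary directory.

```bash
# Added example, not from the original post. Assumes Linux (GNU stat) and the openssl CLI.

# Print the subject Common Name of a PEM certificate read from stdin.
cn_of() {
    openssl x509 -noout -subject -nameopt multiline 2>/dev/null |
        sed -n 's/^ *commonName *= *//p'
}

# Succeed only if certificate $1 and private key $2 carry the same public key.
pair_matches() {
    local a b
    a=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    b=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# check_pair HOST CERT KEY: CN equals HOST, key matches cert, key mode is 600.
check_pair() {
    local cn
    cn=$(cn_of < "$2") || return 1
    [ "$cn" = "$1" ] || { echo "FAIL $2: CN '$cn' is not $1"; return 1; }
    pair_matches "$2" "$3" || { echo "FAIL $3 is not the key for $2"; return 1; }
    [ "$(stat -c %a "$3")" = 600 ] || { echo "FAIL $3: mode is not 600"; return 1; }
    echo "OK $1"
}

# Live check (needs the running server): CN of the certificate nginx selects
# for HOST via SNI, e.g. served_cn 192.168.1.4 www.test.org
served_cn() {
    openssl s_client -connect "$1:443" -servername "$2" </dev/null 2>/dev/null | cn_of
}

# make_test_pair NAME CN DIR: constructed pair, non-interactive "make NAME.crt".
make_test_pair() {
    ( umask 77
      openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=$2" \
          -keyout "$3/$1.key" -out "$3/$1.crt" 2>/dev/null )
}

demo() {
    local d rc
    d=$(mktemp -d) || return 1
    make_test_pair test.com www.test.com "$d" &&
        make_test_pair test.org www.test.org "$d" &&
        check_pair www.test.com "$d/test.com.crt" "$d/test.com.key" &&
        ! check_pair www.test.com "$d/test.org.crt" "$d/test.org.key"  # mix-up caught
    rc=$?; rm -rf "$d"; return "$rc"
}
demo
```

On the server, run `check_pair` against the files in /etc/nginx/ssl/ before `nginx -t`, then `served_cn` once per host name after nginx has started.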
  • Original article: https://www.cnblogs.com/alexlv/p/14850921.html