  • 企业网站的 SSL 证书签发(测试环境)以及 HTTPS 配置方法

    这一次要做的是企业网站如何获得可信的数字证书。没有受信任的证书,浏览器访问网站时会弹出“不安全”界面;证书的作用是把域名和服务器的公钥绑定在一起,让浏览器能确认自己连上的确实是 www.qffcc.com 这台服务器,而不是被中间人替换掉的假站。需要注意的是,证书本身并不能识别钓鱼网站——钓鱼站完全可以为自己的域名申请一张合法证书,浏览器的“钓鱼网站”提示来自另外的安全浏览机制,和证书无关。生产环境一般从阿里云等公开 CA 购买证书,浏览器默认信任这些 CA 签发的证书;下面做一个测试环境的演示,由自己充当 CA 机构签发证书(这种自签 CA 只能用于内部测试,浏览器默认不信任它),操作步骤如下
    环境准备:源码安装好了nginx,且已经设置好了nginxctl的控制命令,不知道的可以看之前的文章,做一个脚本,就不需要用绝对路径的方式去启动nginx命令
    [root@nginx /]# mkdir certificate #创造一个存放证书的目录
    [root@nginx /]# cd certificate/
    [root@nginx /]# yum -y install openssl openssl-devel #安装 openssl 命令行工具和开发头文件:前者用来生成证书,后者是后面 nginx 用 --with-http_ssl_module 重新编译时必需的
    [root@nginx certificate]# openssl req #生成测试 CA 自己的私钥 ca.key 和自签名根证书 ca.crt(-x509 表示直接自签,而不是生成申请文件)。-nodes 表示私钥不加密码保护,只能在一次性的测试环境这么用,正式 CA 的私钥必须加密并离线保管。下面以 > 开头的行是 shell 的续行提示符:实际输入时不要带这段 # 注释,并在每行末尾加 \ 续行,否则第一行会单独执行
    > -newkey rsa:4096 -nodes -sha256 -keyout ca.key
    > -x509 -days 365 -out ca.crt
    Generating a 4096 bit RSA private key
    ...............................................++
    ..............++
    writing new private key to 'ca.key'
    -----
    You are about to be asked to enter information that will
    be incorporated into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [XX]:CN
    State or Province Name (full name) []:GD
    Locality Name (eg, city) [Default City]:SZ
    Organization Name (eg, company) [Default Company Ltd]:QF
    Organizational Unit Name (eg, section) []:pycloud
    Common Name (eg, your name or your server's hostname) []:www.qffcc.com
    Email Address []:1442693983@qq.com
    [root@nginx certificate]#openssl req #这一步是“网站”一侧:为网站生成自己的私钥 qffcc.com.key 和证书签名请求 qffcc.com.csr(没有 -x509,所以生成的是申请文件而不是证书,CA 还没有参与)。交互填写的 DN 和上面一样,注意 Common Name 必须和网站域名 www.qffcc.com 完全一致,这里不重复演示
    > -newkey rsa:4096 -nodes -sha256 -keyout qffcc.com.key
    > -out qffcc.com.csr
    [root@nginx certificate]#openssl x509 -req -days 365 -in qffcc.com.csr -CA ca.crt -CAkey ca.key -CAcreateserial -extfile <(printf 'subjectAltName=DNS:www.qffcc.com') -out qffcc.com.crt #这一步是“CA”一侧:用 ca.key 给申请文件签名,得到网站证书 qffcc.com.crt。-extfile 给证书加上 subjectAltName,现代浏览器只认 SAN 里的域名、不再看 CN,缺了它即使导入了 ca.crt 也会报证书无效。注意私钥 qffcc.com.key 从头到尾都留在服务器上,发给客户端(浏览器)的只有证书;出现下面的 Signature ok 代表签名成功
    Signature ok
    subject=/C=CN/ST=GD/L=SZ/O=QF/OU=qfcloud/CN=www.qffcc.vom/emailAddress=1442693983@qq.com
    Getting CA Private Key
    [root@nginx certificate]# ls #下面就是生成的全部文件,需要放进 nginx 配置的是 qffcc.com.crt 和 qffcc.com.key(ca.crt 是给客户端导入信任用的,ca.key 和 ca.srl 留在 CA 这边)。列表里多出来的 -newkey、-out、-x509 三个空文件,是把上面带 > 的续行当成重定向直接敲进 shell 时产生的,用 rm -- -newkey -out -x509 删掉即可。另外上面签名输出里的 subject 显示 CN=www.qffcc.vom、OU=qfcloud,和申请时填的 www.qffcc.com 不一致,说明 CSR 里的域名填错了,浏览器会报域名不匹配,要改正后重新生成 CSR 并签名
    ca.crt ca.srl -out qffcc.com.csr -x509
    ca.key -newkey qffcc.com.crt qffcc.com.key
    [root@nginx opt] cd nginx-1.16.1/ #cd到你解压的nginx文件夹
    [root@nginx nginx-1.16.1]# ./configure --prefix=/usr/local/nginx --user=nginx --group=nginx --with-http_ssl_module #重新配置编译,加上 http_ssl_module(它是 nginx 自带的可选模块,不是第三方模块,只是默认不编译进去)。注意要带上原来编译时用过的全部参数,可以用 /usr/local/nginx/sbin/nginx -V 查看,否则会丢掉原有的模块
    [root@nginx nginx-1.16.1]# make
    [root@nginx nginx-1.16.1]# echo $? #是否安装成功,0的话代表成功
    0
    [root@nginx nginx-1.16.1]# mv /usr/local/nginx/sbin/nginx /usr/local/nginx/sbin/nginx.old #新的二进制已经编译好,把旧的 nginx 命令改名保留一份备份而不是直接 rm -rf,万一新二进制有问题可以立刻换回来
    [root@nginx nginx-1.16.1]# cp objs/nginx /usr/local/nginx/sbin/nginx #替换原来的nginx,换成加载了ssl模块的nginx命令
    [root@nginx nginx-1.16.1]# ps aux|grep nginx #检查nginx服务是否正在运行
    root 93196 0.0 0.1 45992 1136 ? Ss 07:06 0:00 nginx: master process /usr/local/nginx/sbin/nginx
    nginx 93197 0.0 0.6 50324 6032 ? S 07:06 0:00 nginx: worker process
    nginx 93198 0.0 0.6 50324 6032 ? S 07:06 0:00 nginx: worker process
    root 106162 0.0 0.0 112708 984 pts/0 R+ 15:14 0:00 grep --color=auto nginx
    [root@nginx nginx-1.16.1]# kill -9 93196 #要换二进制所以先把旧进程全部停掉。更稳妥的做法是只给 master 发 QUIT 信号(kill -QUIT 93196,或 /usr/local/nginx/sbin/nginx -s quit),master 会自己收掉 worker 并处理完现有连接;kill -9 会直接掐断正在处理的请求,而且每个 worker 要单独杀,下面两条就是在补杀 worker
    [root@nginx nginx-1.16.1]# kill -9 93197
    [root@nginx nginx-1.16.1]# kill -9 93198
    [root@nginx nginx-1.16.1]# ps aux|grep nginx #以下代表删除干净
    root 106692 0.0 0.0 112708 984 pts/0 R+ 15:14 0:00 grep --color=auto nginx
    [root@nginx nginx-1.16.1]# mkdir /usr/local/nginx/httpskey
    [root@nginx nginx-1.16.1]# cp /certificate/qffcc.com.* /usr/local/nginx/httpskey/ #把签好的证书和私钥拷到 nginx 目录,方便配置文件加载。私钥只能让 root 读,接着执行 chmod 600 /usr/local/nginx/httpskey/qffcc.com.key:上面 ps 里可以看到 master 进程以 root 运行,它启动时读取私钥,worker 进程不需要读它
    [root@nginx nginx-1.16.1]# vi /usr/local/nginx/conf/nginx.conf #修改配置文件
    http {
        # MIME table plus the fallback type for files without a known extension.
        include mime.types;
        default_type application/octet-stream;

        # Combined-style access log; $http_x_forwarded_for is client-supplied
        # and only trustworthy when a known proxy sits in front of nginx.
        log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                        '$status $body_bytes_sent "$http_referer" '
                        '"$http_user_agent" "$http_x_forwarded_for"';
        access_log logs/access.log main;

        sendfile on;
        keepalive_timeout 65;

        # Per-site server blocks are kept in conf.d/ (created in the next step),
        # so this file does not have to be touched when sites are added.
        include /usr/local/nginx/conf.d/*.conf;
    }
    [root@nginx nginx-1.16.1]#mkdir /usr/local/nginx/conf.d
    [root@nginx nginx-1.16.1]#vi /usr/local/nginx/conf.d/qffccjump.conf #创建的第一个配置文件,内容如下,主要用于跳转,由80端口跳转443端口
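    server {
        listen 80;
        server_name www.qffcc.com;

        # Send every plain-HTTP request to the HTTPS site with a permanent
        # redirect. One `return` replaces the two identical `rewrite`
        # locations: `rewrite ^(.*) https://www.qffcc.com/$1` produced a
        # double slash (https://www.qffcc.com//path) because $1 already
        # starts with "/". $server_name is used rather than $host so that a
        # forged Host header cannot steer the redirect to another site;
        # $request_uri carries the original path and query string.
        location / {
            return 301 https://$server_name$request_uri;
        }
    }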
              
                  [root@nginx nginx-1.16.1]#vi /usr/local/nginx/conf.d/qffcc.com.conf 
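                                            server {
                                                # TLS is enabled on the listen socket; `ssl on;` is deprecated
                                                # since nginx 1.15 (this build is 1.16.1) and only logs a warning.
                                                listen 443 ssl;
                                                server_name www.qffcc.com;  # must match the certificate's SAN/CN

                                                # Certificate and private key issued by the test CA. Keep the key
                                                # readable by root only (chmod 600); the master process reads it.
                                                # A comment after ';' must start with '#': bare text there is
                                                # parsed as a directive and nginx fails with "unknown directive".
                                                ssl_certificate     /usr/local/nginx/httpskey/qffcc.com.crt;
                                                ssl_certificate_key /usr/local/nginx/httpskey/qffcc.com.key;

                                                # TLS 1.0/1.1 are deprecated (RFC 8996) and dropped here. TLSv1.3
                                                # is used only when the OpenSSL nginx was built against supports
                                                # it; otherwise nginx ignores the token.
                                                ssl_protocols TLSv1.2 TLSv1.3;
                                                ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;
                                                ssl_prefer_server_ciphers on;
                                                # Shared cache so session resumption works across worker processes.
                                                ssl_session_cache shared:SSL:10m;
                                                ssl_session_timeout 5m;

                                                # Enable HSTS once clients trust the issuing CA (not with the
                                                # self-signed test CA, or the warning page becomes unbypassable):
                                                # add_header Strict-Transport-Security "max-age=31536000" always;

                                                # Document root shared by both locations below.
                                                root  /usr/local/nginx/html;
                                                index index.php index.html index.htm;

                                                location / {
                                                    # static files served straight from $document_root
                                                }

                                                # Hand PHP scripts to php-fpm on the loopback address (not the
                                                # server's public IP). The original pattern `.php$` left the dot
                                                # unescaped. `try_files $uri =404` rejects any path that is not an
                                                # existing file; without it, a php-fpm with cgi.fix_pathinfo=1 would
                                                # execute /upload/x.jpg/a.php as PHP code from the uploaded x.jpg.
                                                location ~ \.php$ {
                                                    try_files       $uri =404;
                                                    fastcgi_pass    127.0.0.1:9000;
                                                    fastcgi_index   index.php;
                                                    fastcgi_param   SCRIPT_FILENAME $document_root$fastcgi_script_name;
                                                    include         fastcgi_params;
                                                }
                                            }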
                                        [root@nginx conf]# /usr/local/nginx/sbin/nginx -t && nginxctl start #先用 -t 检查配置文件语法(配置里的注释必须以 # 开头,否则 nginx 会报 unknown directive 拒绝启动),检查通过后再启动 nginx 服务
                                        #上面就已经全部配置完成了。这时候需要修改 mac 或 windows 的 hosts 文件做域名解析,把虚拟机里 nginx 服务器的 ip 和域名对应上;mac 的在 /etc/hosts,由于有权限限制要用 sudo vim /etc/hosts,增加一行 192.168.86.138  www.qffcc.com,保存退出后用本机浏览器访问 www.qffcc.com 就能打开了。浏览器会提示证书不安全,原因是签发它的 ca.crt 不在系统/浏览器的信任列表里,而不是配置出了问题:把 ca.crt 导入本机的受信任根证书(仅限测试机,测试完记得删除),并保证证书的 SAN/CN 和访问的域名完全一致,提示就会消失。不要养成“强行进入”的习惯——在生产环境里这个警告正是中间人攻击的信号。
  • 原文地址:https://www.cnblogs.com/bobo-wq/p/11515600.html