zoukankan      html  css  js  c++  java
  • 第一章 Nginx常用HTTPS配置

    一、上传证书

    #1.新建证书存放目录
    [root@mjndev conf.d]# mkdir /etc/ssl/private/dm -p
    
    #2.上传证书
    [root@mjndev conf.d]# cd /etc/ssl/private/dm
    [root@mjndev dm]# rz
    [root@mjndev dm]# ll
    total 24
    -rw-r--r-- 1 root root 23922 Jul  5 10:09 rbcas.com.cn.zip
    

    二、解压证书

    [root@mjndev dm]# unzip rbcas.com.cn.zip
    [root@mjndev dm]# ll
    total 72
    -rw-r--r-- 1 root root  4674 Mar 22 11:25 3972117__rbcas.com.cn_apache.zip
    -rw-r--r-- 1 root root  5151 Mar 22 11:25 3972117__rbcas.com.cn_iis.zip
    -rw-r--r-- 1 root root  3955 Mar 22 11:25 3972117__rbcas.com.cn_jks.zip
    -rw-r--r-- 1 root root  4283 Mar 22 11:25 3972117__rbcas.com.cn_nginx.zip
    -rw-r--r-- 1 root root  5151 Mar 22 11:25 3972117__rbcas.com.cn_tomcat.zip
    -rw-r--r-- 1 root root 23922 Jul  5 10:09 rbcas.com.cn.zip
    

    三、Nginx类型证书

    1.解压Nginx证书

    #1.解压nginx类型证书
    [root@mjndev dm]# unzip 3972117__rbcas.com.cn_nginx.zip
    Archive:  3972117__rbcas.com.cn_nginx.zip
    Aliyun Certificate Download
      inflating: 3972117__rbcas.com.cn.pem  
      inflating: 3972117__rbcas.com.cn.key  
    
    #2.查看证书
    [root@mjndev dm]# ll
    total 72
    -rw-r--r-- 1 root root  4283 Mar 22 11:25 3972117__rbcas.com.cn_nginx.zip
    -rw-r--r-- 1 root root  1679 Mar 22 11:25 3972117__rbcas.com.cn.key
    -rw-r--r-- 1 root root  4103 Mar 22 11:25 3972117__rbcas.com.cn.pem  
    

    2.配置Nginx前后端不分离

    #1.进入nginx配置目录
    [root@mjndev dm]# cd /etc/nginx/conf.d/
    
    #2.编写nginx站点文件
    [root@mjndev conf.d]# vim dmtest.rbcas.com.cn.conf
    upstream dmtest.rbcas.com.cn {
            server localhost:18080;
    }
    server {
            listen 80;
            server_name dmtest.rbcas.com.cn;
            return 301 https://$http_host$request_uri;
    }
    server {
            listen 443 ssl;
            server_name dmtest.rbcas.com.cn;
    
            ssl_certificate      /etc/ssl/private/dm/3972117__rbcas.com.cn.pem;
            ssl_certificate_key  /etc/ssl/private/dm/3972117__rbcas.com.cn.key;
    
            ssl_session_timeout 5m;
            ssl_protocols TLSV1 TLSv1.1 TLSv1.2;
            ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
            ssl_prefer_server_ciphers on;
    
            access_log /data/logs/dmtest.rbcas.com.cn_access.log;
            error_log  /data/logs/dmtest.rbcas.com.cn_error.log;
    
            location /api {
                    proxy_headers_hash_max_size 51200;
                    proxy_headers_hash_bucket_size 6400;
                    proxy_http_version 1.1;
                    proxy_set_header Upgrade $http_upgrade;
                    proxy_set_header Connection "upgrade";
    
                    proxy_set_header X-Real-IP $remote_addr;
                    proxy_set_header X-Forwarded-For $remote_addr;
                    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                    proxy_set_header Host $host;
                    proxy_redirect off;
    
                    proxy_pass http://dmtest.rbcas.com.cn;
            }
    
            location / {
               root /data/webproject/dm/dist;
            }
    
            location /dm {
               alias /data/webproject/dm/dist;
            }
    
    }
    
    #3.配置站点日志文件
    [root@mjndev conf.d]# mkdir /data/logs -p
    
    #4.检查nginx配置
    [root@mjndev conf.d]# nginx -t
    nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
    nginx: configuration file /etc/nginx/nginx.conf test is successful
    
    #5.重载nginx
    [root@mjndev conf.d]# nginx -s reload
    

    四、Tomcat类型证书

    1.解压Tomcat证书

    #1.解压tomcat类型证书
    [root@mjndev ~]# cd /etc/ssl/private/dm
    [root@mjndev dm]# unzip 3972117__rbcas.com.cn_tomcat.zip
    
    #2.看证书
    [root@mjndev dm]# ll
    total 80
    -rw-r--r-- 1 root root  4834 Mar 22 11:25 3972117__rbcas.com.cn.pfx
    -rw-r--r-- 1 root root  5151 Mar 22 11:25 3972117__rbcas.com.cn_tomcat.zip
    -rw-r--r-- 1 root root     8 Mar 22 11:25 pfx-password.txt
    

    2.转化pfx证书

    #1.生成证书crt和key
    [root@mjndev dm]# openssl pkcs12 -in 3972117__rbcas.com.cn.pfx -clcerts -nokeys -out dmtest.rbcas.com.cn.crt
    Enter Import Password: ******			#pfx-password.txt的密码
    MAC verified OK
    
    [root@mjndev dm]# openssl pkcs12 -in 3972117__rbcas.com.cn.pfx  -nocerts -nodes -out dmtest.rbcas.com.cn.rsa
    Enter Import Password: ******			#pfx-password.txt的密码
    MAC verified OK
    
    #2.查看所在目录以生成证书
    [root@mjndev dm]# ll
    total 80
    -rw-r--r-- 1 root root  4834 Mar 22 11:25 3972117__rbcas.com.cn.pfx
    -rw-r--r-- 1 root root  5151 Mar 22 11:25 3972117__rbcas.com.cn_tomcat.zip
    -rw-r--r-- 1 root root  2744 Jul  5 19:16 dmtest.rbcas.com.cn.crt
    -rw-r--r-- 1 root root  1850 Jul  5 19:17 dmtest.rbcas.com.cn.rsa
    -rw-r--r-- 1 root root     8 Mar 22 11:25 pfx-password.txt
    -rw-r--r-- 1 root root 23922 Jul  5 10:09 rbcas.com.cn.zip
    
    #3.验证证书准确性
    [root@mjndev dm]# openssl s_server -www -accept 443 -cert ./dmtest.rbcas.com.cn.crt -key ./dmtest.rbcas.com.cn.rsa 
    

    3.配置Nginx

    [root@mjndev dm]# vim /etc/nginx/conf.d/dmtest.rbcas.com.cn.conf
    upstream dmtest.rbcas.com.cn {
            server localhost:18080;
    }
    server {
            listen 80;
            server_name dmtest.rbcas.com.cn;
            return 301 https://$http_host$request_uri;
    }
    server {
            listen 443 ssl;
            server_name dmtest.rbcas.com.cn;
    
            ssl_certificate      /etc/ssl/private/dm/dmtest.rbcas.com.cn.crt;
            ssl_certificate_key  /etc/ssl/private/dm/dmtest.rbcas.com.cn.rsa;
    
            ssl_session_timeout 5m;
            ssl_protocols TLSV1 TLSv1.1 TLSv1.2;
            ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
            ssl_prefer_server_ciphers on;
    
            access_log /data/logs/dmtest.rbcas.com.cn_access.log;
            error_log  /data/logs/dmtest.rbcas.com.cn_error.log;
    
            location /api {
                    proxy_headers_hash_max_size 51200;
                    proxy_headers_hash_bucket_size 6400;
                    proxy_http_version 1.1;
                    proxy_set_header Upgrade $http_upgrade;
                    proxy_set_header Connection "upgrade";
    
                    proxy_set_header X-Real-IP $remote_addr;
                    proxy_set_header X-Forwarded-For $remote_addr;
                    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                    proxy_set_header Host $host;
                    proxy_redirect off;
    
                    proxy_pass http://dmtest.rbcas.com.cn;
            }
    
            location / {
               root /data/webproject/dm/dist;
            }
    
            location /dm {
               alias /data/webproject/dm/dist;
            }
    }
    
    #3.配置站点日志文件
    [root@mjndev dm]# mkdir /data/logs -p
    
    #4.检查nginx配置
    [root@mjndev dm]# nginx -t
    nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
    nginx: configuration file /etc/nginx/nginx.conf test is successful
    
    #5.重载nginx
    [root@mjndev dm]# nginx -s reload
    

    五、访问测试

    打开浏览器,输入配置nginx时的域名自动跳转到HTTPS,查看证书是否过期即可。
    
  • 相关阅读:
    Tensorflow2(预课程)---2.1、多层感知器-层方式
    pandas.Series转numpy的n维数组
    numpy将多维数组降维成一维
    《仙路争锋》读书感悟---200910(为逆所以顺,为玩所以勤,为生所以死)
    legend3---解决bootstrap栅格系统自动图片高度不齐问题
    python机器学习库numpy---15、模拟e^x的麦克劳林展开式
    400G 光模块的价格
    HTML编辑器 实现ctrl+v粘贴图片并上传、word粘贴带图片
    网页编辑器 实现ctrl+v粘贴图片并上传、word粘贴带图片
    富文本编辑器 实现ctrl+v粘贴图片并上传、word粘贴带图片
  • 原文地址:https://www.cnblogs.com/jhno1/p/14980479.html
Copyright © 2011-2022 走看看