10背景: A服务器(10.0.100.106)作为nginx代理服务器
B服务器(10.0.100.133)作为后端真实服务器
HTTPS配置场景
秘钥生成操作步骤
1.生成key密钥
2.生成证书签名请求文件(csr文件)
3.生成证书签名文件(CA文件)
1.检查当前环境
//openssl必须是1.0.2 [root@10.0.100.133~]# openssl version OpenSSL 1.0.2k-fips 26 Jan 2017 //nginx必须有ssl模块 [root@10.0.100.133 ~]# nginx -V --with-http_ssl_module [root@10.0.100.133 ~]# mkdir /usr/local/nginx/conf/ssl -p [root@10.0.100.133 ~]# cd //usr/local/nginx/conf/ssl
2.创建私钥
[root@10.0.100.133 ssl]# openssl genrsa -idea -out server.key 2048 Generating RSA private key, 2048 bit long modulus .....+++ //记住配置密码, 我这里是1234 Enter pass phrase for server.key: Verifying - Enter pass phrase for server.key:
3.生成使用签名请求证书和私钥生成自签证书
[root@10.0.100.133 ssl]# openssl req -days 36500 -x509 -sha256 -nodes -newkey rsa:2048 -keyout server.key -out server.crt Country Name (2 letter code) [XX]:CN State or Province Name (full name) []:SZ Locality Name (eg, city) [Default City]:SZ Organization Name (eg, company) [Default Company Ltd]:edu Organizational Unit Name (eg, section) []:SA Common Name (eg, your name or your server's hostname) []:xuli Email Address []:xuli@foxmail.com
4.后段nginx(10.0.100.133)访问的配置文件
后端nginx配置 server { listen 443; server_name localhost; ssl off; #这个一定要写,否则访问https时会出现报错:The plain HTTP request was sent to HTTPS port index index.html index.htm index.php; #ssl_session_cache share:SSL:10m; ssl_session_timeout 10m; ssl_certificate /usr/local/nginx/conf/ssl/server.crt; ssl_certificate_key /usr/local/nginx/conf/ssl/server.key; ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_prefer_server_ciphers on; location / { #root /usr/share/nginx/html; index dashboard index; proxy_pass http://127.0.0.1:8080/; #本地的tomcat为8080端口,当访问本地的80端口 proxy_set_header Host $http_host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; } }
访问10.0.100.133:443
5.将密钥传给前端服务器
前端nginx的配置 server { listen 443 ssl; server_name www.xxx.cn; #ssl off; access_log logs/ssl-access.log; error_log logs/ssl-error.log; ssl_certificate /usr/local/nginx/conf/ssl/server.crt; ssl_certificate_key /usr/local/nginx/conf/ssl/server.key; ssl_session_timeout 5m; location / { proxy_pass http://443; proxy_next_upstream error timeout invalid_header http_500 http_502 http_503; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto https; proxy_redirect off; } } upstream 443 { ip_hash; server 10.0.100.133:443 max_fails=3 fail_timeout=30s; } server { listen 3116; server_name www.xxx.cn; index index.html index.php index.htm; access_log logs/ssl-access.log; error_log logs/ssl-error.log; rewrite ^(.*)$ https://$server_name$1 redirect; }
6.通过域名访问成功