Nginx: implementing HTTPS for multiple domain names

    HTTPS for a single domain:

    # Create the self-signed CA certificate
    [root@centos8-1 ~]$cd /apps/nginx/
    [root@centos8-1 nginx]$mkdir certs
    [root@centos8-1 nginx]$cd certs/
    [root@centos8-1 certs]$openssl req -newkey rsa:4096 -nodes -sha256 -keyout ca.key -x509 -days 3650 -out ca.crt
    [root@centos8-1 certs]$ll
    total 8
    -rw-r--r-- 1 root root 2033 Sep 28 11:33 ca.crt
    -rw------- 1 root root 3272 Sep 28 11:31 ca.key

    # Generate the server's private key and CSR
    [root@centos8-1 certs]$openssl req -newkey rsa:4096 -nodes -sha256 -keyout www.tianze.org.key -out www.tianze.org.csr
    [root@centos8-1 certs]$ll
    total 16
    -rw-r--r-- 1 root root 2033 Sep 28 11:33 ca.crt
    -rw------- 1 root root 3272 Sep 28 11:31 ca.key
    -rw-r--r-- 1 root root 1700 Sep 28 11:37 www.tianze.org.csr
    -rw------- 1 root root 3272 Sep 28 11:36 www.tianze.org.key

    # Issue the server certificate, signed by the CA
    [root@centos8-1 certs]$openssl x509 -req -days 3650 -in www.tianze.org.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out www.tianze.org.crt

    # Inspect the issued certificate
    [root@centos8-1 certs]$openssl x509 -in www.tianze.org.crt -noout -text
    Certificate:
    Data:
    Version: 1 (0x0)
    Serial Number:
    07:e9:d0:2e:92:e1:30:e1:79:3c:27:2a:47:bd:91:2e:85:f7:44:93
    Signature Algorithm: sha256WithRSAEncryption
    Issuer: C = CN, ST = beijing, L = beijing, O = tianze, OU = it, CN = ca.tianze.org
    Validity
    Not Before: Sep 28 03:38:39 2020 GMT
    Not After : Sep 26 03:38:39 2030 GMT
    Subject: C = CN, ST = Beijing, L = beijing, O = tianze, OU = it, CN = www.tianze.org
    Subject Public Key Info:
    Public Key Algorithm: rsaEncryption

    [root@centos8-1 conf.d]$vim pc.conf

    server {
        listen 80;
        listen 443 ssl; ## enable TLS on this listener
        ssl_certificate /apps/nginx/certs/www.tianze.org.crt; ## file containing the certificate of this virtual host together with the CA certificate, usually a .crt file
        ssl_certificate_key /apps/nginx/certs/www.tianze.org.key; ## private key used by this virtual host, usually a .key file
        ssl_session_cache shared:sslcache:20m; ## TLS session cache shared between all worker processes
        ssl_session_timeout 10m; ## session cache timeout, default 5m
        root /data/nginx/html/pc;
        server_name www.tianze.org;
        location / {
            root /data/nginx/html/pc;
        }
    }


    [root@centos8-1 conf.d]$nginx -s reload   # reload nginx and test the page

    HTTPS for multiple domains:


    Nginx can serve multiple domain names from a single IP address, and it can also provide HTTPS for those domains on that one IP. This is built on Nginx's SNI (Server Name Indication) support. SNI exists so that a single Nginx server can bind several domain names, each with its own certificate, to one IP: before the SSL/TLS connection is established, the client sends the name of the site it wants to reach, and the server uses that name to return the matching certificate to the client.

    [root@centos8-1 conf.d]$nginx -V
    nginx version: zhanginx/1.1999
    built by gcc 8.3.1 20191121 (Red Hat 8.3.1-5) (GCC)
    built with OpenSSL 1.1.1c FIPS 28 May 2019
    TLS SNI support enabled
    configure arguments: --prefix=/apps/nginx --user=nginx --group=nginx --with-http_ssl_module --with-http_v2_module --with-http_realip_module --with-http_stub_status_module --with-http_gzip_static_module --with-pcre --with-stream --with-stream_ssl_module --with-stream_realip_module --add-module=/usr/local/src/echo-nginx-module

    [root@centos8-1 certs]$openssl req -newkey rsa:4096 -nodes -sha256 -keyout m.tianze.org.key -out m.tianze.org.csr
    Generating a RSA private key
    ............................................................++++
    .......................................................................................................................................................................................................................................................................................................................................................................................++++
    writing new private key to 'm.tianze.org.key'
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [XX]:CN
    State or Province Name (full name) []:Beijing
    Locality Name (eg, city) [Default City]:Beijing
    Organization Name (eg, company) [Default Company Ltd]:tianze
    Organizational Unit Name (eg, section) []:it
    Common Name (eg, your name or your server's hostname) []:ca.tianze.org
    Email Address []:

    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:
    An optional company name []:

    [root@centos8-1 certs]$openssl x509 -req -days 3650 -in m.tianze.org.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out m.tianze.org.crt
    Signature ok
    subject=C = CN, ST = Beijing, L = Beijing, O = tianze, OU = it, CN = ca.tianze.org
    Getting CA Private Key

     [root@centos8-1 certs]$openssl x509 -in m.tianze.org.crt -noout -text

    [root@centos8-1 conf.d]$vim mobile.conf 

    server {
        listen 80;
        server_name m.tianze.org;
        listen 443 ssl;
        ssl_certificate /apps/nginx/certs/m.tianze.org.crt;
        ssl_certificate_key /apps/nginx/certs/m.tianze.org.key;
        ssl_session_cache shared:sslcache:20m;
        ssl_session_timeout 10m;
        location / {
            root /data/nginx/html/mobile;
        }
    }

    [root@centos8-1 conf.d]$nginx -s reload
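To make the SNI selection described above concrete, here is an added example (not from the original post) that does with Go's standard library what the two nginx server blocks do: it issues a toy CA and one certificate per host name, serves them from a single address by choosing the certificate from the SNI value in the ClientHello, and then connects back asking for each name; an unknown name gets no certificate and the handshake is refused. It assumes the host names ca.tianze.org, www.tianze.org and m.tianze.org from the page, uses Ed25519 keys instead of RSA 4096 for speed, and puts the host name in a subjectAltName, which the version 1 certificates shown above lack (note also that the m.tianze.org CSR above was entered with CN ca.tianze.org) and which current browsers require for host name matching.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"math/big"
	"time"
)

// mkCert issues a certificate for name carrying a subjectAltName: a self-signed toy CA when parent is nil, otherwise a leaf signed by parent with the CA key pkey.
func mkCert(name string, parent *x509.Certificate, pkey any) (*x509.Certificate, *tls.Certificate) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), DNSNames: []string{name},
		IsCA: parent == nil, BasicConstraintsValid: true, NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	if parent == nil {
		parent, pkey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, pkey)
	if err != nil {
		panic(err) // only reachable through a bug in the fixed template above
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, &tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
}

// SNIProbe serves hosts on one address, choosing the certificate by the SNI name in the ClientHello (what nginx does per server_name), then connects asking for ask and returns the SAN it was handed.
func SNIProbe(hosts []string, ask string) (string, error) {
	ca, caTLS := mkCert("ca.tianze.org", nil, nil)
	byName := map[string]*tls.Certificate{}
	for _, h := range hosts {
		_, byName[h] = mkCert(h, ca, caTLS.PrivateKey)
	}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{GetCertificate: func(hi *tls.ClientHelloInfo) (*tls.Certificate, error) {
		return byName[hi.ServerName], nil // nil for an unknown name: the server has nothing to offer and aborts the handshake
	}})
	if err != nil {
		return "", err
	}
	// Serve exactly one connection: complete (or abort) the handshake, hang up, stop listening.
	go func() { c, _ := ln.Accept(); c.(*tls.Conn).Handshake(); c.Close(); ln.Close() }()
	pool := x509.NewCertPool() // the client trusts only the toy CA, like a browser that imported ca.crt
	pool.AddCert(ca)
	conn, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{ServerName: ask, RootCAs: pool})
	if err != nil {
		return "", err
	}
	defer conn.Close()
	return conn.ConnectionState().PeerCertificates[0].DNSNames[0], nil
}
```

Checking a live nginx the same way is a matter of pointing the client at the server's address with the desired ServerName and ca.crt in the pool.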

Original source: https://www.cnblogs.com/tz66/p/13744184.html