                    Nginx advanced configuration: implementing HTTPS for multiple domains

                                           Author: 尹正杰

    Copyright notice: original work, reproduction is not permitted! Violators will be held legally liable.

    1. Nginx supports multiple domain names on a single IP address

      Nginx can serve multiple domain names on a single IP address, and it can also serve HTTPS for those multiple domains on that single IP, which Apache httpd does not support. This is implemented with Nginx's SNI (Server Name Indication) support. SNI exists so that one Nginx server can bind multiple domain names and certificates to a single IP: before the SSL connection is established, the client sends the hostname of the site it wants to access, and the server uses that hostname to return the appropriate certificate to the client.
    
      Configuring HTTPS for multiple domains on a single IP really just means repeating the single-site HTTPS configuration steps for each additional site. My lab environment builds on the single-site Nginx HTTPS setup from the previous post (https://www.cnblogs.com/yinzhengjie/p/12052401.html); the steps below continue from where that experiment left off.
    
    

    2. Generate a self-signed certificate

    1>. Generate the key pair used by the "mobile.yinzhengjie.org.cn" site

    [root@node101.yinzhengjie.org.cn ~]# cd /yinzhengjie/softwares/nginx/certs/
    [root@node101.yinzhengjie.org.cn /yinzhengjie/softwares/nginx/certs]# 
    [root@node101.yinzhengjie.org.cn /yinzhengjie/softwares/nginx/certs]# ll
    total 24
    -rw-r--r-- 1 root root 2171 Dec 22 08:40 ca.crt
    -rw-r--r-- 1 root root 3272 Dec 22 08:40 ca.key
    -rw-r--r-- 1 root root   17 Dec 22 09:01 ca.srl
    -rw-r--r-- 1 root root 2049 Dec 22 09:01 www.yinzhengjie.org.cn.crt
    -rw-r--r-- 1 root root 1769 Dec 22 08:52 www.yinzhengjie.org.cn.csr
    -rw-r--r-- 1 root root 3272 Dec 22 08:52 www.yinzhengjie.org.cn.key
    [root@node101.yinzhengjie.org.cn /yinzhengjie/softwares/nginx/certs]# 
    [root@node101.yinzhengjie.org.cn /yinzhengjie/softwares/nginx/certs]# openssl req -newkey rsa:4096 -nodes -sha256 -keyout mobile.yinzhengjie.org.cn.key -out mobile.yinzhengjie.org.cn.csr
    Generating a 4096 bit RSA private key
    .......................................................................................................................++
    ................................................................++
    writing new private key to 'mobile.yinzhengjie.org.cn.key'
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [XX]:CN
    State or Province Name (full name) []:beijing
    Locality Name (eg, city) [Default City]:beijing
    Organization Name (eg, company) [Default Company Ltd]:yinzhengjie
    Organizational Unit Name (eg, section) []:devops
    Common Name (eg, your name or your server's hostname) []:mobile.yinzhengjie.org.cn        #Enter the site's hostname here
    Email Address []:y1053419035@qq.com
    
    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:                                           #Do not set a password here
    An optional company name []:
    [root@node101.yinzhengjie.org.cn /yinzhengjie/softwares/nginx/certs]# 
    [root@node101.yinzhengjie.org.cn /yinzhengjie/softwares/nginx/certs]# ll
    total 32
    -rw-r--r-- 1 root root 2171 Dec 22 08:40 ca.crt
    -rw-r--r-- 1 root root 3272 Dec 22 08:40 ca.key
    -rw-r--r-- 1 root root   17 Dec 22 09:01 ca.srl
    -rw-r--r-- 1 root root 1773 Dec 22 10:14 mobile.yinzhengjie.org.cn.csr               #Contains the public key, i.e. the certificate signing request file
    -rw-r--r-- 1 root root 3272 Dec 22 10:14 mobile.yinzhengjie.org.cn.key               #Private key
    -rw-r--r-- 1 root root 2049 Dec 22 09:01 www.yinzhengjie.org.cn.crt
    -rw-r--r-- 1 root root 1769 Dec 22 08:52 www.yinzhengjie.org.cn.csr
    -rw-r--r-- 1 root root 3272 Dec 22 08:52 www.yinzhengjie.org.cn.key
    [root@node101.yinzhengjie.org.cn /yinzhengjie/softwares/nginx/certs]# 
    [root@node101.yinzhengjie.org.cn /yinzhengjie/softwares/nginx/certs]# 

    2>. Sign the certificate

    [root@node101.yinzhengjie.org.cn /yinzhengjie/softwares/nginx/certs]# ll
    total 32
    -rw-r--r-- 1 root root 2171 Dec 22 08:40 ca.crt
    -rw-r--r-- 1 root root 3272 Dec 22 08:40 ca.key
    -rw-r--r-- 1 root root   17 Dec 22 09:01 ca.srl
    -rw-r--r-- 1 root root 1773 Dec 22 10:14 mobile.yinzhengjie.org.cn.csr
    -rw-r--r-- 1 root root 3272 Dec 22 10:14 mobile.yinzhengjie.org.cn.key
    -rw-r--r-- 1 root root 2049 Dec 22 09:01 www.yinzhengjie.org.cn.crt
    -rw-r--r-- 1 root root 1769 Dec 22 08:52 www.yinzhengjie.org.cn.csr
    -rw-r--r-- 1 root root 3272 Dec 22 08:52 www.yinzhengjie.org.cn.key
    [root@node101.yinzhengjie.org.cn /yinzhengjie/softwares/nginx/certs]# 
    [root@node101.yinzhengjie.org.cn /yinzhengjie/softwares/nginx/certs]# 
    [root@node101.yinzhengjie.org.cn /yinzhengjie/softwares/nginx/certs]# openssl x509 -req -days 3650 -in mobile.yinzhengjie.org.cn.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out mobile.yinzhengjie.org.cn.crt
    Signature ok
    subject=/C=CN/ST=beijing/L=beijing/O=yinzhengjie/OU=devops/CN=mobile.yinzhengjie.org.cn/emailAddress=y1053419035@qq.com
    Getting CA Private Key
    [root@node101.yinzhengjie.org.cn /yinzhengjie/softwares/nginx/certs]# 
    [root@node101.yinzhengjie.org.cn /yinzhengjie/softwares/nginx/certs]# ll
    total 36
    -rw-r--r-- 1 root root 2171 Dec 22 08:40 ca.crt
    -rw-r--r-- 1 root root 3272 Dec 22 08:40 ca.key
    -rw-r--r-- 1 root root   17 Dec 22 10:19 ca.srl
    -rw-r--r-- 1 root root 2049 Dec 22 10:19 mobile.yinzhengjie.org.cn.crt            #Certificate file signed by our own CA server
    -rw-r--r-- 1 root root 1773 Dec 22 10:14 mobile.yinzhengjie.org.cn.csr
    -rw-r--r-- 1 root root 3272 Dec 22 10:14 mobile.yinzhengjie.org.cn.key
    -rw-r--r-- 1 root root 2049 Dec 22 09:01 www.yinzhengjie.org.cn.crt
    -rw-r--r-- 1 root root 1769 Dec 22 08:52 www.yinzhengjie.org.cn.csr
    -rw-r--r-- 1 root root 3272 Dec 22 08:52 www.yinzhengjie.org.cn.key
    [root@node101.yinzhengjie.org.cn /yinzhengjie/softwares/nginx/certs]# 
    [root@node101.yinzhengjie.org.cn /yinzhengjie/softwares/nginx/certs]# 

    3. Nginx certificate configuration

    1>. View the main configuration file

    [root@node101.yinzhengjie.org.cn ~]# cat /yinzhengjie/softwares/nginx/conf/nginx.conf
    worker_processes  4;
    worker_cpu_affinity 00000001 00000010 00000100 00001000;

    events {
       worker_connections  100000;
       use epoll;
       accept_mutex on;
       multi_accept on;
    }

    http {
        include       mime.types;

        default_type  text/html;

        charset utf-8;

        log_format my_access_json '{"@timestamp":"$time_iso8601",'
                                  '"host":"$server_addr",'
                                  '"clientip":"$remote_addr",'
                                  '"size":$body_bytes_sent,'
                                  '"responsetime":$request_time,'
                                  '"upstreamtime":"$upstream_response_time",'
                                  '"upstreamhost":"$upstream_addr",'
                                  '"http_host":"$host",'
                                  '"uri":"$uri",'
                                  '"domain":"$host",'
                                  '"xff":"$http_x_forwarded_for",'
                                  '"referer":"$http_referer",'
                                  '"tcp_xff":"$proxy_protocol_addr",'
                                  '"http_user_agent":"$http_user_agent",'
                                  '"status":"$status"}';
        access_log logs/access_json.log my_access_json;

        ssl_certificate /yinzhengjie/softwares/nginx/certs/www.yinzhengjie.org.cn.crt;
        ssl_certificate_key /yinzhengjie/softwares/nginx/certs/www.yinzhengjie.org.cn.key;
        ssl_session_cache shared:sslcache:20m;
        ssl_session_timeout 10m;

        include /yinzhengjie/softwares/nginx/conf.d/*.conf;
    }
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# nginx -t
    nginx: the configuration file /yinzhengjie/softwares/nginx/conf/nginx.conf syntax is ok
    nginx: configuration file /yinzhengjie/softwares/nginx/conf/nginx.conf test is successful
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# ll /yinzhengjie/softwares/nginx/conf.d/
    total 8
    -rw-r--r-- 1 root root 186 Dec 22 09:22 https.conf              #This configuration file is the one we set up in the previous post
    -rw-r--r-- 1 root root 438 Dec 22 10:25 mobile.conf              #This configuration is for the new domain we are adding
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# cat /yinzhengjie/softwares/nginx/conf.d/https.conf 
    server {
        listen 80;
        listen 443 ssl;
        server_name www.yinzhengjie.org.cn;
       
        location / {
           root /yinzhengjie/data/web/nginx/static;
           index index.html;
        }
    }
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# nginx -t
    nginx: the configuration file /yinzhengjie/softwares/nginx/conf/nginx.conf syntax is ok
    nginx: configuration file /yinzhengjie/softwares/nginx/conf/nginx.conf test is successful
    [root@node101.yinzhengjie.org.cn ~]# 

    2>. Edit the mobile configuration file to enable HTTPS

    [root@node101.yinzhengjie.org.cn ~]# cat /yinzhengjie/softwares/nginx/conf.d/mobile.conf 
    server {
        listen 80;
        listen 443 ssl;
        server_name mobile.yinzhengjie.org.cn;
    
        ssl_certificate /yinzhengjie/softwares/nginx/certs/mobile.yinzhengjie.org.cn.crt;
        ssl_certificate_key /yinzhengjie/softwares/nginx/certs/mobile.yinzhengjie.org.cn.key;
        ssl_session_cache shared:sslcache:20m;
        ssl_session_timeout 10m;   
    
        location / {
           root /yinzhengjie/data/web/nginx/mobile;
           index index.html;
        }
    }
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# nginx -t
    nginx: the configuration file /yinzhengjie/softwares/nginx/conf/nginx.conf syntax is ok
    nginx: configuration file /yinzhengjie/softwares/nginx/conf/nginx.conf test is successful
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# 

    3>. Create test data for the mobile site

    [root@node101.yinzhengjie.org.cn ~]# mkdir -pv /yinzhengjie/data/web/nginx/mobile
    mkdir: created directory ‘/yinzhengjie/data/web/nginx/mobile’
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# vim /yinzhengjie/data/web/nginx/mobile/index.html
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# cat /yinzhengjie/data/web/nginx/mobile/index.html
    <!doctype html>
    <html lang="en">
    <head>
        <meta charset="UTF-8" />
        <title>尹正杰的网页</title>
        
        <style type="text/css">
            h1{
                background-color: red;
                margin: 0;
                float: right;
                color: yellow;
            }
        </style>
        
    </head>
    <body>
         <h1>我的博客地址:https://www.cnblogs.com/yinzhengjie</H1>
    </body>
    </html>
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# 

    4>. Reload the nginx configuration

    [root@node101.yinzhengjie.org.cn ~]# ps -ef | grep nginx | grep -v grep
    root      9901     1  0 09:28 ?        00:00:00 nginx: master process nginx
    nginx     9902  9901  0 09:28 ?        00:00:00 nginx: worker process
    nginx     9903  9901  0 09:28 ?        00:00:00 nginx: worker process
    nginx     9904  9901  0 09:28 ?        00:00:00 nginx: worker process
    nginx     9905  9901  0 09:28 ?        00:00:00 nginx: worker process
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# nginx -s reload
    [root@node101.yinzhengjie.org.cn ~]# 
    [root@node101.yinzhengjie.org.cn ~]# ps -ef | grep nginx | grep -v grep
    root      9901     1  0 09:28 ?        00:00:00 nginx: master process nginx
    nginx    24916  9901  4 10:41 ?        00:00:00 nginx: worker process
    nginx    24917  9901  5 10:41 ?        00:00:00 nginx: worker process
    nginx    24918  9901  5 10:41 ?        00:00:00 nginx: worker process
    nginx    24919  9901  5 10:41 ?        00:00:00 nginx: worker process
    [root@node101.yinzhengjie.org.cn ~]# 

    5>. In a client browser, visit "http://mobile.yinzhengjie.org.cn/" and "https://mobile.yinzhengjie.org.cn/" in turn
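    Besides checking in a browser, the SNI behaviour described in section 1 can be verified from the command line: handshake once per hostname with SNI set and confirm the certificate Nginx returns belongs to that host rather than to the default (http-level) certificate. The script below is an added example, not part of the original post; it assumes only that openssl is installed and that the server IP and hostnames are passed as arguments.

```shell
#!/bin/sh
# Added example (not from the original post): confirm that each SNI name the
# nginx host serves is answered with its own certificate. Requires openssl.

# Pull the CN out of an "openssl x509 -noout -subject" line. Accepts the
# OpenSSL 1.0 form "subject=/C=CN/.../CN=host/emailAddress=..." and the
# OpenSSL 1.1+ form "subject=C = CN, ..., CN = host, emailAddress = ...".
extract_cn() {
    printf '%s\n' "$1" | sed -n \
        -e 's#.*/CN=\([^/]*\).*#\1#p' \
        -e 's#.*CN *= *\([^,/]*\).*#\1#p' | head -n 1 | sed 's/ *$//'
}

# Succeed (return 0) when a certificate name covers the requested host:
# an exact match, or a single-label wildcard such as "*.yinzhengjie.org.cn".
name_matches_host() {
    name="$1"; host="$2"
    case "$name" in
        "$host") return 0 ;;
        \*.*)
            suffix="${name#\*.}"
            [ "${host%%.*}" != "$host" ] && [ "${host#*.}" = "$suffix" ] && return 0
            ;;
    esac
    return 1
}

# Handshake with SNI set to $host, read the leaf certificate the server picked,
# and compare its CN with the name we asked for. Returns 0 on match, 1 on a
# mismatch (another server block answered), 2 when no certificate came back.
check_sni() {
    host="$1"; addr="${2:-$1}"; port="${3:-443}"
    subject=$(echo | openssl s_client -connect "$addr:$port" -servername "$host" 2>/dev/null \
              | openssl x509 -noout -subject 2>/dev/null) || return 2
    cn=$(extract_cn "$subject")
    if name_matches_host "$cn" "$host"; then
        echo "OK   $host -> CN=$cn"
        return 0
    fi
    echo "FAIL $host -> CN=$cn (another server block answered; check server_name/SNI)"
    return 1
}

# Usage: sh check_sni.sh <server-ip> www.yinzhengjie.org.cn mobile.yinzhengjie.org.cn
if [ "$#" -ge 2 ]; then
    addr="$1"; shift; rc=0
    for h in "$@"; do check_sni "$h" "$addr" || rc=1; done
    exit "$rc"
fi
```

Running the same handshake without -servername shows which certificate the server hands out when no SNI is sent; with this page's configuration that is the www certificate set at http level.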

    Original address: https://www.cnblogs.com/yinzhengjie/p/12056590.html