nginx: multiple TLS virtual hosts (encrypted host headers) on a single IP address

Posted by 吕正元


  In the test environment, a self-generated certificate and private key are used.

I. Generate the certificate and private key

  1. Change into the certs directory; running make there generates a certificate directly

cd /etc/ssl/certs

  2. Edit the Makefile and remove the automatic encryption of the generated private key

vim Makefile 

%.key:
	umask 77 ; \
	/usr/bin/openssl genrsa -aes128 $(KEYLEN) > $@

Change it to:

%.key:
	umask 77 ; \
	/usr/bin/openssl genrsa $(KEYLEN) > $@

  3. Generate the certificate and private key for www.test.com

[18:55:06 root@localhost certs]#make test.com.crt
umask 77 ; \
/usr/bin/openssl genrsa  2048 > test.com.key
Generating RSA private key, 2048 bit long modulus
.............................+++
...........................................................................................................................................................................+++
e is 65537 (0x10001)
umask 77 ; \
/usr/bin/openssl req -utf8 -new -key test.com.key -x509 -days 365 -out test.com.crt
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:shanghai
Locality Name (eg, city) [Default City]:shanghai
Organization Name (eg, company) [Default Company Ltd]:sh
Organizational Unit Name (eg, section) []:sh
Common Name (eg, your name or your server's hostname) []:www.test.com
Email Address []:

  4. Generate the certificate and private key file for www.test.org

[18:58:06 root@localhost certs]#make test.org.crt
umask 77 ; \
/usr/bin/openssl genrsa  2048 > test.org.key
Generating RSA private key, 2048 bit long modulus
....................................................................+++
...........................+++
e is 65537 (0x10001)
umask 77 ; \
/usr/bin/openssl req -utf8 -new -key test.org.key -x509 -days 365 -out test.org.crt
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:sh
Locality Name (eg, city) [Default City]:sh
Organization Name (eg, company) [Default Company Ltd]:www.test.org
Organizational Unit Name (eg, section) []:sh
Common Name (eg, your name or your server's hostname) []:www.test.org
Email Address []:

Only the fields marked in red matter (the Common Name must be the hostname that clients will request); the other fields can be filled in arbitrarily.

  5. Under the directory that holds the nginx configuration files, create a folder for the certificates and private keys

mkdir /etc/nginx/ssl/

  6. Move the private key and certificate files just generated into the ssl folder

mv test.* /etc/nginx/ssl/

  7. Set the permissions of the certificate and private key files to 600

chmod 600 /etc/nginx/ssl/*
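The seven steps above, done non-interactively as one script. This is an added example, not the author's Makefile: it calls openssl req -x509 directly with -nodes (the same effect as removing -aes128 from the Makefile, so nginx can load the key at startup without being asked for a passphrase) and adds a subjectAltName, which browsers and recent curl versions require since they no longer accept the Common Name alone. The DN field values mirror the answers typed in the article; the output directory defaults to /etc/nginx/ssl and can be overridden with OUTDIR. It assumes OpenSSL 1.1.1 or newer for -addext.

```shell
#!/bin/sh
# Added example (not the author's Makefile): generate a self-signed
# certificate and an unencrypted private key per hostname without the
# interactive prompts, set 600 on the files, and check the result.
# Assumes OpenSSL >= 1.1.1 (for -addext).
set -eu

# make_selfsigned <hostname> <outdir>
# Writes <outdir>/<name>.key and <outdir>/<name>.crt, where <name> is the
# hostname without its leading "www." (test.com, test.org), matching the
# file names used in the article. -nodes leaves the key unencrypted, the
# same effect as dropping -aes128 from the Makefile.
make_selfsigned() {
    host=$1
    outdir=$2
    name=${host#www.}
    mkdir -p "$outdir"
    umask 077
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -keyout "$outdir/$name.key" -out "$outdir/$name.crt" \
        -subj "/C=CN/ST=shanghai/L=shanghai/O=sh/OU=sh/CN=$host" \
        -addext "subjectAltName=DNS:$host" >/dev/null 2>&1
    chmod 600 "$outdir/$name.key" "$outdir/$name.crt"
}

# cert_cn <crtfile>: print the Common Name of a certificate. The sed
# pattern handles both the "CN = x" (1.1.1+) and "/CN=x" (1.0.x) layouts.
cert_cn() {
    openssl x509 -in "$1" -noout -subject |
        sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# cert_has_san <crtfile> <hostname>: succeeds if the subjectAltName
# extension lists the hostname (what browsers actually match against).
cert_has_san() {
    openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"
}

# key_is_unencrypted <keyfile>: succeeds if the key carries no passphrase
# (an encrypted PEM key has "ENCRYPTED" in its header).
key_is_unencrypted() {
    ! grep -q ENCRYPTED "$1"
}

# Runs only when hostnames are given, e.g.
#   OUTDIR=/etc/nginx/ssl sh make-certs.sh www.test.com www.test.org
if [ "$#" -gt 0 ]; then
    outdir=${OUTDIR:-/etc/nginx/ssl}
    for h in "$@"; do
        make_selfsigned "$h" "$outdir"
        printf '%s: CN=%s\n' "$h" "$(cert_cn "$outdir/${h#www.}.crt")"
    done
fi
```

Running it for both names produces the same four files the Makefile steps produce (test.com.key, test.com.crt, test.org.key, test.org.crt), already in /etc/nginx/ssl with mode 600, so steps 5 to 7 are not needed separately.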

II. Edit the nginx configuration

  1. Create the folders that hold the home pages

mkdir /data/test{com,org} -pv

  2. Generate test pages

echo /data/testcom/index.html > /data/testcom/index.html
echo /data/testorg/index.html > /data/testorg/index.html

  3. Use virtual hosts: edit the virtual host configuration file

vim /etc/nginx/conf.d/test.conf

(The file name does not matter as long as its suffix is .conf; create the file if it does not exist.)

server {
    listen 443 ssl;
    listen 80;
    server_name www.test.com;
    # location of the site root
    root /data/testcom/;
    # paths of the certificate and private key
    ssl_certificate /etc/nginx/ssl/test.com.crt;
    ssl_certificate_key /etc/nginx/ssl/test.com.key;
    ssl_session_cache shared:sslcache:20m;
    # SSL session timeout: 10 minutes
    ssl_session_timeout 10m;
    # separate log file in the "main" format, which is defined in nginx's main configuration file
    access_log /var/log/nginx/test.com.log main;
    # any path requested over plain http is redirected to https
    if ( $scheme = http ) {
        rewrite ^/(.*)$ https://www.test.com/$1 redirect;
    }
}
# the second virtual host
server {
    listen 443 ssl;
    listen 80;
    server_name www.test.org;
    # location of the site root
    root /data/testorg/;
    # paths of the certificate and private key
    ssl_certificate /etc/nginx/ssl/test.org.crt;
    ssl_certificate_key /etc/nginx/ssl/test.org.key;
    ssl_session_cache shared:sslcache:20m;
    # SSL session timeout: 10 minutes
    ssl_session_timeout 10m;
    # separate log file in the "main" format, which is defined in nginx's main configuration file
    access_log /var/log/nginx/test.org.log main;
    # any path requested over plain http is redirected to https
    if ( $scheme = http ) {
        rewrite ^/(.*)$ https://www.test.org/$1 redirect;
    }
}

  4. Check the configuration for syntax errors

[19:32:47 root@localhost data]#nginx -t

  5. If the following is returned, the configuration is fine

nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

  6. Start the service

nginx

III. Test access

  1. Edit the hosts file on the test client

Windows:

C:\Windows\System32\drivers\etc\hosts

Linux:

vim /etc/hosts

In both cases, add a line at the end containing the IP address and the corresponding hostnames:

192.168.1.4 www.test.com www.test.org

Because these domain names cannot currently be resolved by DNS, the hosts file can simply be edited in the test environment.

  2. Test access to www.test.com with curl

[19:39:19 root@localhost certs]#curl www.test.com -Lk
/data/testcom/index.html

-L follows redirects (by default curl only shows the 301 page and does not continue to the target); -k skips certificate verification

  3. Access www.test.org with curl

curl www.test.org -Lk
/data/testorg/index.html
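The curl -Lk test above confirms that the pages are reachable but, because -k skips certificate checks, it does not show whether each name was actually handed its own certificate. The script below is an added example, not part of the original post: it uses openssl s_client with -servername (the SNI value that nginx matches against server_name), also once without any SNI (-noservername, OpenSSL 1.1.1 or newer) to show what an old client receives, which is the certificate of the default server, i.e. the first server block listening on 443, here www.test.com. It also shows curl --resolve, which pins a hostname to the IP for one request without editing the hosts file and verifies the chain against the self-signed CRT instead of disabling verification. The IP 192.168.1.4, the hostnames and the certificate paths are the article's; the function and script names are assumed.

```shell
#!/bin/sh
# Added example (not from the original post): check which certificate
# nginx presents for each SNI name on one IP, and what a client that
# sends no SNI at all gets (nginx then answers with the default server's
# certificate). Assumes OpenSSL >= 1.1.1 for -noservername.
set -eu

# cn_from_subject_line <line>: extract the CN from an "openssl x509
# -subject" line, in either the "CN = x" (1.1.1+) or "/CN=x" (1.0.x) layout.
cn_from_subject_line() {
    printf '%s\n' "$1" | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# served_cn <ip> <port> <sni-name|->: connect to ip:port, send the given
# SNI name ("-" means send no SNI) and print the CN of the leaf
# certificate the server chose for that handshake.
served_cn() {
    ip=$1; port=$2; sni=$3
    if [ "$sni" = "-" ]; then
        sniopt="-noservername"
    else
        sniopt="-servername $sni"
    fi
    # sniopt is intentionally left unquoted so it splits into two words
    subject=$(openssl s_client -connect "$ip:$port" $sniopt </dev/null 2>/dev/null |
        openssl x509 -noout -subject)
    cn_from_subject_line "$subject"
}

# sni_ok <ip> <port> <hostname>: succeeds if the certificate served for
# <hostname> really carries that hostname as its CN.
sni_ok() {
    [ "$(served_cn "$1" "$2" "$3")" = "$3" ]
}

# fetch_verified <ip> <hostname> <crt>: like the article's "curl -Lk", but
# pins the name to the IP for this request only (no hosts edit) and
# verifies against the self-signed certificate instead of using -k.
fetch_verified() {
    curl -sS -L --resolve "$2:443:$1" --resolve "$2:80:$1" \
        --cacert "$3" "http://$2/"
}

# Usage: sh check-sni.sh 192.168.1.4 www.test.com www.test.org
if [ "$#" -ge 2 ]; then
    ip=$1; shift
    for h in "$@"; do
        if sni_ok "$ip" 443 "$h"; then
            echo "OK   $h -> CN=$h"
        else
            echo "FAIL $h -> CN=$(served_cn "$ip" 443 "$h")"
        fi
    done
    echo "no SNI -> CN=$(served_cn "$ip" 443 -)"
    # e.g. fetch_verified "$ip" www.test.com /etc/nginx/ssl/test.com.crt
fi
```

If the "no SNI" line prints www.test.com, the ordering of the server blocks is what decides which certificate non-SNI clients see; a wrong certificate for a name in the loop means that name is being answered by the other server block. Note that the article's certificates carry only a Common Name and no subjectAltName, so browsers will still warn about them even when curl --cacert accepts them.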

