nginx +location + https
Posted
tags:
篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了nginx +location + https相关的知识,希望对你有一定的参考价值。
wget http://nginx.org/packages/rhel/6/x86_64/RPMS/nginx-1.14.0-1.el6.ngx.x86_64.rpm (下载nginxRPM管理包)
rpm -ivh nginx-1.14.0-1.el6.ngx.x86_64.rpm (安装nginx)
开始实验:
/etc/nginx/
├── conf.d (拓展文件)
│?? ├── abc.conf
│?? ├── default.conf
│?? ├── efg.conf
│?? └── error.conf
├── fastcgi_params
├── koi-utf
├── koi-win
├── mime.types
├── modules -> ../../usr/lib64/nginx/modules
├── nginx.conf (主配文件)
├── scgi_params
├── uwsgi_params
└── win-utf
/usr/share/nginx/html/ (数据文件)
├── 50x.html
├── abc
│?? └── index.html
├── efg
│?? └── index.html
├── error
│?? └── index.html
└── index.html
**# 基于虚拟主机的两个网站**
[[email protected] conf.d]# cat abc.conf efg.conf
server {
listen 80;
server_name www.abc.com;
#charset koi8-r;
#access_log /var/log/nginx/host.access.log main;
location / {
root /usr/share/nginx/html/abc;
index index.html index.htm;
}
}
server {
listen 80;
server_name www.efg.com;
#charset koi8-r;
#access_log /var/log/nginx/host.access.log main;
location / {
root /usr/share/nginx/html/efg;
index index.html index.htm;
}
}
[[email protected] nginx]# vim nginx.conf
include /etc/nginx/conf.d/*.conf;
charset utf-8; (如果出现web访问显示中文乱码,写上这条,重启nginx)
}访问abc和efg都没问题,但是要是没xyz的对应虚拟主机(默认显示ASCII顺序显示第一个虚拟主机)这里我们单独给他一个错误回显,看下图:
(这个错误页面怎么配置?)
[[email protected] conf.d]# vim error.conf
server {
listen 80 default; (只要找不到虚拟主机一律去error下面找)
#access_log /var/log/nginx/host.access.log main;
location / {
root /usr/share/nginx/html/error; (配置文件)
index index.html index.htm;
}
}
location 匹配字段(针对URL的路径部分,可以与正则配合使用)
[[email protected] download]# vim /etc/nginx/conf.d/abc.conf
server {
listen 80;
server_name www.abc.com;
#charset koi8-r;
#access_log /var/log/nginx/host.access.log main;
location / {
root /usr/share/nginx/html/abc;
index index.html index.htm;
}
location /boke.html { (这里的意思是去root boke目录里找boke.html这个文件URL最后面不能加/)
root /usr/share/nginx/html/boke;
}
[[email protected] download]# vim /etc/nginx/conf.d/abc.conf
location /download/ { (这里去html下面找download目录!!目录里面可以有文件,页面等等URL最后必须要加/
)
root /usr/share/nginx/html;
}
}
*(怎么一定要加/或不加/呢?不人性化,这里可以使用正则来解决)
[[email protected] download]# vim /etc/nginx/conf.d/abc.conf
location ~* /download.* { (~* 不区分大小写,.*为正则匹配)
root /usr/share/nginx/html;
}
}
HTTPS
讲之前先看下公钥与私钥到底是个啥?
[1](http://blog.51cto.com/2938638/809991)
[2](http://blog.51cto.com/zhangyanfeng/1711250)实验:自签名
客户端 CA
1.创建私钥 1.有自己的私钥和证书
2.根据私钥创建证书颁发请求 .csr 2.对证书颁发请求签名
3.等CA中心授权签名通过,返回证书文件 .crt 3.将证书发送给客户端
4.根据KEY,CRT配置HTTPS站点客户端
[[email protected] keyes]# openssl genrsa 2048 > siyao.keys (创建私钥)
Generating RSA private key, 2048 bit long modulus
...............................................................................+++
.+++
e is 65537 (0x10001)
[[email protected] keyes]# chmod 400 siyao.keys (给予最小权限)
[[email protected] keyes]# openssl req -new -key siyao.keys -out siyao.csr (创建证书办法请求)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ‘.‘, the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN (国家)
State or Province Name (full name) []:shanghai (省份)
Locality Name (eg, city) [Default City]:shanghai (市区)
Organization Name (eg, company) [Default Company Ltd]:boke (公司名)
Organizational Unit Name (eg, section) []:boke - cainiao (部门)
Common Name (eg, your name or your server‘s hostname) []:www.abc.com (要加密的RUL)
Email Address []:[email protected] (邮箱)
Please enter the following ‘extra‘ attributes
to be sent with your certificate request
A challenge password []: (这里不要写密码,CA哪里一会解不开密码,自签名。。)
An optional company name []: (这里也跳过)
[[email protected] keyes]# ls
siyao.csr siyao.keys (生成一份.csr的文件)
[[email protected] keyes]# scp siyao.csr 192.168.1.115:/root (在我使用scp传输文件时,碰到了问题,因为之前做过NAT。网关上
把icmp阻塞了,并且用的策略是block return,所以返回一个目标不可到达的包给你。)
ssh: connect to host 192.168.1.115 port 22: No route to host
[[email protected] keyes]# scp siyao.csr 192.168.1.115:/root (传过去了)
The authenticity of host ‘192.168.1.115 (192.168.1.115)‘ can‘t be established.
RSA key fingerprint is ce:73:07:c4:4c:f3:2b:1b:21:c7:92:31:27:53:be:cf.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added ‘192.168.1.115‘ (RSA) to the list of known hosts.
[email protected]‘s password:
siyao.csr
# CA端
[[email protected] ~]# openssl genrsa -des3 -out ca.key 4096 (生成公私钥,做自签名)
Generating RSA private key, 4096 bit long modulus
............................++
.......................++
e is 65537 (0x10001)
Enter pass phrase for ca.key: (自签名密码要记住,一会自签名过程要用到)
Verifying - Enter pass phrase for ca.key:
[[email protected] ~]# ls
anaconda-ks.cfg ca.key siyao.csr
[[email protected] ~]# openssl req -new -x509 -days 365 -key ca.key -out ca.crt (自签名)
Enter pass phrase for ca.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ‘.‘, the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:shanghai
Locality Name (eg, city) [Default City]:shanghai
Organization Name (eg, company) [Default Company Ltd]:NSA
Organizational Unit Name (eg, section) []:FBI
Common Name (eg, your name or your server‘s hostname) []:www.boke.com
Email Address []:
[[email protected] ~]# ls
anaconda-ks.cfg ca.crt ca.key siyao.csr
[[email protected] ~]# openssl x509 -req -days 365 -in siyao.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out siyao.crt (
给客户端颁发证书)
Signature ok
subject=/C=CN/ST=shanghai/L=shanghai/O=boke/OU=boke - cainiao/CN=www.abc.com/[email protected]
Getting CA Private Key
Enter pass phrase for ca.key:
[[email protected] ~]# ls
anaconda-ks.cfg ca.crt ca.key siyao.crt siyao.csr
[[email protected] ~]# scp siyao.crt 192.168.1.3:/etc/pki/CA/keyes (回传给客户端)
The authenticity of host ‘192.168.1.3 (192.168.1.3)‘ can‘t be established.
RSA key fingerprint is bd:4d:15:99:19:a7:d7:fb:6e:0a:91:b0:b7:62:04:73.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added ‘192.168.1.3‘ (RSA) to the list of known hosts.
[email protected]‘s password:
siyao.crt 100% 1590 1.6KB/s
00:00
[[email protected] ~]# ls
anaconda-ks.cfg ca.crt ca.key siyao.crt siyao.csr
客户端keyes目下要有私钥,公钥,证书
[[email protected] keyes]# ls
siyao.crt siyao.csr siyao.keys
[[email protected] keyes]# pwd
/etc/pki/CA/keyes
最后来配置HTTPS
[[email protected] conf.d]# vim abc.conf
server {
listen 443 ssl;
server_name www.abc.com;
ssl_certificate /etc/pki/CA/keyes/siyao.crt; (证书)
ssl_certificate_key /etc/pki/CA/keyes/siyao.keys; (私钥)
ssl_protocols TLSv1 TLSv1.1 TLSv1.2; (协议)
ssl_ciphers HIGH:!aNULL:!MD5;
root /usr/share/nginx/html/abc;
index index.html;
}
我这里用的是chrome的浏览器:
google浏览器看下这里
这里显示不安全,但是能看到内容,大神给讲下吧,有点迷。
-----
-----
下次分享下nginx的rewrite和反向代理和缓存。。以上是关于nginx +location + https的主要内容,如果未能解决你的问题,请参考以下文章