HTTPS access via domain names
Our product, 青清水利云 (Qingqing Shuili Cloud), has a microservice architecture: every back-end call is routed through the gateway at xxx.com:8765, while each front end listens on a port of its own (portal: 9000, data center: 9010, water-project management: 9005, and so on), and each front end is configured with the jump addresses of the other applications. Access security has long been a weak spot of the platform. A typical HTTPS setup only covers the one site on the default web port, and I never had a clear idea of how to serve this many front-end ports with a single certificate. After a few days of analysis it is finally sorted out!
1.1 Applying for an SSL certificate
HTTP, the Hypertext Transfer Protocol, carries everything in plaintext; HTTPS is HTTP carried over an SSL/TLS-encrypted connection and therefore provides security. HTTP and HTTPS use completely different connection methods and different ports: HTTP uses port 80, HTTPS uses port 443.
An HTTPS certificate is an SSL certificate. By obtaining one, a site upgrades from plain HTTP to encrypted HTTPS and gains a channel that is both encrypted and authenticated. Which kind of HTTPS certificate is the right one?
Given the characteristics of 青清水利云 we chose a wildcard certificate. SSL certificates can be obtained for free or purchased from a CA; we used the CA 中域永信, and the nginx bundle we received contained two files, a key and a pem.
1.2 HTTPS for the main domain
青清水利云 is deployed with Docker; the front end consists of six Docker services built on the nginx image. To provide HTTPS access we install a standalone nginx on the server to act as the reverse proxy, with its site configurations under /etc/nginx/sites-available. First copy the two SSL files, qingqingshuili.com.pem and qingqingshuili.com.key, to /usr/local/nginx/cert/, then add a file named gateway443 with the following configuration:
server {
    listen 443 ssl;   # replaces the deprecated "ssl on;" directive
    server_name www.qingqingshuili.com;
    ssl_certificate /usr/local/nginx/cert/qingqingshuili.com.pem;
    ssl_certificate_key /usr/local/nginx/cert/qingqingshuili.com.key;
    ssl_session_timeout 5m;
    # TLSv1 and TLSv1.1 are obsolete; on a current deployment keep only TLSv1.2 and later.
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;
    ssl_prefer_server_ciphers on;
    # Set once at server level so that every location below inherits them
    # (a location with its own proxy_set_header would inherit none).
    proxy_redirect off;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;   # lets the back end know TLS was terminated here
    # Portal front end (Docker service on port 9000). No try_files here:
    # "try_files $uri $uri/ =404" answers 404 for any path that does not exist
    # on the proxy's own disk before proxy_pass ever runs.
    location / {
        proxy_pass http://127.0.0.1:9000;
    }
    # Static assets, also served by the portal container, with cache lifetimes.
    location /content/ {
        proxy_pass http://127.0.0.1:9000;
        expires 1h;
    }
    location /app/ {
        proxy_pass http://127.0.0.1:9000;
        expires 30d;
    }
    # Back-end calls go to the gateway.
    location /api/ {
        proxy_pass http://127.0.0.1:8765;
    }
}
This configuration forwards HTTPS requests for www.qingqingshuili.com to the internal address on port 9000; the /content/ and /app/ locations that follow send static-file requests to port 9000 as well and add cache expiry times (1h and 30d), and /api/ sends back-end requests to port 8765 (the gateway). Visiting www.qingqingshuili.com now reaches the platform securely and the browser shows the certificate as valid.
For users' convenience, nginx also redirects port 80 straight to the HTTPS address:
server {
    listen 80;
    server_name *.qingqingshuili.com;
    # Redirect to HTTPS on the same host name: a fixed www.qingqingshuili.com
    # target would send the second-level domains added later to the portal.
    # (The "if ($server_port = 80)" guard is redundant in a server that only listens on 80.)
    return 301 https://$host$request_uri;
}
1.3 Second-level domains for the front ends
That only gives the portal HTTPS access; many other applications still use ports 9000 to 9100. For these to be reachable over HTTPS, each one first needs a second-level domain of its own, so go to the Alibaba Cloud domain console and add one second-level domain per front-end application.
Then configure HTTPS in nginx for each second-level domain, for example management.qingqingshuili.com:
server {
    listen 443 ssl;   # replaces the deprecated "ssl on;" directive
    server_name management.qingqingshuili.com;
    ssl_certificate /usr/local/nginx/cert/qingqingshuili.com.pem;
    ssl_certificate_key /usr/local/nginx/cert/qingqingshuili.com.key;
    ssl_session_timeout 5m;
    # TLSv1 and TLSv1.1 are obsolete; on a current deployment keep only TLSv1.2 and later.
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;
    ssl_prefer_server_ciphers on;
    # Set once at server level; inherited by every location below.
    proxy_redirect off;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    # Water-project management front end (Docker service on port 9005).
    # No try_files here: "try_files $uri $uri/ =404" would answer 404 for any
    # path that does not exist on the proxy's own disk before proxy_pass runs.
    location / {
        proxy_pass http://127.0.0.1:9005;
    }
    location /content/ {
        proxy_pass http://127.0.0.1:9005;
        expires 1h;
    }
    location /app/ {
        proxy_pass http://127.0.0.1:9005;
        expires 30d;
    }
    # This application's back-end calls go to the gateway.
    location /services/qqsl-management/api/ {
        proxy_pass http://127.0.0.1:8765;
    }
}
This configuration forwards HTTPS requests for the second-level domain to the internal address on port 9005; with one such block per domain, every front end of 青清水利云 is reached over HTTPS.
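One check worth running before relying on a single wildcard certificate for all of these names: which hostnames its SAN entries actually cover. The Python below is an added example, not code from the original post; it applies the RFC 6125 wildcard rule (a "*." label matches exactly one DNS label) to a hostname list constructed from the names used in this post, and includes a live helper that reads the SAN list of the certificate a server presents.

```python
"""Which public hostnames does one certificate cover?

A wildcard SAN like "*.qingqingshuili.com" matches exactly one DNS label
(RFC 6125 section 6.4.3): www., management. and api. are covered, but the
bare apex qingqingshuili.com and deeper names like a.b.qingqingshuili.com are not.
"""
import socket
import ssl

# Constructed from the names used in this post; the apex entry is included on
# purpose to show that the wildcard alone does not cover it.
FRONTEND_HOSTS = [
    "www.qingqingshuili.com",         # portal, internal port 9000
    "management.qingqingshuili.com",  # water-project management, port 9005
    "api.qingqingshuili.com",         # gateway, port 8765
    "qingqingshuili.com",             # apex: needs its own SAN entry
]

def name_matches(san: str, hostname: str) -> bool:
    """True if one DNS SAN entry (plain or wildcard) matches hostname."""
    san, hostname = san.lower().rstrip("."), hostname.lower().rstrip(".")
    if not san.startswith("*."):
        return san == hostname
    suffix = san[1:]                      # ".qingqingshuili.com"
    if not hostname.endswith(suffix):
        return False
    first_label = hostname[: -len(suffix)]
    # Exactly one non-empty label may stand in for the "*".
    return bool(first_label) and "." not in first_label

def uncovered_hosts(san_names, hostnames):
    """Hostnames that no SAN entry matches; browsers reject TLS to these."""
    return [h for h in hostnames
            if not any(name_matches(s, h) for s in san_names)]

def san_names_of(host: str, port: int = 443):
    """Live check (needs network): DNS SAN entries of the certificate the
    server presents for this SNI name, verified against the system trust store."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    return [value for kind, value in cert.get("subjectAltName", ())
            if kind == "DNS"]

if __name__ == "__main__":
    # Offline run with the SAN the post's wildcard certificate carries.
    print(uncovered_hosts(["*.qingqingshuili.com"], FRONTEND_HOSTS))
```

If the apex is ever used as a public entry point, it needs its own SAN entry in the certificate; the wildcard alone will not do.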
1.4 A second-level domain for the back end
With the configuration of the previous section, every front end's back-end address has to be configured as a relative path and then forwarded to the back end on port 8765 with a location such as location /api/ { proxy_pass http://127.0.0.1:8765; }, which is tedious. It then occurred to me to give the back end a dedicated second-level domain, reachable over HTTPS, that the front ends call directly for the API; that is much simpler. I immediately requested the api second-level domain api.qingqingshuili.com and configured it in nginx:
server {
    listen 443 ssl;   # replaces the deprecated "ssl on;" directive
    server_name api.qingqingshuili.com;
    ssl_certificate /usr/local/nginx/cert/qingqingshuili.com.pem;
    ssl_certificate_key /usr/local/nginx/cert/qingqingshuili.com.key;
    ssl_session_timeout 5m;
    # TLSv1 and TLSv1.1 are obsolete; on a current deployment keep only TLSv1.2 and later.
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;
    ssl_prefer_server_ciphers on;
    # Set once at server level; inherited by every location below.
    proxy_redirect off;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    # Everything on this host goes to the gateway on 8765, which itself should
    # not be reachable from the public network once this proxy is in place.
    # No try_files here: "try_files $uri $uri/ =404" would answer 404 for any
    # path that does not exist on the proxy's own disk before proxy_pass runs.
    location / {
        proxy_pass http://127.0.0.1:8765;
    }
    location /content/ {
        proxy_pass http://127.0.0.1:8765;
        expires 1h;
    }
    location /app/ {
        proxy_pass http://127.0.0.1:8765;
        expires 30d;
    }
    # Explicit gateway routes (already covered by "location /", listed for clarity).
    location /management/ {
        proxy_pass http://127.0.0.1:8765;
    }
    location /api/ {
        proxy_pass http://127.0.0.1:8765;
    }
    location /services/qqsl-data-center/api/ {
        proxy_pass http://127.0.0.1:8765;
    }
    location /services/qqsl-awareness-new/api/ {
        proxy_pass http://127.0.0.1:8765;
    }
    location /services/qqsl-management/api/ {
        proxy_pass http://127.0.0.1:8765;
    }
}
The front ends then call the back-end API directly through the api second-level domain:
(function (window) {
    // Runtime environment of the front end: all API calls go to the back-end
    // second-level domain over HTTPS instead of to a host:port address.
    window.__env = window.__env || {};
    window.__env.SERVER_API_URL = 'https://api.qingqingshuili.com/';
    // Export only when loaded as a CommonJS module; in the browser this file
    // is included with a plain <script> tag and "module" does not exist.
    if (typeof module !== 'undefined' && module.exports) {
        module.exports = { __env: window.__env };
    }
})(typeof window !== 'undefined' ? window : this);
1.5 Clean-up
Finally, for security, the ports 9000 to 9100 that the front ends used before are blocked for the public network in the Alibaba Cloud ECS security group, so users can only reach 青清水利云 through www.qingqingshuili.com/. Done!