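Configuring HTTPS
What is HTTPS?
HTTP: the most widely used network protocol on the Internet. It is a standard for requests and responses between a client and a server (over TCP), used to transfer hypertext from a WWW server to the local browser; it makes the browser more efficient and reduces network traffic.
HTTPS: in full, Hyper Text Transfer Protocol over Secure Socket Layer. It is an HTTP channel designed for security; put simply, it is the secure version of HTTP, that is, HTTP with an SSL layer added underneath. The security of HTTPS rests on SSL, so the details of the encryption are a matter for SSL.
The HTTPS protocol serves two main purposes: one is to establish a secure channel that protects data in transit; the other is to confirm the authenticity of the website.
1. Configuration process
First you need to apply for a certificate; a free one will do.
2. How to apply for a certificate
Applying through Alibaba Cloud
You can use Tencent Cloud or Alibaba Cloud: Cloud Products -> Domains & Websites -> SSL Certificate Management
Install nginx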
[root@ c7-41 ~]# yum -y install make zlib zlib-devel gcc-c++ libtool openssl openssl-devel wget pcre pcre-devel
[root@ c7-41 ~]# wget http://nginx.org/download/nginx-1.14.2.tar.gz
[root@ c7-41 ~]# tar -zxvf nginx-1.14.2.tar.gz
[root@ c7-41 ~]# cd nginx-1.14.2
[root@ c7-41 nginx-1.14.2]# ./configure --with-http_stub_status_module --with-http_ssl_module
[root@ c7-41 nginx-1.14.2]# make && make install
Check nginx's SSL module
[root@ c7-41 nginx-1.14.2]# /usr/local/nginx/sbin/nginx -V
nginx version: nginx/1.14.2
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-39) (GCC)
built with OpenSSL 1.0.2k-fips 26 Jan 2017
TLS SNI support enabled
configure arguments: --with-http_stub_status_module --with-http_ssl_module
Prepare the private key and certificate
Create the private key
[root@ c7-41 nginx-1.14.2]# cd /usr/local/nginx/
[root@ c7-41 nginx]# mkdir -p ssl
[root@ c7-41 nginx]# cd ssl/
[root@ c7-41 ssl]# openssl genrsa -des3 -out server.key 1024
Generating RSA private key, 1024 bit long modulus
...................++++++
...............................++++++
e is 65537 (0x10001)
Enter pass phrase for server.key: ##123456
Verifying - Enter pass phrase for server.key: ##123456
[root@ c7-41 ssl]# ll
total 4
-rw-r--r-- 1 root root 963 Apr 26 14:55 server.key
Issue the certificate: generate the signing request (CSR)
[root@ c7-41 ssl]# openssl req -new -key server.key -out server.csr
Enter pass phrase for server.key: #123456
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:BJ
Locality Name (eg, city) [Default City]:BJ
Organization Name (eg, company) [Default Company Ltd]:SDU
Organizational Unit Name (eg, section) []:BJ
Common Name (eg, your name or your server's hostname) []:Wjj
Email Address []:1279087939@qq.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: ## press Enter
An optional company name []: ## press Enter
Remove the passphrase from the private key
[root@ c7-41 ssl]# cd /usr/local/nginx/ssl
[root@ c7-41 ssl]# cp server.key server.key.ori
[root@ c7-41 ssl]# openssl rsa -in server.key.ori -out server.key
Enter pass phrase for server.key.ori: ##123456
writing RSA key
Generate a self-signed certificate from the signing request and the private key
[root@ c7-41 ssl]# openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
Signature ok
subject=/C=CN/ST=BJ/L=BJ/O=SDU/OU=BJ/CN=Wjj/emailAddress=1279087939@qq.com
Getting Private key
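The key, CSR and self-signed certificate steps above as one non-interactive script, added here as an example and not part of the original post. It assumes a 2048-bit RSA key rather than the 1024 bits used above (1024-bit RSA is no longer considered adequate), puts the server_name www.hack.com into the Common Name and subjectAltName instead of "Wjj" so the certificate actually names the host, and keeps the key readable by its owner only; the function names and the req.cnf file are illustrative.

```bash
#!/usr/bin/env bash
# Added example (not from the original post). Assumed names: make_selfsigned,
# cert_bits, key_matches_cert, cert_covers_host, req.cnf.
set -eu

# Create key, CSR and self-signed certificate for host $2 in directory $1.
make_selfsigned() {
    local dir=$1 host=$2 bits=${3:-2048}
    mkdir -p "$dir"
    # The key is written without a passphrase (the end state of the steps
    # above), so the umask keeps it readable by its owner only.
    ( umask 077; openssl genrsa -out "$dir/server.key" "$bits" 2>/dev/null )
    # Browsers match the hostname against subjectAltName; the certificate
    # gets one from the [v3_req] section via -extfile below.
    cat > "$dir/req.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
C = CN
ST = BJ
L = BJ
O = SDU
CN = $host
[v3_req]
subjectAltName = DNS:$host
EOF
    openssl req -new -key "$dir/server.key" -config "$dir/req.cnf" \
        -out "$dir/server.csr"
    openssl x509 -req -days 365 -sha256 -in "$dir/server.csr" \
        -signkey "$dir/server.key" -extfile "$dir/req.cnf" \
        -extensions v3_req -out "$dir/server.crt" 2>/dev/null
}

# Print the size in bits of the certificate's public key.
cert_bits() {
    openssl x509 -in "$1" -noout -text |
        sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# Succeed only if certificate $1 and private key $2 share one RSA modulus.
key_matches_cert() {
    [ "$(openssl x509 -in "$1" -noout -modulus)" = \
      "$(openssl rsa -in "$2" -noout -modulus 2>/dev/null)" ]
}

# Succeed only if certificate $1 is valid for hostname $2.
cert_covers_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'
}
```

Calling `make_selfsigned /usr/local/nginx/ssl www.hack.com` produces the same three files the nginx configuration below refers to; running the three checks before `nginx -s reload` catches a mismatched key or hostname early.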
4. Enable SSL in nginx
Create the virtual host
[root@ c7-41 ssl]# mkdir -p /usr/local/nginx/conf/conf.d
### Minimal file contents
[root@ c7-41 conf.d]# vim /usr/local/nginx/conf/nginx.conf
[root@ c7-41 conf.d]# cat /usr/local/nginx/conf/nginx.conf
user nobody;
worker_processes 1;
events {
    worker_connections 1024;
}
http {
    include mime.types;
    default_type application/octet-stream;
    sendfile on;
    keepalive_timeout 65;
    include conf.d/*.conf;
}
Start nginx
[root@ c7-41 conf]# /usr/local/nginx/sbin/nginx
Create the virtual host's sub-configuration file
[root@ c7-41 conf]# cd /usr/local/nginx/conf/conf.d/
[root@ c7-41 conf.d]# ls
[root@ c7-41 conf.d]# vim hack.conf
[root@ c7-41 conf.d]# cat hack.conf
server {
    listen 443 ssl;
    server_name www.hack.com;
    # Redundant with "listen 443 ssl"; the ssl directive is deprecated since nginx 1.15.0
    ssl on;
    ssl_certificate /usr/local/nginx/ssl/server.crt;
    ssl_certificate_key /usr/local/nginx/ssl/server.key;
    location / {
        # Site root directory
        root /usr/local/nginx/html;
        index index.php index.html index.htm;
    }
}
Reload the configuration
[root@ c7-41 conf.d]# /usr/local/nginx/sbin/nginx -t
[root@ c7-41 conf.d]# /usr/local/nginx/sbin/nginx -s reload
Add the following entry to the Windows hosts file, then visit www.hack.com/hack.html in Chrome.
10.0.0.41 www.hack.com
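Upload hack.html to the /usr/local/nginx/html directory.
Open with Windows+R
At this point you will find that www.hack.com/hack.html, the browser…
5. Redirecting with rewrite
The configuration above has a drawback: if a user forgets to use https or port 443, the site is unreachable. Requests to port 80 therefore need to be redirected to port 443 and served over SSL. Just add one more server block that issues a 301 permanent redirect.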
[root@ c7-41 html]# vim /usr/local/nginx/conf/conf.d/hack.conf
server {
    listen 80;
    server_name www.hack.com;
    rewrite ^(.*) https://$server_name$1 permanent;
}
server {
    listen 443 ssl;
    server_name www.hack.com;
    ssl on;
    ssl_certificate /usr/local/nginx/ssl/server.crt;
    ssl_certificate_key /usr/local/nginx/ssl/server.key;
    location / {
        # Site root directory
        root /usr/local/nginx/html;
        index index.php index.html index.htm;
    }
}
Now, when the browser visits www.hack.com/hack.html, n… www.hack.com/hack.html, …
Next, delete the nginx default pages
[root@ c7-41 html]# rm -rf index.html
[root@ c7-41 html]# rm -rf 50x.html