一、Http与Https的区别
HTTP:是互联网上应用最为广泛的一种网络协议,是一个客户端和服务器端请求和应答的标准(TCP),用于从WWW服务器传输超文本到本地浏览器的传输协议,它可以使浏览器更加高效,使网络传输减少。
HTTPS:是以安全为目标的HTTP通道,简单讲是HTTP的安全版,即HTTP下加入SSL层,HTTPS的安全基础是SSL,因此加密的详细内容就需要SSL。HTTPS协议的主要作用可以分为两种:一种是建立一个信息安全通道,来保证数据传输的安全;另一种就是确认网站的真实性。
HTTPS和HTTP的区别主要如下:
1、https协议需要到ca申请证书,一般免费证书较少,因而需要一定费用。
2、http是超文本传输协议,信息是明文传输,https则是具有安全性的ssl加密传输协议。
3、http和https使用的是完全不同的连接方式,用的端口也不一样,前者是80,后者是443。
4、http的连接很简单,是无状态的;HTTPS协议是由SSL+HTTP协议构建的可进行加密传输、身份认证的网络协议,比http协议安全。
二、使用openssl生成证书
openssl是目前最流行的SSL密码库工具,其提供了一个通用、健壮、功能完备的工具套件,用以支持SSL/TLS协议的实现。
比如生成到:/usr/local/ssl
openssl req -x509 -nodes -days 36500 -newkey rsa:2048 -keyout /usr/local/ssl/nginx.key -out /usr/local/ssl/nginx.crt
生成过程: # openssl req -x509 -nodes -days 36500 -newkey rsa:2048 -keyout /u sr/local/ssl/nginx.key -out /usr/local/ssl/nginx.crt
Generating a 2048 bit RSA private key
...............................................................................+ ++
...............+++
writing new private key to '/usr/local/ssl/nginx.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:beijing
Organization Name (eg, company) [Default Company Ltd]:xxxx
Organizational Unit Name (eg, section) []:xxxx
Common Name (eg, your name or your server's hostname) []:xxxx(一般是域名)
Email Address []:xxxx@xxxx.com
# ll
total 8
-rw-r--r--. 1 root root 1391 Apr 21 13:29 nginx.crt
-rw-r--r--. 1 root root 1704 Apr 21 13:29 nginx.key
三、Nginx安装http_ssl_module模块
Nginx如果未开启SSL模块,配置Https时提示错误。
nginx: [emerg] the "ssl" parameter requires ngx_http_ssl_module in /usr/local/nginx/conf/nginx.conf:xxx
nginx缺少http_ssl_module模块,编译安装的时候带上--with-http_ssl_module配置就行了。
本场景是服务器已经安装过nginx,但是未安装http_ssl_module。
1.进入到源码包,如:
cd /app/download/nginx-1.16.7
2.configure:
./configure --prefix=/usr/local/nginx --with-http_stub_status_module --with-http_ssl_module
3.make:
make
4.不需要执行make install,否则就覆盖安装了。
5.备份原有的nginx,如:
cp /usr/local/nginx/sbin/nginx /usr/local/nginx/sbin/nginx_bak
6.然后将刚刚编译好的nginx覆盖掉原有的nginx(nginx需要停止)
cp ./objs/nginx /usr/local/nginx/sbin/
7.查看安装情况:(注:若不生效,则重装nginx)
/usr/local/nginx/sbin/nginx -V
nginx version: nginx/1.12.2
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-16) (GCC)
built with OpenSSL 1.0.2k-fips 26 Jan 2017
TLS SNI support enabled
configure arguments: --prefix=/usr/local/nginx --with-http_stub_status_module --with-http_ssl_module
四、nginx配置https
贴部分配置信息:
#user nobody;
worker_processes 1; #error_log logs/error.log;
#error_log logs/error.log notice;
#error_log logs/error.log info; #pid logs/nginx.pid; events {
worker_connections 1024;
} http {
include mime.types;
default_type application/octet-stream; #log_format main '$remote_addr - $remote_user [$time_local] "$request" '
# '$status $body_bytes_sent "$http_referer" '
# '"$http_user_agent" "$http_x_forwarded_for"'; #access_log logs/access.log main; sendfile on;
#tcp_nopush on; #keepalive_timeout 0;
keepalive_timeout 65; #gzip on; server {
listen 7777;
server_name localhost; #charset koi8-r; #access_log logs/host.access.log main; location / {
if (!-e $request_filename) {
rewrite ^(.*)$ /index.html?s=$1 last;
break;
}
root /usr/local/chip/product/crdp_plus;
index index.html;
} location /portal-ui {
root html;
index index.html index.htm;
try_files $uri $uri/ /monitor-view/index.html;
} location /crdp/ {
proxy_pass http://127.0.0.1:8888;
}
location /swagger-ui.html {
proxy_pass http://127.0.0.1:8888;
}
location /swagger-resources {
proxy_pass http://127.0.0.1:8888;
}
location /swagger {
proxy_pass http://127.0.0.1:8888;
}
location /webjars {
proxy_pass http://127.0.0.1:8888;
}
location /v2 {
proxy_pass http://127.0.0.1:8888;
}
location /druid {
proxy_pass http://127.0.0.1:8888;
} proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header REMOTE-HOST $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade"; client_max_body_size 5m; #error_page 404 /404.html; # redirect server error pages to the static page /50x.html
#
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root html;
} # proxy the PHP scripts to Apache listening on 127.0.0.1:80
#
#location ~ \.php$ {
# proxy_pass http://127.0.0.1;
#} # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
#
#location ~ \.php$ {
# root html;
# fastcgi_pass 127.0.0.1:9000;
# fastcgi_index index.php;
# fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name;
# include fastcgi_params;
#} # deny access to .htaccess files, if Apache's document root
# concurs with nginx's one
#
#location ~ /\.ht {
# deny all;
#}
} # another virtual host using mix of IP-, name-, and port-based configuration
#
#server {
# listen 8000;
# listen somename:8080;
# server_name somename alias another.alias; # location / {
# root html;
# index index.html index.htm;
# }
#} # HTTPS server
#
server {
listen 8787 ssl;
server_name 192.168.13.192;
ssl_certificate /usr/local/ssl/nginx.crt; #证书公钥
ssl_certificate_key /usr/local/ssl/nginx.key; #证书私钥
ssl_session_cache shared:SSL:1m;
ssl_session_timeout 5m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers ECDH:AESGCM:HIGH:!RC4:!DH:!MD5:!3DES:!aNULL:!eNULL;
ssl_prefer_server_ciphers on; root /usr/local/ui_workspace;
index /appBaoJian/index.html; location /appBaoJian {
root /usr/local/ui_workspace;
index index.html index.htm;
try_files $uri $uri/ /appBaoJian/index.html;
} location /chhm-service/ {
proxy_pass http://192.168.13.77:8380;
} }
server {
listen 8686 ssl;
server_name 192.168.13.192;
ssl_certificate /usr/local/ssl/nginx.crt; #证书公钥
ssl_certificate_key /usr/local/ssl/nginx.key; #证书私钥
ssl_session_cache shared:SSL:1m;
ssl_session_timeout 5m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers ECDH:AESGCM:HIGH:!RC4:!DH:!MD5:!3DES:!aNULL:!eNULL;
ssl_prefer_server_ciphers on; root /usr/local/ui_workspace;
index /crpge/index.html; location /crpgea {
root /usr/local/ui_workspace;
index index.html index.htm;
try_files $uri $uri/ /crpge/index.html;
} location /crpgeb {
root /usr/local/ui_workspace;
index index.html index.htm;
try_files $uri $uri/ /crpge/hospital.html;
} location /crpge/v1 {
proxy_http_version 1.1;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_pass http://127.0.0.1:18888/crpge/v1;
} } }
先检验配置的对不对:
/usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
重启nginx:
/usr/local/nginx/sbin/./nginx -s reload