一、HTTPS 服务

为什么需要HTTPS?

原因：HTTP不安全

    1、传输数据被中间人盗用、信息泄露

    2、数据内容劫持、篡改

HTTPS协议的实现

    对传输内容进行加密以及身份验证

HTTPS加密校验方式

    非对称加密+对称加密

    CA签名证书

二、生成秘钥和CA证书

生产环境上可以直接从第三方机构获取CA证书，跳过这一步。

#检查是否安装openssl

openssl version

步骤一：生成key秘钥

#在/etc/nginx 目录下新建 ssl_key 目录

[root@sam ~]# mkdir /etc/nginx/ssl_key

[root@sam ~]# cd /etc/nginx/ssl_key

#新建key文件，并输入密码

[root@sam ssl_key]# openssl genrsa -idea -out sam.key 1024

Generating RSA private key, 1024 bit long modulus

....................................++++++

...................++++++

e is 65537 (0x10001)

Enter pass phrase for sam.key:

Verifying - Enter pass phrase for sam.key:

步骤二：生成证书签名请求文件（csr文件）

[root@sam ssl_key]# openssl req -new -key sam.key -out sam.csr

Enter pass phrase for sam.key:

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [XX]:CN

State or Province Name (full name) []:guangdong

Locality Name (eg, city) [Default City]:guangzhou

Organization Name (eg, company) [Default Company Ltd]:sam

Organizational Unit Name (eg, section) []:sam

Common Name (eg, your name or your server's hostname) []:sam

Email Address []:xxx@sam.com

Please enter the following 'extra' attributes

to be sent with your certificate request

A challenge password []:

An optional company name []:sam

[root@sam ssl_key]# ls

sam.csr  sam.key

步骤三：生成证书签名文件（CA证书） 或 从第三方机构获取

[root@sam ssl_key]# openssl x509 -req -days 3650 -in sam.csr -signkey sam.key -out sam.crt

[root@sam ssl_key]# ls

sam.crt  sam.csr  sam.key

三、Nginx配置HTTPS

#配置语法

语法：ssl on|off;

默认值：ssl off;

上下文：http,server

语法：ssl_certificate file;

默认值：无

上下文：http,server

语法：ssl_certificate_key file;

默认值：无

上下文：http,server

配置用例

server {

    listen  443;    #https 监听端口为443

    server_name www.sam.com;

    ssl on;

    ssl_certificate /etc/nginx/ssl_key/sam.crt;

    ssl_certificate_key /etc/nginx/ssl_key/sam.key;

    location / {

        root /opt/site/sam;

        index index.html index.htm;

    }

}

如果使用自签的证书，在重启nginx的时候会提示输入key的密码，输入生成key时配置的密码即可。

生产环境中，一般通过第三方机构获取CA证书进行配置。

如从阿里云获取CA证书:

https://www.aliyun.com/product/cas?spm=5176.8142029.388261.255.23896dfadI4OJq

升级openssl 到 1.0.2

wget https://www.openssl.org/source/openssl-1.0.2k.tar.gz

tar -zxvf openssl-1.0.2k.tar.gz

cd openssl-1.0.2k

./config --prefix=/usr/local/openssl

make && make install

mv /usr/bin/openssl /usr/bin/openssl.OFF

mv /usr/include/openssl /usr/include/openssl.OFF

ln -s /usr/local/openssl/bin/openssl /usr/bin/openssl

ln -s /usr/local/openssl/include/openssl /usr/include/openssl

echo "/usr/local/openssl/lib" >> /etc/ld.so.conf

ldconfig -v

openssl version -a