Nginx配置HTTPS认证

概述

什么是https？

可以阅读这篇文章：https://www.cnblogs.com/huangSir-devops/p/18806406

在生产环境中，网站的访问一般都是使用https加密的，本文主要介绍使用nginx配置https。

配置步骤主要有以下几步：

• 准备域名
• 申请域名和证书
• 配置web服务器
• 配置http跳转到https

实操配置

申请域名

可以去阿里云官方购买https://wanwang.aliyun.com/newactivity/mid-yearpromotions?

申请证书

可以通过官方的CA机构购买，我这里仅仅只是测试，则使用openssl生成证书

# 创建私钥
[root@master ~/ca]# openssl genrsa -out www.huangsir-666.com.key 2048

# 生成证书签名请求（CSR，.csr）
[root@master ~/ca]# openssl req -new -key www.huangsir-666.com.key -out www.huangsir-666.com.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:Beijing
Locality Name (eg, city) []:Beijing
Organization Name (eg, company) [Internet Widgits Pty Ltd]:huangsir Tech
Organizational Unit Name (eg, section) []:IT
Common Name (e.g. server FQDN or YOUR name) []:www.huangsir-666.com
Email Address []:huangsir.devops@163.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

# 生成.crt自签名证书
[root@master ~/ca]# openssl x509 -req -sha256 -days 365 -in www.huangsir-666.com.csr -signkey www.huangsir-666.com.key -out www.huangsir-666.com.crt
Certificate request self-signature ok
subject=C = CN, ST = Beijing, L = Beijing, O = huangsir Tech, OU = IT, CN = www.huangsir-666.com, emailAddress = huangsir.devops@163.com
[root@master ~/ca]# ll
total 12
-rw-r--r-- 1 root root 1354 Jun  6 13:58 www.huangsir-666.com.crt # 公钥证书
-rw-r--r-- 1 root root 1074 Jun  6 13:57 www.huangsir-666.com.csr
-rw------- 1 root root 1704 Jun  6 13:55 www.huangsir-666.com.key # 私钥证书

配置nginx

将证书迁移放置到/etc/ssl/nginx目录下

[root@master /etc/nginx/conf.d]# mkdir -p /etc/ssl/nginx
[root@master ~]# mv ca/www.huangsir-666.com.crt ca/www.huangsir-666.com.key /etc/ssl/nginx/

配置nginx

[root@master ~]# cat /etc/nginx/conf.d/demo01.conf
server{
  listen 443 ssl;
  server_name www.huangsir-666.com;
  # 配置公钥证书
  ssl_certificate /etc/ssl/nginx/www.huangsir-666.com.crt;
  # 配置私钥证书
  ssl_certificate_key /etc/ssl/nginx/www.huangsir-666.com.key;

  # 推荐的 SSL 协议和加密算法（安全配置）
  ssl_protocols TLSv1.2 TLSv1.3;
  ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;
  ssl_prefer_server_ciphers off;

  root /data00/nginx/;
  location / {
    index index.html;
  }
}

# http跳转到https
server {
 listen 80;
 server_name www.huangsir-666.com;
 return 301 https://www.huangsir-666.com$request_uri;
}

重启nginx

# 检查语法
[root@master ~]# nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

# 重启nginx
[root@master ~]# systemctl restart nginx

添加hosts解析，进行访问测试

在本地找到hosts文件，添加下列内容：

10.37.97.56     www.huangsir-666.com

访问https://www.huangsir-666.com

这里提示不安全，是因为我们的证书是自签名证书，属于是正常情况