Nginx HTTPS configuration

What is an SSL certificate, and what is HTTPS

An SSL certificate is a digital certificate. It lets a browser and a web server use the Secure Socket Layer protocol (in practice its successor TLS today, although the name "SSL certificate" has stuck) to set up a secure channel, which provides:

1. Encrypted transport between client and server, so that a third party on the path cannot eavesdrop on what the two sides exchange;

2. A way for the user to check, through the server's certificate, that the site they are talking to is the genuine one.
(via Baidu Baike)

HTTPS is HTTP with security as its goal: HTTP carried over an SSL/TLS layer. HTTPS also uses a different port than HTTP: HTTP defaults to port 80, HTTPS to port 443.

Which sites need an SSL certificate

1. Shopping and payment sites
It goes without saying that online banking, Alipay, PayPal and the like encrypt the whole session to protect your information.

2. Sign-up and login
Large sites, webmail providers for example, send the sign-up and login steps over an SSL channel so that passwords cannot be sniffed.

3. Certain online proxies
Well... ahem, let's not go there.

4. Showing off
Like me...

Issuing your own SSL certificate (one that browsers will not trust)

# Generate an RSA private key; you will be asked for a passphrase.
# 1024-bit RSA is below the 2048-bit minimum public CAs have required since 2014, so use at least 2048.
openssl genrsa -des3 -out test.key 2048
Generating RSA private key, 2048 bit long modulus
.++++++
............................................++++++
e is 65537 (0x10001)
Enter pass phrase for test.key:
Verifying - Enter pass phrase for test.key:
# Write a copy of the key without the passphrase (otherwise nginx prompts for it on every start).
# Enter the passphrase you set above, and keep this file readable only by root.
openssl rsa -in test.key -out test_nopass.key
Enter pass phrase for test.key:
writing RSA key
# Generate a certificate signing request (CSR)
openssl req -new -key test.key -out test.csr
Enter pass phrase for test.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN #country
State or Province Name (full name) []:Guangdong #province
Locality Name (eg, city) [Default City]:Shenzhen #city
Organization Name (eg, company) [Default Company Ltd]:Shenzhen test LTD #company name
Organizational Unit Name (eg, section) []:test #department
Common Name (eg, your name or your server's hostname) []:*.test.com #domain. Modern browsers match the host name against the subjectAltName extension, not the CN, so a CSR made interactively like this (no SAN) yields a certificate that Chrome reports as a name mismatch even after you trust it
Email Address []:admin@test.com #any address works for a self-signed certificate; a public CA may use it as a contact or validation address

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: #just press Enter
An optional company name []: #just press Enter
# Sign the certificate with your own key (self-signed)
openssl x509 -req -days 365 -in test.csr -signkey test.key -out test.crt
Signature ok
subject=/C=CN/ST=Guangdong/L=Shenzhen/O=Shenzhen test LTD/OU=test/CN=*.test.com/emailAddress=admin@test.com
Getting Private key
Enter pass phrase for test.key:
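The steps above, collected into one script as an added example (this is not the original post's code): it generates a 2048-bit key without a passphrase, drives openssl req from a config file so the CSR carries a subjectAltName, copies that extension into the self-signed certificate (openssl x509 -req discards CSR extensions unless told to keep them), and then verifies what came out. The domain test.com, the DN values and the working directory are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the original post: self-signed certificate with a
# subjectAltName, the way current browsers expect it. Paths and names are
# assumptions for illustration.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"

# OpenSSL request config. The DN mirrors the post's interactive answers;
# the req_ext section adds the SAN list that browsers actually match on.
write_conf() {
cat > "$WORKDIR/san.cnf" <<'EOF'
[ req ]
default_bits       = 2048
prompt             = no
default_md         = sha256
distinguished_name = dn
req_extensions     = req_ext

[ dn ]
C  = CN
ST = Guangdong
L  = Shenzhen
O  = Shenzhen test LTD
OU = test
CN = test.com

[ req_ext ]
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = test.com
DNS.2 = *.test.com
EOF
}

# Unencrypted key (nginx cannot answer a passphrase prompt at boot), CSR with
# the SAN extension, and a self-signed cert that keeps that extension.
make_cert() {
    write_conf
    openssl genrsa -out "$WORKDIR/test.key" 2048 2>/dev/null
    chmod 600 "$WORKDIR/test.key"
    openssl req -new -key "$WORKDIR/test.key" -out "$WORKDIR/test.csr" \
        -config "$WORKDIR/san.cnf"
    openssl x509 -req -days 365 -sha256 \
        -in "$WORKDIR/test.csr" -signkey "$WORKDIR/test.key" \
        -out "$WORKDIR/test.crt" \
        -extfile "$WORKDIR/san.cnf" -extensions req_ext 2>/dev/null
}

# Print the SAN list of the certificate, e.g. "DNS:test.com, DNS:*.test.com"
cert_sans() {
    openssl x509 -in "$WORKDIR/test.crt" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n1 | sed 's/^[[:space:]]*//'
}

# Print the RSA key size recorded in the certificate, e.g. "2048"
cert_key_bits() {
    openssl x509 -in "$WORKDIR/test.crt" -noout -text \
        | grep -o '([0-9]* bit)' | head -n1 | tr -dc '0-9'
}

# Succeed only if the private key and the certificate share a modulus,
# i.e. the two files nginx will be handed actually belong together.
key_matches_cert() {
    [ "$(openssl rsa -noout -modulus -in "$WORKDIR/test.key")" = \
      "$(openssl x509 -noout -modulus -in "$WORKDIR/test.crt")" ]
}

# Run stand-alone: generate the material and report what was produced.
make_cert
echo "SAN:      $(cert_sans)"
echo "key bits: $(cert_key_bits)"
key_matches_cert && echo "key matches certificate" || echo "KEY/CERT MISMATCH"
```

Point ssl_certificate at test.crt and ssl_certificate_key at test.key; the modulus check is the quickest way to diagnose the "SSL_CTX_use_PrivateKey_file ... key values mismatch" error nginx prints when the two files are mixed up.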

Configuring HTTPS in nginx

server {
    server_name dev.ziztour.com;
    listen 443 ssl;   # "ssl on;" was deprecated in nginx 1.15.0 and removed in 1.25.1; enable TLS on the listen directive instead
    root html;
    ssl_certificate ziztour.com.crt;
    ssl_certificate_key ziztour.com_nopass.key;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
}

If HTTP and HTTPS serve the same content, you can force HTTP requests to redirect to HTTPS:

server {
    listen 80;
    server_name test.com;
    # return is cheaper than a rewrite here and preserves the original URI and query string
    return 301 https://$server_name$request_uri;
}
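The two server blocks above, combined and tightened as an added example (this is the editor's config, not the post's): TLS is enabled on the listen directive, the protocol list excludes SSLv3/TLS 1.0/1.1, session tickets are off so a restart rotates the ticket key, HSTS is sent, and the redirect uses $host so it also works when the block serves several names. The script writes that config to a file and runs a few greps against it to catch the pitfalls the post's version had. Host name and certificate paths are assumptions.

```shell
#!/bin/sh
# Added example, not the post's own config: an HTTP-to-HTTPS redirect plus a
# TLS server block using current nginx idioms, with a small lint pass.
# test.com and the /etc/nginx/ssl paths are assumptions.
set -eu

CONF="${CONF:-$(mktemp)}"

write_conf() {
cat > "$CONF" <<'EOF'
server {
    listen 80;
    server_name test.com;
    # $host is the name the client asked for; $request_uri keeps path and query
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name test.com;
    root html;

    ssl_certificate     /etc/nginx/ssl/test.crt;
    ssl_certificate_key /etc/nginx/ssl/test_nopass.key;

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
    ssl_session_tickets off;

    add_header Strict-Transport-Security "max-age=31536000" always;
}
EOF
}

# Return 0 when the config avoids the known pitfalls; each grep is one check.
lint_conf() {
    ! grep -Eq '^[[:space:]]*ssl[[:space:]]+on[[:space:]]*;' "$CONF" \
        || { echo "deprecated 'ssl on;' found" >&2; return 1; }
    grep -Eq 'listen[[:space:]]+443[[:space:]]+ssl' "$CONF" \
        || { echo "TLS not enabled on the 443 listen directive" >&2; return 1; }
    ! grep -Eq 'ssl_protocols.*(SSLv3|TLSv1(\.1)?[; ])' "$CONF" \
        || { echo "obsolete protocol version enabled" >&2; return 1; }
    grep -Eq 'return[[:space:]]+301[[:space:]]+https://' "$CONF" \
        || { echo "no HTTP to HTTPS redirect" >&2; return 1; }
}

# Run stand-alone: write the config and lint it.
write_conf
lint_conf && echo "config OK: $CONF"
```

Drop the generated file into conf.d (or include it from nginx.conf) and run nginx -t before reloading; the greps here only catch directive-level mistakes, nginx itself still has to parse the file and open the certificate paths.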

References:
http://www.lovelucy.info/nginx-ssl-certificate-https-website.html
http://tengine.taobao.org/nginx_docs/cn/docs/http/configuring_https_servers.html
