I. HTTPS
Two risks with plain HTTP:
1. Data in transit is intercepted by a man-in-the-middle and information leaks
2. Data content is hijacked and tampered with
How the HTTPS protocol addresses this:
It encrypts the transmitted content and verifies identity.
II. Generating a self-signed certificate
2.1 Make sure openssl is installed
[root@liujie ~]# openssl version
OpenSSL 1.0.2k-fips 26 Jan 2017
2.2 Generate the key file
[root@liujie ~]# cd /etc/nginx/
[root@liujie nginx]# mkdir ssl_key
[root@liujie nginx]# cd ssl_key/
[root@liujie ssl_key]# openssl genrsa -idea -out jesonc.key 1024
Then enter a passphrase when prompted (the key file is encrypted with it).
[root@liujie ssl_key]# ll
total 0
-rw-r--r-- 1 root root 0 Dec 16 03:09 jesonc.key
2.3 Create the certificate signing request (CSR)
[root@liujie ssl_key]# openssl req -new -key jesonc.key -out jesonc.csr   // enter the key passphrase
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN //country
State or Province Name (full name) []:beijing //province
Locality Name (eg, city) [Default City]:beijing //city
Organization Name (eg, company) [Default Company Ltd]:CN
Organizational Unit Name (eg, section) []:liujie //department
Common Name (eg, your name or your server's hostname) []:liujie.com //the site (hostname) the certificate is issued for
Email Address []:liujie961010@163.com //e-mail address
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: //password, keep it safe
An optional company name []:gongsimingzi //company name, optional
2.4 Build the self-signed crt certificate from the two files
[root@liujie ssl_key]# openssl x509 -req -days 3650 -in jesonc.csr -signkey jesonc.key -out jesonc.crt
//3650 is the number of days until the certificate expires
//enter the key passphrase
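Steps 2.2 to 2.4 run without prompts, as an added example that is not part of the original notes (it assumes openssl is on PATH; the directory, passphrase and hostname are demo values). It also produces the passphrase-free copy of the key that the nginx config in 2.5 refers to as jesonc_nopass.key, and checks that key and certificate belong together before nginx is pointed at them.

```shell
#!/bin/sh
# Added example, not from the original notes: steps 2.2 to 2.4 run without
# prompts, plus the checks worth doing before pointing nginx at the files.
# Directory, passphrase and hostname are assumed demo values.
set -eu

make_cert() {
  dir="$1"; cn="$2"; pass="$3"
  mkdir -p "$dir"
  # 2.2: passphrase-protected key. 2048 bits instead of the page's 1024, and
  # AES-256 instead of -idea, which newer OpenSSL builds leave disabled.
  openssl genrsa -aes256 -passout "pass:$pass" -out "$dir/server.key" 2048 2>/dev/null
  # 2.3: CSR with the subject given on the command line instead of the prompts
  openssl req -new -key "$dir/server.key" -passin "pass:$pass" \
    -subj "/C=CN/ST=beijing/L=beijing/O=CN/OU=liujie/CN=$cn" \
    -out "$dir/server.csr" 2>/dev/null
  # 2.4: self-sign for 3650 days
  openssl x509 -req -days 3650 -in "$dir/server.csr" -signkey "$dir/server.key" \
    -passin "pass:$pass" -out "$dir/server.crt" 2>/dev/null
  # The jesonc_nopass.key that the nginx config comments out is made this way:
  # same key with the passphrase removed, so nginx can restart unattended.
  # Anyone who can read it can impersonate the server, hence mode 600.
  openssl rsa -in "$dir/server.key" -passin "pass:$pass" \
    -out "$dir/server_nopass.key" 2>/dev/null
  chmod 600 "$dir/server.key" "$dir/server_nopass.key"
}

# Exit status 0 when the certificate's public key matches the private key
key_matches_cert() {
  k=$(openssl rsa -in "$1" -pubout 2>/dev/null)
  c=$(openssl x509 -in "$2" -pubkey -noout)
  [ "$k" = "$c" ]
}

# Exit status 0 when issuer equals subject, i.e. the certificate is self-signed
is_self_signed() {
  s=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//')
  i=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer= *//')
  [ "$s" = "$i" ]
}

# Prints the Common Name; handles both the 1.0 and the 1.1+ subject formats
cert_cn() {
  openssl x509 -in "$1" -noout -subject | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

DEMO_DIR=$(mktemp -d)
make_cert "$DEMO_DIR" liujie.com demo-passphrase
key_matches_cert "$DEMO_DIR/server_nopass.key" "$DEMO_DIR/server.crt" && echo "key and cert match"
```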
2.5 The nginx HTTPS server
Configure a virtual server:
[root@liujie conf.d]# vim test_https.conf
server
{
    listen 443;
    server_name 10.10.11.221 liujie.com;
    ssl on;
    ssl_certificate /etc/nginx/ssl_key/jesonc.crt;
    ssl_certificate_key /etc/nginx/ssl_key/jesonc.key;
    #ssl_certificate_key /etc/nginx/ssl_key/jesonc_nopass.key;
    index index.html index.htm;
    location / {
        root /opt/app/code;
    }
}
Restart nginx and check the port:
[root@liujie run]# netstat -luntp | grep 443
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 2356/nginx: master
If you see: nginx: [error] invalid PID number "" in "/run/nginx.pid"
then you need to run first:
nginx -c /etc/nginx/nginx.conf
and then:
nginx -s reload
2.6 Access test
III. HTTPS optimization
1. Enable keepalive long-lived connections
2. Set up the SSL session cache
server
{
    listen 443;
    server_name 10.10.11.221 liujie.com;
    keepalive_timeout 100;   # nginx keepalive (long-lived connection) timeout, default 75s
    ssl on;
    ssl_session_cache shared:SSL:10m;   # shared cache; 10m can hold 8000-10000 sessions
    ssl_session_timeout 10m;   # sessions expire after 10 minutes
    ssl_certificate /etc/nginx/ssl_key/jesonc.crt;
    ssl_certificate_key /etc/nginx/ssl_key/jesonc.key;
    #ssl_certificate_key /etc/nginx/ssl_key/jesonc_nopass.key;
    index index.html index.htm;
    location / {
        root /opt/app/code;
    }
}