Nginx HTTPS service


1. HTTPS

Plain HTTP has two problems:

1. Data in transit can be read by a man-in-the-middle, leaking information.
2. The content can be hijacked and tampered with on the way.

What HTTPS provides:
the transmitted content is encrypted, and the server proves its identity with a certificate that the client verifies.


2. Self-signed certificate generation

2.1 Make sure openssl is installed

[root@liujie ~]# openssl version
OpenSSL 1.0.2k-fips  26 Jan 2017

2.2 Generate the key file

[root@liujie ~]# cd /etc/nginx/
[root@liujie nginx]# mkdir ssl_key
[root@liujie nginx]# cd ssl_key/
[root@liujie ssl_key]# openssl genrsa -idea -out jesonc.key 1024    # prompts for a passphrase, entered twice
[root@liujie ssl_key]# ll
 total 0
 -rw-r--r-- 1 root root 0 Dec 16 03:09 jesonc.key

Three things to check at this point. A 0-byte file, as in this listing, means openssl did not write the key (usually the two passphrase entries did not match); rerun the command until the file has content. The default mode 0644 leaves the private key world-readable, so restrict it to 0600 before going further. And 1024-bit RSA is below current minimums; use 2048 bits or more for anything beyond a lab. The -idea option encrypts the key with the passphrase, which nginx will then ask for on every start and reload unless the passphrase is supplied with ssl_password_file or an unencrypted copy of the key is used.

2.3 Create the certificate signing request (CSR)

[root@liujie ssl_key]# openssl req -new -key jesonc.key -out jesonc.csr   # prompts for the key passphrase
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN   # country
State or Province Name (full name) []:beijing   # province
Locality Name (eg, city) [Default City]:beijing   # city
Organization Name (eg, company) [Default Company Ltd]:CN
Organizational Unit Name (eg, section) []:liujie  # department
Common Name (eg, your name or your server's hostname) []:liujie.com   # the hostname the certificate is issued for; must match what clients put in the URL
Email Address []:liujie961010@163.com  # e-mail address

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:   # optional; if you set one, keep it safe
An optional company name []:gongsimingzi  # company name, may be left blank

Note that browsers no longer accept a hostname that appears only in the Common Name: the certificate also needs a subjectAltName entry for liujie.com, which the interactive prompts above do not add.

2.4 Build the self-signed crt certificate from the two files

[root@liujie ssl_key]# openssl x509 -req -days 3650 -in jesonc.csr -signkey jesonc.key -out jesonc.crt
# 3650 is the validity period in days
# prompts for the key passphrase
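The three steps of 2.2 to 2.4 as one non-interactive script, with the corrections noted above (2048-bit key, 0600 permissions, a subjectAltName added through an extension file) and checks that the produced certificate actually belongs to the key. This is an added example and not code from the original post; the hostname liujie.com, the subject fields and the temporary directory are assumptions, and the script needs only the openssl command line.

```shell
#!/bin/sh
# Added example, not part of the original post: the key / CSR / self-signed
# certificate steps of 2.2-2.4 as one script. Hostname, subject fields and
# the output directory are assumptions.
set -eu

# gen_selfsigned DIR HOST: writes DIR/server.key, DIR/server.csr, DIR/server.crt
gen_selfsigned() {
    dir="$1"; host="$2"
    # unencrypted 2048-bit RSA key; no -idea, so nginx will not prompt for a passphrase
    openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
    chmod 600 "$dir/server.key"      # the private key must not be world-readable
    # CSR with the subject given on the command line instead of the interactive prompts
    openssl req -new -key "$dir/server.key" \
        -subj "/C=CN/ST=beijing/L=beijing/O=CN/OU=liujie/CN=$host" \
        -out "$dir/server.csr"
    # x509 -req does not carry extensions over from the CSR, so add the SAN via -extfile
    printf 'subjectAltName=DNS:%s\nbasicConstraints=CA:FALSE\n' "$host" > "$dir/san.ext"
    openssl x509 -req -days 365 -in "$dir/server.csr" -signkey "$dir/server.key" \
        -extfile "$dir/san.ext" -out "$dir/server.crt" 2>/dev/null
}

# key_matches_cert KEY CRT: "match" when the certificate carries this key's public half
key_matches_cert() {
    k=$(openssl rsa -in "$1" -pubout 2>/dev/null | openssl md5)
    c=$(openssl x509 -in "$2" -pubkey -noout | openssl md5)
    if [ "$k" = "$c" ]; then echo match; else echo mismatch; fi
}

# cert_has_san CRT HOST: "yes" when HOST is listed as a DNS subjectAltName
cert_has_san() {
    if openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"; then echo yes; else echo no; fi
}

# cert_key_bits CRT: size in bits of the RSA public key inside the certificate
cert_key_bits() {
    openssl x509 -in "$1" -noout -text | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# key_mode KEY: octal permission bits of the key file (GNU stat first, BSD stat as fallback)
key_mode() {
    stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"
}

demo() {
    d=$(mktemp -d)
    gen_selfsigned "$d" liujie.com
    echo "key/cert: $(key_matches_cert "$d/server.key" "$d/server.crt")"
    echo "SAN liujie.com: $(cert_has_san "$d/server.crt" liujie.com)"
    echo "key bits: $(cert_key_bits "$d/server.crt"), key mode: $(key_mode "$d/server.key")"
    openssl x509 -in "$d/server.crt" -noout -subject -dates
}

if command -v openssl >/dev/null 2>&1; then demo; else echo "openssl not found" >&2; fi
```

Copy server.key and server.crt into /etc/nginx/ssl_key/ and point ssl_certificate and ssl_certificate_key at them; because the key is stored unencrypted, the file permissions are the only thing protecting it, which is why the script sets mode 600 immediately after generation.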

2.5 The nginx HTTPS server

Configure a virtual server:

[root@liujie conf.d]# vim test_https.conf

 server
 {
 listen       443 ssl;
 server_name  10.10.11.221 liujie.com;
 ssl_certificate /etc/nginx/ssl_key/jesonc.crt;
 ssl_certificate_key /etc/nginx/ssl_key/jesonc.key;
 #ssl_certificate_key /etc/nginx/ssl_key/jesonc_nopass.key;

 index index.html index.htm;
 location / {
      root  /opt/app/code;
  }
}

The original form of this block used "listen 443;" together with "ssl on;"; the ssl directive has been deprecated since nginx 1.15.0 in favour of the ssl parameter on listen, which is what is shown above. Because jesonc.key was encrypted with a passphrase, nginx prompts for it on every start and reload; the commented-out jesonc_nopass.key line is the usual workaround (a copy of the key with the passphrase removed), the alternative being ssl_password_file.

Check the configuration with nginx -t, restart nginx and look at the port:

[root@liujie run]# netstat  -luntp  | grep 443
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      2356/nginx: master

If you get: nginx: [error] invalid PID number "" in "/run/nginx.pid"
then nginx is not running and there is no master process to signal, so start it first with the main configuration and only then reload:

nginx -c /etc/nginx/nginx.conf
nginx -s reload

2.6 Access test

Open https://liujie.com/ in a browser. It will warn that the certificate is not trusted, because it is self-signed and not issued by a CA the browser knows; curl reports the same unless it is given the certificate with --cacert or told to skip verification with -k.


3. HTTPS optimization

1. Enable keepalive long connections
2. Set up the SSL session cache

 server
 {
 listen       443 ssl;
 server_name  10.10.11.221 liujie.com;


  keepalive_timeout 100;    # nginx keepalive; the default is 75s


 ssl_session_cache shared:SSL:10m;   # cache shared by all workers; about 4000 sessions per megabyte, so roughly 40000 for 10m
 ssl_session_timeout 10m;    # sessions expire after 10 minutes


 ssl_certificate /etc/nginx/ssl_key/jesonc.crt;
 ssl_certificate_key /etc/nginx/ssl_key/jesonc.key;
 #ssl_certificate_key /etc/nginx/ssl_key/jesonc_nopass.key;

 index index.html index.htm;
 location / {
      root  /opt/app/code;
  }
}

Two corrections to the block as originally written: nginx comments start with "#", not "//" (a "//..." after a directive is parsed as an unknown directive and nginx -t fails), and the capacity figure comes from the nginx documentation, which gives about 4000 sessions per megabyte of shared cache rather than 8000 to 10000 for 10m. Keepalive saves the TCP and TLS setup for subsequent requests on the same connection; the session cache lets a client that reconnects within ssl_session_timeout resume its session with an abbreviated handshake instead of a full one.
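A small audit of the HTTPS settings discussed in 2.5 and 3, run over two constructed server blocks: the weak one as it appeared on this page and a corrected one, with the session cache sizing rule from the nginx documentation (about 4000 sessions per megabyte) applied to whatever size the block declares. This is an added example, not code from the original post or from nginx; the file names, the ssl_password_file path and the "fixed" block are assumptions, and the checks are textual heuristics, not a replacement for nginx -t.

```shell
#!/bin/sh
# Added example, not part of the original post: audit an nginx server block
# for the TLS settings discussed above. Paths and sample blocks are assumptions.
set -eu

# write_samples DIR: writes DIR/weak.conf (the page's 2.5 block) and DIR/fixed.conf
write_samples() {
    cat > "$1/weak.conf" <<'EOF'
server
{
 listen       443;
 server_name  10.10.11.221 liujie.com;
 ssl on;
 ssl_certificate /etc/nginx/ssl_key/jesonc.crt;
 ssl_certificate_key /etc/nginx/ssl_key/jesonc.key;
 index index.html index.htm;
 location / {
      root  /opt/app/code;
 }
}
EOF
    cat > "$1/fixed.conf" <<'EOF'
server {
    listen       443 ssl;                 # ssl parameter on listen replaces the old directive
    server_name  liujie.com;

    ssl_certificate     /etc/nginx/ssl_key/jesonc.crt;
    ssl_certificate_key /etc/nginx/ssl_key/jesonc.key;
    ssl_password_file   /etc/nginx/ssl_key/jesonc.pass;   # only needed for a passphrase-protected key

    ssl_protocols       TLSv1.2 TLSv1.3;  # pin instead of relying on the build default
    ssl_session_cache   shared:SSL:10m;   # resumption cache shared by all workers
    ssl_session_timeout 10m;
    keepalive_timeout   100;

    location / {
        root  /opt/app/code;
        index index.html index.htm;
    }
}
EOF
}

# audit_tls_conf FILE: one finding per line, no output when the block is clean
audit_tls_conf() {
    f="$1"
    if grep -Eq '^[[:space:]]*ssl[[:space:]]+on[[:space:]]*;' "$f"; then
        echo "'ssl on;' is deprecated since nginx 1.15.0; use 'listen 443 ssl;'"
    elif ! grep -Eq '^[[:space:]]*listen[[:space:]].*443.*[[:space:]]ssl([[:space:];]|$)' "$f"; then
        echo "port 443 is listened on without ssl: it would serve plain HTTP"
    fi
    if ! grep -Eq '^[[:space:]]*ssl_session_cache[[:space:]]' "$f"; then
        echo "ssl_session_cache missing: every new connection pays a full TLS handshake"
    fi
    if ! grep -Eq '^[[:space:]]*ssl_protocols[[:space:]]' "$f"; then
        echo "ssl_protocols not set: the build default decides which TLS versions are offered"
    fi
    if grep -Eq '(^|;)[[:space:]]*//' "$f"; then
        echo "'//' is not a comment in nginx configuration; use '#'"
    fi
}

# audit_count FILE: number of findings
audit_count() {
    audit_tls_conf "$1" | wc -l | tr -d ' '
}

# cache_size_from_conf FILE: the SIZE part of "ssl_session_cache shared:NAME:SIZE"
cache_size_from_conf() {
    sed -n 's/.*ssl_session_cache[[:space:]]*shared:[^:]*:\([0-9]*[kKmM]\).*/\1/p' "$1"
}

# session_capacity SIZE: sessions a shared cache of SIZE (10m, 512k, or plain bytes)
# holds, using the nginx documentation figure of roughly 4000 sessions per megabyte
session_capacity() {
    n=${1%[kKmM]}
    case "$1" in
        *[mM]) echo $((n * 4000)) ;;
        *[kK]) echo $((n * 4000 / 1024)) ;;
        *)     echo $((n * 4000 / 1048576)) ;;
    esac
}

demo() {
    d=$(mktemp -d)
    write_samples "$d"
    for c in weak fixed; do
        echo "== $c.conf: $(audit_count "$d/$c.conf") finding(s)"
        audit_tls_conf "$d/$c.conf"
    done
    s=$(cache_size_from_conf "$d/fixed.conf")
    echo "shared:SSL:$s holds about $(session_capacity "$s") sessions"
}
demo
```

Point audit_tls_conf at a real file under /etc/nginx/conf.d/ to get the same report for a live server block; the fixed.conf heredoc doubles as the corrected form of the block in 2.5 and 3.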