nginx配置https及url重写
- 一、https简介
- 1、安全访问
- 2、数据的安全性
- 3、数据的完整性
- 3、身份的真实性
- 二、配置https网站
- 1、环境规划
- 2、部署私有CA
- 3、部署https的虚拟主机
- 三、URL重写
- 1、语法
- 四、location的写法
- 1、语法
- 2、location = uri {}
- 3、location ~ uri { }
- 4、location ~* uri { }
- 5、location ^~ uri { }
- 5、location的优先级
- 五、nginx处理php页面
- 1、安装php-fpm
- 2、配置nginx调用php
- 3、测试访问php页面
一、https简介
https 密文
1、安全访问
数据的安全性,加密/解密
数据的完整性
身份的真实性
2、数据的安全性
发送方加密数据,接收方解密数据
-
对称加密算法
加密、解密时使用的密钥是一样的
典型算法: DES、3DES、AES -
非对称加密算法
密钥对,公钥、私钥
公钥加密、私钥解密
典型算法: RSA、DSA -
使用原则
使用对称算法加密真实的数据,使用非对称算法加密对称算法中的密钥
3、数据的完整性
借助哈希算法保证数据的完整性
哈希算法: MD5、SHA
[root@node01 ~]# md5sum /etc/fstab
e48a442f1af72ac73d69ba0b12de254b /etc/fstab
[root@node01 ~]# sha224sum /etc/passwd
6b427e3f351f343325baa53ef9a04f14ff13172f50ee9c2fd32fbe65 /etc/passwd
3、身份的真实性
私钥签名,公钥验证签名
- 实际应用:
密钥、证书
- 证书的来源
互联网上发布业务,向CA申请证书
私有CA
二、配置https网站
1、环境规划
manage.linux.com /web/manage
192.168.140.10 nginx服务器
192.168.140.11 私有CA
2、部署私有CA
- 创建两个数据库文件
[root@ca ~]# touch /etc/pki/CA/index.txt
[root@ca ~]# echo 01 > /etc/pki/CA/serial
[root@ca ~]# cat /etc/pki/CA/serial
01
- 创建密钥对
[root@ca ~]# openssl genrsa -out /etc/pki/CA/private/cakey.pem 1024
Generating RSA private key, 1024 bit long modulus
...++++++
..............++++++
e is 65537 (0x10001)
- 创建自签证书
[root@ca ~]# openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/cacert.pem -days 3650
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:bj
Locality Name (eg, city) [Default City]:bj
Organization Name (eg, company) [Default Company Ltd]:easthome
Organizational Unit Name (eg, section) []:easthome
Common Name (eg, your name or your server's hostname) []:ca.linux.com
Email Address []:
3、部署https的虚拟主机
- 创建网站的密钥
[root@node01 ~]# mkdir /usr/local/nginx/ssl
[root@node01 ~]# cd /usr/local/nginx/ssl
[root@node01 ssl]# openssl genrsa -out manage.key 1024
Generating RSA private key, 1024 bit long modulus
....++++++
.......................++++++
e is 65537 (0x10001)
[root@node01 ssl]# ls
manage.key
- 创建证书申请
[root@node01 ssl]# openssl req -new -key manage.key -out manage.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:bj
Locality Name (eg, city) [Default City]:bj
Organization Name (eg, company) [Default Company Ltd]:easthome
Organizational Unit Name (eg, section) []:easthome
Common Name (eg, your name or your server's hostname) []:manage.linux.com
Email Address []:bj@qq.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
- 将证书申请发送到CA审核
[root@node01 ssl]# scp manage.csr root@192.168.140.11:/opt/
manage.csr 100% 688 744.6KB/s 00:00
[root@node01 ssl]#
- CA签发证书, 将证书发送回网站服务器
[root@ca ~]# openssl ca -in /opt/manage.csr -out /etc/pki/CA/certs/manage.crt -days 3650
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Oct 29 06:25:54 2024 GMT
Not After : Oct 27 06:25:54 2034 GMT
Subject:
countryName = cn
stateOrProvinceName = bj
organizationName = easthome
organizationalUnitName = easthome
commonName = manage.linux.com
emailAddress = bj@qq.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
6E:90:6A:1B:F0:5F:9D:AD:5E:49:D7:AC:59:CF:BC:6A:AF:7E:44:BF
X509v3 Authority Key Identifier:
keyid:83:17:3A:29:2A:1C:6A:1E:E4:13:68:85:D1:92:59:3F:E6:34:88:49
Certificate is to be certified until Oct 27 06:25:54 2034 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@ca ~]# cat /etc/pki/CA/serial
02
[root@ca ~]# cat /etc/pki/CA/index.txt
V 341027062554Z 01 unknown /C=cn/ST=bj/O=easthome/OU=easthome/CN=manage.linux.com/emailAddress=bj@qq.com
[root@ca ~]# scp /etc/pki/CA/certs/manage.crt root@192.168.140.10:/usr/local/nginx/ssl
Warning: Permanently added '192.168.140.10' (ECDSA) to the list of known hosts.
manage.crt 100% 3137 1.4MB/s 00:00
- 创建网页目录,测试网页
[root@node01 ~]# mkdir -p /web/manage
[root@node01 ~]# vim /web/manage/index.html
[root@node01 ~]# cat /web/manage/index.html
<h1> web manage </h1>
- 确认nginx安装了ssl模块
[root@node01 ~]# /usr/local/nginx/sbin/nginx -V
nginx version: nginx/1.26.2
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-44) (GCC)
built with OpenSSL 1.0.2k-fips 26 Jan 2017
TLS SNI support enabled
configure arguments: --prefix=/usr/local/nginx --with-http_ssl_module --with-http_stub_status_module
- 配置虚拟主机
[root@node01 ~]# cat /usr/local/nginx/conf.d/manage.conf
server {
listen 443 ssl;
server_name manage.linux.com;
error_log /usr/local/nginx/logs/manage_error.log error;
access_log /usr/local/nginx/logs/manage_access.log main;
ssl_certificate /usr/local/nginx/ssl/manage.crt;
ssl_certificate_key /usr/local/nginx/ssl/manage.key;
ssl_session_cache shared:SSL:1m;
ssl_session_timeout 5m;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
location / {
root /web/manage;
index index.html index.htm;
}
}
[root@node01 ~]# vim /usr/local/nginx/conf/nginx.conf
include /usr/local/nginx/conf.d/manage.conf;
- 重新加载nginx,测试访问
[root@node01 ~]# /usr/local/nginx/sbin/nginx -s reload
[root@node01 ~]# netstat -tunlp | grep nginx
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 1029/nginx: master
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 1029/nginx: master
三、URL重写
1、语法
rewrite 旧uri地址 新uri地址;
注意事项:
1、旧地址不包含请求中的参数
2、旧地址支持正则表达式
3、建议新地址写完整的URL地址,避免循环替换
- 需求1:
rewrite ^/audio http://blog.linux.com/mp3;
rewrite ^/audio/(.*) http://blog.linux.com/mp3/$1;
- 需求2: 网站换名
rewrite ^/ https://www.jd.com;
需求3: https自动跳转
if ($host = manage.linux.com) {
rewrite ^/ https://manage.linux.com;
}
$host:nginx内部变量,用于匹配网站的主机名
四、location的写法
1、语法
location [ = | ~ | ~* | ^~ ] uri { ... }
2、location = uri {}
精确匹配
location = /test { } http://x.y.z/test
location = / { } http://x.y.z/
// 定义错误页面
error_page 404 /404.html;
location = /404.html {
root /web/blog;
}
3、location ~ uri { }
以正则表达式的方式匹配请求,区分大小写
location ~ /test { }
http://x.y.z/test/b
http://x.y.z/a/b/test
http://x.y.z/admin/test/person
// 匹配所有图片的请求
location ~ \.(jpg|jpeg|gif|png)$ { }
4、location ~* uri { }
以正则表达式的方式匹配请求,不区分大小写
location ~* \.php$ { }
http://x.y.z/test/index.php
http://x.y.z/test/admin.PHP
5、location ^~ uri { }
不以正则表达式的方式匹配请求
location ^~ /test {}
http://x.y.z./test/ab/c
http://x.y.z/test/logo/admin
5、location的优先级
同一个网站中存在多个location时,一个请求可能 会被多个location同时匹配,按优先级处理
从高到低
= ^~ ~ ~* location /
五、nginx处理php页面
nginx默认只能处理静态资源,服务器上运行PHP网站,还得需要php软件的支持,同时需要配置nginx通过fastCGI机制能够成功调用php
1、安装php-fpm
[root@node01 ~]# yum install -y php php-fpm
[root@node01 ~]# systemctl enable --now php-fpm
[root@node01 ~]# netstat -tunlp | grep php
tcp 0 0 127.0.0.1:9000 0.0.0.0:* LISTEN 2576/php-fpm: maste
[root@node01 ~]#
[root@node01 ~]# ps -elf | grep php
4 S root 2576 1 0 80 0 - 58155 ep_pol 10:35 ? 00:00:00 php-fpm: master process (/etc/php-fpm.conf)
5 S apache 2577 2576 0 80 0 - 58242 inet_c 10:35 ? 00:00:00 php-fpm: pool www
5 S apache 2578 2576 0 80 0 - 58155 inet_c 10:35 ? 00:00:00 php-fpm: pool www
5 S apache 2579 2576 0 80 0 - 58155 inet_c 10:35 ? 00:00:00 php-fpm: pool www
5 S apache 2580 2576 0 80 0 - 58242 inet_c 10:35 ? 00:00:00 php-fpm: pool www
5 S apache 2581 2576 0 80 0 - 58155 inet_c 10:35 ? 00:00:00 php-fpm: pool www
2、配置nginx调用php
location ~ \.php$ {
root /web/blog;
fastcgi_pass 127.0.0.1:9000; // 调用php,指定php的IP和端口
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include fastcgi_params;
}
3、测试访问php页面
<h1> AAAAAAAAAAAAAAA </h1>
<h2> BBBBBBBBBBBBBBB </h2>
<?php
phpinfo();
echo "<h1>Hello PHP, wmh@@@@@World!</h1>";
?>
