目前公司有2個域名,其中這次涉及到3個子域名需要更改為HTTPS傳輸,分別為:
passport.abc.com
www.test.com
admin.test.com
那么就涉及到購買ssl證書的問題,由於價格問題使用3個不同的證書(每個域名一個)。
由於實驗環境,我們就手動生成3個ssl證書
建立目錄,及進入目錄
[root@gz122haproxy95 ~]# mkdir ~/keys
[root@gz122haproxy95 keys]# cd ~/keys
[root@gz122haproxy95 keys]# openssl genrsa -out passport.abc.com.key 2048
[root@gz122haproxy95 keys]# openssl req -new -key passport.abc.com.key -out passport.abc.com.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:CN #國家
State or Province Name (full name) [Berkshire]:GuangDong #省份
Locality Name (eg, city) [Newbury]:ShenZhen #城市
Organization Name (eg, company) [My Company Ltd]:Test.Inc #公司名稱
Organizational Unit Name (eg, section) []:passport.abc.com #組織名稱
Common Name (eg, your name or your server's hostname) []:passport.abc.com #域名
Email Address []:passport@abc.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@gz122haproxy95 keys]# openssl x509 -req -days 3650 -in passport.abc.com.csr -signkey passport.abc.com.key -out passport.abc.com.crt
按照以上方法,把名稱替換掉再制作2份,最后的結果就是
[root@gz122haproxy95 keys]# ls -l
total 36
-rw-r--r-- 1 root root 1354 Dec 4 16:54 admin.test.com.crt
-rw-r--r-- 1 root root 1050 Dec 4 16:54 admin.test.com.csr
-rw-r--r-- 1 root root 1675 Dec 4 16:52 admin.test.com.key
-rw-r--r-- 1 root root 1354 Dec 4 16:48 passport.abc.com.crt
-rw-r--r-- 1 root root 1078 Dec 4 16:44 passport.abc.com.csr
-rw-r--r-- 1 root root 1675 Dec 4 16:41 passport.abc.com.key
-rw-r--r-- 1 root root 1354 Dec 4 16:52 www.test.com.crt
-rw-r--r-- 1 root root 1062 Dec 4 16:52 www.test.com.csr
-rw-r--r-- 1 root root 1679 Dec 4 16:51 www.test.com.key
現在就是Nginx和OpenSSL的安裝與配置(這里注意,一般情況下一個IP只支持一個SSL證書,那么我們現在要在一個IP上實現多個SSL證書,就必須讓Nginx支持TLS SNI,由於默認的OpenSSL是沒有打開TLS SNI的)
[root@gz122haproxy95 ~]# wget
[root@gz122haproxy95 ~]# tar zxf openssl-0.9.8zh.tar.gz
[root@gz122haproxy95 ~]# wget http://nginx.org/download/nginx-1.8.0.tar.gz
[root@gz122haproxy95 ~]# tar zxf nginx-1.8.0.tar.gz
[root@gz122haproxy95 ~]# cd nginx-1.8.0
[root@gz122haproxy95 nginx-1.8.0]# ./configure --prefix=/usr/local/nginx1.8.0 --user=www --group=www --with-http_stub_status_module --with-http_ssl_module --with-http_gzip_static_module --with-openssl=../openssl-0.9.8zh
[root@gz122haproxy95 nginx-1.8.0]# make && make install
#上面只需要解壓openssl即可,然后在nginx的配置參數中添加--with-openssl=DIR指定路徑即可,另外由於openssl需要編譯,所以時間會較長。
在編譯安裝nginx的時候可能會出現pcre庫沒找到或zlib沒找到,在CentOS下可以使用
yum -y install pcre-devel zlib-devel
在安裝編譯好Nginx后,執行
[root@gz122haproxy95 nginx-1.8.0]# /usr/local/nginx1.8.0/sbin/nginx -V
nginx version: nginx/1.8.0
built by gcc 4.1.2 20080704 (Red Hat 4.1.2-55)
built with OpenSSL 0.9.8zh 3 Dec 2015
TLS SNI support enabled #可以看到TLS SNI support打開了
configure arguments: --prefix=/usr/local/nginx1.8.0 --user=www --group=www --with-http_stub_status_module --with-http_ssl_module --with-http_gzip_static_module --with-openssl=../openssl-0.9.8zh
然后配置nginx
upstream passport.abc.com {
server 192.168.20.87:80;
server 192.168.20.88:80;
}
# HTTPS server
#
server {
listen 443 ssl;
server_name passport.abc.com;
ssl_certificate /root/keys/passport.abc.com.crt;
ssl_certificate_key /root/keys/passport.abc.com.key;
ssl_session_cache shared:SSL:1m;
ssl_session_timeout 5m;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
location / {
proxy_pass http://passport.abc.com;
}
}
upstream www.test.com {
server 192.168.20.98:80;
server 192.168.20.99:80;
}
# HTTPS server
#
server {
listen 443 ssl;
server_name www.test.com;
ssl_certificate /root/keys/www.test.com.crt;
ssl_certificate_key /root/keys/www.test.com.key;
ssl_session_cache shared:SSL:1m;
ssl_session_timeout 5m;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
location / {
proxy_pass http://www.test.com;
}
}
通過以上即可實現nginx的HTTPS的多域名反向代理