Nginx高級配置-實現多域名HTTPS
作者:尹正傑
版權聲明:原創作品,謝絕轉載!否則將追究法律責任。
一.Nginx支持基於單個IP實現多域名的功能
Nginx支持基於單個IP實現多域名的功能,並且還支持單IP多域名的基礎之上實現HTTPS,這一點Apache Httpd是不支持的,其實是基於Nginx的SNI(Server Name Indication)功能實現,SNI是為了解決一個Nginx服務器內使用一個IP綁定多個域名和證書的功能,其具體功能是客戶端在連接到服務器建立SSL鏈接之前先發送要訪問站點的域名(Hostname),這樣服務器再根據這個域名返回給客戶端一個合適的證書。
其實配置基於單個IP實現多域名的HTTPS方式也就是重復單個網站的https配置相應步驟。我的實驗環境是在基於Nginx配置單個網站的https(博客鏈接:https://www.cnblogs.com/yinzhengjie/p/12052401.html),也就是上一次試驗基礎之上繼續后續的步驟。
二.生成自簽名證書
1>.生成"mobile.yinzhengjie.org.cn"網站使用的密鑰對
[root@node101.yinzhengjie.org.cn ~]# cd /yinzhengjie/softwares/nginx/certs/
[root@node101.yinzhengjie.org.cn /yinzhengjie/softwares/nginx/certs]#
[root@node101.yinzhengjie.org.cn /yinzhengjie/softwares/nginx/certs]# ll
total 24
-rw-r--r-- 1 root root 2171 Dec 22 08:40 ca.crt
-rw-r--r-- 1 root root 3272 Dec 22 08:40 ca.key
-rw-r--r-- 1 root root 17 Dec 22 09:01 ca.srl
-rw-r--r-- 1 root root 2049 Dec 22 09:01 www.yinzhengjie.org.cn.crt
-rw-r--r-- 1 root root 1769 Dec 22 08:52 www.yinzhengjie.org.cn.csr
-rw-r--r-- 1 root root 3272 Dec 22 08:52 www.yinzhengjie.org.cn.key
[root@node101.yinzhengjie.org.cn /yinzhengjie/softwares/nginx/certs]#
[root@node101.yinzhengjie.org.cn /yinzhengjie/softwares/nginx/certs]# openssl req -newkey rsa:4096 -nodes -sha256 -keyout mobile.yinzhengjie.org.cn.key -out mobile.yinzheng
jie.org.cn.csrGenerating a 4096 bit RSA private key
.......................................................................................................................++
................................................................++
writing new private key to 'mobile.yinzhengjie.org.cn.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:beijing
Organization Name (eg, company) [Default Company Ltd]:yinzhengjie
Organizational Unit Name (eg, section) []:devops
Common Name (eg, your name or your server's hostname) []:mobile.yinzhengjie.org.cn #這里寫網站的主機名稱
Email Address []:y1053419035@qq.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: #這里不要寫密碼
An optional company name []:
[root@node101.yinzhengjie.org.cn /yinzhengjie/softwares/nginx/certs]#
[root@node101.yinzhengjie.org.cn /yinzhengjie/softwares/nginx/certs]# ll
total 32
-rw-r--r-- 1 root root 2171 Dec 22 08:40 ca.crt
-rw-r--r-- 1 root root 3272 Dec 22 08:40 ca.key
-rw-r--r-- 1 root root 17 Dec 22 09:01 ca.srl
-rw-r--r-- 1 root root 1773 Dec 22 10:14 mobile.yinzhengjie.org.cn.csr #是一個公鑰,即證書請求文件
-rw-r--r-- 1 root root 3272 Dec 22 10:14 mobile.yinzhengjie.org.cn.key #私鑰
-rw-r--r-- 1 root root 2049 Dec 22 09:01 www.yinzhengjie.org.cn.crt
-rw-r--r-- 1 root root 1769 Dec 22 08:52 www.yinzhengjie.org.cn.csr
-rw-r--r-- 1 root root 3272 Dec 22 08:52 www.yinzhengjie.org.cn.key
[root@node101.yinzhengjie.org.cn /yinzhengjie/softwares/nginx/certs]#
[root@node101.yinzhengjie.org.cn /yinzhengjie/softwares/nginx/certs]#
2>.簽發證書
[root@node101.yinzhengjie.org.cn /yinzhengjie/softwares/nginx/certs]# ll
total 32
-rw-r--r-- 1 root root 2171 Dec 22 08:40 ca.crt
-rw-r--r-- 1 root root 3272 Dec 22 08:40 ca.key
-rw-r--r-- 1 root root 17 Dec 22 09:01 ca.srl
-rw-r--r-- 1 root root 1773 Dec 22 10:14 mobile.yinzhengjie.org.cn.csr
-rw-r--r-- 1 root root 3272 Dec 22 10:14 mobile.yinzhengjie.org.cn.key
-rw-r--r-- 1 root root 2049 Dec 22 09:01 www.yinzhengjie.org.cn.crt
-rw-r--r-- 1 root root 1769 Dec 22 08:52 www.yinzhengjie.org.cn.csr
-rw-r--r-- 1 root root 3272 Dec 22 08:52 www.yinzhengjie.org.cn.key
[root@node101.yinzhengjie.org.cn /yinzhengjie/softwares/nginx/certs]#
[root@node101.yinzhengjie.org.cn /yinzhengjie/softwares/nginx/certs]#
[root@node101.yinzhengjie.org.cn /yinzhengjie/softwares/nginx/certs]# openssl x509 -req -days 3650 -in mobile.yinzhengjie.org.cn.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out mobile.yinzhengjie.org.cn.crt
Signature ok
subject=/C=CN/ST=beijing/L=beijing/O=yinzhengjie/OU=devops/CN=mobile.yinzhengjie.org.cn/emailAddress=y1053419035@qq.com
Getting CA Private Key
[root@node101.yinzhengjie.org.cn /yinzhengjie/softwares/nginx/certs]#
[root@node101.yinzhengjie.org.cn /yinzhengjie/softwares/nginx/certs]# ll
total 36
-rw-r--r-- 1 root root 2171 Dec 22 08:40 ca.crt
-rw-r--r-- 1 root root 3272 Dec 22 08:40 ca.key
-rw-r--r-- 1 root root 17 Dec 22 10:19 ca.srl
-rw-r--r-- 1 root root 2049 Dec 22 10:19 mobile.yinzhengjie.org.cn.crt #已經被自己的CA服務器簽發的證書文件
-rw-r--r-- 1 root root 1773 Dec 22 10:14 mobile.yinzhengjie.org.cn.csr
-rw-r--r-- 1 root root 3272 Dec 22 10:14 mobile.yinzhengjie.org.cn.key
-rw-r--r-- 1 root root 2049 Dec 22 09:01 www.yinzhengjie.org.cn.crt
-rw-r--r-- 1 root root 1769 Dec 22 08:52 www.yinzhengjie.org.cn.csr
-rw-r--r-- 1 root root 3272 Dec 22 08:52 www.yinzhengjie.org.cn.key
[root@node101.yinzhengjie.org.cn /yinzhengjie/softwares/nginx/certs]#
[root@node101.yinzhengjie.org.cn /yinzhengjie/softwares/nginx/certs]#
三.Nginx證書配置
1>.查看主配置文件
[root@node101.yinzhengjie.org.cn ~]# cat /yinzhengjie/softwares/nginx/conf/nginx.conf
worker_processes 4;
worker_cpu_affinity 00000001 00000010 00000100 00001000;
events {
worker_connections 100000;
use epoll;
accept_mutex on;
multi_accept on;
}
http {
include mime.types;
default_type text/html;
charset utf-8;
log_format my_access_json '{"@timestamp":"$time_iso8601",' '"host":"$server_addr",' '"clientip":"$remote_addr",' '"size":$body_bytes_sent,' '"responsetime":$request_ti
me,' '"upstreamtime":"$upstream_response_time",' '"upstreamhost":"$upstream_addr",' '"http_host":"$host",' '"uri":"$uri",' '"domain":"$host",' '"xff":"$http_x_forwarded_for",' '"referer":"$http_referer",' '"tcp_xff":"$proxy_protocol_addr",' '"http_user_agent":"$http_user_agent",' '"status":"$status"}';
access_log logs/access_json.log my_access_json;
ssl_certificate /yinzhengjie/softwares/nginx/certs/www.yinzhengjie.org.cn.crt;
ssl_certificate_key /yinzhengjie/softwares/nginx/certs/www.yinzhengjie.org.cn.key;
ssl_session_cache shared:sslcache:20m;
ssl_session_timeout 10m;
include /yinzhengjie/softwares/nginx/conf.d/*.conf;
}
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# nginx -t
nginx: the configuration file /yinzhengjie/softwares/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /yinzhengjie/softwares/nginx/conf/nginx.conf test is successful
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# ll /yinzhengjie/softwares/nginx/conf.d/
total 8
-rw-r--r-- 1 root root 186 Dec 22 09:22 https.conf #這個配置文件就是我們上一篇博客配置的內容
-rw-r--r-- 1 root root 438 Dec 22 10:25 mobile.conf #這個配置是咱們新配置的域名
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# cat /yinzhengjie/softwares/nginx/conf.d/https.conf
server {
listen 80;
listen 443 ssl;
server_name www.yinzhengjie.org.cn;
location / {
root /yinzhengjie/data/web/nginx/static;
index index.html;
}
}
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# nginx -t
nginx: the configuration file /yinzhengjie/softwares/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /yinzhengjie/softwares/nginx/conf/nginx.conf test is successful
[root@node101.yinzhengjie.org.cn ~]#
2>.編輯mobile的配置文件支持https功能
[root@node101.yinzhengjie.org.cn ~]# cat /yinzhengjie/softwares/nginx/conf.d/mobile.conf
server {
listen 80;
listen 443 ssl;
server_name mobile.yinzhengjie.org.cn;
ssl_certificate /yinzhengjie/softwares/nginx/certs/mobile.yinzhengjie.org.cn.crt;
ssl_certificate_key /yinzhengjie/softwares/nginx/certs/mobile.yinzhengjie.org.cn.key;
ssl_session_cache shared:sslcache:20m;
ssl_session_timeout 10m;
location / {
root /yinzhengjie/data/web/nginx/mobile;
index index.html;
}
}
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# nginx -t
nginx: the configuration file /yinzhengjie/softwares/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /yinzhengjie/softwares/nginx/conf/nginx.conf test is successful
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]#
3>.創建mobile網站的測試數據
[root@node101.yinzhengjie.org.cn ~]# mkdir -pv /yinzhengjie/data/web/nginx/mobile mkdir: created directory ‘/yinzhengjie/data/web/nginx/mobile’ [root@node101.yinzhengjie.org.cn ~]# [root@node101.yinzhengjie.org.cn ~]# vim /yinzhengjie/data/web/nginx/mobile/index.html [root@node101.yinzhengjie.org.cn ~]# [root@node101.yinzhengjie.org.cn ~]# cat /yinzhengjie/data/web/nginx/mobile/index.html <!doctype html> <html lang="en"> <head> <meta charset="UTF-8" /> <title>尹正傑的網頁</title> <style type="text/css"> h1{ background-color: red; margin: 0; float: right; color: yellow; } </style> </head> <body> <h1>我的博客地址:https://www.cnblogs.com/yinzhengjie</H1> </body> </html> [root@node101.yinzhengjie.org.cn ~]# [root@node101.yinzhengjie.org.cn ~]#
4>.重新加載nginx的配置文件
[root@node101.yinzhengjie.org.cn ~]# ps -ef | grep nginx | grep -v grep
root 9901 1 0 09:28 ? 00:00:00 nginx: master process nginx
nginx 9902 9901 0 09:28 ? 00:00:00 nginx: worker process
nginx 9903 9901 0 09:28 ? 00:00:00 nginx: worker process
nginx 9904 9901 0 09:28 ? 00:00:00 nginx: worker process
nginx 9905 9901 0 09:28 ? 00:00:00 nginx: worker process
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# nginx -s reload
[root@node101.yinzhengjie.org.cn ~]#
[root@node101.yinzhengjie.org.cn ~]# ps -ef | grep nginx | grep -v grep
root 9901 1 0 09:28 ? 00:00:00 nginx: master process nginx
nginx 24916 9901 4 10:41 ? 00:00:00 nginx: worker process
nginx 24917 9901 5 10:41 ? 00:00:00 nginx: worker process
nginx 24918 9901 5 10:41 ? 00:00:00 nginx: worker process
nginx 24919 9901 5 10:41 ? 00:00:00 nginx: worker process
[root@node101.yinzhengjie.org.cn ~]#
5>.客戶端瀏覽器分別訪問"http://mobile.yinzhengjie.org.cn/"和"https://mobile.yinzhengjie.org.cn/"
