Configuring HTTPS in Nginx

1. Generate a certificate

Use keytool, which ships with the Java JDK, to generate the keystore file:

keytool -genkeypair -alias casserver -keyalg RSA -keysize 2048 -keypass lumingclient -validity 365 -keystore d:\sso\casserver.keystore -storepass lumingclient

The original command used -keysize 1024; 1024-bit RSA is below the 2048-bit minimum that NIST and the browser root programs require, so use 2048 or larger. -genkey is the older alias of -genkeypair and still works. Current browsers match the host name against the subject alternative name, not only the CN, so add -ext SAN=dns:<hostname> to the command as well.

The "first and last name" (the certificate's CN) that the screenshot asks for must be identical to the name configured in the hosts file above (the machine's hostname also works); it is what browsers compare against the address in the URL.

keypass and storepass must be identical, otherwise the Tomcat HTTPS configuration below fails; keytool's PKCS12 stores (step 2) also do not support a key password that differs from the store password.

2. Export the private key (openssl required)

This produces the PEM certificate and the key file that nginx reads.

1) Convert the keystore to a PKCS12 file with keytool

keytool -importkeystore -srckeystore d:/sso/casserver.keystore -destkeystore d:/sso/newkeystore.p12 -deststoretype PKCS12

(Since JDK 9 keytool creates PKCS12 stores by default; a keystore that is already PKCS12 can be fed to openssl directly.)

To list the entries of the new store, use

keytool -list -storetype PKCS12 -keystore d:/sso/newkeystore.p12

(-deststoretype is an option of -importkeystore; -list takes -storetype.)

2) Extract the PEM certificate with openssl

openssl pkcs12 -nokeys -clcerts -in d:/sso/newkeystore.p12 -out d:/sso/casserver.pem

This is the certificate (it carries the public key), not a separate public-key file; it is what ssl_certificate points to in the nginx configuration below.

3) Extract the private key with openssl

openssl pkcs12 -nocerts -nodes -in d:/sso/newkeystore.p12 -out d:/sso/casserver.key

-nodes writes the key unencrypted, which is what nginx needs in order to start without a passphrase prompt. Restrict the file to the user nginx runs as (for example chmod 600) and keep it out of any directory the web server serves.
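The pipeline of steps 1 and 2 carried through with openssl alone, followed by the checks worth running before the files are handed to nginx. This is an added example, not code from the original page: "openssl req" stands in for keytool -genkeypair (assuming the JDK is not installed), and the PKCS12 container it builds is the same format keytool -importkeystore writes. The host name sso.example.test, the working directory and the file names are assumptions, not values from the page.

```shell
#!/bin/sh
# Added example (not from the original page): keystore -> PKCS12 -> PEM with openssl only,
# then the checks a practitioner runs before "nginx -s reload".
# Assumptions: host name sso.example.test, temporary working directory, no JDK available.
set -eu

WORK="${WORK:-$(mktemp -d)}"
STOREPASS="lumingclient"          # the password used by the page's keytool command

# Step 1 equivalent: 2048-bit RSA self-signed certificate with the host name in the SAN
# as well as the CN (browsers ignore the CN); with keytool this is -ext SAN=dns:sso.example.test.
make_p12() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=sso.example.test" \
        -addext "subjectAltName=DNS:sso.example.test" \
        -keyout "$WORK/casserver.key.tmp" -out "$WORK/casserver.crt" 2>/dev/null
    # same container that keytool -importkeystore -deststoretype PKCS12 produces
    openssl pkcs12 -export -name casserver \
        -inkey "$WORK/casserver.key.tmp" -in "$WORK/casserver.crt" \
        -passout "pass:$STOREPASS" -out "$WORK/newkeystore.p12"
    rm -f "$WORK/casserver.key.tmp"
}

# Steps 2.2 and 2.3: the certificate (not a "public key file") and the unencrypted key.
extract_pem() {
    openssl pkcs12 -in "$WORK/newkeystore.p12" -passin "pass:$STOREPASS" \
        -nokeys -clcerts -out "$WORK/certfile.pem"
    # -nodes leaves the key in clear, so create it owner-readable only (subshell keeps umask local)
    ( umask 077; openssl pkcs12 -in "$WORK/newkeystore.p12" -passin "pass:$STOREPASS" \
        -nocerts -nodes -out "$WORK/keyfile.key" )
}

# Checks: the key belongs to the certificate (otherwise nginx refuses to start with
# "key values mismatch"), the modulus is at least 2048 bits, the certificate is not expired.
verify_pair() {
    cert_pub=$(openssl x509 -in "$WORK/certfile.pem" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$WORK/keyfile.key" -pubout 2>/dev/null | openssl sha256)
    [ "$cert_pub" = "$key_pub" ] || { echo "private key does not match certificate" >&2; return 1; }

    bits=$(openssl pkey -in "$WORK/keyfile.key" -noout -text 2>/dev/null \
           | sed -n 's/.*Private-Key: (\([0-9][0-9]*\) bit.*/\1/p')
    [ "${bits:-0}" -ge 2048 ] || { echo "RSA key too small: ${bits:-?} bits" >&2; return 1; }

    openssl x509 -in "$WORK/certfile.pem" -noout -checkend 0 >/dev/null \
        || { echo "certificate has expired" >&2; return 1; }
}

# The name nginx will present; it must equal what clients type, or they get a name mismatch.
cert_san() {
    openssl x509 -in "$WORK/certfile.pem" -noout -ext subjectAltName | tail -n 1 | sed 's/^ *//'
}

if command -v openssl >/dev/null 2>&1; then
    make_p12 && extract_pem && verify_pair \
        && echo "ready for nginx: $WORK/certfile.pem $WORK/keyfile.key (SAN: $(cert_san))"
fi
```

Run it as `sh export_and_verify.sh`; the two files it reports are what ssl_certificate and ssl_certificate_key point to. The public-key comparison is the same test nginx performs at startup, so running it here turns a failed reload into a clear message before the server is touched.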

3. Configure the certificate and key in nginx

Locate the main nginx configuration file (nginx.conf) and proceed as follows:

  1. Find the HTTPS server block.

  2. Uncomment it ("#" starts a comment).

  3. The default HTTPS port is 443.

  4. Point nginx at the certificate and the private key (the .pem and .key files produced above):
    ssl_certificate D:/sso/casserver.pem;
    ssl_certificate_key D:/sso/casserver.key;

4. Configure access rules

Then configure nginx's proxy rules. The HTTPS-related part looks like this:

server {
    listen       443 ssl;
    server_name  127.0.0.1;

    ssl_certificate       D:/sso/casserver.pem;
    ssl_certificate_key   D:/sso/casserver.key;

    # TLS 1.2 and 1.3 only; TLS 1.0/1.1 are deprecated (RFC 8996).
    # TLSv1.3 needs nginx 1.13.0+ built against OpenSSL 1.1.1+; on older builds keep only TLSv1.2.
    ssl_protocols         TLSv1.2 TLSv1.3;

    ssl_session_cache    shared:SSL:1m;
    ssl_session_timeout  5m;

    ssl_ciphers  HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers  on;

    location / {
        charset UTF-8;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        # Forward the request URI unchanged. Rebuilding it from $uri re-sends the decoded,
        # normalized path to the backend, and "8443/$uri" produced a leading double slash.
        proxy_pass https://127.0.0.1:8443;
    }
}

Note that nginx does not verify the backend's certificate by default (proxy_ssl_verify is off): whatever answers on 127.0.0.1:8443 is accepted. On a loopback backend that is tolerable; for a backend on another host, enable proxy_ssl_verify and point proxy_ssl_trusted_certificate at the certificate the backend presents.

5. Configure logging

Rotate the access log by date using the request time. The if block must sit in a server (or location) context, and an access_log path that contains variables is opened and closed on every write unless open_log_file_cache is set; the worker user also needs write permission on /var/log/nginx so it can create the daily files:

    if ($time_iso8601 ~ "^(\d{4})-(\d{2})-(\d{2})") {
        set $year $1;
        set $month $2;
        set $day $3;
    }
    access_log /var/log/nginx/$year-$month-$day-access.log;

6. Load balancing

Simple HTTP load balancing

  upstream  myslb {
        server    127.0.0.1:8080;
        server    127.0.0.1:8081;
    }

    server {
        listen       8000;
        server_name  127.0.0.1;

        location / {
            # Wildcard CORS: any origin may read these responses. Browsers refuse "*" together
            # with credentials; restrict it to known origins if the backend serves private data.
            add_header 'Access-Control-Allow-Origin' *;
            charset UTF-8;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            # forward the original URI; "http://myslb/$uri..." produced a double slash and a decoded path
            proxy_pass http://myslb;
        }

    }

HTTPS load balancing

 upstream  myhttpsslb {
        server    127.0.0.1:8443;
        server    127.0.0.1:8444;
  }

  server {
       listen 8883 ssl;
       server_name 127.0.0.1;
       ssl_certificate /home/ubuntu/keystore/prod_certfile.pem;
       ssl_certificate_key /home/ubuntu/keystore/prod_keyfile.key;
       # TLS 1.0/1.1 (the original setting) are deprecated; keep only TLSv1.2 on builds without TLSv1.3 support
       ssl_protocols       TLSv1.2 TLSv1.3;
       root html;                      # not used by the proxy location below
       index index.html index.htm;

       location / {
             proxy_set_header Host $host;
             proxy_set_header X-Real-IP $remote_addr;
             # forward the request URI as received instead of rebuilding it from $uri
             proxy_pass https://myhttpsslb;
       }

  }

Complete configuration

  upstream  myhttpsslb {
        server    127.0.0.1:8443;
        server    127.0.0.1:8444;
  }

  server {
       listen 8883 ssl;
       server_name 127.0.0.1;
       ssl_certificate /home/ubuntu/keystore/prod_certfile.pem;
       ssl_certificate_key /home/ubuntu/keystore/prod_keyfile.key;
       ssl_protocols       TLSv1.2 TLSv1.3;
       root html;
       index index.html index.htm;

       if ($time_iso8601 ~ "^(\d{4})-(\d{2})-(\d{2})") {
         set $year $1;
         set $month $2;
         set $day $3;
      }
      open_log_file_cache max=10 inactive=1d;   # avoid reopening the dated log file on every request
      access_log /var/log/nginx/$year-$month-$day-access.log;

      location / {
             proxy_set_header Host $host;
             proxy_set_header X-Real-IP $remote_addr;
             proxy_pass https://myhttpsslb;
       }

  }

7. IP blacklist

Create a blockips.conf file in the conf.d directory and add the blacklisted IPs to it as shown below. The nginx.conf shipped by most distributions includes conf.d/*.conf inside the http block, so these deny rules apply to every server; if yours does not, add an include for the file. deny compares against $remote_addr, so when nginx sits behind another proxy or CDN the real client address must first be restored with the realip module (set_real_ip_from / real_ip_header), otherwise the rule blocks the proxy instead of the client.

cat blockips.conf shows:

deny 210.14.155.215;
deny 61.4.185.194;
deny 54.223.167.94;
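The configuration of sections 4 through 7 assembled with the settings a practitioner would tighten before exposing it: an HTTP-to-HTTPS redirect, TLS 1.2/1.3 with AEAD suites only, HSTS, verification of the backend certificates, the X-Forwarded-* headers, the dated access log with its file cache, and the blacklist include. This is an added example, not the page's own configuration; the paths /etc/ssl/sso/* and /etc/nginx/conf.d/blockips.conf, the host name sso.example.test (assumed to be the name entered as the certificate's CN/SAN) and the upstream tuning values are assumptions.

```nginx
# Added example, not the original page's configuration.
# Assumed: certificate files under /etc/ssl/sso, blacklist at /etc/nginx/conf.d/blockips.conf,
# sso.example.test as the name in the certificate used by nginx and by the Tomcat backends.

upstream myhttpsslb {
    server 127.0.0.1:8443 max_fails=3 fail_timeout=30s;
    server 127.0.0.1:8444 max_fails=3 fail_timeout=30s;
    keepalive 16;                      # reuse TLS connections to the backends
}

# Plain HTTP only redirects, so nothing is ever served in clear.
server {
    listen      80;
    server_name sso.example.test;
    return 301  https://$host$request_uri;
}

server {
    listen      443 ssl;
    server_name sso.example.test;

    ssl_certificate     /etc/ssl/sso/casserver.pem;
    ssl_certificate_key /etc/ssl/sso/casserver.key;   # chmod 600, readable by the nginx user only

    # TLS 1.2/1.3 only (RFC 8996 deprecates 1.0/1.1); TLSv1.3 needs nginx >= 1.13.0 and OpenSSL >= 1.1.1
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers   ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers off;     # all suites are AEAD with forward secrecy; let the client pick
    ssl_session_cache   shared:SSL:10m;
    ssl_session_timeout 1d;
    ssl_session_tickets off;           # no long-lived ticket key to protect; resumption uses the cache

    add_header Strict-Transport-Security "max-age=63072000" always;

    # Section 7 blacklist. deny matches $remote_addr, so behind a CDN or load balancer set
    # set_real_ip_from / real_ip_header first. Drop this line if nginx.conf already includes conf.d/*.conf.
    include /etc/nginx/conf.d/blockips.conf;

    # Section 5: date-based access log; the cache avoids reopening the file on every request.
    if ($time_iso8601 ~ "^(\d{4})-(\d{2})-(\d{2})") {
        set $year $1;
        set $month $2;
        set $day $3;
    }
    open_log_file_cache max=10 inactive=1d;
    access_log /var/log/nginx/$year-$month-$day-access.log;

    location / {
        proxy_http_version 1.1;
        proxy_set_header Connection "";            # required for upstream keepalive
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # Verify the backend certificate instead of trusting whatever answers on 8443/8444.
        # The Tomcat backends use the same self-signed certificate, so that file is the trust anchor,
        # and proxy_ssl_name must be the name in that certificate, not the 127.0.0.1 from the upstream.
        proxy_ssl_verify              on;
        proxy_ssl_verify_depth        2;
        proxy_ssl_trusted_certificate /etc/ssl/sso/casserver.pem;
        proxy_ssl_name                sso.example.test;
        proxy_ssl_server_name         on;
        proxy_ssl_protocols           TLSv1.2 TLSv1.3;

        # No "/$uri$is_args$args": the request URI is forwarded exactly as received.
        proxy_pass https://myhttpsslb;
    }
}
```

Check it with `nginx -t` before reloading. If the backends ever get a CA-issued certificate instead of the self-signed one, change proxy_ssl_trusted_certificate to that CA bundle and keep proxy_ssl_name at the host name the certificate is issued for.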