一、Http与Https的区别
HTTP:是互联网上应用最为广泛的一种网络协议,是一个客户端和服务器端请求和应答的标准(TCP),用于从WWW服务器传输超文本到本地浏览器的传输协议,它可以使浏览器更加高效,使网络传输减少。

HTTPS:是以安全为目标的HTTP通道,简单讲是HTTP的安全版,即HTTP下加入SSL层,HTTPS的安全基础是SSL,因此加密的详细内容就需要SSL。HTTPS协议的主要作用可以分为两种:一种是建立一个信息安全通道,来保证数据传输的安全;另一种就是确认网站的真实性。

HTTPS和HTTP的区别主要如下:
1、https协议需要到ca申请证书,一般免费证书较少,因而需要一定费用。
2、http是超文本传输协议,信息是明文传输,https则是具有安全性的ssl加密传输协议。
3、http和https使用的是完全不同的连接方式,用的端口也不一样,前者是80,后者是443。
4、http的连接很简单,是无状态的;HTTPS协议是由SSL+HTTP协议构建的可进行加密传输、身份认证的网络协议,比http协议安全。

二、使用openssl生成证书
openssl是目前最流行的SSL密码库工具,其提供了一个通用、健壮、功能完备的工具套件,用以支持SSL/TLS协议的实现。

比如生成到:/usr/local/ssl

openssl req -x509 -nodes -days 36500 -newkey rsa:2048 -keyout /usr/local/ssl/nginx.key -out /usr/local/ssl/nginx.crt

生成过程:

# openssl req -x509 -nodes -days 36500 -newkey rsa:2048 -keyout /u sr/local/ssl/nginx.key -out /usr/local/ssl/nginx.crt

Generating a 2048 bit RSA private key

...............................................................................+ ++

...............+++

writing new private key to '/usr/local/ssl/nginx.key'

-----

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [XX]:CN

State or Province Name (full name) []:beijing

Locality Name (eg, city) [Default City]:beijing

Organization Name (eg, company) [Default Company Ltd]:xxxx

Organizational Unit Name (eg, section) []:xxxx

Common Name (eg, your name or your server's hostname) []:xxxx(一般是域名)

Email Address []:xxxx@xxxx.com

# ll

total 8

-rw-r--r--. 1 root root 1391 Apr 21 13:29 nginx.crt

-rw-r--r--. 1 root root 1704 Apr 21 13:29 nginx.key

三、Nginx安装http_ssl_module模块
Nginx如果未开启SSL模块,配置Https时提示错误。

nginx: [emerg] the "ssl" parameter requires ngx_http_ssl_module in /usr/local/nginx/conf/nginx.conf:xxx

nginx缺少http_ssl_module模块,编译安装的时候带上--with-http_ssl_module配置就行了。

本场景是服务器已经安装过nginx,但是未安装http_ssl_module。

1.进入到源码包,如:

cd /app/download/nginx-1.16.7

2.configure:

./configure --prefix=/usr/local/nginx --with-http_stub_status_module --with-http_ssl_module

3.make:

make

4.不需要执行make install,否则就覆盖安装了。

5.备份原有的nginx,如:

cp /usr/local/nginx/sbin/nginx /usr/local/nginx/sbin/nginx_bak

6.然后将刚刚编译好的nginx覆盖掉原有的nginx(nginx需要停止)

cp ./objs/nginx /usr/local/nginx/sbin/

7.查看安装情况:(注:若不生效,则重装nginx)

/usr/local/nginx/sbin/nginx -V

nginx version: nginx/1.12.2

built by gcc 4.8.5 20150623 (Red Hat 4.8.5-16) (GCC)

built with OpenSSL 1.0.2k-fips 26 Jan 2017

TLS SNI support enabled

configure arguments: --prefix=/usr/local/nginx --with-http_stub_status_module --with-http_ssl_module

四、nginx配置https
贴部分配置信息:

#user  nobody;

worker_processes  1;

#error_log  logs/error.log;

#error_log  logs/error.log  notice;

#error_log  logs/error.log  info;

#pid        logs/nginx.pid;

events {

    worker_connections  1024;

}

http {

    include       mime.types;

    default_type  application/octet-stream;

    #log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '

    #                  '$status $body_bytes_sent "$http_referer" '

    #                  '"$http_user_agent" "$http_x_forwarded_for"';

    #access_log  logs/access.log  main;

    sendfile        on;

    #tcp_nopush     on;

    #keepalive_timeout  0;

    keepalive_timeout  65;

    #gzip  on;

    server {

        listen       7777;

        server_name  localhost;

        #charset koi8-r;

        #access_log  logs/host.access.log  main;

        location / {

            if (!-e $request_filename) {

                rewrite ^(.*)$ /index.html?s=$1 last;

                break;

            }

            root   /usr/local/chip/product/crdp_plus;

            index  index.html;

        }

        location /portal-ui {

              root   html;

            index  index.html index.htm;

              try_files $uri $uri/ /monitor-view/index.html;

          }

        location /crdp/ {

            proxy_pass http://127.0.0.1:8888;

        }

        location /swagger-ui.html {

            proxy_pass http://127.0.0.1:8888;

        }

        location /swagger-resources {

            proxy_pass http://127.0.0.1:8888;

        }

        location /swagger {

            proxy_pass http://127.0.0.1:8888;

        }

        location /webjars {

            proxy_pass http://127.0.0.1:8888;

        }

        location /v2 {

            proxy_pass http://127.0.0.1:8888;

        }

        location /druid {

            proxy_pass http://127.0.0.1:8888;

        }

        proxy_set_header Host $host;

        proxy_set_header X-Real-IP $remote_addr;

        proxy_set_header REMOTE-HOST $remote_addr;

        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        proxy_set_header Upgrade $http_upgrade;

        proxy_set_header Connection "upgrade";

        client_max_body_size 5m;

        #error_page  404              /404.html;

        # redirect server error pages to the static page /50x.html

        #

        error_page   500 502 503 504  /50x.html;

        location = /50x.html {

            root   html;

        }

        # proxy the PHP scripts to Apache listening on 127.0.0.1:80

        #

        #location ~ \.php$ {

        #    proxy_pass   http://127.0.0.1;

        #}

        # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000

        #

        #location ~ \.php$ {

        #    root           html;

        #    fastcgi_pass   127.0.0.1:9000;

        #    fastcgi_index  index.php;

        #    fastcgi_param  SCRIPT_FILENAME  /scripts$fastcgi_script_name;

        #    include        fastcgi_params;

        #}

        # deny access to .htaccess files, if Apache's document root

        # concurs with nginx's one

        #

        #location ~ /\.ht {

        #    deny  all;

        #}

    }

    # another virtual host using mix of IP-, name-, and port-based configuration

    #

    #server {

    #    listen       8000;

    #    listen       somename:8080;

    #    server_name  somename  alias  another.alias;

    #    location / {

    #        root   html;

    #        index  index.html index.htm;

    #    }

    #}

    # HTTPS server

    #

    server {

        listen         8787 ssl;

        server_name  192.168.13.192;

        ssl_certificate /usr/local/ssl/nginx.crt;       #证书公钥

        ssl_certificate_key  /usr/local/ssl/nginx.key;  #证书私钥

        ssl_session_cache    shared:SSL:1m;

        ssl_session_timeout  5m;

        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

        ssl_ciphers ECDH:AESGCM:HIGH:!RC4:!DH:!MD5:!3DES:!aNULL:!eNULL;

        ssl_prefer_server_ciphers  on;

        root /usr/local/ui_workspace;

        index /appBaoJian/index.html;

        location /appBaoJian {

                root   /usr/local/ui_workspace;

                index  index.html index.htm;

                try_files $uri $uri/ /appBaoJian/index.html;

            }

        location /chhm-service/ {

            proxy_pass http://192.168.13.77:8380;

        }

    }

    server {

        listen         8686 ssl;

        server_name  192.168.13.192;

        ssl_certificate /usr/local/ssl/nginx.crt;       #证书公钥

        ssl_certificate_key  /usr/local/ssl/nginx.key;  #证书私钥

        ssl_session_cache    shared:SSL:1m;

        ssl_session_timeout  5m;

        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

        ssl_ciphers ECDH:AESGCM:HIGH:!RC4:!DH:!MD5:!3DES:!aNULL:!eNULL;

        ssl_prefer_server_ciphers  on;

        root /usr/local/ui_workspace;

        index /crpge/index.html;

        location /crpgea {

                root   /usr/local/ui_workspace;

                index  index.html index.htm;

                try_files $uri $uri/ /crpge/index.html;

            }

        location /crpgeb {

                root   /usr/local/ui_workspace;

                index  index.html index.htm;

                try_files $uri $uri/ /crpge/hospital.html;

            }

        location /crpge/v1 {

            proxy_http_version 1.1;

            proxy_set_header   Host         $http_host;

            proxy_set_header   X-Real-IP    $remote_addr;

            proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;

            proxy_set_header   X-Forwarded-Proto $scheme;

            proxy_pass http://127.0.0.1:18888/crpge/v1;

        }

    }

}

先检验配置的对不对:

/usr/local/nginx/sbin/nginx -t

nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok

nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful

重启nginx:

/usr/local/nginx/sbin/./nginx -s reload

Nginx下配置Https证书详细过程的更多相关文章

  1. Nginx 下配置SSL证书的方法

    1.Nginx 配置 ssl 模块 默认 Nginx 是没有 ssl 模块的,而我的 VPS 默认装的是 Nginx 0.7.63 ,顺带把 Nginx 升级到 0.7.64 并且 配置 ssl 模块 ...

  2. Nginx下配置Https 配置文件(vue)

    #user nobody; worker_processes 1; #error_log logs/error.log; #error_log logs/error.log notice; #erro ...

  3. Nginx如何配置https证书?

    #把80端口请求跳转到443端口 server { listen 80; server_name 域名; return 301 https://$http_host$request_uri; } se ...

  4. Nginx下的https配置

    https: https(Secure Hypertext Transfer Protocol) 安全超文本传输协议 它是以安全为目标的http通道,即它是http的安全版.它使用安全套接字层(SSL ...

  5. Nginx配置Https(详细、完整)

    Nginx配置Https(详细.完整) 原文链接:请支持原创 前置条件: 在配置https之前请确保下面的步骤已经完成 服务器已经安装nginx并且通过http可以正常访问 不会安装nginx的可以参 ...

  6. Ubuntu Nginx下配置网站ssl实现https访问

    最近在看  HTTP权威指南   看到介绍了HTTPS的ssl,自己就动手测试了下,将步骤记录下 HTTPS简介 什么是HTTPS?百科是这样解释的.HTTPS(全称:Hyper Text Trans ...

  7. Nginx下配置网站ssl实现https访问

    第一步:服务器环境,lnmp即Linux+Nginx+PHP+MySQL,本文中以我的博客为例,使用的是阿里云最低档的vps+免费的Linux服务器管理系统WDCP快速搭建的lnmp环境(同类产品还有 ...

  8. Nginx 高级配置-https 功能

    Nginx 高级配置-https 功能 作者:尹正杰 版权声明:原创作品,谢绝转载!否则将追究法律责任. 一.HTTPS工作过程 1>.SSL/TLS SSL(Secure Socket Lay ...

  9. 使用docker部署nginx并配置https

    我只有一台服务器,但我想在这台服务器上运行多个项目,怎么办? 总不能靠加端口区分吧? 百度和Google是个好东西,于是我找到了答案,使用nginx. 通过nginx,我可以给我的一台服务器配置两个域 ...

随机推荐

  1. [Vue warn]: Unknown custom element: <terminal-process> - did you register the component correctly? For recursive components, make sure to provide the "name" option.

    Vue组件注册报错问题 import 不要加{},排查出如果页面引用单个组件的时候不要加上{}中括号,引入多个组件时才能派上用场,中括号去除问题即可解决.

  2. qsort 快排函数(C语言)

    qsort 快排函数(C语言) 函数原型 void qsort(void *base, size_t nitems, size_t size, int (*compar)(const void *, ...

  3. Asp.Net Core&CAP实现分布式事务

    需要注意的是标题中的CAP不是指的CAP理论,而是园区大神杨晓东实现的框架,CAP框架基于本地消息表用最终一致性实现分布式事务. 本地消息表 首先我们考虑一个场景,在将用户信息更改后,需要发送一条消息 ...

  4. Relatives(容斥)

    Relatives Time Limit: 1000MS   Memory Limit: 65536K Total Submissions: 15708   Accepted: 7966 Descri ...

  5. 7- MySQL结果数据处理与函数

    复习: 查询:select 列名 from 表 去重:distinct 排序:order by 列1 列2 排序方法:asc desc. 限定返回行数:limit n limit n,m 过滤:whe ...

  6. 微信小程序 icon组件详细介绍

    这些是提供的所支持的图标样式,根据需求在此基础上去修改大小和颜色. 主要属性: 使用方式: wxml <!--成功图标--> <icon type="success&quo ...

  7. hdu4829 带权并查集(题目不错)

    题意: Information Time Limit: 6000/3000 MS (Java/Others) Memory Limit: 32768/32768 K (Java/Others) Tot ...

  8. Android so注入( inject)和Hook(挂钩)的实现思路讨论

    本文博客:http://blog.csdn.net/qq1084283172/article/details/54095995 前面的博客中分析一些Android的so注入和Hook目标函数的代码,它 ...

  9. LA4636积木艺术

    题意:       有一些1*1*1的单位正方体积木,现在要摆积木,每一块积木有两种方法,要么放在地面上,要么放在别的积木的正上方,现在给你摆好积木的正面图和侧面图,问你最少用了多少块积木. 思路: ...

  10. Redis笔记整理

    Redis 遵守BSD协议.支持网络.可基于内存亦可持久化的日志型.Key-Value数据库.数据结构服务器. 特点:     1.Redis支持数据的持久化,可以将内存中的数据保存在磁盘中,重启的时 ...