一、HTTPS 服務(wù)

為什么需要HTTPS?
原因：HTTP不安全
    1、傳輸數(shù)據(jù)被中間人盜用、信息泄露
    2、數(shù)據(jù)內(nèi)容劫持、篡改

HTTPS協(xié)議的實(shí)現(xiàn)
    對(duì)傳輸內(nèi)容進(jìn)行加密以及身份驗(yàn)證

HTTPS加密校驗(yàn)方式
    非對(duì)稱加密+對(duì)稱加密
    CA簽名證書

二、生成秘鑰和CA證書

生產(chǎn)環(huán)境上可以直接從第三方機(jī)構(gòu)獲取CA證書，跳過這一步。

#檢查是否安裝openssl
openssl version

步驟一：生成key秘鑰

#在/etc/nginx 目錄下新建 ssl_key 目錄
[root@sam ~]# mkdir /etc/nginx/ssl_key
[root@sam ~]# cd /etc/nginx/ssl_key

#新建key文件，并輸入密碼
[root@sam ssl_key]# openssl genrsa -idea -out sam.key 1024
Generating RSA private key, 1024 bit long modulus
....................................++++++
...................++++++
e is 65537 (0x10001)
Enter pass phrase for sam.key:
Verifying - Enter pass phrase for sam.key:

步驟二：生成證書簽名請(qǐng)求文件（csr文件）

[root@sam ssl_key]# openssl req -new -key sam.key -out sam.csr
Enter pass phrase for sam.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:guangdong
Locality Name (eg, city) [Default City]:guangzhou
Organization Name (eg, company) [Default Company Ltd]:sam
Organizational Unit Name (eg, section) []:sam
Common Name (eg, your name or your server's hostname) []:sam
Email Address []:xxx@sam.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:sam

[root@sam ssl_key]# ls
sam.csr  sam.key

步驟三：生成證書簽名文件（CA證書） 或 從第三方機(jī)構(gòu)獲取

[root@sam ssl_key]# openssl x509 -req -days 3650 -in sam.csr -signkey sam.key -out sam.crt
[root@sam ssl_key]# ls
sam.crt  sam.csr  sam.key

三、Nginx配置HTTPS

#配置語法

語法：ssl on|off;
默認(rèn)值：ssl off;
上下文：http,server

語法：ssl_certificate file;
默認(rèn)值：無
上下文：http,server

語法：ssl_certificate_key file;
默認(rèn)值：無
上下文：http,server

配置用例

server {
    listen  443;    #https 監(jiān)聽端口為443
    server_name www.sam.com;
    
    ssl on;
    ssl_certificate /etc/nginx/ssl_key/sam.crt;
    ssl_certificate_key /etc/nginx/ssl_key/sam.key;
    
    location / {
        root /opt/site/sam;
        index index.html index.htm;
    }
}

如果使用自簽的證書，在重啟nginx的時(shí)候會(huì)提示輸入key的密碼，輸入生成key時(shí)配置的密碼即可。

生產(chǎn)環(huán)境中，一般通過第三方機(jī)構(gòu)獲取CA證書進(jìn)行配置。

如從阿里云獲取CA證書:
https://www.aliyun.com/product/cas?spm=5176.8142029.388261.255.23896dfadI4OJq

升級(jí)openssl 到 1.0.2

wget https://www.openssl.org/source/openssl-1.0.2k.tar.gz
tar -zxvf openssl-1.0.2k.tar.gz
cd openssl-1.0.2k
./config --prefix=/usr/local/openssl
make && make install
mv /usr/bin/openssl /usr/bin/openssl.OFF
mv /usr/include/openssl /usr/include/openssl.OFF
ln -s /usr/local/openssl/bin/openssl /usr/bin/openssl
ln -s /usr/local/openssl/include/openssl /usr/include/openssl
echo "/usr/local/openssl/lib" >> /etc/ld.so.conf
ldconfig -v
openssl version -a