Nginx高级配置-实现多域名HTTPS

岁序沉香 發表於 2019-12-17 20:14:00

Nginx高级配置-实现多域名HTTPS
　　　　　　　　　　　　　　　　　　　　　　　　　　　　　　　　　　　　　　　作者：尹正杰
版权声明：原创作品，谢绝转载！否则将追究法律责任。
 
 
 
 
一.Nginx支持基于单个IP实现多域名的功能
<div class="cnblogs_code">
<pre>　　Nginx支持基于单个IP实现多域名的功能，并且还支持单IP多域名的基础之上实现HTTPS，这一点Apache Httpd是不支持的，其实是基于Nginx的SNI（Server Name Indication）功能实现，SNI是为了解决一个Nginx服务器内使用一个IP绑定多个域名和证书的功能，其具体功能是客户端在连接到服务器建立SSL链接之前先发送要访问站点的域名（Hostname），这样服务器再根据这个域名返回给客户端一个合适的证书。

　　其实配置基于单个IP实现多域名的HTTPS方式也就是重复单个网站的https配置相应步骤。我的实验环境是在基于Nginx配置单个网站的https(博客链接:https://www.cnblogs.com/yinzhengjie/p/12052401.html),也就是上一次试验基础之上继续后续的步骤。</pre>
<pre></pre>
</div>
 
二.生成自签名证书
1>.生成"mobile.yinzhengjie.org.cn"网站使用的密钥对
<div class="cnblogs_code">
<pre># cd /yinzhengjie/softwares/nginx/certs/
#
# ll
total 24
-rw-r--r-- 1 root root 2171 Dec 22 08:40 ca.crt
-rw-r--r-- 1 root root 3272 Dec 22 08:40 ca.key
-rw-r--r-- 1 root root 17 Dec 22 09:01 ca.srl
-rw-r--r-- 1 root root 2049 Dec 22 09:01 www.yinzhengjie.org.cn.crt
-rw-r--r-- 1 root root 1769 Dec 22 08:52 www.yinzhengjie.org.cn.csr
-rw-r--r-- 1 root root 3272 Dec 22 08:52 www.yinzhengjie.org.cn.key
#
# openssl req -newkey rsa:4096 -nodes -sha256 -keyout mobile.yinzhengjie.org.cn.key -out mobile.yinzheng
jie.org.cn.csrGenerating a 4096 bit RSA private key
.......................................................................................................................++
................................................................++
writing new private key to 'mobile.yinzhengjie.org.cn.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) :CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) :beijing
Organization Name (eg, company) :yinzhengjie
Organizational Unit Name (eg, section) []:devops
Common Name (eg, your name or your server's hostname) []:mobile.yinzhengjie.org.cn　　　　　　　　#这里写网站的主机名称
Email Address []:y1053419035@qq.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:　　　　　　　　　　　　　　　　　　　　　　　　　　　　　　　　　　　　　　　　　　　#这里不要写密码
An optional company name []:
#
# ll
total 32
-rw-r--r-- 1 root root 2171 Dec 22 08:40 ca.crt
-rw-r--r-- 1 root root 3272 Dec 22 08:40 ca.key
-rw-r--r-- 1 root root 17 Dec 22 09:01 ca.srl
-rw-r--r-- 1 root root 1773 Dec 22 10:14 mobile.yinzhengjie.org.cn.csr　　　　　　　　　　　　　　　#是一个公钥，即证书请求文件
-rw-r--r-- 1 root root 3272 Dec 22 10:14 mobile.yinzhengjie.org.cn.key　　　　　　　　　　　　　　　#私钥
-rw-r--r-- 1 root root 2049 Dec 22 09:01 www.yinzhengjie.org.cn.crt
-rw-r--r-- 1 root root 1769 Dec 22 08:52 www.yinzhengjie.org.cn.csr
-rw-r--r-- 1 root root 3272 Dec 22 08:52 www.yinzhengjie.org.cn.key
#
# </pre>
</div>
2>.签发证书
<div class="cnblogs_code">
<pre># ll
total 32
-rw-r--r-- 1 root root 2171 Dec 22 08:40 ca.crt
-rw-r--r-- 1 root root 3272 Dec 22 08:40 ca.key
-rw-r--r-- 1 root root 17 Dec 22 09:01 ca.srl
-rw-r--r-- 1 root root 1773 Dec 22 10:14 mobile.yinzhengjie.org.cn.csr
-rw-r--r-- 1 root root 3272 Dec 22 10:14 mobile.yinzhengjie.org.cn.key
-rw-r--r-- 1 root root 2049 Dec 22 09:01 www.yinzhengjie.org.cn.crt
-rw-r--r-- 1 root root 1769 Dec 22 08:52 www.yinzhengjie.org.cn.csr
-rw-r--r-- 1 root root 3272 Dec 22 08:52 www.yinzhengjie.org.cn.key
#
#
# openssl x509 -req -days 3650 -in mobile.yinzhengjie.org.cn.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out mobile.yinzhengjie.org.cn.crt Signature ok
subject=/C=CN/ST=beijing/L=beijing/O=yinzhengjie/OU=devops/CN=mobile.yinzhengjie.org.cn/emailAddress=y1053419035@qq.com
Getting CA Private Key
#
# ll
total 36
-rw-r--r-- 1 root root 2171 Dec 22 08:40 ca.crt
-rw-r--r-- 1 root root 3272 Dec 22 08:40 ca.key
-rw-r--r-- 1 root root 17 Dec 22 10:19 ca.srl
-rw-r--r-- 1 root root 2049 Dec 22 10:19 mobile.yinzhengjie.org.cn.crt　　　　　　　　　　　　#已经被自己的CA服务器签发的证书文件
-rw-r--r-- 1 root root 1773 Dec 22 10:14 mobile.yinzhengjie.org.cn.csr
-rw-r--r-- 1 root root 3272 Dec 22 10:14 mobile.yinzhengjie.org.cn.key
-rw-r--r-- 1 root root 2049 Dec 22 09:01 www.yinzhengjie.org.cn.crt
-rw-r--r-- 1 root root 1769 Dec 22 08:52 www.yinzhengjie.org.cn.csr
-rw-r--r-- 1 root root 3272 Dec 22 08:52 www.yinzhengjie.org.cn.key
#
# </pre>
</div>
 
三.Nginx证书配置
1>.查看主配置文件
<div class="cnblogs_code">
<pre># cat /yinzhengjie/softwares/nginx/conf/nginx.conf
worker_processes4;
worker_cpu_affinity 00000001 00000010 00000100 00001000;

events {
worker_connections100000;
use epoll;
accept_mutex on;
multi_accept on;
}

http {
include mime.types;

default_typetext/html;

charset utf-8;

log_format my_access_json '{"@timestamp":"$time_iso8601",' '"host":"$server_addr",' '"clientip":"$remote_addr",' '"size":$body_bytes_sent,' '"responsetime":$request_ti
me,' '"upstreamtime":"$upstream_response_time",' '"upstreamhost":"$upstream_addr",' '"http_host":"$host",' '"uri":"$uri",' '"domain":"$host",' '"xff":"$http_x_forwarded_for",' '"referer":"$http_referer",' '"tcp_xff":"$proxy_protocol_addr",' '"http_user_agent":"$http_user_agent",' '"status":"$status"}';
access_log logs/access_json.log my_access_json;

ssl_certificate /yinzhengjie/softwares/nginx/certs/www.yinzhengjie.org.cn.crt;
ssl_certificate_key /yinzhengjie/softwares/nginx/certs/www.yinzhengjie.org.cn.key;
ssl_session_cache shared:sslcache:20m;
ssl_session_timeout 10m;

include /yinzhengjie/softwares/nginx/conf.d/*.conf;
}
#
# nginx -t
nginx: the configuration file /yinzhengjie/softwares/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /yinzhengjie/softwares/nginx/conf/nginx.conf test is successful
#
# ll /yinzhengjie/softwares/nginx/conf.d/
total 8
-rw-r--r-- 1 root root 186 Dec 22 09:22 https.conf　　　　　　　　　　　　　　#这个配置文件就是我们上一篇博客配置的内容
-rw-r--r-- 1 root root 438 Dec 22 10:25 mobile.conf　　　　　　　　　　　　　 #这个配置是咱们新配置的域名
#
# </pre>
</div>
<div class="cnblogs_code"><img src="http://images.cnblogs.com/OutliningIndicators/ContractedBlock.gif"><img id="code_img_opened_1e3dd0bd-446a-4cf8-9c84-d97d4c58335f" class="code_img_opened lazyload" style="display: none" alt="" data-src="http://images.cnblogs.com/OutliningIndicators/ExpandedBlockStart.gif">
<div id="cnblogs_code_open_1e3dd0bd-446a-4cf8-9c84-d97d4c58335f" class="cnblogs_code_hide">
<pre># cat /yinzhengjie/softwares/nginx/conf.d/https.conf
server {
listen 80;
listen 443 ssl;
server_name www.yinzhengjie.org.cn;

location / {
 root /yinzhengjie/data/web/nginx/static;
 index index.html;
}
}
#
# nginx -t
nginx: the configuration file /yinzhengjie/softwares/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /yinzhengjie/softwares/nginx/conf/nginx.conf test is successful
# </pre>
</div>
# cat /yinzhengjie/softwares/nginx/conf.d/https.conf</div>
2>.编辑mobile的配置文件支持https功能
<div class="cnblogs_code">
<pre># cat /yinzhengjie/softwares/nginx/conf.d/mobile.conf
server {
listen 80;
listen 443 ssl;
server_name mobile.yinzhengjie.org.cn;

ssl_certificate /yinzhengjie/softwares/nginx/certs/mobile.yinzhengjie.org.cn.crt;
ssl_certificate_key /yinzhengjie/softwares/nginx/certs/mobile.yinzhengjie.org.cn.key;
ssl_session_cache shared:sslcache:20m;
ssl_session_timeout 10m;

location / {
 root /yinzhengjie/data/web/nginx/mobile;
 index index.html;
}
}
#
# nginx -t
nginx: the configuration file /yinzhengjie/softwares/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /yinzhengjie/softwares/nginx/conf/nginx.conf test is successful
#
# </pre>
</div>
3>.创建mobile网站的测试数据
<div class="cnblogs_code">
<pre># mkdir -pv /yinzhengjie/data/web/nginx/mobile
mkdir: created directory ‘/yinzhengjie/data/web/nginx/mobile’
#
# vim /yinzhengjie/data/web/nginx/mobile/index.html
#
# cat /yinzhengjie/data/web/nginx/mobile/index.html
<!doctype html>
<html lang="en">
<head>
<meta charset="UTF-8" />
<title>尹正杰的网页</title>

<style type="text/css">
 h1{
 background-color: red;
 margin: 0;
 float: right;
 color: yellow;
 }
</style>

</head>
<body>
<h1>我的博客地址:https://www.cnblogs.com/yinzhengjie</H1>
</body>
</html>
#
# </pre>
</div>
4>.重新加载nginx的配置文件
<div class="cnblogs_code">
<pre># ps -ef | grep nginx | grep -v grep
root 9901 10 09:28 ? 00:00:00 nginx: master process nginx
nginx 990299010 09:28 ? 00:00:00 nginx: worker process
nginx 990399010 09:28 ? 00:00:00 nginx: worker process
nginx 990499010 09:28 ? 00:00:00 nginx: worker process
nginx 990599010 09:28 ? 00:00:00 nginx: worker process
#
# nginx -s reload
#
# ps -ef | grep nginx | grep -v grep
root 9901 10 09:28 ? 00:00:00 nginx: master process nginx
nginx 2491699014 10:41 ? 00:00:00 nginx: worker process
nginx 2491799015 10:41 ? 00:00:00 nginx: worker process
nginx 2491899015 10:41 ? 00:00:00 nginx: worker process
nginx 2491999015 10:41 ? 00:00:00 nginx: worker process
# </pre>
</div>
5>.客户端浏览器分别访问"http://mobile.yinzhengjie.org.cn/"和"https://mobile.yinzhengjie.org.cn/"
<img alt="" data-src="https://img2018.cnblogs.com/blog/795254/201912/795254-20191222104601029-2048829334.png">
 

</div>
<div id="MySignature" role="contentinfo">
本文来自博客园，作者：尹正杰，转载请注明原文链接：https://www.cnblogs.com/yinzhengjie/p/12056590.html，个人微信: "JasonYin2020"（添加时请备注来源及意图备注，有偿付费） 

当你的才华还撑不起你的野心的时候，你就应该静下心来学习。当你的能力还驾驭不了你的目标的时候，你就应该沉下心来历练。问问自己，想要怎样的人生。 
来源：https://www.cnblogs.com/yinzhengjie/p/12056590.html

頁: [1]

琼殿技术论坛's Archiver

Nginx高级配置-实现多域名HTTPS