Analyzing Nginx's HTTPS Configuration and Certificate Management: Implementation Details
In the field of network and information security, HTTPS is one of the most important secure communication technologies: it gives data transmitted over the Internet encryption, authentication of the server and integrity protection. Nginx is a high-performance web server and reverse proxy that supports HTTPS as well as plain HTTP. In this article we look at the implementation details of Nginx's HTTPS configuration and certificate management and give the corresponding code examples.
Generating an HTTPS certificate
To serve HTTPS, you first need a key pair and an SSL certificate. These files can be generated with the openssl tool; for example:
$ openssl genrsa -out private.key 2048
$ openssl req -new -key private.key -out csr.csr
$ openssl x509 -req -days 365 -in csr.csr -signkey private.key -out certificate.crt
In the commands above, private.key is the generated private key, csr.csr is the certificate signing request (CSR), and certificate.crt is the resulting SSL certificate. Because the last command signs the request with the site's own key, certificate.crt is self-signed and browsers will not trust it; for a production site the CSR is submitted to a certificate authority instead, which returns the certificate.
Configuring HTTPS in Nginx
HTTPS is enabled by adding the following lines to the Nginx configuration file:
server {
    listen 443 ssl;
    server_name example.com;
    ssl_certificate /path/to/certificate.crt;
    ssl_certificate_key /path/to/private.key;
}
Here the listen directive defines the port and protocol to listen on, ssl_certificate gives the path to the SSL certificate, and ssl_certificate_key gives the path to the private key file. The private key file should be readable only by the user Nginx runs as.
Certificate chains and intermediate certificates
In many cases the certificate a CA issues does not chain directly to a root that browsers trust: the server certificate is signed by one or more intermediate certificates, and the server has to present those intermediates together with its own certificate. Nginx reads the whole chain from the file named in ssl_certificate, so the server certificate is placed first and the intermediate certificate(s) are appended after it, in signing order:
server {
    listen 443 ssl;
    server_name example.com;
    # certificate.crt followed by intermediate.crt, concatenated into one PEM file
    ssl_certificate /path/to/fullchain.crt;
    ssl_certificate_key /path/to/private.key;
}
When a browser connects, Nginx sends this chain so that the browser can build a path from the server certificate to a root in its own trust store; if the intermediate is missing, browsers that do not fetch it themselves report the certificate as untrusted. Note that ssl_trusted_certificate is not the place for intermediates: that directive names CA certificates Nginx uses to verify client certificates and OCSP responses (with ssl_stapling), and its contents are never sent to clients.
Forcing HTTPS
Many sites want every plain-HTTP request redirected automatically to HTTPS. Nginx can do this with a separate server block on port 80:
server {
    listen 80;
    server_name example.com;
    return 301 https://$host$request_uri;
}
The return directive answers every HTTP request with a permanent redirect to the same host and path over HTTPS.
Certificate management
In practice SSL certificates expire or have to be replaced, so some routine certificate management is needed. Common operations and the corresponding commands:
Inspect an SSL certificate (issuer, subject, validity period, extensions):
$ openssl x509 -in certificate.crt -text -noout
Inspect a certificate signing request:
$ openssl req -in csr.csr -text -noout
Check that the RSA private key is well-formed and that it matches the certificate (the two modulus digests must be identical):
$ openssl rsa -in private.key -check
$ openssl x509 -noout -modulus -in certificate.crt | openssl md5
$ openssl rsa -noout -modulus -in private.key | openssl md5
Verify the certificate chain:
$ openssl verify -CAfile intermediate.crt certificate.crt
openssl verify expects the chain to end in a trusted self-signed root, so this succeeds only if the root is available as well, either appended to intermediate.crt or present in the system trust store; the -partial_chain option accepts the intermediate itself as the trust anchor.
With these operations a certificate can be inspected, validated and replaced when it is renewed.
Summary:
This article has walked through the implementation details of Nginx's HTTPS configuration and certificate management and given the corresponding code examples. With the configuration and certificate management operations above, Nginx can serve secure HTTPS traffic and the SSL certificates it uses can be managed effectively.
ÒÔÉϾÍÊÇÆÊÎöNginxµÄHTTPSÉèÖúÍÖ¤ÊéÖÎÀíʵÏÖϸ½ÚµÄÏêϸÄÚÈÝ£¬¸ü¶àÇë¹Ø×¢±¾ÍøÄÚÆäËüÏà¹ØÎÄÕ£¡