Full-site HTTPS

1. Environment

Host    Public IP    Private IP    Role
lb01    10.0.0.4     172.16.1.4    Load balancer (TLS terminates here)
web01   (none)       172.16.1.7    Web server
web03   (none)       172.16.1.9    Web server


2. Configure the web servers

1) Configure nginx

# Same file on web01 and web03: the backends serve plain HTTP on the private network, TLS is terminated at lb01
[root@web01 ~]# vim /etc/nginx/conf.d/linux.https.com.conf
server {
    listen 80;
    server_name linux.https.com;

    location / {
        root /code/https;
        index index.html;
    }
}

2) Create the site content

# -p also creates /code if it does not exist yet; the two pages differ so the load balancer's alternation is visible
[root@web01 ~]# mkdir -p /code/https
[root@web01 ~]# echo "web01111111" > /code/https/index.html

[root@web03 ~]# mkdir -p /code/https
[root@web03 ~]# echo "web033333333" > /code/https/index.html

3) Restart nginx and test

[root@web01 ~]# systemctl restart nginx
[root@web03 ~]# systemctl restart nginx

Before touching the load balancer, confirm from lb01 that each backend answers on port 80: curl -H 'Host: linux.https.com' http://172.16.1.7/ should return web01111111, and the same request to 172.16.1.9 should return web033333333.


3. Configure the load balancer

1) Create a directory for the certificate

(The prompts below show web01, but the key and certificate must exist on lb01, the host whose nginx config references /etc/nginx/ssl_key; run these steps there, or copy the two files over afterwards.)

[root@web01 /code]# mkdir /etc/nginx/ssl_key
[root@web01 /code]# cd /etc/nginx/ssl_key/

2) Generate the certificate

#Use the openssl command to act as our own CA and issue a certificate (not for production: a self-signed certificate is not trusted by browsers or the public PKI)
[root@web01 /etc/nginx/ssl_key]# openssl genrsa -idea -out server.key 2048
Generating RSA private key, 2048 bit long modulus
....+++
..................................................+++
e is 65537 (0x10001)
Enter pass phrase for server.key: 123456
Verifying - Enter pass phrase for server.key: 123456
#(openssl does not echo the pass phrase; it is written out here for the reader.) -idea encrypts the key under this pass phrase, so nginx would prompt for it at every start. The next command overwrites server.key, so in this walkthrough the step has no lasting effect; to remove the pass phrase from an existing encrypted key, the command is "openssl rsa -in server.key -out server.key".


#Generate the self-signed certificate with an unencrypted private key
#Note: -newkey rsa:2048 generates a fresh key and, with -nodes, writes it without a pass phrase. It does not strip the pass phrase from the server.key created above; it replaces that file.
[root@web01 ssl_key]# openssl req -days 36500 -x509 -sha256 -nodes -newkey rsa:2048 -keyout server.key -out server.crt
Generating a 2048 bit RSA private key
..................................................................................................+++
...................................................................................................+++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:zhongguo
string is too long, it needs to be less than  2 bytes long
Country Name (2 letter code) [XX]:CN   
State or Province Name (full name) []:meiguo
Locality Name (eg, city) [Default City]:riben
Organization Name (eg, company) [Default Company Ltd]:heiyiren
Organizational Unit Name (eg, section) []:heiyiren
Common Name (eg, your name or your server's hostname) []:kenan
Email Address []:123@qq.com

Two properties of this certificate matter once a browser connects: the Common Name (kenan) does not match the site name linux.https.com, and the certificate carries no subjectAltName extension. Browsers ignore the CN and require a SAN entry matching the host (Chrome has done so since version 58), so this certificate will be rejected for linux.https.com even if it were trusted. Publicly trusted certificates are also limited to 398 days of validity; 36500 days is acceptable only for a lab self-signed certificate.


#Two files exist after generation
[root@web01 /etc/nginx/ssl_key]# ll
total 8
-rw-r--r-- 1 root root 1387 Sep  4 11:30 server.crt
-rw-r--r-- 1 root root 1704 Sep  4 11:30 server.key
#server.key is world-readable here (mode 644). Restrict it with "chmod 600 server.key" before use; the nginx master process reads the key as root at start-up, so it needs nothing wider.
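As an added example (these are not the post's own commands), the following POSIX shell script does what this section intends, but in a form a browser will accept: it issues a self-signed certificate whose subjectAltName matches the site name, shows how a pass phrase is actually removed from an existing key, restricts the key's permissions, and verifies that key and certificate belong together and that the validity period is what was asked for. It needs only openssl on PATH; the function names, file names, the directory argument and the pass phrase used in the usage section are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original post. Issues a self-signed certificate that
# carries a subjectAltName for the site name, shows how a pass phrase is removed from
# an existing key, locks down key permissions and verifies the result. Requires only
# openssl on PATH; function names, file names and the pass phrase in the usage section
# are assumptions of this example.
set -eu

# make_selfsigned_cert DIR FQDN [DAYS]: writes DIR/server.key and DIR/server.crt.
# Browsers match the hostname against subjectAltName, not the CN, so the SAN is the
# part that makes the certificate usable for FQDN.
make_selfsigned_cert() {
    dir=$1
    fqdn=$2
    days=${3:-365}
    cfg="$dir/san.cnf"
    # minimal req config: the DN comes from -subj, the SAN from the v3_req section
    printf '[req]\ndistinguished_name = dn\n[dn]\n[v3_req]\nsubjectAltName = DNS:%s\n' \
        "$fqdn" > "$cfg"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$days" \
        -subj "/C=CN/O=Example Lab/CN=$fqdn" \
        -config "$cfg" -extensions v3_req \
        -keyout "$dir/server.key" -out "$dir/server.crt" 2>/dev/null
    rm -f "$cfg"
    chmod 600 "$dir/server.key"   # the private key must not be world-readable
}

# strip_passphrase ENC_KEY PASS OUT_KEY: re-encodes an encrypted PEM key as plaintext
# so nginx can load it without prompting. This is what "removing the pass phrase"
# means; running "openssl req -newkey" again generates a different key instead.
strip_passphrase() {
    openssl rsa -in "$1" -passin "pass:$2" -out "$3" 2>/dev/null
    chmod 600 "$3"
}

# cert_key_match CRT KEY: succeeds if the certificate's public key belongs to KEY
cert_key_match() {
    [ "$(openssl x509 -in "$1" -noout -modulus)" = \
      "$(openssl rsa -in "$2" -noout -modulus 2>/dev/null)" ]
}

# cert_has_san CRT FQDN: succeeds if CRT lists DNS:FQDN in subjectAltName
cert_has_san() {
    openssl x509 -in "$1" -noout -text | grep -A1 'Subject Alternative Name' \
        | grep -qF "DNS:$2"
}

# cert_valid_for CRT DAYS: succeeds if CRT does not expire within DAYS days
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# key_is_private KEY: succeeds if only the owner can read KEY (mode 600)
key_is_private() {
    [ "$(ls -l "$1" | cut -c1-10)" = "-rw-------" ]
}

# Usage: sh selfsigned.sh /etc/nginx/ssl_key linux.https.com
if [ $# -ge 2 ]; then
    make_selfsigned_cert "$1" "$2"
    cert_has_san "$1/server.crt" "$2" && cert_key_match "$1/server.crt" "$1/server.key" \
        && echo "wrote $1/server.crt and $1/server.key (SAN: DNS:$2)"
fi
```

The SAN is supplied through a throwaway config file rather than the newer -addext option so the script also runs on older OpenSSL 1.0.x hosts; the checks use only openssl x509/rsa and ls, so they can be rerun against any existing key pair, for example to confirm that the files in /etc/nginx/ssl_key actually match before restarting nginx.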


3) Configure nginx

[root@lb01 ~]# vim /etc/nginx/conf.d/linux.https.com.conf
upstream https_web {
    server 172.16.1.7:80;
    server 172.16.1.9:80;
}

# Port 80: send every request to the HTTPS site with a permanent redirect.
# The original "rewrite (.*) https://linux.https.com$1;" works as well, but without
# the permanent flag it answers 302 rather than 301.
server {
    listen 80;
    server_name linux.https.com;
    return 301 https://$server_name$request_uri;
}

# Port 443: TLS terminates here; traffic to the backends stays plain HTTP on the private network
server {
    listen 443 ssl;
    server_name linux.https.com;
    ssl_certificate /etc/nginx/ssl_key/server.crt;
    ssl_certificate_key /etc/nginx/ssl_key/server.key;

    location / {
        proxy_pass http://https_web;
        include proxy_params;
    }
}

proxy_params is not shipped by the CentOS/EPEL nginx package: it must exist as /etc/nginx/proxy_params and carry the proxy_set_header directives (Host, X-Real-IP, X-Forwarded-For and X-Forwarded-Proto), otherwise nginx -t fails. X-Forwarded-Proto is what lets the backends tell that the client arrived over HTTPS. Also consider restricting ssl_protocols to TLSv1.2 and TLSv1.3 in the 443 server block; nginx releases before 1.23.4 still enable TLSv1 and TLSv1.1 by default.


4) Restart and test

[root@lb01 ~]# nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
[root@lb01 ~]# systemctl restart nginx

#On the client machine, point the site name at the load balancer's public IP in its hosts file
10.0.0.4   linux.https.com

Opening http://linux.https.com should now redirect to https:// and alternate between the web01 and web03 pages. The browser will warn about the certificate because it is self-signed (and, as generated above, does not name linux.https.com). For a scripted check that needs no hosts entry, curl can pin the name to the address: curl -kI --resolve linux.https.com:443:10.0.0.4 https://linux.https.com/ (-k skips certificate verification, which is acceptable only for this lab certificate).


Posted 2020-09-05 14:50 by 六月OvO