
https practice

Common ports

ssh 22
telnet 23
ftp 21
rsync 873
http 80
mysql 3306
redis 6379
https 443
dns 53
php 9000
tomcat 8080

https Introduce

  1. What is HTTPS?

    HTTP is the Hypertext Transfer Protocol. It is not encrypted, so it is not secure.

    HTTPS is HTTP carried over an encrypted transport. Encrypted transmission is more secure; websites that are not encrypted are easy to tamper with.

    When a website uses HTTP, its traffic can be hijacked and tampered with on the way. With HTTPS the data is encrypted in transit, so an attacker on the path can neither read nor tamper with the messages, and information is not leaked while the website is transmitting it.

  2. How to use HTTPS: configuration

Certificate type

  1. Single domain name
  2. Multiple domains
  3. Wildcard domain name

Notes

  1. An HTTPS certificate cannot be renewed in place; after it expires you must apply for a new one.
  2. Third-level domain names are not supported, for example: test.gong.xxx.com

The three browser address-bar states

  • Red: the web page contains insecure HTTP links
  • Yellow: the page's code loads resources over insecure HTTP connections (mixed content)
  • Green: all links are secure

Certificate type introduction

| Comparison | Domain Validated (DV) | Organization Validated (OV) | Extended Validation (EV) |
|---|---|---|---|
| Address bar | padlock + https | padlock + https | padlock + company name + https |
| Typical use | personal sites and apps; ordinary HTTPS encryption needs | e-commerce sites and applications; SME sites | large financial platforms; sites of large enterprises and government agencies |
| Vetting | domain ownership verification | full organization vetting; domain ownership verification | the strictest organization vetting; domain ownership verification |
| Issuance time | 10 minutes – 24 hours | 3–5 working days | 5–7 working days |
| Validity per application | 1 year | 1–2 years | 1–2 years |
| Warranty | — | 1.25–1.75 million dollars | 1.5–1.75 million dollars |

Single-server HTTPS setup

HTTPS in nginx requires the ngx_http_ssl_module. Installation / verification:

This module is not built by default, it should be enabled with the --with-http_ssl_module configuration
#  Use `nginx -V` to check whether this module is compiled in.

Syntax (from the official documentation)

    server {
        # Listen on 443 with TLS enabled for this server block
        listen              443 ssl;
        # Certificate (PEM) presented to clients, and the matching private key.
        # The key file is a secret: keep it readable only by the user that runs
        # the nginx master process.
        ssl_certificate     /usr/local/nginx/conf/cert.pem;
        ssl_certificate_key /usr/local/nginx/conf/cert.key;
    }

Configuration

# 1. Create the directory that will hold the certificate
[[email protected] ~]# mkdir /etc/nginx/ssl
#  Use openssl to act as your own CA and create a self-signed certificate. Production does not use this method: such a certificate is not trusted on the public Internet and browsers will warn about it.
[[email protected] /etc/nginx/ssl]# openssl genrsa -idea -out server.key 2048
Generating RSA private key, 2048 bit long modulus
........................................................................+++
......................+++
e is 65537 (0x10001)
#  Enter a pass phrase (at least 4 characters); it is only needed during this configuration process
Enter pass phrase for server.key:
Verifying - Enter pass phrase for server.key:
[[email protected] /etc/nginx/ssl]# openssl req -days 36500 -x509 -sha256 -nodes -newkey rsa:2048 -keyout server.key -out server.crt
Generating a 2048 bit RSA private key
.....................+++
...........................+++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:chongqing
Locality Name (eg, city) [Default City]:dazu
Organization Name (eg, company) [Default Company Ltd]:better
Organizational Unit Name (eg, section) []:yunxingweihubu
Common Name (eg, your name or your server's hostname) []:gong.com
Email Address []:[email protected]
#  Just follow the prompts. For the Common Name the teacher said to use the same top-level domain as the domain you will bind; in practice the site is still reachable during this configuration even if you do not use that domain name (the browser only warns that the certificate name does not match).
# req              -->  create a certificate request (combined with -x509 here to output a self-signed certificate directly)
# -newkey rsa:2048 -->  generate a new 2048-bit RSA private key at the same time
# -x509            -->  output a self-signed certificate in the standard X.509 format instead of a request
# -sha256          -->  signature digest algorithm
# -keyout          -->  file the new private key is written to; note this overwrites the server.key created by genrsa above
# -nodes           -->  do not encrypt the private key (no pass phrase), so nginx can start without prompting
# -out             -->  output certificate file
# -days            -->  validity period in days (36500 here; fine for a lab self-signed certificate, public CAs issue far shorter lifetimes)
[[email protected] /etc/nginx/conf.d]# vi https.conf
server {
        # Listen on 443 with TLS enabled
        listen 443 ssl;
        server_name www.shelldon.com;
        # Certificate and private key. Relative paths resolve against nginx's
        # configuration prefix, here /etc/nginx/, i.e. the /etc/nginx/ssl
        # directory created above.
        ssl_certificate   ssl/server.crt;
        ssl_certificate_key  ssl/server.key;
        location / {
                root /website/https;
                index index.html;
        }
}
server {
        listen 80;
        server_name www.shelldon.com;
        # Every plain-HTTP request is redirected to the HTTPS site.
        # 302 is a temporary redirect; for a permanent http->https move 301 is
        # the usual choice, and an HSTS header on the 443 server keeps browsers
        # from retrying HTTP at all.
        return 302 https://$server_name$request_uri;
}
[[email protected] ~]# mkdir /website/https
[[email protected] ~]# echo https website > /website/https/index.html

Multi-server (load-balanced) HTTPS setup

Load balancer configuration. In practice it is enough to configure HTTPS on the load balancer only; communication between the balancer and the web servers on the intranet uses HTTP, so that hop is unencrypted and relies on the intranet being trusted.

[[email protected] ~]# vi /etc/nginx/conf.d/upstream.conf
upstream blog {
        # Backend pool. TLS is terminated on this load balancer; traffic to
        # these hosts is plain HTTP over the intranet (see proxy_pass below).
        server 172.16.1.7;
        # Marked down: excluded from balancing until the flag is removed
        server 172.16.1.8 down;
        server 172.16.1.9 down;
}
# Port 80 only redirects: every plain-HTTP request is sent to the HTTPS site.
# 302 is a temporary redirect; a permanent http->https move is usually 301,
# and an HSTS header on the 443 servers keeps browsers from retrying HTTP.
server {
        listen 80;
        server_name wp.gong.com;
        return 302 https://$server_name$request_uri;
}
server {
        listen 80;
        server_name zh.gong.com;
        return 302 https://$server_name$request_uri;
}
server {
        listen 443 ssl;
        server_name wp.gong.com;
        # Both names share one self-signed certificate. The one generated above
        # has Common Name gong.com and no Subject Alternative Name, so browsers
        # will report a name mismatch for wp.gong.com and zh.gong.com; a trusted
        # certificate needs each hostname in its SAN list.
        ssl_certificate   ssl/server.crt;
        ssl_certificate_key  ssl/server.key;
        location / {
                # Plaintext hop to the backend pool; acceptable only on a trusted intranet
                proxy_pass http://blog;
                # proxy_params is not shown on this page; presumably it sets Host and
                # X-Forwarded-* headers for the backend -- verify it forwards
                # X-Forwarded-Proto so the backend can tell the client used HTTPS.
                include proxy_params;
        }
}
server {
        listen 443 ssl;
        server_name zh.gong.com;
        # Same shared certificate and same name-mismatch caveat as wp.gong.com above
        ssl_certificate   ssl/server.crt;
        ssl_certificate_key  ssl/server.key;
        location / {
                proxy_pass http://blog;
                include proxy_params;
        }
}

Configuration on the web servers

[[email protected] ~]# vi /etc/nginx/conf.d/wp.conf
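server {
        # Backend vhost: receives plain HTTP from the load balancer only.
        # It trusts that the balancer already terminated TLS, so it should not
        # be reachable from outside the intranet.
        listen 80;
        server_name wp.gong.com;
        root /website/wp;
        index index.php;
        location ~ \.php$ {
                # Defense in depth: reject requests whose .php path does not exist
                # on disk before they reach PHP-FPM. Without this, a request such as
                # an uploaded file followed by a fake ".php" suffix can be handed to
                # PHP with a script name PHP resolves via PATH_INFO.
                try_files $uri =404;
                fastcgi_pass 127.0.0.1:9000;
                fastcgi_index index.php;
                fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
                # The load balancer already redirected 80 -> 443 and terminated TLS,
                # so the request arrives here over HTTP. Tell PHP it was HTTPS
                # (sets $_SERVER['HTTPS']) so generated links use https://.
                fastcgi_param HTTPS on;
                include fastcgi_params;
        }
}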
[[email protected] /etc/nginx/conf.d]# vi zh.conf 
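server {
        # Backend vhost: receives plain HTTP from the load balancer only.
        # It trusts that the balancer already terminated TLS, so it should not
        # be reachable from outside the intranet.
        listen 80;
        server_name zh.gong.com;
        root /website/zh;
        index index.php;
        location ~ \.php$ {
                # Defense in depth: reject requests whose .php path does not exist
                # on disk before they reach PHP-FPM. Without this, a request such as
                # an uploaded file followed by a fake ".php" suffix can be handed to
                # PHP with a script name PHP resolves via PATH_INFO.
                try_files $uri =404;
                fastcgi_pass 127.0.0.1:9000;
                fastcgi_index index.php;
                fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
                # The load balancer already redirected 80 -> 443 and terminated TLS,
                # so the request arrives here over HTTP. Tell PHP it was HTTPS
                # (sets $_SERVER['HTTPS']) so generated links use https://.
                fastcgi_param HTTPS on;
                include fastcgi_params;
        }
}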

SSL optimization parameters

Applied on the load balancer, where HTTPS is terminated.

server {
    listen 443 ssl;
    server_name blog.driverzeng.com;
    root /var/www/wordpress;
    index index.php;
    # Certificate and private key (relative to the nginx configuration prefix)
    ssl_certificate   ssl/215089466160853.pem;
    ssl_certificate_key  ssl/215089466160853.key;
    
    # Pull the shared TLS parameters in from /etc/nginx/ssl_params (listed below)
    include ssl_params;
    }
 # TLS session cache shared between worker processes, 10 MB. If a client
 # disconnects after the handshake and reconnects within ssl_session_timeout,
 # it can resume the cached session instead of doing a full handshake again.
 ssl_session_cache shared:SSL:10m;
 # How long a cached session stays resumable (24 h here; nginx's default is 5m.
 # A longer lifetime keeps session keys in memory longer).
 ssl_session_timeout 1440m;  
 # Cipher suites offered to clients, in preference order. NOTE(review): the
 # "ECDH" and "AES" aliases include static-ECDH and RSA-key-exchange suites,
 # which give no forward secrecy; consider restricting to ECDHE suites.
 ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4; 
 # Enabled protocol versions. NOTE(review): TLSv1 and TLSv1.1 are deprecated
 # (RFC 8996) and should be dropped, leaving TLSv1.2 (plus TLSv1.3 where the
 # nginx/OpenSSL build supports it).
 ssl_protocols TLSv1 TLSv1.1 TLSv1.2; 
 # Use the server's cipher preference order rather than the client's
 ssl_prefer_server_ciphers on; 
    
    
[[email protected] /etc/nginx]# vi ssl_params
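# Shared TLS session cache, 10 MB (per the nginx docs 1 MB holds roughly 4000
# sessions). A client reconnecting within ssl_session_timeout resumes the
# cached session instead of performing a full handshake.
ssl_session_cache shared:SSL:10m;
# 24 h; nginx's default is 5m. A longer lifetime keeps session keys in memory
# longer, so shorten it if that trade-off matters for the deployment.
ssl_session_timeout 1440m;
# Cipher suites offered, in preference order. NOTE(review): the "ECDH" and
# "AES" aliases still admit static-ECDH and RSA-key-exchange suites without
# forward secrecy; restricting to ECDHE suites is the usual hardening step.
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
# TLS 1.0 and 1.1 are deprecated (RFC 8996) and were removed from this list;
# add TLSv1.3 once the nginx/OpenSSL build in use supports it.
ssl_protocols TLSv1.2;
# Use the server's cipher preference order rather than the client's
ssl_prefer_server_ciphers on;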