The project my company is working on is a medical one, and everything still runs over plain HTTP. On the one hand the data travels in the clear, so user information is unprotected; on the other hand HTTPS is clearly where things are heading, since users care more and more about the security of their own information; and from a technical point of view, using HTTPS saves us from having to implement our own encryption layer.
So I want to run a complete test first, as a basis for updating the project later. My environment: CentOS 6.5, nginx as the reverse proxy, the site deployed on Tomcat and written in JSP.
Since this is an intranet test, you need to set up your own DNS server, or edit the local hosts file, so that the site can be reached by domain name. I am on macOS and edited the local hosts file:
sudo vi /etc/hosts
Then add the following line to it; the first part is the server's IP address, the second is the domain name:
192.168.9.12 101.linuxidc.com
I. Overall steps
1. Install openssl; gcc and zlib must be installed first. The openssl shipped with the system is usually too old and a newer one has to be installed, see my other article: Installing openssl
2. Generate a self-signed CA certificate and sign the certificate request with it
3. Install nginx (with HTTPS support); pcre, zlib and openssl must be installed first, see my other article: Installing nginx (with the SSL module), then configure nginx.
II. The self-signing process (reposted from: http://www.linuxidc.com/Linux/2016-09/134826.htm)
Prerequisites:
1. openssl must be installed on the host
2. When compiling nginx, add --with-openssl and --with-http_ssl_module
1. Generate the self-signed CA certificate (note: without -days, openssl req -x509 makes the certificate valid for only 30 days by default; pass -days N if the CA is meant to outlive the server certificates it signs)
[root@101 /]# openssl req -new -x509 -keyout /root/ca.key -out /root/ca.crt
Generating a 2048 bit RSA private key
.............+++
...................................+++
writing new private key to '/root/ca.key'
Enter PEM pass phrase: # enter the passphrase that protects the CA key
Verifying - Enter PEM pass phrase: # confirm the passphrase
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:guangzhou
Locality Name (eg, city) [Default City]:guangzhou
Organization Name (eg, company) [Default Company Ltd]:linuxidc
Organizational Unit Name (eg, section) []:it
Common Name (eg, your name or your server's hostname) []:101.linuxidc.com
Email Address []:[email protected]
2. Edit the configuration file openssl.cnf
vim /etc/pki/tls/openssl.cnf
[ ca ]
default_ca = CA_default # The default ca section
####################################################################
[ CA_default ]
dir = /etc/pki/CA # root directory of the CA; remember this directory
certs = $dir/certs
crl_dir = $dir/crl
database = $dir/index.txt
#unique_subject = no
new_certs_dir = $dir/newcerts
certificate = $dir/ca.crt # change this: the certificate used when signing
serial = $dir/serial
crlnumber = $dir/crlnumber
crl = $dir/crl.pem
private_key = $dir/private/cakey.pem
RANDFILE = $dir/private/.rand
3. Copy the certificate into the CA root directory /etc/pki/CA, create the empty files index.txt and serial there, and write "01" into serial
cd /etc/pki/CA
cp /root/ca.crt .
touch index.txt
touch serial
echo "01" >serial
4. Generate the server RSA private key /root/server.key (1024-bit RSA is no longer considered adequate; 2048 bits is the usual minimum today)
openssl genrsa -des3 -out /root/server.key 1024
5. Remove the passphrase from the private key (nginx cannot prompt for it when it starts)
openssl rsa -in /root/server.key -out /root/server_nopwd.key
6. Generate the certificate request file /root/server.csr
[root@101 /]# openssl req -new -key /root/server.key -out /root/server.csr
Enter pass phrase for /root/server.key: # enter the passphrase of the key generated in step 4
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-------- the fields below should match what was entered for the CA certificate (the default policy_match in openssl.cnf requires countryName, stateOrProvinceName and organizationName to match) --------
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:guangzhou
Locality Name (eg, city) [Default City]:guangzhou
Organization Name (eg, company) [Default Company Ltd]:linuxidc
Organizational Unit Name (eg, section) []:it
Common Name (eg, your name or your server's hostname) []:101.linuxidc.com
----------------------------------------------------------------
Email Address []:[email protected]
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:www.linuxidc.com
An optional company name []:linuxidc
7. Sign the certificate request /root/server.csr with the CA certificate (-cert and -keyfile override the certificate and private_key entries in openssl.cnf, which is why the key can stay at /root/ca.key)
[root@101 CA]# openssl ca -in /root/server.csr -out /root/server.crt -cert /root/ca.crt -keyfile /root/ca.key -config /etc/pki/tls/openssl.cnf
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for ca.key:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Aug 31 14:09:15 2016 GMT
Not After : Aug 31 14:09:15 2017 GMT
Subject:
countryName = CN
stateOrProvinceName = guangzhou
organizationName = linuxidc
organizationalUnitName = it
commonName = 101.linuxidc.com
emailAddress = [email protected]
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
18:80:30:B7:C6:11:61:AE:F3:62:9D:D0:33:D9:97:CB:45:5A:31:91
X509v3 Authority Key Identifier:
keyid:DA:99:4B:9B:29:A8:D8:14:54:FA:52:4B:1E:C3:E0:81:C6:A6:EF:42
Certificate is to be certified until Aug 31 14:09:15 2017 GMT (365 days)
Sign the certificate? [y/n]:yes
out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
8. Edit the nginx configuration file /etc/nginx/nginx.conf
------- add/modify the following inside the relevant server block of the configuration file
server {
    listen 443 ssl; # port to listen on; "ssl" makes nginx speak TLS on it
    server_name linuxidc;
    ssl on; # redundant with "listen 443 ssl" on current nginx, kept as in the original
    ssl_certificate /root/server.crt;
    ssl_certificate_key /root/server_nopwd.key;
}
9. Restart the service
~~~~ Done. On the client, open https://x.x.x.x to access the site
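As an added example that is not part of the original post, here are steps 1 to 7 above as a single non-interactive script. It assumes openssl is on PATH; the output directory, the CA name, the key sizes and the use of openssl x509 -req instead of openssl ca (which avoids the openssl.cnf, index.txt and serial bookkeeping) are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the original post): the CA and server-certificate
# steps, made non-interactive. Assumes openssl is on PATH; output directory,
# CA name and key sizes are this example's choices, not the original's.
set -eu

make_certs() {
  dir=$1
  host=$2
  mkdir -p "$dir"

  # Step 1: self-signed CA. -days is given explicitly because
  # `openssl req -x509` otherwise defaults to only 30 days.
  # (The original protects ca.key with a passphrase; -nodes skips that here.)
  openssl req -new -x509 -nodes -newkey rsa:4096 -days 3650 \
    -subj "/C=CN/ST=guangzhou/L=guangzhou/O=linuxidc/OU=it/CN=linuxidc test CA" \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null

  # Steps 4-6: server key without a passphrase (nginx cannot prompt at boot)
  # and a CSR whose C/ST/O match the CA, as the default policy_match of
  # `openssl ca` would require.
  openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
  openssl req -new -key "$dir/server.key" -out "$dir/server.csr" \
    -subj "/C=CN/ST=guangzhou/L=guangzhou/O=linuxidc/OU=it/CN=$host"

  # Step 7: sign with the CA. `openssl x509 -req` signs directly; the
  # extension file keeps CA:FALSE (as the original's signed cert had) and
  # adds a subjectAltName, which browsers require (they ignore the CN
  # when matching the hostname).
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\n' "$host" \
    > "$dir/server.ext"
  openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.crt" \
    -CAkey "$dir/ca.key" -CAcreateserial -days 365 \
    -extfile "$dir/server.ext" -out "$dir/server.crt" 2>/dev/null

  # Before pointing ssl_certificate / ssl_certificate_key at the results,
  # check that the chain verifies against the CA and the name is in the cert.
  openssl verify -CAfile "$dir/ca.crt" "$dir/server.crt" >/dev/null
  openssl x509 -in "$dir/server.crt" -noout -text | grep -q "DNS:$host"
}

# Usage: sh make-certs.sh <output-dir> <server-hostname>
[ $# -lt 2 ] || make_certs "$1" "$2"
```

The resulting server.crt and server.key go into ssl_certificate and ssl_certificate_key; ca.crt is what the client machines must import as a trusted root for the browser to accept the connection.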
With the above in place, and because the site is deployed on Tomcat and written in JSP, nginx also has to be configured to pass static resources through to Tomcat. The complete configuration:
server {
    listen 443 ssl; # "listen 443;" alone would serve plain HTTP on this port
    server_name 101.linuxidc.com;
    ssl_certificate /root/server.crt;
    ssl_certificate_key /root/server_nopwd.key;
    location / {
        proxy_pass http://192.168.9.12:8081/;
        root /項目名/; # 項目名 is a placeholder for the project name; unused while proxy_pass is set
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_next_upstream error timeout invalid_header;
    }
    location ~ .*\.(html|htm|ico|png|jpg|jpeg|js|css|bmp)$ {
        proxy_pass http://192.168.9.12:8081;
    }
}
Tomcat's server.xml also needs to be configured:
1. Add the <Valve ...> element shown below under the Engine tag, and make nginx send the matching headers
nginx:
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
tomcat server.xml:
<Engine name="Catalina" defaultHost="localhost">
    <Valve className="org.apache.catalina.valves.RemoteIpValve"
           remoteIpHeader="X-Forwarded-For"
           protocolHeader="X-Forwarded-Proto"
           protocolHeaderHttpsValue="https"/>
Without this configuration, request.getScheme() and similar calls in the JSP always return http rather than the actual scheme (http or https), because Tomcat only ever sees nginx's plain HTTP connection. Note that RemoteIpValve only honours these headers from addresses matching its internalProxies attribute; the default covers private ranges such as 192.168.0.0/16, which includes the nginx host used here, so the scheme and client address cannot be set by a client that bypasses the proxy.
2. In server.xml, add a Context tag under the Host tag so the site can be reached directly by domain name without the project name, e.g. www.baidu.com instead of www.baidu.com/baidu
<Host name="localhost" appBase="webapps"
      unpackWARs="true" autoDeploy="true">
    <Context path="" docBase="/home/wlwyl/apache-tomcat-doc/webapps/項目名" debug="0" />