Implementing HTTPS with nginx

Published 29 days ago, 17 views


1. Certificates for HTTPS

1. Buy a certificate (free certificates are valid for 3 months and must be replaced on expiry; each account can apply for 20 free certificates per year)
2. Act as your own CA and generate a self-signed (untrusted) certificate


Certificate generation steps

1. Create a directory to hold the certificate
[root@web01 ~]# mkdir -p /etc/nginx/ssl_key
[root@web01 ~]# cd /etc/nginx/ssl_key
[root@web01 ssl_key]# 

2. Generate the certificate
[root@web01 ssl_key]# openssl genrsa -idea -out server.key 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
..................................................+++++
.................................................................................................................................................................................................+++++
e is 65537 (0x010001)
Enter pass phrase for server.key:		# enter the passphrase 1234
Verifying - Enter pass phrase for server.key: # enter 1234 again
[root@web01 ssl_key]# ll
total 4
-rw------- 1 root root 1747 Dec 17 08:37 server.key



[root@web01 ssl_key]# openssl req -days 36500 -x509 \
> -sha256 -nodes -newkey rsa:2048 -keyout server.key -out server.crt
Generating a RSA private key
...........................................................................+++++
..........+++++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:CN
Locality Name (eg, city) []:BJ   
Organization Name (eg, company) [Internet Widgits Pty Ltd]:oldboy
Organizational Unit Name (eg, section) []:oldboy
Common Name (e.g. server FQDN or YOUR name) []:CN
Email Address []:11@qq.com
[root@web01 ssl_key]# ll
total 8
-rw-r--r-- 1 root root 1367 Dec 17 08:40 server.crt
-rw------- 1 root root 1704 Dec 17 08:38 server.key

Interview question: how do you check a certificate's expiry date?
[root@web01 /etc/nginx/ssl_key]#openssl x509 -in server.crt -noout -enddate
notAfter=Mar 17 23:59:59 2025 GMT
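The checks worth running before pointing nginx at a freshly generated key and certificate, as an added example of my own rather than commands from the post: a single openssl call replaces the post's genrsa-then-req sequence (the req -newkey step overwrites the passphrase-protected key from genrsa anyway), then the key is matched against the certificate and the remaining validity is checked against a threshold. The hostname, temporary directory and 30-day threshold are assumptions, and openssl must be on PATH.

```shell
#!/bin/sh
# Added example (not the post's own commands). Generates a self-signed cert in one
# openssl call, then runs the two checks a practitioner wants before configuring
# nginx: does the key belong to the cert, and how long does the cert stay valid.
# Assumes openssl is on PATH; hostname and 30-day threshold are illustrative.
set -eu

# One command replaces the post's two steps: "req -newkey" writes a fresh key to
# -keyout, so a key made earlier with genrsa is overwritten anyway. -nodes leaves
# the key unencrypted so nginx can start without a passphrase prompt; -addext
# adds the subjectAltName that browsers require in addition to the CN.
make_selfsigned() {  # $1 = output dir, $2 = hostname, $3 = validity in days
  openssl req -x509 -newkey rsa:2048 -sha256 -nodes -days "$3" \
    -subj "/C=CN/O=oldboy/CN=$2" -addext "subjectAltName=DNS:$2" \
    -keyout "$1/server.key" -out "$1/server.crt" 2>/dev/null
  chmod 600 "$1/server.key"   # the private key must not be world-readable
}

# Returns 0 when the private key belongs to the certificate (same public key);
# this catches a key that was regenerated after the certificate was issued.
cert_key_match() {  # $1 = cert, $2 = key
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# Prints notAfter as the post does, and returns 0 only if the certificate stays
# valid for at least $2 more days (openssl's -checkend takes seconds).
cert_valid_for_days() {  # $1 = cert, $2 = days
  openssl x509 -in "$1" -noout -enddate
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

dir=$(mktemp -d)
make_selfsigned "$dir" www.zkl98.cn 365
cert_key_match "$dir/server.crt" "$dir/server.key" && echo "key matches certificate"
cert_valid_for_days "$dir/server.crt" 30 && echo "more than 30 days of validity left"
```

A cron job calling cert_valid_for_days with your renewal lead time is the usual way to turn the interview answer into monitoring.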

2. Certificate configuration in nginx

[root@web01 /etc/nginx/conf.d]#vim test.conf
server {
         listen 443 ssl;
         server_name www.zkl98.cn;
         root /code;
         index index.html;
         ssl_certificate   ssl_key/server.crt;
         ssl_certificate_key  ssl_key/server.key;
}
server {
        listen 80;
        server_name www.zkl98.cn;
        return 302 https://$server_name$request_uri;
}
[root@web01 /code]#cat index.html 
web01......

3. HTTPS on a cluster (certificate on the load balancer)

web01: configure a static page
[root@web01 /etc/nginx/conf.d]#cat test.conf
server {
        listen 80;
        server_name www.zkl98.cn;
        root /code;
        index index.html;
}
[root@web01 /code]#cat index.html 
web01......
web02: configure a static page
[root@web02 /etc/nginx/conf.d]#cat test.conf 
server{
        listen 80;
        server_name www.zkl98.cn;
        root /code;
        index index.html;
}
[root@web02 /code]#cat index.html 
web02....
Load balancer configuration
1. Copy the certificate to the load balancer server
[root@web01 /etc/nginx]#scp -r /etc/nginx/ssl_key/ 10.0.0.5:/etc/nginx/
2. nginx configuration
[root@lb /etc/nginx/conf.d]#vim test.conf
upstream web {
        server 172.16.1.7:80;
        server 172.16.1.8:80;
}
server {
        listen 443 ssl;
        server_name www.zkl98.cn;
        ssl_certificate   ssl_key/server.crt;
        ssl_certificate_key  ssl_key/server.key;
        ssl_session_cache shared:SSL:1m;
        ssl_session_timeout 5m;
        # Customize the TLS protocol versions and cipher suites (example settings; evaluate whether you need them)
        # A higher TLS version makes HTTPS communication more secure, but higher versions have poorer browser compatibility than lower ones.
        ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
        ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;

        location / {
                proxy_pass http://web;
                include proxy_params;
                proxy_next_upstream error timeout http_500 http_502 http_503 http_504;
        }
}

server {
        listen 80;
        server_name www.zkl98.cn;
        return 302 https://$server_name$request_uri;
}
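The ssl_ciphers string above ends in :AES:HIGH, which also enables static-RSA key-exchange suites that have no forward secrecy; the script below is an added example of my own, not part of the post, and expands a cipher string with the local openssl to list exactly those suites. The hardened ECDHE-only list is my assumption of a modern set, and openssl must be on PATH (the post's TLSv1.1 should go too, since TLS 1.0 and 1.1 are deprecated by RFC 8996).

```shell
#!/bin/sh
# Added example, not the post's configuration: expands an nginx ssl_ciphers
# string with the local openssl and lists the suites that use static RSA key
# exchange (Kx=RSA), which have no forward secrecy. Assumes openssl on PATH.
set -eu

# The post's list: ":AES:HIGH" pulls in RSA-key-exchange suites such as AES128-SHA.
POST_CIPHERS='ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4'
# An ECDHE-only list (my assumption of a hardened set). TLS 1.3 suites are listed
# by openssl regardless of this string and are always forward secret.
HARDENED_CIPHERS='ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305'

# "openssl ciphers -v" prints one line per suite:
#   NAME  PROTOCOL  Kx=...  Au=...  Enc=...  Mac=...
# Field 3 is the key exchange. Kx=RSA means the client encrypts the premaster
# secret to the server's long-term RSA key, so a later leak of server.key
# decrypts any recorded sessions; Kx=ECDH / Kx=DH / Kx=any (TLS 1.3) do not.
rsa_kex_suites() {  # $1 = ssl_ciphers string
  openssl ciphers -v "$1" | awk '$3 == "Kx=RSA" { print $1 }'
}

rsa_kex_count() {  # number of such suites; a hardened list should give 0
  rsa_kex_suites "$1" | wc -l | tr -d ' '
}

echo "post's ssl_ciphers enables $(rsa_kex_count "$POST_CIPHERS") static-RSA suites:"
rsa_kex_suites "$POST_CIPHERS"
echo "hardened list enables $(rsa_kex_count "$HARDENED_CIPHERS") static-RSA suites"
```

Run it on the load balancer itself, since nginx links against that host's OpenSSL and the expansion of aliases like HIGH depends on the library version.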

4. Configuring WordPress behind the certificate

[root@lb /etc/nginx/conf.d]#vim lb.conf
upstream webs {
        server 172.16.1.7;
        server 172.16.1.8;
}
server {
        listen 443 ssl;
        server_name www.wp.com;
        ssl_certificate   ssl_key/server.crt;
        ssl_certificate_key  ssl_key/server.key;
        ssl_session_cache shared:SSL:1m;
        ssl_session_timeout 5m;
        ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
        ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;

        location / {
        proxy_pass http://webs;
        include proxy_params;
        proxy_next_upstream error timeout http_500 http_502 http_503 http_504;
}
}
server {
        listen 80;
        server_name www.wp.com;
        return 302 https://$server_name$request_uri;
}
Enable HTTPS support in PHP on web01 and web02
[root@web01 /etc/nginx/conf.d]#cat wp.conf 
server{
	listen 80;
	server_name www.wp.com;
	root /code/wordpress;
	index index.php index.html;
	location ~ \.php$ {
		fastcgi_pass 127.0.0.1:9000;
		fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
		include  fastcgi_params;
		fastcgi_param HTTPS on;		# enable HTTPS support in PHP
	}
}

5. HTTPS on a single Alibaba Cloud host

1. Buy an ECS instance
2. Install nginx
[root@web01 ~]# yum -y install nginx
Configure the nginx configuration file
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;

include /usr/share/nginx/modules/*.conf;

events {
    worker_connections 1024;
}

http {
    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;

    sendfile            on;
    tcp_nopush          on;
    tcp_nodelay         on;
    keepalive_timeout   65;
    types_hash_max_size 4096;

    include             /etc/nginx/mime.types;
    default_type        application/octet-stream;

    include /etc/nginx/conf.d/*.conf;

    server {
        listen       80;
        server_name  www.zkl98.cn;
        root         /code;

        include /etc/nginx/default.d/*.conf;
}
}
[root@web01 nginx]# systemctl restart nginx
[root@web01 nginx]# mkdir /code
[root@web01 nginx]# echo web01..... > /code/index.html

3. Configure nginx with the HTTPS certificate
Upload the downloaded certificate
[root@web01 nginx]# unzip 16368254_www.zkl98.cn_nginx.zip 
Archive:  16368254_www.zkl98.cn_nginx.zip
Aliyun Certificate Download
  inflating: www.zkl98.cn.pem        
  inflating: www.zkl98.cn.key 

Configure nginx
[root@web01 nginx]# cat nginx.conf
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;

include /usr/share/nginx/modules/*.conf;

events {
    worker_connections 1024;
}

http {
    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;

    sendfile            on;
    tcp_nopush          on;
    tcp_nodelay         on;
    keepalive_timeout   65;
    types_hash_max_size 4096;

    include             /etc/nginx/mime.types;
    default_type        application/octet-stream;

    include /etc/nginx/conf.d/*.conf;

    server {
        listen 443 ssl;
        server_name  www.zkl98.cn;
        root         /code;
        ssl_certificate   www.zkl98.cn.pem;
        ssl_certificate_key  www.zkl98.cn.key;
        include /etc/nginx/default.d/*.conf;
    }
    server {
        listen 80;
        server_name www.zkl98.cn;
        return 302 https://$server_name$request_uri;
    }
}

6. Configuring a load balancer

1. Buy a load balancer directly from Alibaba Cloud
2. Configure the load balancer
3. Set up a listener on port 80 that forwards to 443
4. Set up a listener on port 443
A single instance supports up to 1,000,000 QPS (requests per second) and 100G of processing capacity.
小棱
Last updated 2024-12-24