First steps with HTTPS

Published 2023-12-30 09:05:19, author: yuyongqi

1. Server environment: two servers act as front-end proxies and two as back-end real servers. All of them run nginx.

Proxy servers    Back-end servers
172.16.5.50      172.16.5.52
172.16.5.51      172.16.5.53

2. On the two back-end servers, edit the nginx config file:

cd /etc/nginx/conf.d
vim www_hello80.conf
###
server {
    listen 80;
    server_name www.hello80.com hello80.com;
    location / {
        root /www/test-ssl;
        # try_files $uri $uri/ /index.html;
        index index.html index.htm;
    }
}

Below is the single-machine version, which can be tested on one host.

cd /etc/nginx/conf.d
vim ssl-hk.conf
###
server {
    listen 80;
    server_name www.hello80.com hello80.com;
    #rewrite ^(.*) https://$host$1 permanent;
    return 307 https://$server_name$request_uri;
}

server {
    listen 443 ssl;
    server_name www.hello80.com hello80.com;
    ssl_certificate /etc/nginx/ssl/www.hello80.com.pem;
    ssl_certificate_key /etc/nginx/ssl/www.hello80.com.key;
    ssl_session_timeout 5m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;
    ssl_prefer_server_ciphers on;
    location / {
        root /www/test-ssl;
        # try_files $uri $uri/ /index.html;
        index index.html index.htm;
    }
}

On a single machine, create the certificate directory locally and upload the certificate. In the cluster, do this step on both proxy servers, 172.16.5.50 and 172.16.5.51.

mkdir /etc/nginx/ssl/
# check once the upload is done
[root@hk2 .ssh]# ll /etc/nginx/ssl/
total 8
-rw-r--r-- 1 root root 1675 Dec 23 11:45 www.hello80.com.key
-rw-r--r-- 1 root root 3826 Dec 23 11:45 www.hello80.com.pem

Create the web root directory and write the index file

mkdir /www/test-ssl
cat > /www/test-ssl/index.html << EOF
> <h1>
> test ssl -172.16.5.52
> </h1>
> EOF

After editing, reload nginx.

3. Edit the proxy layer, servers 50 and 51

cd /etc/nginx/conf.d
vim www_hello80_ssl.conf
###
upstream www_hello80_servers {
    server 172.16.5.52 weight=100;
    server 172.16.5.53 weight=300;
}
server {
    listen 80;
    server_name www.hello80.com hello80.com;
    #rewrite ^(.*) https://$host$1 permanent;
    return 307 https://$server_name$request_uri;
}
server {
    listen 443 ssl;
    server_name www.hello80.com hello80.com;
    ssl_certificate /etc/nginx/ssl/www.hello80.com.pem;
    ssl_certificate_key /etc/nginx/ssl/www.hello80.com.key;
    ssl_session_timeout 5m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;
    ssl_prefer_server_ciphers on;
    location / {
        proxy_pass http://www_hello80_servers/;
        proxy_set_header Host $http_host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_connect_timeout 30;
        proxy_send_timeout 60;
        proxy_read_timeout 60;
        proxy_buffering on;
        proxy_buffer_size 32k;
        proxy_buffers 4 128k;
    }
}


You can edit it on 50 and then scp it to 51:
scp www_hello80_ssl.conf 172.16.5.51:/etc/nginx/conf.d/

Copy the certificates from 52 to 50 and 51:

scp -r  /etc/nginx/ssl/ 172.16.5.50:/etc/nginx/
scp -r  /etc/nginx/ssl/ 172.16.5.51:/etc/nginx/

nginx -t

nginx -s reload

Add a hosts-file entry and verify: 172.16.5.55 wordpress.hello.com www.hello80.com hello80.com
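A check worth running on the proxy-layer file before `nginx -s reload`. This added shell script (not from the original post) scans a server block for the weak settings the configs above carry: TLSv1/TLSv1.1 still offered, no HSTS header, and a plain-HTTP backend that is never told the client scheme; it then prints the hardened directives. The sample config is constructed inline from the page's 443 block, and the function names are mine.

```shell
#!/bin/sh
# Added example (not from the original post): audit an nginx server block for
# the weak TLS/proxy settings carried by the configs above, then print the
# hardened directives. The sample config below is constructed here.

write_sample_conf() {          # mirrors the page's proxy-layer 443 block
  cat > "$1" <<'EOF'
server {
    listen 443 ssl;
    server_name www.hello80.com hello80.com;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;
    location / {
        proxy_pass http://www_hello80_servers/;
        proxy_set_header Host $http_host;
    }
}
EOF
}

# audit_nginx_tls FILE: prints one WEAK/MISSING line per finding
audit_nginx_tls() {
  conf="$1"
  # TLS 1.0/1.1 are deprecated (RFC 8996); only 1.2/1.3 should be offered
  if grep -E 'ssl_protocols[^;]*TLSv1([.]1)?([[:space:]]|;)' "$conf" >/dev/null; then
    echo "WEAK: ssl_protocols still enables TLSv1/TLSv1.1"
  fi
  # without HSTS a browser keeps starting on the port-80 redirect hop
  grep -q 'Strict-Transport-Security' "$conf" ||
    echo "MISSING: add_header Strict-Transport-Security"
  # the backend is reached over plain HTTP and is never told the client scheme
  if grep -q 'proxy_pass' "$conf" && ! grep -q 'X-Forwarded-Proto' "$conf"; then
    echo "MISSING: proxy_set_header X-Forwarded-Proto \$scheme"
  fi
}

# hardened_directives: what to put in the 443 server block instead
hardened_directives() {
  cat <<'EOF'
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    add_header Strict-Transport-Security "max-age=31536000" always;
    proxy_set_header X-Forwarded-Proto $scheme;
EOF
}

# count_findings FILE: number of findings (prints 0 when the file is clean)
count_findings() { audit_nginx_tls "$1" | grep -c -E '^(WEAK|MISSING)' || true; }
```

With `X-Forwarded-Proto` set at the proxy, the WordPress side can derive `$_SERVER['HTTPS']` from that header instead of hard-coding it to `on`.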

Self-signed certificate, deployed for the WordPress domain

How to create an HTTPS certificate yourself

Creating a certificate includes the creator's information.

1. Install the openssl command
yum install openssl openssl-devel -y

Install nginx too, from the nginx yum repo:

[nginx-stable]
name=nginx stable repo
baseurl=http://nginx.org/packages/centos/$releasever/$basearch/
gpgcheck=1
enabled=1
gpgkey=https://nginx.org/keys/nginx_signing.key


yum install nginx -y

2. Create the certificate directory from the command line
mkdir -p /etc/nginx/ssl-cert/
cd /etc/nginx/ssl-cert/

Create the private key file
# RSA asymmetric algorithm, key length 2048, key material written to server.key
# -idea is the name of the cipher used to encrypt the key file

openssl genrsa -idea -out server.key 2048
It prompts for a passphrase to protect the private key;
the key is only created once you enter one:
chaoge666

[root@lb-5 /etc/nginx/ssl-cert]#cat server.key 
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: IDEA-CBC,904B1F32A100884B
(base64 key body omitted)
-----END RSA PRIVATE KEY-----

Then create the certificate (the public key) to go with the private key

# req creates the certificate: -days 36500 is 100 years of validity, -x509 makes a self-signed X.509 certificate,
# -sha256 is the signature digest, -newkey rsa:2048 generates a fresh 2048-bit RSA key and -keyout server.key writes it
# (note this overwrites the server.key made in the previous step; -nodes leaves the new key unencrypted, so no passphrase is asked for)
# -out server.crt writes the certificate (public key) to server.crt

# While creating the certificate you are asked for company and organization details

openssl req -days 36500 -x509 -sha256 -nodes -newkey rsa:2048 -keyout server.key -out server.crt
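The same self-signed flow, done non-interactively and with a subjectAltName (browsers no longer accept a CN alone), plus the two checks worth running before pointing nginx at the files: that the certificate really belongs to the key on disk, and how long it stays valid. This is an added example, not code from the original post; it assumes openssl on PATH, the domain names are the page's, the one-year validity and the function names are mine.

```shell
#!/bin/sh
# Added example (not from the original post): self-signed certificate with a
# SAN, generated without prompts, and the checks to run on the result.
# Assumes openssl on PATH.

# make_selfsigned DIR CN [ALTNAME...] -> DIR/server.key (mode 0600), DIR/server.crt
make_selfsigned() {
  dir="$1"; cn="$2"; shift 2
  san="DNS:$cn"
  for n in "$@"; do san="$san,DNS:$n"; done
  cat > "$dir/req.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3
[dn]
CN = $cn
[v3]
subjectAltName = $san
basicConstraints = CA:FALSE
EOF
  # -nodes writes an unencrypted key, as in the page's command; validity is one year here
  openssl req -x509 -sha256 -days 365 -nodes -newkey rsa:2048 \
    -keyout "$dir/server.key" -out "$dir/server.crt" -config "$dir/req.cnf" 2>/dev/null
  chmod 600 "$dir/server.key"   # the page's ll output showed a world-readable key; avoid that
}

# cert_matches_key CRT KEY -> 0 only if the certificate carries this key's public half
cert_matches_key() {
  a=$(openssl x509 -noout -pubkey -in "$1" | openssl sha256)
  b=$(openssl pkey -pubout -in "$2" 2>/dev/null | openssl sha256)
  [ -n "$a" ] && [ "$a" = "$b" ]
}

# cert_san CRT -> the SAN line, e.g. "DNS:www.hello80.com, DNS:hello80.com"
cert_san() {
  openssl x509 -noout -text -in "$1" | grep -A1 'Subject Alternative Name' | tail -1 | sed 's/^ *//'
}

# cert_valid_for CRT DAYS -> 0 if the certificate is still valid DAYS from now
cert_valid_for() { openssl x509 -noout -checkend $(( $2 * 86400 )) -in "$1" >/dev/null; }
```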

Edit the proxy-layer nginx config file

cd /etc/nginx/conf.d/
###
upstream word_press {
    server 172.16.5.52;
    # server 172.16.5.53:80;
}
server {
    listen 80;
    server_name wordpress.hello.com;
    #return 307 https://$server_name$request_uri;
    location / {
        proxy_pass http://word_press/;
        proxy_set_header Host $http_host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_connect_timeout 30;
        proxy_send_timeout 60;
        proxy_read_timeout 60;
        proxy_buffering on;
        proxy_buffer_size 32k;
        proxy_buffers 4 128k;
    }
    access_log /var/log/nginx/wordpress.access.log main;
    error_log /var/log/nginx/wordpress.error.log;
}
server {
    listen 443 ssl;
    server_name wordpress.hello.com;
    ssl_certificate /etc/nginx/ssl/server.crt;
    ssl_certificate_key /etc/nginx/ssl/server.key;
    ssl_session_timeout 5m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;
    ssl_prefer_server_ciphers on;
    location / {
        proxy_pass http://word_press/;
        proxy_set_header Host $http_host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_connect_timeout 30;
        proxy_send_timeout 60;
        proxy_read_timeout 60;
        proxy_buffering on;
        proxy_buffer_size 32k;
        proxy_buffers 4 128k;
    }
    access_log /var/log/nginx/wordpress_ssl.access.log main;
    error_log /var/log/nginx/wordpress_ssl.error.log;
}

The PHP side also needs changes; see the HTTPS support section below.

The directory is different.

cd /code/wordpress

Make the other changes according to the documentation.

hk123456


Reinstall WordPress, switching to the hello80.com domain

Admin user and password

http://wordpress.hello80.com/wp-admin
admin
EWI7Zkur^*895Jo)Z0

HTTPS support

Reference: https://blog.csdn.net/weixin_43983960/article/details/120096009

cd /code/wordpress-new

1. Find the line require( ABSPATH . WPINC . '/option.php' ); and add the following below it:

vim wp-includes/functions.php
// strip the scheme so script URLs become protocol-relative and load over whichever scheme the page used
add_filter('script_loader_src', 'agnostic_script_loader_src', 20, 2);
function agnostic_script_loader_src($src, $handle) {
  return preg_replace('/^(http|https):/', '', $src);
}
// same for stylesheet URLs
add_filter('style_loader_src', 'agnostic_style_loader_src', 20, 2);
function agnostic_style_loader_src($src, $handle) {
  return preg_replace('/^(http|https):/', '', $src);
}

2. Path: in the WordPress site root, find wp-config.php and add the following at the top of the file:

vim wp-config.php
$_SERVER['HTTPS'] = 'on';
define('FORCE_SSL_LOGIN', true);
define('FORCE_SSL_ADMIN', true);

3. Change the HTTPS setting in the site back end

Before enabling HTTPS on the server side, log in to the site back end and change the WordPress address and site address first, then do steps 1 and 2; that should work as well, as shown in the figure:

http://wordpress.hello80.com/wp-admin

Change http to https

The database for the reinstall is on server 51

MariaDB [(none)]> create database wordpress_new;

Here are the config files after the reinstall:

Proxy layer, 50 and 51:

[root@template conf.d]# vim wordpress_hello80.conf
###
upstream word_press_hello80_servers {
    server 172.16.5.52;
    server 172.16.5.53:80;
}
server {
    listen 80;
    server_name wordpress.hello80.com;
    return 307 https://$server_name$request_uri;
}
server {
    listen 443 ssl;
    server_name wordpress.hello80.com;
    ssl_certificate /etc/nginx/ssl/wordpress.hello80.com.pem;
    ssl_certificate_key /etc/nginx/ssl/wordpress.hello80.com.key;
    ssl_session_timeout 5m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;
    ssl_prefer_server_ciphers on;
    location / {
        proxy_pass http://word_press_hello80_servers/;
        proxy_set_header Host $http_host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_connect_timeout 30;
        proxy_send_timeout 60;
        proxy_read_timeout 60;
        proxy_buffering on;
        proxy_buffer_size 32k;
        proxy_buffers 4 128k;
    }
    access_log /var/log/nginx/w_80_ssl.access.log main;
    error_log /var/log/nginx/w_80_ssl.error.log;
}

Back-end real servers 52 and 53

[root@hk2 conf.d]# cat wordpress1.conf
server {
    listen 80;
    server_name wordpress.hello80.com;

    # static requests: where the files live
    root /code/wordpress-new;
    index index.php index.html;

    # dynamic request handling
    location ~ \.php$ {
        root /code/wordpress-new;
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
    access_log /var/log/nginx/wordpress_80.access.log main;
    error_log /var/log/nginx/wordpress_80.error.log;
}

NFS file sharing

Server 50

[root@template conf.d]# vim /etc/exports
/wordpress-uploads  172.16.5.0/24(rw,sync,all_squash,anonuid=666,anongid=666)
/wordpress-new-uploads  172.16.5.0/24(rw,sync,all_squash,anonuid=666,anongid=666)

Restart nfs after the change

systemctl restart nfs 

Create the shared directory and fix its ownership

mkdir  /wordpress-new-uploads
chown www.www /wordpress-new-uploads/ -R 

Mount the shared directory on servers 52 and 53

mount -t nfs 172.16.5.50:/wordpress-new-uploads /code/wordpress-new/wp-content/uploads/

SSH key login

On the Linux server

cd /root/.ssh
Generate the key pair; just press Enter through the prompts:
ssh-keygen
[root@hk2 .ssh]# ssh-keygen 
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): 
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:kHc5zsKhdu0CpS9V3AxVU0JAgkQOGAeg+wZAOnmrlKU root@hk2
The key's randomart image is:
+---[RSA 2048]----+
| ...o+ooo.oo++=..|
|oo  .. +.. *   o |
|* ..  o = * o    |
|.++.   B B .     |
|oE.   = S +      |
|.+   . = o       |
|. o   . o .      |
| .     . .       |
|                 |
+----[SHA256]-----+
This generates the following two files:
[root@hk2 .ssh]# ll
total 12
-rw------- 1 root root 1675 Dec 23 18:55 id_rsa
-rw-r--r-- 1 root root  390 Dec 23 18:55 id_rsa.pub

Next, copy the public key to the server you want to log in to. This appends the generated public key as one line to authorized_keys there, creating the file if it does not exist.
[root@hk2 .ssh]# ssh-copy-id 172.16.5.52
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_rsa.pub"
The authenticity of host '172.16.5.52 (172.16.5.52)' can't be established.
ECDSA key fingerprint is SHA256:MbAFOZtVmy5T1VrVw6ClpSUFtUsWx20sM7cSrsrq66g.
ECDSA key fingerprint is MD5:2e:7a:01:9e:4e:d0:b6:f0:a3:c0:02:d1:23:55:37:63.
Are you sure you want to continue connecting (yes/no)? yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@172.16.5.52's password: 

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh '172.16.5.52'"
and check to make sure that only the key(s) you wanted were added.

[root@hk2 .ssh]# ll
total 16
-rw------- 1 root root  390 Dec 23 18:56 authorized_keys
-rw------- 1 root root 1675 Dec 23 18:55 id_rsa
-rw-r--r-- 1 root root  390 Dec 23 18:55 id_rsa.pub
-rw-r--r-- 1 root root  692 Dec 23 18:56 known_hosts

At this point server 52 can log in without a password to every server that received its public key.
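The ssh-copy-id output above ends with "check to make sure that only the key(s) you wanted were added". This added shell script (not from the original post) does that check by fingerprint: it confirms a given public key is installed, lists any installed key that is not one you expect, and verifies the file mode. It assumes ssh-keygen on PATH; the key pair and authorized_keys file are constructed in the test, and the function names are mine.

```shell
#!/bin/sh
# Added example (not from the original post): verify the contents of an
# authorized_keys file by fingerprint rather than by eye. Assumes ssh-keygen on PATH.

# fingerprint FILE: SHA256 fingerprint of a public key file (or a one-line copy)
fingerprint() { ssh-keygen -lf "$1" | awk '{print $2}'; }

# for_each_installed AUTHORIZED_KEYS CALLBACK: call CALLBACK with the fingerprint of every key line
for_each_installed() {
  tmp=$(mktemp)
  while IFS= read -r line; do
    case "$line" in ''|'#'*) continue ;; esac       # skip blanks and comments
    printf '%s\n' "$line" > "$tmp"
    "$2" "$(fingerprint "$tmp")"
  done < "$1"
  rm -f "$tmp"
}

# key_installed AUTHORIZED_KEYS PUBKEY -> 0 if PUBKEY's fingerprint is listed
key_installed() {
  want=$(fingerprint "$2")
  for_each_installed "$1" echo | grep -qx "$want"
}

# unexpected_keys AUTHORIZED_KEYS PUBKEY...: print the fingerprint of every installed
# key that is not one of the given public keys (anything printed was not added by you)
unexpected_keys() {
  ak="$1"; shift
  wanted=""
  for p in "$@"; do wanted="$wanted $(fingerprint "$p")"; done
  for_each_installed "$ak" echo | while IFS= read -r fp; do
    case " $wanted " in *" $fp "*) ;; *) echo "$fp" ;; esac
  done
}

# check_perms AUTHORIZED_KEYS -> 0 when the file is mode 0600 (sshd StrictModes rejects looser files)
check_perms() { [ -n "$(find "$1" -perm 600)" ]; }
```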

Windows client

SecureCRT

Download the private key to the local machine and choose private-key login when creating the connection.