先说下https也就是ssl证书,一般我们认为https是安全的,但是SSL 证书的信用链体系并不安全。特别是在某些国家(咳咳,你们懂的)可以控制 CA 根证书的情况下,中间人攻击一样可行。另外,在客户端被植入无数后门、木马的状况下,HTTPS 连接的作用非常有限。
我不使用的原因
更换https和替换域名代价是一样的
又拍云不支持自定义域名https
好了,我们可以开始配置ssl了。一般来说我比较推荐namecheap的ssl证书,因为比较便宜,毕竟对大部分个人博客来说只是想要那个绿锁提升逼格罢了~
使用OpenSSL生成证书
cd /usr/local/nginx/conf/
/usr/local/nginx/conf# openssl genrsa -out yourdomain.pem 2048
Generating RSA private key, 2048 bit long modulus
........+++
................................................................................................................+++
e is 65537 (0x10001)
生成证书
openssl req -new -key yourdomain.pem -out yourdomain.csr
会出现以下提示
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
按照提示输入相应信息即可
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Beijing
Locality Name (eg, city) [Default City]:Beijing
Organization Name (eg, company) [Default Company Ltd]:Bigfa
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:yourdomain.com
Email Address []:admin@yourdomain.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
执行cat yourdomain.csr
-----BEGIN CERTIFICATE REQUEST-----
MIICxDCCAawCAQAwfzELMAkGA1UEBhMCQ04xEDAOBgNVBAgMB0JlaWppbmcxEDAO
BgNVBAcMB0JlaWppbmcxDjAMBgNVBAoMBUJpZ2ZhMRcwFQYDVQQDDA55b3VyZG9t
YWluLmNvbTEjMCEGCSqGSIb3DQEJARYUYWRtaW5AeW91cmRvbWFpbi5jb20wggEi
MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC9fsxThwLzCd54s2GMUcjlleCj
LTf9bYGQyIjn+6z7kJbDbcrkbZxMysfRnFLa6u5oK7S9PQfGHK/gZeHfSLXbD/GL
wi171tZpnQHjfLjMbHEUEUCFQD7ueek/v3/Tr+T0+em1gQt/93K2dqv7Cx+bupwc
zNkQmqNgqslC4sdKQZjLUIHYLr/j8lQQLOOn9/PiuNOGCTaK5g9TA20oVCjpJZuf
1eN7jYUOtvy4IGhq4BkNJHHmg32cxH9mZOgmhohq+pbmi0PP8E2OFTzpyZ6OcFtW
IcSRq3UpjPw8EYfEg4lDC0Xee2Yom7Is8yBWAPcNKxpvFphlHirHOF6xifRzAgMB
AAGgADANBgkqhkiG9w0BAQUFAAOCAQEAN9OnT8J1VnO74bXbJS9ub7DGf94klpoy
YQWePKelnImU1Zszdg3jYtKWZVcNYhM5QfZ16CDKwYEQeQkgy1xSBKkwpY24ICe+
iX1sczvBY/gUq+xNArL5La7/Tow3KrJZJuFc1iVESBG0wU8zu9ZcnwbuRj0Dn8qj
fMqwwct+0Xz2zXxiqtVCPNQXqa/YRANGnFnBBPErBnaL/j439s4TBasSiIyb7TE+
Ku9LrfecL5w8+05NFPcG1ArpbQJDuJIIAk1itTMLEMGqUYWD6MYcksH4FcTr70Vw
f8Ag9+Csyf5aQxQVgNDCgc3zwHTg0Bpbldx8+HiCiDXjaK4qAXKBRQ==
-----END CERTIFICATE REQUEST-----
把—
NameCheap生成数字证书
因为新证书还没有域名可用,所以这部分截图以后补上。
进入Namecheap管理界面,点击“Activate Now”即可激活SSL产品。
之后会出现一个提交证书向CA(数字证书颁发机构)提交OpenSSL生成的证书的页面,把前面复制的内容粘贴进去,系统选择nginx。
接下来是选择域名管理员邮箱,邮箱必须是能够接收到邮件。同时确认一下生成证书时填写的信息是否正确。选用默认那个特别长的会发送到你namecheap的注册邮箱。
之后提交订单即可。
过段时间会收到一封验证邮件,点击邮件中的验证地址并并填写验证码即可。
过段时间邮箱就会收到发来的证书,下载附件的压缩包解压,里面好像有4个文件,选择你yourdomain.pem。上传到你的服务器,注意路径,后面配置的时候需要加载这个证书
Nginx虚拟主机设置SSL
ssl是443端口,注意证书路径。
server
{
listen 443 ;
server_name fatesinger.com;
ssl on;
ssl_certificate /usr/local/nginx/conf/fatesinger_com.crt;
ssl_certificate_key /usr/local/nginx/conf/bigfa.pem;
index index.html index.htm index.php default.html default.htm default.php;
root /home/wwwroot/fatesinger.com;
access_log /home/wwwlogs/fatesinger.com.log access;
}
全站https跳转
if ($server_port = 80) {
return 301 https://$server_name$request_uri;
}
if ($scheme = http) {
return 301 https://$server_name$request_uri;
}
error_page 497 https://$server_name$request_uri;
最后就是ssl证书本身没多少钱,也有免费的,如果我是新站的话我肯定毫不犹豫的配置上ssl证书,但是现在对我来说全站配置ssl代价还是蛮大的,所以只在部分URL启用了https,如何只在部分url使用https可以接着往下看
在nginx的配置中,必须同时配置两个端口,一个是80一个是443。
server {
root /var/www/
location / {
}
location /user {
rewrite ^ https://$http_host$request_uri? permanent;
}
}
这个带/user的url会自动跳转为https
然后在443端口进行相反的设置
Then, in your 443 server, you do the opposite.
server {
listen 443;
root /var/www/
location / {
rewrite ^ http://$http_host$request_uri? permanent;
}
location /user {
}
}
。https肯定是趋势,如果是新站还不差那几十块钱的话就配置一个吧。