
nginx - multiple TLS-encrypted host headers on the same host IP address

Time: 2021-06-04 22:34:51

  In the test environment, self-generated certificates and private keys are used.

I. Generate the certificates and private keys

  1. Change into the certs directory; running make in this directory generates a certificate directly

cd /etc/ssl/certs

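  2. Edit the Makefile and remove the automatic encryption of the generated key (the -aes128 option), so the private key is written without a passphrase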

vim Makefile 

  %.key:
    umask 77 ; \
    /usr/bin/openssl genrsa -aes128 $(KEYLEN) > $@

Change it to:

%.key:
	umask 77 ; /usr/bin/openssl genrsa $(KEYLEN) > $@

  3. Generate the certificate and private key for www.test.com

[18:55:06 root@localhost certs]#make test.com.crt
umask 77 ; /usr/bin/openssl genrsa  2048 > test.com.key
Generating RSA private key, 2048 bit long modulus
.............................+++
...........................................................................................................................................................................+++
e is 65537 (0x10001)
umask 77 ; /usr/bin/openssl req -utf8 -new -key test.com.key -x509 -days 365 -out test.com.crt 
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ., the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:shanghai                 
Locality Name (eg, city) [Default City]:shanghai
Organization Name (eg, company) [Default Company Ltd]:sh
Organizational Unit Name (eg, section) []:sh
Common Name (eg, your name or your servers hostname) []:www.test.com
Email Address []:

  4. Generate the certificate and private key files for www.test.org

[18:58:06 root@localhost certs]#make test.org.crt
umask 77 ; /usr/bin/openssl genrsa  2048 > test.org.key
Generating RSA private key, 2048 bit long modulus
....................................................................+++
...........................+++
e is 65537 (0x10001)
umask 77 ; /usr/bin/openssl req -utf8 -new -key test.org.key -x509 -days 365 -out test.org.crt 
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ., the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:sh
Locality Name (eg, city) [Default City]:sh
Organization Name (eg, company) [Default Company Ltd]:www.test.org
Organizational Unit Name (eg, section) []:sh
Common Name (eg, your name or your servers hostname) []:www.test.org  
Email Address []:

Only the parts highlighted in red matter; the other fields can be filled in arbitrarily.

  5. Under the directory that holds the nginx configuration files, create a folder for the certificates and private keys

mkdir /etc/nginx/ssl/

  6. Move the private key files and certificates just generated into the ssl folder

mv test.* /etc/nginx/ssl/

  7. Set the permissions of the certificate and private key files to 600

chmod 600 /etc/nginx/ssl/*
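
With -aes128 removed in step 2 the keys are stored in plaintext, so the file mode set in step 7 is their only protection on disk. The check below is an added example, not part of the original post; the function names and the sample files (placeholder bodies, not real keys) are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: audit the private keys in a directory such as /etc/nginx/ssl.

# key_is_encrypted FILE -> status 0 if the PEM is passphrase-protected.
# Matches the traditional format written by "openssl genrsa -aes128"
# (Proc-Type: 4,ENCRYPTED) and PKCS#8 (BEGIN ENCRYPTED PRIVATE KEY).
key_is_encrypted() {
    grep -Eq '^Proc-Type: 4,ENCRYPTED|^-----BEGIN ENCRYPTED PRIVATE KEY-----' "$1"
}

# mode_is_private FILE -> status 0 if group and others have no permission bits.
mode_is_private() {
    [ "$(ls -ld -- "$1" | cut -c5-10)" = "------" ]
}

# audit_keys DIR -> prints "<file> <encrypted|plaintext> <private|exposed>"
# per *.key file; status 1 if any plaintext key is accessible beyond its owner.
audit_keys() {
    local dir f enc mode rc
    dir=$1; rc=0
    for f in "$dir"/*.key; do
        [ -e "$f" ] || continue
        if key_is_encrypted "$f"; then enc=encrypted; else enc=plaintext; fi
        if mode_is_private "$f"; then mode=private; else mode=exposed; fi
        echo "${f##*/} $enc $mode"
        if [ "$enc" = plaintext ] && [ "$mode" = exposed ]; then rc=1; fi
    done
    return "$rc"
}

# Demo on constructed files (placeholder bodies, not real key material).
demo() {
    local d rc
    d=$(mktemp -d)
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'PLACEHOLDER' \
        '-----END RSA PRIVATE KEY-----' > "$d/test.com.key"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
        'DEK-Info: AES-128-CBC,PLACEHOLDER' '' 'PLACEHOLDER' \
        '-----END RSA PRIVATE KEY-----' > "$d/test.org.key"
    chmod 600 "$d/test.com.key"
    chmod 644 "$d/test.org.key"
    rc=0; audit_keys "$d" || rc=$?
    rm -rf "$d"
    return "$rc"
}
demo
```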

II. Modify the nginx configuration files

  1. Create the folders that will hold the home pages

mkdir /data/test{com,org} -pv

  2. Generate the test pages

echo /data/testcom/index.html > /data/testcom/index.html
echo /data/testorg/index.html > /data/testorg/index.html

  3. Using virtual hosts, edit the virtual host configuration file

vim /etc/nginx/conf.d/test.conf

(The file name does not matter as long as the suffix is .conf; create the file if it does not exist.)

server {
    listen 443 ssl;
    listen 80;
    server_name www.test.com;
    # Document root for this site
    root /data/testcom/;
    # Locations of the certificate and the private key
    ssl_certificate /etc/nginx/ssl/test.com.crt;
    ssl_certificate_key /etc/nginx/ssl/test.com.key;
    ssl_session_cache shared:sslcache:20m;
    # SSL session timeout: 10 minutes
    ssl_session_timeout 10m;
    # Separate access log in the main format, which is defined in nginx's main configuration file
    access_log /var/log/nginx/test.com.log main;
    # When any path is requested over http, redirect automatically to https
    if ( $scheme = http ) {
        rewrite ^/(.*)$ https://www.test.com/$1 redirect;
    }
}
# The other host
server {
    listen 443 ssl;
    listen 80;
    server_name www.test.org;
    # Document root for this site
    root /data/testorg/;
    # Locations of the certificate and the private key
    ssl_certificate /etc/nginx/ssl/test.org.crt;
    ssl_certificate_key /etc/nginx/ssl/test.org.key;
    ssl_session_cache shared:sslcache:20m;
    # SSL session timeout: 10 minutes
    ssl_session_timeout 10m;
    # Separate access log in the main format, which is defined in nginx's main configuration file
    access_log /var/log/nginx/test.org.log main;
    # When any path is requested over http, redirect automatically to https
    if ( $scheme = http ) {
        rewrite ^/(.*)$ https://www.test.org/$1 redirect;
    }
}

  4. Check the configuration for syntax errors

[19:32:47 root@localhost data]#nginx -t

  5. The following output means the configuration is fine

nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

  6. Start the service

nginx

III. Test access

  1. Edit the hosts file on the machine used for testing

Windows:

C:\Windows\System32\drivers\etc\hosts

Linux:

vim /etc/hosts

In both cases, add the IP address and the corresponding host headers as the last line

192.168.1.4 www.test.com www.test.org
                       

Because these domain names cannot currently be resolved, in a test environment you can simply edit the hosts file.

  2. Test access to www.test.com with curl or a browser

[19:39:19 root@localhost certs]#curl www.test.com -Lk
/data/testcom/index.html

-L follows redirects (by default curl only displays the 301 page and does not continue to the target); -k skips the certificate check

  3. Access www.test.org with curl or a browser

curl www.test.org -Lk
/data/testorg/index.html
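
Because curl -k skips the certificate check, the tests above do not show which certificate each host name receives. The script below is an added example, not part of the original post: it sends each name as SNI with openssl s_client and compares the Common Name of the returned certificate; the function names and the sample subject lines are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: check that nginx picks the certificate by the SNI name.

# subject_cn: read "openssl x509 -noout -subject" output on stdin and print
# the Common Name. Handles both output styles:
#   OpenSSL 1.0.x: subject= /C=CN/ST=shanghai/.../CN=www.test.com
#   OpenSSL 1.1+ : subject=C = CN, ST = shanghai, ..., CN = www.test.com
# The country value "CN" is never followed by "=", so it cannot be
# mistaken for the CN attribute.
subject_cn() {
    sed -n 's|^subject.*[/ ,=]CN *= *\([^,/]*\).*|\1|p'
}

# served_cn IP HOST -> CN of the certificate presented when HOST is sent as SNI.
served_cn() {
    openssl s_client -connect "$1:443" -servername "$2" </dev/null 2>/dev/null |
        openssl x509 -noout -subject 2>/dev/null | subject_cn
}

# check_sni IP HOST... -> status 1 if any HOST is answered with a certificate
# whose CN differs from HOST (for example the default server's certificate).
check_sni() {
    local ip host cn rc
    ip=$1; shift; rc=0
    for host in "$@"; do
        cn=$(served_cn "$ip" "$host")
        if [ "$cn" = "$host" ]; then
            echo "OK   $host"
        else
            echo "FAIL $host (certificate CN: ${cn:-none})"; rc=1
        fi
    done
    return "$rc"
}

# Offline demo of the parser on constructed subject lines.
printf '%s\n' 'subject= /C=CN/ST=shanghai/L=shanghai/O=sh/OU=sh/CN=www.test.com' |
    subject_cn
printf '%s\n' 'subject=C = CN, ST = sh, L = sh, O = www.test.org, OU = sh, CN = www.test.org' |
    subject_cn
# Against the lab server from this page:
#   check_sni 192.168.1.4 www.test.com www.test.org
```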

 


Original: https://www.cnblogs.com/alexlv/p/14850921.html
