公私钥和证书都可以自己生成,也可以让CA机构来生成。自己生成的证书是不受浏览器信任的,浏览器会弹出警告。
如果要让CA机构来生成证书,需要提交网站的域名,公司的信息。以及你网站的公钥等信息,如果你是自己生成的公私钥的话。
也有一些免费的CA证书,比如沃通就提供免费的CA证书,只需要提交域名以及认证域名。
CA机构会给你一个签名文件,把这个签名文件和私钥文件放在网站的配置文件夹下,后面会用到。
将域名解析到对应的主机IP。
2 使用yum安装好PHP,Nginx,apache,以及Apache的ssl模块
yum install PHP
yum install Nginx
yum install apache
yum install mod_ssl
3 apache下的配置
加载ssl模块:LoadModule ssl_module modules/mod_ssl.so
修改/etc/httpd/conf.d/ssl.conf
SSLCertificateFile /etc/Nginx/ssl/certification.crt //签名的证书文件
SSLCertificateKeyFile /etc/Nginx/ssl/pri.key //私钥文件
保存 重启Apache,通过https访问网站,如果一个网站同时提供http和https,当你访问http时会自动跳转到相应的http页面
4 Nginx下的配置
修改/etc/Nginx/conf.d/ssl.conf,如果没有则新建
server {
listen 443 ssl;
server_name _;
server_name yourdomain.com;
# tell users to go to SSL version next time
add_header Strict-Transport-Security "max-age=15768000; includeSubdomains;";
# tell the browser dont allow hosting in a frame
add_header X-Frame-Options DENY;
# tell the browser we can only talk to self and google analytics.
add_header X-Content-Security-Policy "default-src 'self'; \
script-src 'self' https://ssl.google-analytics.com; \
img-src 'self' https://ssl.google-analytics.com";
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
# ciphers chosen and ordered for mix of performance,interoperability and security
#ssl_ciphers AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH;
# ciphers chosen for security (drop RC4:HIGH if you are not worried about BEAST).
#ssl_ciphers RC4:HIGH:HIGH:!aNULL:!MD5;
# ciphers chosen for FIPS compliance.
#ssl_ciphers !aNULL:!eNULL:FIPS@STRENGTH;
# ciphers chosen for forward secrecy an compatibility
ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS";
location ~ \.PHP/?.*$ {
#fastcgi_pass unix:/var/run/PHP-fpm/PHP-fpm.sock;
fastcgi_pass 127.0.0.1:9000;
fastcgi_index index.PHP;
fastcgi_max_temp_file_size 0;
fastcgi_buffer_size 4K;
fastcgi_buffers 64 4k;
fastcgi_split_path_info ^(.+\.PHP)(.*)$;
fastcgi_param PATH_INFO $fastcgi_path_info;
#fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param SCRIPT_NAME $fastcgi_script_name;
include fastcgi_params;
}
ssl_prefer_server_ciphers on;
ssl_certificate_key /etc/Nginx/ssl/pri.key;
ssl_certificate /etc/Nginx/ssl/certification.crt;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
# enable ocsp stapling
#resolver 8.8.8.8;
ssl_stapling on;
#ssl_trusted_certificate certs.d/example.cer;
# let Nginx handle the static resources
location ~ ^/(htm/|html/|images/|img/|javascript/|js/|css/|stylesheets/|flash/|media/|static/|robots.txt|humans.txt|favicon.ico) {
root /usr/share/Nginx/html;
access_log off;
expires @30m;
}
}
重启Nginx,用https访问,Nginx里http的配置和https的配置是相互独立的,比如对PHP的解析,要在80和443端口的server块里都要配置,如果不配置则访问PHP时会直接显示
PHP源码或者弹出下载。
其实https的配置简单来说就两步:1 生成公私钥,证书文件。 2 使web服务器支持https,配置证书和私钥文件的路径
把一个http站点转化为https更难的地方在于怎么解决转化后所带来的问题,比如在https站点引用了http的资源浏览器默认不会加载这些http的资源,因为浏览器认为这是不安全的。
原文链接:https://www.f2er.com/centos/380881.html