1. HTTPS requires applying to a CA for a certificate; free certificates are scarce, so one usually has to pay.
2. HTTP is the Hypertext Transfer Protocol and transmits information in plaintext; HTTPS is the secure, SSL-encrypted transport protocol.
3. HTTP and HTTPS use completely different connection methods and different ports: the former uses 80, the latter 443.
4. An HTTP connection is simple and stateless; HTTPS is a network protocol built from SSL + HTTP that provides encrypted transmission and identity authentication, and is more secure than HTTP.
Most websites are currently migrating to HTTPS, and Chrome has made HTTPS the browser's default connection; if a site does not use HTTPS, a "!" warning marker is shown.
The mainstream SSL certificates today fall into three types: DV SSL, OV SSL and EV SSL.
1. DV SSL:
A DV SSL certificate is a simple (Class 1) certificate that only validates ownership of the website's domain name. It can be issued within 10 minutes and provides encrypted transmission, but it cannot prove the site's real identity to users.
The free certificates on the market today are all of this type: they only encrypt the data and do not verify the identity of the individual or organisation that obtained the certificate.
2. OV SSL:
OV SSL provides encryption and performs a strict identity audit of the applicant, giving a trusted proof of identity. The difference from DV SSL is that OV SSL audits the individual or organisation and can confirm who the other party is, so it is more secure.
For this reason these certificates cost money.
3. EV SSL:
Ultra-secure = EV = most secure, most strict. EV SSL certificates follow a globally uniform, strict identity-verification standard and are the top-level (Class 4) SSL certificates with the highest security level in the industry today.
They are used by finance and securities firms, banks, third-party payment providers, online stores and other sites that emphasise security and a trustworthy corporate image, where transaction payments, customers' private information and account credentials are transmitted.
This type has the strictest verification requirements and the highest application fees.
The biggest differences between DV and OV certificates are:
1) A DV certificate contains no company name information, whereas an OV certificate does.
2) An OV certificate shows the domain name plus the organisation name in the certificate's Subject; a DV certificate shows only the domain name in the Subject.
The difference between OV and EV certificates:
Both contain the company name and similar information, but because an EV certificate is issued under a stricter validation standard, browsers "trust" it more: when a browser encounters an EV certificate it can show the company name in the address bar and turn the address bar green.
1) Log in to the Aliyun website, open the console, and under Security (Yundun) open Certificate Service, then click Buy Certificate; here I chose the "free DV SSL".
2) After the purchase succeeds, complete the certificate information on the Certificate Service home page.
3) Once the certificate passes review, click "Download"; that page on Aliyun has a detailed FAQ with configuration instructions, just follow those steps.
After this succeeds, a TXT-type record has been added under Aliyun's domain resolution (DNS) settings.
1) First make sure openssl and openssl-devel are installed on the machine:
yum install openssl
yum install openssl-devel
2) ./configure --prefix=/dyyl/java/nginx --with-http_ssl_module
Be sure to confirm that nginx has picked up the OpenSSL module before running make; if "OpenSSL library is not used" appears, add the http_ssl_module path.
3) Configure forced HTTPS requests:
At this point, typing https://XXX manually in the browser already works.
But if https is not specified explicitly, requests still go to port 80 by default, so we need to redirect nginx's port 80 to 443:

    server {
        listen 80;
        server_name localhost;
        if ($scheme = http) {
            return 301 https://$host$request_uri;
        }
        location / {
            root html/finance-web;
            index index.html index.htm;
        }
        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
            root html;
        }
    }
Browsers do not allow an https page to reference http resources by default and will report a mixed content error. One solution is to add the following to the HTML page:
<meta http-equiv="Content-Security-Policy" content="upgrade-insecure-requests">
which means that the page's http requests are forcibly upgraded to https.
Finally, here is my nginx.conf:
    http {
        include mime.types;
        default_type application/octet-stream;
        # upload size limit, 20M
        client_max_body_size 20m;
        #access_log logs/access.log main;
        sendfile on;
        keepalive_timeout 65;

        # port 80: forward all requests to ssl
        server {
            listen 80;
            server_name localhost;
            rewrite ^(.*)$ https://$host$1 permanent;
            error_page 500 502 503 504 /50x.html;
            location = /50x.html {
                root html;
            }
        }

        # main-site load balancing; to scale out horizontally, add another server line
        upstream myServer {
            ip_hash;
            server 101.201.101.224:8080;
        }

        # HTTPS server start
        # finance front-end request forwarding
        server {
            listen 443;
            server_name jr.xxx.com;
            ssl on;
            ssl_certificate /dyyl/java/nginx/conf/cert/jr/214202510950206.pem;
            ssl_certificate_key /dyyl/java/nginx/conf/cert/jr/214202510950206.key;
            ssl_session_timeout 30m;
            ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
            ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
            ssl_prefer_server_ciphers on;
            location / {
                root html/finance-web;
                index index.html index.htm;
            }
        }

        # mall front-end request forwarding
        server {
            listen 443;
            server_name shop.xxx.com;
            ssl on;
            ssl_certificate /dyyl/java/nginx/conf/cert/shop/214202510940206.pem;
            ssl_certificate_key /dyyl/java/nginx/conf/cert/shop/214202510940206.key;
            ssl_session_timeout 30m;
            ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
            ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
            ssl_prefer_server_ciphers on;
            location / {
                root html/client-shop;
                index index.html index.htm;
            }
        }

        # main-site request forwarding
        server {
            listen 443;
            server_name www.xxx.com;
            ssl on;
            ssl_certificate /dyyl/java/nginx/conf/cert/www/214202510960206.pem;
            ssl_certificate_key /dyyl/java/nginx/conf/cert/www/214202510960206.key;
            ssl_session_timeout 30m;
            ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
            ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
            ssl_prefer_server_ciphers on;
            location / {
                proxy_set_header Host www.jucaibuy.com;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header X-Forwarded-Proto $scheme;
                proxy_pass http://myServer;
            }
        }

        # user-system (passport) request forwarding
        server {
            listen 443;
            server_name passport.xxx.com;
            ssl on;
            ssl_certificate /dyyl/java/nginx/conf/cert/passport/214202510930206.pem;
            ssl_certificate_key /dyyl/java/nginx/conf/cert/passport/214202510930206.key;
            ssl_session_timeout 30m;
            ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
            ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
            ssl_prefer_server_ciphers on;
            location / {
                proxy_set_header Host passport.jucaibuy.com;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header X-Forwarded-Proto $scheme;
                proxy_pass http://101.201.101.224:8100/;
            }
        }

        # mall back-end project request forwarding
        server {
            listen 443;
            server_name shopservice.xxx.com;
            ssl on;
            ssl_certificate /dyyl/java/nginx/conf/cert/shopservice/214202510890206.pem;
            ssl_certificate_key /dyyl/java/nginx/conf/cert/shopservice/214202510890206.key;
            ssl_session_timeout 30m;
            ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
            ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
            ssl_prefer_server_ciphers on;
            location / {
                proxy_set_header Host shopservice.jucaibuy.com;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header X-Forwarded-Proto $scheme;
                proxy_pass http://101.201.101.224:8110/;
            }
        }

        # finance back-end project request forwarding
        server {
            listen 443;
            server_name jrservice.xxx.com;
            ssl on;
            ssl_certificate /dyyl/java/nginx/conf/cert/jrservice/214202510870206.pem;
            ssl_certificate_key /dyyl/java/nginx/conf/cert/jrservice/214202510870206.key;
            ssl_session_timeout 30m;
            ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
            ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
            ssl_prefer_server_ciphers on;
            location / {
                proxy_set_header Host jrservice.jucaibuy.com;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header X-Forwarded-Proto $scheme;
                proxy_pass http://101.201.101.224:8120/;
            }
        }

        # admin back-end project request forwarding
        server {
            listen 443;
            server_name admin.xxx.com;
            ssl on;
            ssl_certificate /dyyl/java/nginx/conf/cert/admin/214202510920206.pem;
            ssl_certificate_key /dyyl/java/nginx/conf/cert/admin/214202510920206.key;
            ssl_session_timeout 30m;
            ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
            ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
            ssl_prefer_server_ciphers on;
            location / {
                proxy_set_header Host admin.jucaibuy.com;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header X-Forwarded-Proto $scheme;
                proxy_pass http://101.201.101.224:8090/;
            }
        }
    }
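A configuration like the one above, together with the port-80 redirect block shown earlier, can be sanity-checked statically before it goes live. The following Python script is an added example, not code from this post or from nginx: it runs a minimal brace parser over a constructed config snippet written in the style of the nginx.conf above (placeholder hostnames and certificate paths, labelled as such in the code) and reports the settings a defender would want to revisit: the `ssl on` directive (obsolete since nginx 1.15.0, `listen 443 ssl` is the replacement), TLSv1 and TLSv1.1 in `ssl_protocols` (deprecated by RFC 8996), a missing HSTS header, and any plain port-80 server that does not redirect to https. A hardened variant of the same server block is included for comparison.

```python
"""Static sanity checker for nginx TLS server blocks.

Added example, not code from the original post. It reads a constructed
config snippet in the style of the post's nginx.conf (placeholder paths and
hostnames) and lists settings a defender would want to revisit.
"""
import re

# Constructed sample in the style of the post: a port-80 redirect block and
# one TLS block that still uses 'ssl on' and the old TLS 1.0/1.1 protocols.
SAMPLE_CONF = """
http {
    # port 80: forward all requests to ssl
    server {
        listen 80;
        server_name localhost;
        rewrite ^(.*)$ https://$host$1 permanent;
    }
    server {
        listen 443;
        server_name jr.example.com;
        ssl on;
        ssl_certificate /etc/nginx/cert/jr/placeholder.pem;
        ssl_certificate_key /etc/nginx/cert/jr/placeholder.key;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_prefer_server_ciphers on;
        location / { root html/finance-web; index index.html; }
    }
}
"""

# Hardened variant of the TLS block for comparison (also constructed).
HARDENED_CONF = """
server {
    listen 443 ssl;
    server_name jr.example.com;
    ssl_certificate /etc/nginx/cert/jr/placeholder.pem;
    ssl_certificate_key /etc/nginx/cert/jr/placeholder.key;
    ssl_protocols TLSv1.2 TLSv1.3;
    add_header Strict-Transport-Security "max-age=63072000" always;
}
"""

DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}


def parse(text):
    """Minimal nginx parser: ';' ends a directive, '{' / '}' open and close
    a block. Returns a tree of {"name", "directives", "children"} dicts."""
    tokens = re.findall(r"[{};]|[^\s{};]+", re.sub(r"#[^\n]*", "", text))
    root = {"name": "", "directives": [], "children": []}
    stack, current = [root], []
    for tok in tokens:
        if tok == ";":
            if current:
                stack[-1]["directives"].append(current)
            current = []
        elif tok == "{":
            node = {"name": " ".join(current), "directives": [], "children": []}
            stack[-1]["children"].append(node)
            stack.append(node)
            current = []
        elif tok == "}":
            stack.pop()
        else:
            current.append(tok)
    return root


def iter_blocks(node, name):
    """Yield every block called `name` anywhere under `node`."""
    for child in node["children"]:
        if child["name"] == name:
            yield child
        yield from iter_blocks(child, name)


def args_of(block, directive, nested=False):
    """Argument lists of `directive` in `block` (and, if nested, inside its
    child blocks such as 'if' and 'location')."""
    found = [d[1:] for d in block["directives"] if d[0] == directive]
    if nested:
        for child in block["children"]:
            found.extend(args_of(child, directive, nested=True))
    return found


def check_server(block):
    """Return a list of findings (strings) for one server block."""
    name = " ".join(a for args in args_of(block, "server_name") for a in args)
    listens = args_of(block, "listen")
    ssl_on = ["on"] in args_of(block, "ssl")
    is_tls = ssl_on or any("ssl" in args for args in listens)
    findings = []
    if not is_tls and any(re.fullmatch(r"(.*:)?80", a[0]) for a in listens if a):
        # A plain port-80 server should only exist to send clients to https,
        # via 'return 301 https://...' or 'rewrite ... https://... permanent'.
        redirects = any(any(a.startswith("https://") for a in args)
                        for d in ("return", "rewrite")
                        for args in args_of(block, d, nested=True))
        if not redirects:
            findings.append(f"{name}: port 80 server does not redirect to https")
        return findings
    if ssl_on:
        findings.append(f"{name}: 'ssl on' is deprecated, use 'listen 443 ssl'")
    protocols = {p for args in args_of(block, "ssl_protocols") for p in args}
    weak = sorted(protocols & DEPRECATED_PROTOCOLS)
    if weak:
        findings.append(f"{name}: deprecated protocols enabled: {', '.join(weak)}")
    if not any(args[:1] == ["Strict-Transport-Security"]
               for args in args_of(block, "add_header")):
        findings.append(f"{name}: no HSTS header (add_header Strict-Transport-Security)")
    for d in ("ssl_certificate", "ssl_certificate_key"):
        if not args_of(block, d):
            findings.append(f"{name}: missing {d}")
    return findings


def check_config(text):
    """Run check_server over every server block in an nginx config string."""
    findings = []
    for server in iter_blocks(parse(text), "server"):
        findings.extend(check_server(server))
    return findings


if __name__ == "__main__":
    for line in check_config(SAMPLE_CONF) or ["no findings"]:
        print(line)
    print("hardened:", check_config(HARDENED_CONF) or "no findings")
```

Run the file directly to print the findings for the constructed sample, or pass the text of a real nginx.conf to `check_config`. The parser is deliberately minimal: it does not follow `include` files and treats every whitespace-free token as one argument, which is enough for the directives it inspects but not a substitute for `nginx -t`.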