Providing IP Access Control and HTTPS Security


1 Environment

Operating system   IP address    Hostname                NGINX version   Role
Rocky 9.6          192.168.8.4   loadbalance.luovip.cn   1.26.2          Load balancer

2 Web Security Background

  Internet security matters more every year, and protecting user data and keeping a site secure has become the first priority for every site owner. HTTPS adds an SSL/TLS encryption layer on top of HTTP so that data in transit between client and server cannot be read or tampered with. IP access control, in turn, restricts which IP addresses may reach a given resource, adding an extra layer that blocks unauthorized access.

  This post walks through configuring IP access control and HTTPS in NGINX to protect a website. Whether you are a site administrator or a developer, these steps harden the site, protect user data, and raise users' trust in it.

3 IP-Address-Based Access Control

3.1 Overview of IP Access Control

  IP-address-based access control is an effective network security measure: it raises security by allowing or blocking specific IP addresses from reaching site resources. A whitelist ensures that only pre-authorized addresses can get in, while a blacklist blocks untrusted ones. In NGINX, when allow and deny directives conflict, they are evaluated in the order they appear: NGINX walks the allow and deny rules line by line and the first rule that matches wins. In other words, if an address is covered by both an allow and a deny, the one that appears first decides.
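The first-match rule can be modelled in a few lines. The following Python is an added example (not nginx code, and not from the original post): it evaluates a client address against an ordered allow/deny list the way ngx_http_access_module does, using the page's three rules as constructed input, and also shows what happens when the order is swapped and when the trailing deny all is left out.

```python
import ipaddress

# Constructed rule list mirroring the post's access.conf, in file order.
# Each rule is (action, network); "all" stands for nginx's `allow all` / `deny all`.
RULES = [
    ("allow", "172.16.0.0/24"),
    ("deny", "192.168.8.0/24"),
    ("deny", "all"),
]


def _matches(network, ip):
    """True if the client address falls inside the rule's network."""
    if network == "all":
        return True
    net = ipaddress.ip_network(network, strict=False)
    return ip.version == net.version and ip in net


def evaluate_access(client_ip, rules=RULES):
    """Return True if access is allowed, False if nginx would answer 403.

    Rules are checked top to bottom and the first matching rule wins.
    When no rule matches at all, nginx allows the request, which is why the
    post's configuration ends with `deny all`.
    """
    ip = ipaddress.ip_address(client_ip)
    for action, network in rules:
        if _matches(network, ip):
            return action == "allow"
    return True  # nothing matched: nginx's default is to allow


def http_status(client_ip, rules=RULES):
    """HTTP status nginx would return for this client under these rules."""
    return 200 if evaluate_access(client_ip, rules) else 403


if __name__ == "__main__":
    for ip in ("172.16.0.10", "192.168.8.4", "10.0.0.1"):
        print(ip, http_status(ip))
    # Order matters: with the deny first, the /24 is blocked even though an allow follows.
    swapped = [("deny", "172.16.0.0/24"), ("allow", "172.16.0.0/24")]
    print("172.16.0.10 with deny first:", http_status("172.16.0.10", swapped))
    # Without a trailing `deny all`, an address listed nowhere is allowed.
    print("10.0.0.1 without deny all:", http_status("10.0.0.1", RULES[:2]))
```

Running it reproduces the 403 that the load balancer itself receives in 3.3 (192.168.8.4 sits in the denied subnet) and makes the point that the final deny all is what turns the list into a whitelist.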

3.2 Configuring IP-Address-Based Access Control

  After this configuration the 172.16.0.0/24 subnet is allowed and the 192.168.8.0/24 subnet is denied

cat > /etc/nginx/conf.d/access.conf <<EOF
server {
    listen 80;
    server_name loadbalance.luovip.cn;

    location / {
        # Allow the 172.16.0.0/24 subnet
        allow 172.16.0.0/24;

        # Deny the 192.168.8.0/24 subnet
        deny 192.168.8.0/24;

        # Default: block every other IP address (without this line, unmatched addresses are allowed)
        deny all;

        root /usr/share/nginx/html;
        index index.html index.htm;
    }
}
EOF

# Reload NGINX
[root@loadbalance conf.d]# nginx -s reload

3.3 Testing the Access Control

  Because loadbalance itself (192.168.8.4) sits in the denied subnet, the request returns 403

[root@loadbalance ~]# curl http://loadbalance.luovip.cn
<html>
<head><title>403 Forbidden</title></head>
<body>
<center><h1>403 Forbidden</h1></center>
<hr><center>nginx/1.26.2</center>
</body>
</html>

4 Providing HTTPS Security

4.1 Generating a Self-Signed Certificate

  Providing HTTPS for a site requires a certificate and a private key. A self-signed certificate is used here because it is better suited to testing: no domain purchase, no Internet access, and it can be generated and used offline.

4.1.1 Generating the Root Certificate Authority (CA)

[root@loadbalance ~]# openssl genrsa -out /etc/pki/tls/private/selfsignroot.key 4096
[root@loadbalance ~]# openssl req -x509 -new -nodes -sha512 -days 3650 -subj "/C=CN/ST=SiChuan/L=Chengdu/O=Company/OU=CD/CN=Root" -key /etc/pki/tls/private/selfsignroot.key -out /etc/pki/ca-trust/source/anchors/selfsignroot.crt
[root@loadbalance ~]# openssl x509 -in /etc/pki/ca-trust/source/anchors/selfsignroot.crt -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            1c:2d:45:cc:e2:cb:17:29:4c:d5:a3:db:7d:79:35:5e:e5:48:8b:7a
        Signature Algorithm: sha512WithRSAEncryption
        Issuer: C=CN, ST=SiChuan, L=Chengdu, O=Company, OU=CD, CN=Root
        Validity
            Not Before: Oct 12 05:01:26 2025 GMT
            Not After : Oct 10 05:01:26 2035 GMT
        Subject: C=CN, ST=SiChuan, L=Chengdu, O=Company, OU=CD, CN=Root
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Modulus:
                    00:de:a1:a7:23:6e:c9:d4:1a:ff:5e:e9:91:85:37:
                    7f:7b:7f:d8:75:90:a6:69:db:e3:bd:4f:51:ec:57:
                    48:e3:8c:9d:94:c5:9b:81:d5:fd:df:73:6f:e1:a3:
                    bd:e5:46:28:55:7f:e9:ef:46:c8:ab:0f:8e:4f:91:
                    26:35:a8:03:3d:12:07:b5:d5:8f:57:e2:a9:b8:2e:
                    79:d4:3b:26:1e:54:26:65:0d:09:17:56:33:88:16:
                    1b:c4:d3:e1:d3:50:85:06:ae:0f:0b:80:e4:72:2f:
                    93:6f:89:95:62:0d:49:d2:d7:0c:97:52:2a:be:63:
                    87:48:be:db:d7:b3:9f:82:3b:ff:3b:b5:a2:f9:32:
                    9f:6d:85:f4:b4:a1:d3:ba:11:40:84:b4:91:54:43:
                    67:78:15:04:19:ce:b7:72:bd:ce:57:d7:9c:4e:53:
                    ff:f8:8b:44:13:ad:ba:ce:d1:cb:72:85:e4:34:bc:
                    c5:e3:71:4b:f0:9e:65:2b:87:70:5a:f2:15:16:55:
                    31:89:77:fa:5c:cd:50:98:e4:41:28:b6:d4:b2:c6:
                    12:af:80:5d:ec:88:d9:c0:01:ed:54:e3:3e:b3:39:
                    a0:78:d2:4f:d4:72:aa:72:a1:b3:d7:6d:2a:4b:cb:
                    2c:eb:0a:48:db:63:b0:56:b3:22:99:82:73:e4:ff:
                    7d:c9:fb:30:2e:27:90:e0:d9:5e:39:ce:91:99:64:
                    d1:4e:d8:dd:65:f1:94:15:1b:69:8f:77:48:9f:64:
                    ee:e1:2e:95:15:19:d6:86:69:02:e4:30:02:af:94:
                    e9:5d:a9:2c:f1:4d:0d:1e:8f:7b:4a:1a:e1:40:02:
                    a4:b6:2d:74:e7:78:57:06:8a:cd:80:f8:7a:46:65:
                    c2:b4:b9:dd:b9:26:68:51:69:ca:e2:1c:47:03:a9:
                    a2:47:9d:73:9d:46:b4:b0:ba:39:51:90:db:fa:d0:
                    2a:18:1f:db:48:df:2d:1f:a6:7a:02:84:76:7d:d3:
                    fe:79:2c:43:d1:53:bc:08:da:cc:47:e1:b9:89:04:
                    5a:bd:84:ee:95:72:8e:b5:df:d5:2b:fe:16:96:34:
                    3f:49:0e:e3:62:46:13:75:73:2d:9e:d1:b0:39:d7:
                    17:07:0c:a2:99:6c:31:97:bf:fd:e2:b6:53:82:c0:
                    66:1a:cb:ce:de:79:d7:4e:08:ac:4b:9d:80:58:0d:
                    22:1a:af:e7:cf:89:fb:26:f8:79:14:7d:38:a3:a4:
                    6e:1c:43:fd:65:f9:56:88:c3:ee:bf:18:4e:49:9a:
                    e0:9c:fb:3f:7a:98:c1:d3:8e:4e:71:31:37:e3:a0:
                    33:75:f9:ed:b1:d5:ec:1d:27:16:16:89:7e:cb:95:
                    6e:31:cb
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                13:0D:90:EB:E5:F4:43:7C:68:57:16:6E:57:E0:3B:78:BC:A7:77:5B
            X509v3 Authority Key Identifier:
                13:0D:90:EB:E5:F4:43:7C:68:57:16:6E:57:E0:3B:78:BC:A7:77:5B
            X509v3 Basic Constraints: critical
                CA:TRUE
    Signature Algorithm: sha512WithRSAEncryption
    Signature Value:
        c9:91:fd:a5:4a:ef:07:e3:d0:ee:1f:c5:fb:96:46:f0:76:8c:
        51:a3:4d:a5:ce:a8:2c:c6:1f:d5:c8:eb:fd:34:35:41:cf:d6:
        e0:f7:cd:5d:06:76:91:af:c8:4a:05:8a:6b:10:6c:e0:37:ed:
        c1:35:c5:fb:7f:98:26:35:a7:67:c4:d5:31:d9:d6:5e:b7:5f:
        a1:f2:3e:01:0e:b4:4f:2e:a2:14:c8:36:4a:18:81:59:b4:ae:
        dc:67:1c:bb:09:3a:41:b9:9d:62:53:80:d9:82:cc:7c:82:87:
        ed:07:54:9f:a3:42:cd:7d:b9:0b:15:78:2b:b7:63:cc:8f:8e:
        96:be:d1:ce:1c:a7:65:a0:26:ab:a0:ef:ab:1b:4f:07:00:4e:
        71:08:8b:8f:12:f5:6f:c5:c3:c3:c6:f4:06:99:8d:e3:b7:ba:
        23:1d:34:37:6b:05:e1:18:59:7a:25:25:fa:4f:46:1d:ab:7c:
        91:35:cf:92:14:9a:3d:d2:f1:75:67:8d:ac:f6:7c:64:45:2b:
        84:b2:42:e9:78:fc:0a:60:66:21:e4:89:0a:e3:5c:47:49:1e:
        4a:26:a9:8e:4c:ba:09:bb:36:44:63:77:d5:b5:23:c2:2f:0c:
        cd:25:1f:2f:8a:67:ac:17:06:b3:57:24:cd:d6:79:9d:2f:42:
        f4:7e:54:96:83:18:34:f2:20:d4:53:89:99:08:ec:b7:1e:45:
        79:cb:3d:56:92:af:7c:a4:3b:96:21:21:37:5f:3b:39:75:74:
        c3:e8:3c:a0:6a:2e:93:d2:49:d6:29:bd:2c:be:cb:17:70:87:
        59:28:f1:9e:15:cf:46:5a:bf:4c:08:80:c1:1b:07:0a:99:03:
        de:2f:f1:2d:55:42:aa:85:ac:e7:32:8d:f4:ee:79:cb:09:74:
        45:6b:9c:8b:77:4c:ac:76:75:74:4c:0a:31:8e:24:c9:dd:c6:
        be:61:4a:07:c8:38:df:d4:2a:83:7e:82:6e:d1:f0:f1:41:58:
        3d:78:6c:36:ca:89:23:07:a3:05:db:a8:ac:7f:7d:38:33:eb:
        5a:63:e1:bd:4a:f4:b6:b7:a7:a1:65:b8:a4:0c:64:11:d9:f2:
        03:16:33:65:cb:ee:32:fe:7d:f7:43:08:1d:e8:da:dc:a6:a5:
        af:23:2d:dc:89:4a:d7:71:ef:4c:18:0d:a9:cf:3e:17:82:5a:
        22:ff:75:9f:8c:77:4a:90:f2:b3:2f:23:09:39:90:cc:5c:0f:
        f1:90:1f:7f:4a:14:0d:da:57:6c:76:94:d2:ed:72:e0:b6:11:
        00:14:6b:c0:2e:44:3c:d6:37:24:8d:b0:b2:4b:ba:f6:47:90:
        14:b4:ff:4f:72:4a:ba:10
[root@loadbalance ~]# update-ca-trust extract

4.1.2 Issuing the Server Certificate

  1. Generate the server private key

[root@loadbalance ~]# openssl genrsa -out /etc/pki/tls/private/nginx.key 4096

  2. Generate the certificate signing request

   Request a certificate for the domain loadbalance.luovip.cn

[root@loadbalance ~]# openssl req -sha512 -new -subj "/C=CN/ST=SiChuan/L=Chengdu/O=Company/OU=CD/CN=loadbalance.luovip.cn" -key /etc/pki/tls/private/nginx.key -out nginx.csr

  Beyond this simple request, you can also supply an extensions file to add more certificate attributes. The most common use is validating several domain names or IPs with one certificate, that is, adding Subject Alternative Names.

  DNS.1 = web1.luovip.cn: the first DNS name, web1.luovip.cn.

  DNS.2 = web2.luovip.cn: the second DNS name, web2.luovip.cn.

  IP.1 = 192.168.8.5: the first IP address, 192.168.8.5.

  IP.2 = 192.168.8.6: the second IP address, 192.168.8.6.

cat > certs.cnf << EOF
[req]
req_extensions = v3_req
distinguished_name = req_distinguished_name
[req_distinguished_name]
[v3_req]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = web1.luovip.cn
DNS.2 = web2.luovip.cn
IP.1 = 192.168.8.5
IP.2 = 192.168.8.6
EOF

  3. Issue the certificate

[root@loadbalance ~]# openssl x509 -req -in nginx.csr \
-CA /etc/pki/ca-trust/source/anchors/selfsignroot.crt \
-CAkey /etc/pki/tls/private/selfsignroot.key -CAcreateserial \
-out /etc/pki/tls/certs/nginx.crt \
-days 3650 -extensions v3_req -extfile certs.cnf
Certificate request self-signature ok
subject=C=CN, ST=SiChuan, L=Chengdu, O=Company, OU=CD, CN=loadbalance.luovip.cn

  Check that the certificate includes the extra domain names and IPs; if so, this one certificate can authenticate all of them:

[root@loadbalance ~]# openssl x509 -in /etc/pki/tls/certs/nginx.crt -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            57:25:dd:0b:90:d9:f7:c6:33:1a:e9:0b:a4:0f:77:05:a6:a1:23:a5
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=CN, ST=SiChuan, L=Chengdu, O=Company, OU=CD, CN=Root
        Validity
            Not Before: Oct 12 05:10:24 2025 GMT
            Not After : Oct 10 05:10:24 2035 GMT
        Subject: C=CN, ST=SiChuan, L=Chengdu, O=Company, OU=CD, CN=loadbalance.luovip.cn
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Modulus:
                    00:ad:18:4b:64:38:15:b9:6b:b1:23:ba:53:46:d1:
                    3c:e8:ed:a6:0c:94:18:ef:0e:75:cb:c3:59:eb:08:
                    98:f9:ae:75:fc:c3:5f:8a:5b:8b:46:83:ed:61:1d:
                    66:6d:a7:c6:34:f1:e7:b9:cf:1e:da:f5:f0:8f:e2:
                    62:6f:5e:bc:1c:c1:5d:aa:3a:ec:91:77:b0:21:f6:
                    42:22:ea:1b:4e:7a:ac:44:b7:f0:29:aa:55:85:f6:
                    f9:b6:50:1c:8e:7d:0b:f6:a1:2f:a7:45:fe:03:82:
                    e6:7b:f1:35:4c:b5:52:4a:8a:d2:e9:cf:54:7a:74:
                    cc:5d:4d:1d:da:2b:86:e3:dc:bc:4d:19:f6:0d:d9:
                    e4:24:02:a7:4f:e7:bf:a3:6f:a2:4d:bd:2f:c9:ba:
                    64:38:cd:d0:52:13:d2:1f:b8:64:af:14:c8:41:6a:
                    23:97:2c:08:0f:bb:03:09:bc:bc:03:06:30:eb:1d:
                    4c:0c:4a:43:12:ed:8e:23:b4:06:df:98:73:c0:ce:
                    14:f6:61:41:f3:61:31:ab:9e:79:c0:a8:29:32:c1:
                    a0:66:91:04:3b:3d:2c:00:0a:47:76:9d:75:a2:ef:
                    fe:31:eb:0d:5b:78:1d:96:21:23:7a:f5:6f:37:27:
                    53:85:e4:a1:52:57:b4:ee:2e:f1:ba:6a:d6:cc:a5:
                    d3:b4:23:8e:c6:4e:54:eb:46:c4:1e:9c:8f:1a:0d:
                    54:c1:1e:27:bb:6c:bf:24:06:4d:24:e2:ba:86:2d:
                    81:3d:bd:c4:bb:5e:32:73:14:38:71:a8:6f:98:b6:
                    79:7e:d2:d1:75:cb:79:a0:96:a9:ce:0e:d5:77:c8:
                    82:58:6e:ed:b5:18:38:a4:37:1d:98:c4:50:04:62:
                    4d:ec:f2:eb:c2:ff:14:d7:49:89:44:70:7b:fd:60:
                    47:22:47:07:04:1f:1b:a3:b0:4e:3e:b7:ff:70:73:
                    c4:8f:18:6a:33:fa:a1:a3:99:78:fd:cf:7f:3b:84:
                    8d:35:c1:0e:25:1a:6e:4a:2f:8a:bb:99:88:3d:c3:
                    00:d6:16:2d:6d:b0:31:3a:52:c9:3c:2d:92:07:7e:
                    93:7b:2c:4a:f3:11:88:9b:71:2e:d4:bd:3c:d8:7b:
                    48:04:c6:34:db:0b:19:7e:20:42:ec:49:5a:e2:cd:
                    6e:0c:f9:f0:a9:fa:83:7f:d6:39:6a:a0:3a:1a:04:
                    b9:09:65:e7:b6:d4:35:70:7c:5f:6e:1c:51:10:ee:
                    88:93:77:68:db:59:3e:71:73:e7:b3:f3:0a:44:0b:
                    52:ed:31:06:b2:85:a6:31:6c:f0:68:e6:b0:7e:15:
                    0e:ec:84:72:a5:0d:85:4e:dc:6f:73:75:9d:9c:f3:
                    e5:ac:05
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Key Usage:
                Digital Signature, Non Repudiation, Key Encipherment
            X509v3 Subject Alternative Name:
                DNS:web1.luovip.cn, DNS:web2.luovip.cn, IP Address:192.168.8.5, IP Address:192.168.8.6
            X509v3 Subject Key Identifier:
                D1:6E:C6:39:D6:3B:E5:FD:39:13:D2:13:CB:7F:7C:84:BB:5A:E3:23
            X509v3 Authority Key Identifier:
                13:0D:90:EB:E5:F4:43:7C:68:57:16:6E:57:E0:3B:78:BC:A7:77:5B
    Signature Algorithm: sha256WithRSAEncryption
    Signature Value:
        72:47:5c:b1:3a:72:66:e5:eb:62:2f:eb:36:28:ce:26:7d:bb:
        4d:35:85:c6:75:77:73:97:d9:1c:0d:96:a0:06:88:cd:6a:5f:
        1c:19:39:f3:7b:61:a0:71:01:44:0d:d3:2d:ca:05:26:87:7c:
        58:a9:10:67:63:25:83:21:05:56:9d:44:08:ef:1d:9f:ad:17:
        98:c7:d0:e4:ac:bf:c2:b2:b7:02:92:4e:e6:46:bb:63:0c:ad:
        e2:06:aa:ad:4b:87:f4:a1:f9:4d:1d:8d:e2:6d:1b:7e:23:bf:
        a6:fe:38:96:23:ba:5a:e7:d6:d6:53:0f:01:5f:27:24:b7:f8:
        8e:e9:af:b2:3b:6c:66:d7:59:39:9f:6f:b3:82:b0:3f:d2:e5:
        fe:6a:1e:e4:3c:97:6d:dc:53:46:2c:8a:7f:cf:aa:d6:28:e6:
        14:3c:ef:34:f0:bf:d5:a5:cb:83:5a:db:0e:1f:8c:55:b9:4f:
        7f:29:1e:8e:9a:c9:6a:88:60:23:c1:1d:a1:02:d9:78:6c:ad:
        ab:d0:71:ae:29:e2:06:bc:c7:e7:ca:bc:66:b4:17:55:29:60:
        a6:6b:1a:85:a3:1b:12:02:49:3e:06:e2:e8:76:b1:19:c8:70:
        94:12:3a:ed:9b:51:b3:88:e7:31:3a:c4:89:e4:b9:56:02:45:
        7b:06:4b:9a:f2:3f:79:b8:5a:ba:22:9c:4e:c4:02:9b:46:83:
        22:98:7f:1c:d8:49:80:bb:77:e2:98:31:87:da:17:79:4f:c7:
        0a:8c:6d:9b:71:cb:16:e9:c6:ed:0c:a0:b2:d6:ff:88:bf:d0:
        ee:a7:40:6a:17:2c:98:3f:58:f4:02:66:0a:c1:d2:ff:4f:b6:
        c3:87:7c:44:22:dc:7d:7e:89:f6:7f:16:f7:fe:87:aa:69:87:
        27:fe:b1:8c:af:6e:7a:72:23:09:50:f0:2f:c1:34:83:99:6d:
        4f:12:c5:a6:97:3d:a1:e7:ba:0f:a4:f3:6a:96:84:6c:9d:41:
        07:29:43:00:e0:52:b1:67:cd:30:78:b9:47:dc:81:46:db:37:
        d1:81:68:c9:03:1c:92:9a:4a:bc:f9:88:7a:e9:f5:88:94:37:
        6f:38:15:c1:a3:8b:5a:e8:8b:52:36:74:09:b9:bb:f8:5a:87:
        89:2b:60:16:1b:f1:26:aa:8c:89:18:42:89:02:dd:ff:76:2d:
        41:87:d8:d7:92:9b:b2:3e:3b:dc:70:93:a0:d6:cd:46:0a:de:
        bb:b9:78:89:d2:a6:16:83:ac:94:05:65:38:39:55:f2:1c:82:
        89:96:4a:d6:56:72:22:0e:bf:23:81:6c:f6:19:21:10:67:ad:
        e7:a6:79:80:98:9e:65:00

4.2 NGINX SSL Configuration

cat > /etc/nginx/conf.d/ssl.conf <<EOF
server {
    listen 80 default_server;
    server_name loadbalance.luovip.cn;
    location / {
        root /usr/share/nginx/html;
        index index.html index.htm;
    }
}
server {
    listen 443 ssl;
    ssl_certificate /etc/pki/tls/certs/nginx.crt;
    ssl_certificate_key /etc/pki/tls/private/nginx.key;
    server_name loadbalance.luovip.cn;
    location / {
        root /usr/share/nginx/html;
        index index.html index.htm;
    }
}
EOF

# Reload NGINX
[root@loadbalance ~]# nginx -s reload

  1. HTTP configuration

    Listens on port 80 (the default HTTP port).

    Uses the domain name loadbalance.luovip.cn.

    The root directory is /usr/share/nginx/html, where the web pages live.

    The default files are index.html and index.htm.

  2. HTTPS configuration

    Listens on port 443 (the default HTTPS port).

    Uses SSL (Secure Sockets Layer).

    The SSL certificate is /etc/pki/tls/certs/nginx.crt.

    The SSL private key is /etc/pki/tls/private/nginx.key.

    Uses the same domain name loadbalance.luovip.cn.

    Content is likewise served from /usr/share/nginx/html, with index.html and index.htm as default files.

  Whether a user arrives over HTTP or HTTPS, the pages under /usr/share/nginx/html are reachable via loadbalance.luovip.cn.

Generate a default page and verify that both methods work

[root@loadbalance conf.d]# echo luovip https test > /usr/share/nginx/html/index.html
[root@loadbalance ~]# systemctl restart nginx

# HTTP access
[root@loadbalance ~]# curl http://loadbalance.luovip.cn
luovip https test

# HTTPS access. The CA itself is trusted (update-ca-trust extract ran above), so the error below is a
# name mismatch, not an untrusted-CA error: the certificate's SAN list names only web1/web2 and the two
# IPs, and loadbalance.luovip.cn is not among them (clients ignore the CN once a SAN extension is present).
# Either add DNS.3 = loadbalance.luovip.cn to alt_names and re-issue, or pass -k to skip verification while testing.
[root@loadbalance ~]# curl https://loadbalance.luovip.cn
curl: (60) SSL: no alternative certificate subject name matches target host name 'loadbalance.luovip.cn'
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

[root@loadbalance ~]# curl https://loadbalance.luovip.cn -k
luovip https test
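Why the first curl fails while the -k one succeeds, and what the "check that the certificate includes the extra names" step in 4.1.2 is really checking, is the hostname-to-SAN match. The Python below is an added example, not code from the post or from curl/OpenSSL: it implements the matching a TLS client performs against the SAN entries printed by openssl x509 on this page (constructed here as a list of strings), including the rule that a single leftmost wildcard label matches exactly one label, and it returns False for loadbalance.luovip.cn because the CN is ignored once a SAN extension is present.

```python
import ipaddress

# Constructed from the `openssl x509 -text -noout` output shown on the page
SUBJECT_CN = "loadbalance.luovip.cn"   # ignored by clients when a SAN extension is present
SAN = [
    "DNS:web1.luovip.cn",
    "DNS:web2.luovip.cn",
    "IP Address:192.168.8.5",
    "IP Address:192.168.8.6",
]


def parse_san(entries):
    """Split SAN entries in OpenSSL's text form into DNS patterns and IP addresses."""
    dns_patterns, ip_addrs = [], []
    for entry in entries:
        kind, _, value = entry.partition(":")
        kind, value = kind.strip(), value.strip()
        if kind == "DNS":
            dns_patterns.append(value.lower().rstrip("."))
        elif kind == "IP Address":
            ip_addrs.append(ipaddress.ip_address(value))
    return dns_patterns, ip_addrs


def dns_name_matches(pattern, host):
    """Exact match, or a wildcard that replaces exactly one leftmost label (RFC 6125 style)."""
    if pattern == host:
        return True
    if not pattern.startswith("*."):
        return False
    label, dot, rest = host.partition(".")
    # "*.luovip.cn" matches "web3.luovip.cn" but neither "luovip.cn" nor "a.b.luovip.cn"
    return bool(dot) and label != "" and rest == pattern[2:]


def certificate_matches_host(target, san_entries=SAN):
    """True if a client connecting to `target` would accept a certificate with these SAN entries."""
    target = target.strip().lower().rstrip(".")
    dns_patterns, ip_addrs = parse_san(san_entries)
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None
    if ip is not None:
        # An IP target is matched only against IP Address entries, never against DNS names
        return ip in ip_addrs
    return any(dns_name_matches(p, target) for p in dns_patterns)


if __name__ == "__main__":
    for host in ("web1.luovip.cn", "192.168.8.5", "loadbalance.luovip.cn", "192.168.8.4"):
        print(f"{host:24} -> {'ok' if certificate_matches_host(host) else 'no SAN match'}")
    # Re-issuing with the load balancer's own name in alt_names removes the curl error
    fixed_san = SAN + ["DNS:" + SUBJECT_CN]
    print("after adding DNS.3:", certificate_matches_host("loadbalance.luovip.cn", fixed_san))
```

The check is deliberately strict about IP targets: an `IP Address` SAN entry is required, a DNS entry that happens to spell the address would not count, which is why the page's certs.cnf lists the backends both ways.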

4.3 Redirecting HTTP to HTTPS

4.3.1 Why Redirect HTTP to HTTPS

  1. Better security:

   HTTP is a plaintext protocol, so data in transit can easily be eavesdropped on or tampered with. HTTPS encrypts the data with SSL/TLS and protects it in transit. Redirecting HTTP traffic to HTTPS closes off that exposure.

  2. Greater user trust:

   Modern browsers show a padlock for HTTPS sites and may flag sites without HTTPS as "Not secure", which erodes user trust. Using HTTPS raises trust and gives the site a more professional image. This lab uses a self-signed certificate, so the clients just need to trust the CA.

  3. Better SEO ranking:

   With a publicly trusted certificate, search engines such as Google favour HTTPS sites and rank them higher. Redirecting HTTP to HTTPS therefore helps the site rank better in search results and attract more visitors.

# The delimiter is quoted so the shell does not expand $request_uri to an empty string
cat > /etc/nginx/conf.d/ssl.conf <<'EOF'
server {
    listen 80 default_server;
    server_name loadbalance.luovip.cn;
    # Redirect target as written on the original page; in this lab the HTTPS
    # server_name is loadbalance.luovip.cn, so the two would normally match
    return 301 https://loadbalance.xiaohui.cn$request_uri;
}
server {
    listen 443 ssl;
    ssl_certificate /etc/pki/tls/certs/nginx.crt;
    ssl_certificate_key /etc/pki/tls/private/nginx.key;
    server_name loadbalance.luovip.cn;
    location / {
        root /usr/share/nginx/html;
        index index.html index.htm;
    }
}
EOF

# Reload NGINX
[root@loadbalance ~]# nginx -s reload

4.3.2 Testing After Restarting nginx

  When the site is requested over plaintext HTTP, the server tells us that the resource now lives at the HTTPS URL

[root@loadbalance ~]# curl -I http://loadbalance.luovip.cn
HTTP/1.1 301 Moved Permanently
Server: nginx/1.26.2
Date: Sun, 12 Oct 2025 05:28:46 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive
Location: https://loadbalance.xiaohui.cn

5 Providing SSL Offloading

  Serving HTTPS end to end is secure, but the encryption and decryption cost CPU. It is enough to secure the leg from the Internet to nginx and use plain HTTP between nginx and the backend web servers; this is called HTTPS (SSL) offloading

5.1 What Is SSL Offloading

  When a client makes an HTTPS request, the traffic first reaches the SSL offloading device or application, which handles the TLS handshake and the encryption and decryption. The decrypted request is then passed to the backend server as plain HTTP, and the response is encrypted by the offloading device again before being sent back to the client.

5.2 Advantages of SSL Offloading

  1. Better performance

   With SSL handled elsewhere, the backend servers no longer perform the expensive encryption and decryption, which saves a lot of CPU and memory. The servers can concentrate on the application logic, improving overall performance.

  2. Simpler management

   SSL certificates only have to be configured and managed on the offloading device instead of on every backend server one by one, which greatly simplifies certificate management and renewal.

  3. Better security

   SSL offloading devices are usually hardened and better at withstanding network attacks. Concentrating SSL handling on one device also makes monitoring and auditing easier.

5.3 Common Ways to Implement SSL Offloading

  1. Hardware appliances

   Dedicated hardware such as hardware load balancers (F5, Citrix ADC). These usually carry built-in SSL acceleration cards and can handle large volumes of SSL traffic efficiently.

  2. Software solutions

   Software load balancers such as NGINX or HAProxy. Configuration is flexible and the cost is low. Taking NGINX as the example, SSL offloading is done entirely through its configuration file.

5.4 NGINX SSL Offloading

1. Prepare the hosts file

  Do this step on every machine so that they can all resolve and reach each other by name

cat > /etc/hosts <<EOF
192.168.8.4 loadbalance.luovip.cn loadbalance
192.168.8.5 web1.luovip.cn web1
192.168.8.6 web2.luovip.cn web2
EOF

2. Write the configuration

# Quoted delimiter keeps $request_uri intact; server_name uses the full loadbalance.luovip.cn
cat > /etc/nginx/conf.d/ssl.conf <<'EOF'
server {
    listen 80 default_server;
    server_name loadbalance.luovip.cn;
    return 301 https://loadbalance.luovip.cn$request_uri;
}
server {
    listen 443 ssl;
    ssl_certificate /etc/pki/tls/certs/nginx.crt;
    ssl_certificate_key /etc/pki/tls/private/nginx.key;
    server_name loadbalance.luovip.cn;
    location / {
        # TLS terminates here; the hop to the backend is plain HTTP
        proxy_pass http://web1.luovip.cn;
    }
}
EOF

# Reload NGINX
[root@loadbalance ~]# nginx -s reload

  1. HTTP server block

   Listens on port 80 (HTTP).

   Uses loadbalance.luovip.cn as the server name.

   Every HTTP request is redirected to the HTTPS URL (https://loadbalance.luovip.cn).

  2. HTTPS server block

   Listens on port 443 (HTTPS).

   Uses the SSL certificate /etc/pki/tls/certs/nginx.crt and the key /etc/pki/tls/private/nginx.key.

   Uses loadbalance.luovip.cn as the server name.

   Every request is proxied via the proxy_pass directive to http://web1.luovip.cn

3. Test the result

  A request to https://loadbalance.luovip.cn is encrypted; once nginx receives it, it reaches the internal business server unencrypted and returns the content

[root@loadbalance ~]# curl -k https://loadbalance.luovip.cn
Hello nginx,I'm Chiese

6 HTTP Strict Transport Security

  HTTP Strict Transport Security (HSTS for short)

6.1 How HSTS Works

  When a browser first visits a site with HSTS enabled, the server sends the HSTS policy in the Strict-Transport-Security response header. The header carries the policy's lifetime and whether it covers subdomains. For as long as the policy is valid, the browser forces HTTPS for every request to that site: even if the user types http://, the browser rewrites it to https://

6.2 Key Elements of HSTS

  1. max-age: the lifetime of the HSTS policy in seconds. During that time the browser forces HTTPS for the site. For example, max-age=31536000 means one year.

  2. includeSubDomains: optional; applies the policy to all subdomains of the site as well.

  3. preload: optional; signals that the site wants to be included in browsers' built-in HSTS preload list. The site owner still has to submit the site to the preload list.
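To make the max-age / includeSubDomains / preload semantics concrete, here is an added Python model of a browser's HSTS cache (example code, not from the post and not a real browser implementation): it parses the header value that the NGINX configuration in 6.4 sends, records the policy with its expiry, and rewrites later http:// URLs for the host and, with includeSubDomains, its subdomains. Timestamps are plain integers supplied by the caller. One caveat the model does not enforce: a browser only honours this header when it arrived over an HTTPS connection whose certificate validated, so with the untrusted self-signed certificate in this lab a real browser would not store the policy at all.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed: the header value sent by the add_header line in the post's config.
HEADER = "max-age=31536000; includeSubDomains; preload"
ONE_YEAR = 31536000


def parse_hsts(value):
    """Parse a Strict-Transport-Security header value.

    Directive names are case-insensitive and max-age is mandatory; a header
    without a valid max-age is ignored (returns None). Unknown directives are
    skipped. Returns {"max_age": int, "include_subdomains": bool, "preload": bool}.
    """
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            val = val.strip().strip('"')
            if not val.isdigit():
                return None
            policy["max_age"] = int(val)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy if policy["max_age"] is not None else None


class HstsStore:
    """Minimal model of a browser's HSTS cache: host -> (expires_at, include_subdomains)."""

    def __init__(self):
        self._entries = {}

    def observe(self, host, header_value, now):
        """Record the policy a response carried; returns False if the header was ignored."""
        policy = parse_hsts(header_value)
        if policy is None:
            return False
        host = host.lower()
        if policy["max_age"] == 0:
            self._entries.pop(host, None)  # max-age=0 withdraws an earlier policy
        else:
            self._entries[host] = (now + policy["max_age"], policy["include_subdomains"])
        return True

    def is_known(self, host, now):
        """True if host, or a parent domain whose policy has includeSubDomains, is unexpired."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self._entries.get(".".join(labels[i:]))
            if entry is None:
                continue
            expires_at, include_subdomains = entry
            if now < expires_at and (i == 0 or include_subdomains):
                return True
        return False

    def upgrade(self, url, now):
        """Rewrite an http:// URL to https:// when the host is covered; otherwise return it unchanged."""
        parts = urlsplit(url)
        if parts.scheme != "http" or not self.is_known(parts.hostname, now):
            return url
        # An explicit :80 must not be carried over to the HTTPS URL
        netloc = parts.hostname if parts.port == 80 else parts.netloc
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    store = HstsStore()
    store.observe("loadbalance.luovip.cn", HEADER, now=0)
    print(store.upgrade("http://loadbalance.luovip.cn/index.html", now=10))
    print(store.upgrade("http://api.loadbalance.luovip.cn/", now=10))    # subdomain: upgraded
    print(store.upgrade("http://web1.luovip.cn/", now=10))               # not covered: unchanged
    print(store.upgrade("http://loadbalance.luovip.cn/", now=ONE_YEAR))  # expired: unchanged
```

The subdomain walk in is_known is what includeSubDomains buys you, and the expiry check is why max-age matters: once the year is up, and absent a fresh header, the browser goes back to honouring the plain http:// link.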

6.3 Advantages of HSTS

  1. Protection against man-in-the-middle attacks: HSTS defeats HTTP downgrade attacks and cookie hijacking by ensuring every transfer is encrypted.

  2. Greater user trust: forcing HTTPS assures users that their connection to the site is secure.

  3. Simpler security management: once the policy is set, the browser handles the HTTPS redirect itself, which simplifies managing the site's security.

6.4 Implementing HSTS in NGINX

  When someone visits us, we tell the browser that for the next year this domain and all of its subdomains must be accessed over HTTPS

# Quoted delimiter keeps $request_uri intact; server_name uses the full loadbalance.luovip.cn
cat > /etc/nginx/conf.d/ssl.conf <<'EOF'
server {
    listen 80 default_server;
    server_name loadbalance.luovip.cn;
    return 301 https://loadbalance.luovip.cn$request_uri;
}
server {
    listen 443 ssl;
    ssl_certificate /etc/pki/tls/certs/nginx.crt;
    ssl_certificate_key /etc/pki/tls/private/nginx.key;
    server_name loadbalance.luovip.cn;

    # "always" sends the header on error responses too, not only on 2xx/3xx
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;

    location / {
        proxy_pass http://web1.luovip.cn;
    }
}
EOF

# Reload and restart NGINX
[root@loadbalance ~]# nginx -s reload
[root@loadbalance ~]# systemctl restart nginx

  Test:

[root@loadbalance ~]# curl -I -k https://loadbalance.luovip.cn
HTTP/1.1 200 OK
Server: nginx/1.26.2
Date: Mon, 20 Jan 2025 08:58:28 GMT
Content-Type: text/html
Content-Length: 15
Connection: keep-alive
Last-Modified: Mon, 20 Jan 2025 08:51:06 GMT
ETag: "678e0e7a-f"
Accept-Ranges: bytes
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

Author: 罗宇
Copyright notice: Unless otherwise stated, all articles on this blog are licensed under CC BY 4.0. Please credit 罗宇 when republishing.