https = ssl + http
HTTPS is more secure than HTTP. The HTTPS protocol involves SSL encryption, asymmetric encryption, symmetric encryption, CA certificates, cipher suites, and related concepts.
Three questions help explain how HTTPS works and where it applies:
- Why is a site secure once it uses HTTPS?
- How is HTTPS implemented underneath?
- Is a site always secure once it uses HTTPS?
Question 1: Why is a site secure once it uses HTTPS?
Question 2: How is HTTPS implemented underneath?
Answer: HTTPS is considered secure because it encrypts the data it transmits, using a combination of symmetric and asymmetric encryption. It is commonly said that HTTPS uses asymmetric encryption; in fact, asymmetric encryption is used during certificate verification, while the data transfer itself uses symmetric encryption.
Certificate verification phase:
- The browser initiates an HTTPS request
- The server returns its HTTPS certificate
- The client checks whether the certificate is valid; if it is not, a warning is shown
Data transfer phase:
- Once the certificate has been verified, the client generates a random number locally
- The random number is encrypted with the server's public key and sent to the server
- The server decrypts the random number with its private key
- The server uses the random number supplied by the client to set up the symmetric cipher, encrypts the response, and sends it back
Question 3: Is a site always secure once it uses HTTPS?
This is where certification by an authoritative CA comes in: once the client verifies that the certificate is signed by a trusted CA, a man-in-the-middle can no longer stand up a fake server between the two ends.
Building an HTTPS service with nginx
mkdir /usr/local/nginx/ssl
cd /usr/local/nginx/ssl
Run the following as the root user:
$ yum -y install openssl openssl-devel
## Self-signed TLS certificate: first create the CA key and CA certificate
$ openssl req \
-newkey rsa:4096 -nodes -sha256 -keyout ca.key \
-x509 -days 365 -out ca.crt
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:BJ
Locality Name (eg, city) [Default City]:BJ
Organization Name (eg, company) [Default Company Ltd]:qianfeng
Organizational Unit Name (eg, section) []:cloud
Common Name (eg, your name or your server's hostname) []:www.qfcc.com
Email Address []:bavduer@163.com
## Then generate the server key and a certificate signing request (CSR)
$ openssl req \
-newkey rsa:4096 -nodes -sha256 -keyout qfcc.com.key \
-out qfcc.com.csr
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:BJ
Locality Name (eg, city) [Default City]:BJ
Organization Name (eg, company) [Default Company Ltd]:qianfeng
Organizational Unit Name (eg, section) []:cloud
Common Name (eg, your name or your server's hostname) []:www.qfcc.com
Email Address []:bavduer@163.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
## Sign the CSR with the CA key to produce the server certificate
$ openssl x509 -req -days 365 -in qfcc.com.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out qfcc.com.crt
Redirecting HTTP to HTTPS with rewrite
$ sudo vim /etc/nginx/conf.d/jump.conf
server {
listen 80;
server_name www.qfcc.com;
# $1 already begins with "/", so no extra slash is added before it (otherwise the target becomes https://www.qfcc.com//path)
location = / {
rewrite ^(.*) https://www.qfcc.com$1 permanent;
}
location / {
rewrite ^(.*) https://www.qfcc.com$1 permanent;
}
}
$ sudo vim /etc/nginx/conf.d/qfcc.conf
server {
listen 443 ssl;
server_name www.qfcc.com;
ssl_certificate /usr/local/nginx/ssl/qfcc.com.crt;
ssl_certificate_key /usr/local/nginx/ssl/qfcc.com.key;
ssl_session_timeout 5m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;
ssl_prefer_server_ciphers on;
location / {
root /usr/local/nginx/html;
index index.php index.html index.htm;
}
location ~ \.php$ {
root /usr/share/nginx/html;
fastcgi_pass 192.168.13.22:9000;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include fastcgi_params;
}
}
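The 443 server block above still enables TLS 1.0 and 1.1, which RFC 8996 deprecates. As an added example (not code from the original post), this Python script lints a flat server{} block for that and a couple of related settings, using the page's own config as constructed sample input; the check list and the harden() rewrite are this example's own assumptions about what to flag, not an nginx feature.

```python
import re

# TLS 1.0 and 1.1 are deprecated by RFC 8996, SSLv3 by RFC 7568.
DEPRECATED_PROTOCOLS = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1")
HSTS = 'add_header Strict-Transport-Security "max-age=31536000" always;'

# Constructed sample input: the 443 server block from this page.
SAMPLE_CONF = """
server {
    listen 443 ssl;
    server_name www.qfcc.com;
    ssl_certificate /usr/local/nginx/ssl/qfcc.com.crt;
    ssl_certificate_key /usr/local/nginx/ssl/qfcc.com.key;
    ssl_session_timeout 5m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;
    ssl_prefer_server_ciphers on;
}
"""

def parse_directives(conf):
    """Yield (name, args) per simple directive; '{' / '}' lines and comments are skipped (flat files only)."""
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.endswith("{") or line == "}":
            continue
        name, *args = line.rstrip(";").split()
        yield name, args

def audit_tls(conf):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    directives = list(parse_directives(conf))
    lookup = dict(directives)  # last occurrence of a directive wins
    for proto in lookup.get("ssl_protocols", []):
        if proto in DEPRECATED_PROTOCOLS:
            findings.append(f"ssl_protocols enables deprecated {proto}")
    ciphers = ":".join(lookup.get("ssl_ciphers", []))
    if ciphers and "!aNULL" not in ciphers:
        findings.append("ssl_ciphers does not exclude anonymous suites (!aNULL)")
    if not any(n == "add_header" and a[:1] == ["Strict-Transport-Security"]
               for n, a in directives):
        findings.append("no Strict-Transport-Security header (HSTS) is set")
    return findings

def harden(conf):
    """Return conf with ssl_protocols limited to TLS 1.2/1.3 and an HSTS header added after listen."""
    conf = re.sub(r"ssl_protocols[^;]*;", "ssl_protocols TLSv1.2 TLSv1.3;", conf)
    return re.sub(r"(listen[^;]*;)", r"\1\n    " + HSTS, conf, count=1)
```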
Tuning:
CPU affinity of nginx worker processes
# Pin each worker to a specific CPU core (machine has 4 cores)
worker_processes 4;
worker_cpu_affinity 0001 0010 0100 1000;
# Let nginx spread the workers evenly over the cores automatically (machine has 8 cores)
worker_processes auto;
worker_cpu_affinity auto;
Raising the priority of the worker processes
# Raise the priority of the worker processes (nice value; -20 is the highest priority)
worker_priority -20;
Linux host TCP tuning (sysctl.conf)
# /etc/sysctl.conf -> sysctl -p
# Number of SYN retries
net.ipv4.tcp_syn_retries=6
# Application-layer timeout for establishing a connection, default 60s (set in the nginx reverse-proxy config, not in sysctl.conf)
proxy_connect_timeout time;
# Maximum number of connections in SYN_RCVD state (SYN queue of half-open handshakes)
net.ipv4.tcp_max_syn_backlog=262144
# Number of SYN/ACK retries when passively establishing a connection
net.ipv4.tcp_synack_retries=5
# When the SYN queue is full, enable SYN cookies: the sequence number in the SYN/ACK carries a cookie and the connection is rebuilt from the cookie the client echoes back; some TCP features are limited
net.ipv4.tcp_syncookies=1
# Length of the queue for packets received from the NIC but not yet processed by the kernel protocol stack
net.core.netdev_max_backlog=262144
# /etc/security/limits.conf limits the number of file handles per user; ordinary users default to 1024
root soft nofile 65535
root hard nofile 65535
[root@nginx ~]# exit
登出
Connection to 192.168.123.11 closed.
liuchao@liuchaodeMacBook-Pro ~> ssh root@192.168.123.11
root@192.168.123.11's password:
Last login: Fri Dec 6 12:08:20 2019 from 192.168.123.1
[root@nginx ~]# ulimit -n
65535
Reducing disk IO
# Bypass the page cache and use direct IO for files of 10m or larger
location / {
directio 10m;
directio_alignment 512;
}