Tech · 2026/06/06

Notes on HTTPS

HTTPS: principles and practice

I. What is HTTPS

The S stands for SSL/TLS. HTTPS is HTTP carried inside a TLS connection: the server proves its identity with a certificate, the two sides negotiate a symmetric session key during the handshake, and the HTTP plaintext is then encrypted with that symmetric key. The server's public key is only used to protect the key negotiation (or to sign it), not to encrypt the page data itself, because public-key encryption is far too slow for bulk traffic. In practice only TLS 1.2 and 1.3 are in use today; SSL 2/3 and TLS 1.0/1.1 are deprecated and disabled in browsers.

II. The HTTPS handshake

  1. ClientHello: the client sends a 32-byte random value (client_random), the TLS versions it supports and its list of cipher suites
  2. ServerHello + Certificate: the server replies with its own 32-byte random value (server_random), the chosen version and cipher suite, and its certificate chain
  3. The client validates the chain against its trust store and checks that the certificate names the host it connected to; only then does it take the server's public key from the certificate, generate a 48-byte pre-master secret, encrypt it with that public key and send it (ClientKeyExchange)
  4. The server decrypts the pre-master secret with its private key; nobody else can, because only the server holds that key
  5. Both sides now hold the same three values (client_random, server_random, pre-master secret) and feed them through the PRF to derive the master secret and the symmetric keys; each sends a Finished message computed over the handshake transcript to prove it derived the same keys, and from then on the HTTP traffic is encrypted with the symmetric cipher

The flow above is the RSA key-transport handshake of TLS 1.2 and earlier. Its weakness is that the pre-master secret is protected only by the server's RSA key, so whoever later obtains that key can decrypt every recorded session (no forward secrecy). Current TLS 1.2 deployments therefore use (EC)DHE, where the pre-master secret is an ephemeral Diffie-Hellman shared secret and the certificate key only signs the server's key share; TLS 1.3 removes RSA key exchange entirely and derives its keys with HKDF instead of the PRF.
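Step 5 says both endpoints turn the same three values into the same symmetric keys. The code below is an added example (not from the original post) that implements that derivation for TLS 1.2 exactly as RFC 5246 specifies it: the P_SHA256 expansion, the PRF, the 48-byte master secret and the key expansion for an AES-128-GCM suite, followed by a simulated client and server that derive the keys independently and an eavesdropper that saw both randoms on the wire but not the pre-master secret. The RSA encryption of the pre-master secret is not shown (the Python standard library has no RSA), so the example simply hands the same pre-master secret to both legitimate sides. TLS 1.3 does not use this construction; it derives keys with HKDF.

```python
"""TLS 1.2 key derivation from the three handshake random values (RFC 5246, sections 5, 6.3 and 7.4.7.1).

Added example, not the post's own code. Cipher-suite parameters are those of AES-128-GCM
(no MAC keys, 16-byte keys, 4-byte implicit IVs). The pre-master secret is handed to both
sides directly because the RSA encryption step is out of scope here.
"""
import hashlib
import hmac
import os

TLS12 = b"\x03\x03"  # ProtocolVersion {3, 3}


def p_hash(secret: bytes, seed: bytes, length: int) -> bytes:
    """P_SHA256 data expansion: A(0) = seed, A(i) = HMAC(secret, A(i-1)),
    output = HMAC(secret, A(1) + seed) || HMAC(secret, A(2) + seed) || ... truncated to length."""
    out = b""
    a = seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]


def prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.2 PRF: P_SHA256(secret, label + seed)."""
    return p_hash(secret, label + seed, length)


def rsa_pre_master_secret() -> bytes:
    """Client side of RSA key exchange: 2 version bytes + 46 random bytes (48 bytes total).
    The embedded version lets the server detect a downgraded ClientHello."""
    return TLS12 + os.urandom(46)


def master_secret(pre_master: bytes, client_random: bytes, server_random: bytes) -> bytes:
    """master_secret = PRF(pre_master_secret, "master secret", ClientHello.random + ServerHello.random)[0..47]"""
    return prf(pre_master, b"master secret", client_random + server_random, 48)


def key_block_aes128_gcm(master: bytes, client_random: bytes, server_random: bytes) -> dict:
    """Key expansion (RFC 5246 6.3). Note the seed order flips to server_random + client_random.
    AES-128-GCM: mac_key_length 0, enc_key_length 16, fixed_iv_length 4."""
    block = prf(master, b"key expansion", server_random + client_random, 2 * 16 + 2 * 4)
    return {
        "client_write_key": block[0:16],
        "server_write_key": block[16:32],
        "client_write_iv": block[32:36],
        "server_write_iv": block[36:40],
    }


def derive_session_keys(pre_master: bytes, client_random: bytes, server_random: bytes) -> dict:
    """What each endpoint computes once it holds all three values."""
    master = master_secret(pre_master, client_random, server_random)
    keys = key_block_aes128_gcm(master, client_random, server_random)
    keys["master_secret"] = master
    return keys


def simulate_handshake() -> dict:
    """Client and server derive keys from the exchanged values; an eavesdropper who captured
    both randoms but could not decrypt the pre-master secret has to guess it and ends up with different keys."""
    client_random = os.urandom(32)            # sent in the clear in ClientHello
    server_random = os.urandom(32)            # sent in the clear in ServerHello
    pre_master = rsa_pre_master_secret()      # in real TLS: RSA-encrypted to the server's public key
    client_view = derive_session_keys(pre_master, client_random, server_random)
    server_view = derive_session_keys(pre_master, client_random, server_random)
    eavesdropper_view = derive_session_keys(rsa_pre_master_secret(), client_random, server_random)
    return {
        "peers_agree": client_view == server_view,
        "eavesdropper_agrees": eavesdropper_view == client_view,
    }


if __name__ == "__main__":
    print(simulate_handshake())
```

The two random values are public; everything secret in the derived keys comes from the pre-master secret, which is why the protection of that one value (RSA key transport here, ephemeral Diffie-Hellman in modern suites) decides whether recorded traffic can be decrypted later.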

III. Setting up HTTPS

  1. Prepare a domain name

    Create a DNS A (or AAAA) record pointing the domain at the server's public IP; the CA resolves this name during the challenge, so the record must be live before you request the certificate

  2. Open ports 443 and 80 on the server (80 must stay open: it serves the ACME challenge and the redirect to 443)
  3. Request a certificate
    1. Install acme.sh
      //the email is registered as the contact address of your ACME account; the CA uses it for account notices such as expiry reminders
      //the installer is fetched and piped straight into sh; if that is not acceptable on your host, download it first and read it before running it
      curl https://get.acme.sh | sh -s email=my@example.com
      //reload the shell environment so the acme.sh command is available in the current terminal
      source ~/.bashrc
    2. Request the certificate
      Prepare the directories on the server
      cd /opt/myblog
      mkdir -p certs acme-challenge logs/nginx
      //certs holds the certificate and private key; acme-challenge is a temporary directory for the HTTP-01 challenge files
      How the HTTP-01 challenge works: the CA hands the client a token, and the client must serve a file whose content is that token joined to a fingerprint of your ACME account key at http://www.linblog.xyz/.well-known/acme-challenge/<token>. The CA then fetches that URL over plain HTTP on port 80, and only if the content matches does it accept that you control the domain and issue the certificate.


      //request the certificate
      //--standalone makes acme.sh listen on port 80 itself, so nothing else (such as the nginx container) may be bound to port 80 at that moment
      //if nginx is already running, use --webroot /opt/myblog/acme-challenge instead; acme.sh then writes the challenge file into the directory that nginx serves under /.well-known/acme-challenge/ in the configuration below
      ~/.acme.sh/acme.sh --issue --standalone -d www.linblog.xyz
    3. Copy and install the certificate
      //install-cert records these paths: every automatic renewal (acme.sh installs a daily cron job and renews about 30 days before expiry) rewrites the files and runs --reloadcmd, so nginx picks up the new certificate without a restart
      //the .key file is the private key; keep it readable by root only
      ~/.acme.sh/acme.sh --install-cert -d www.linblog.xyz \
        --key-file /opt/myblog/certs/www.linblog.xyz.key \
        --fullchain-file /opt/myblog/certs/www.linblog.xyz.fullchain.cer \
        --reloadcmd "cd /opt/myblog && docker compose -f docker-compose.prod.yml exec -T nginx nginx -s reload"
  4. Edit the NGINX configuration
    Listen on 443 with the certificate and private key, and redirect requests on port 80 to 443, except for the ACME challenge path, which must keep answering over plain HTTP so renewals can complete
    server {
        listen 80;
        server_name www.linblog.xyz;

        location = /health {
            access_log off;
            # "return" takes its Content-Type from default_type; add_header would emit a second Content-Type header
            default_type text/plain;
            return 200 "ok\n";
        }

        # The HTTP-01 challenge must be served over plain HTTP, so it is matched before the redirect.
        # With "root", a request for /.well-known/acme-challenge/<token> is read from
        # /var/www/acme-challenge/.well-known/acme-challenge/<token>, which is the layout acme.sh writes
        # when issuing with --webroot /opt/myblog/acme-challenge (that host directory must be mounted here).
        location ^~ /.well-known/acme-challenge/ {
            root /var/www/acme-challenge;
        }

        # Everything else goes to HTTPS. If this is the only port-80 server block it also answers for unknown
        # Host headers, and $host then echoes the client-supplied name; use $server_name if that matters.
        location / {
            return 301 https://$host$request_uri;
        }
    }

    server {
        listen 443 ssl;
        server_name www.linblog.xyz;

        # container paths: /opt/myblog/certs on the host must be mounted at /etc/nginx/certs in docker-compose.prod.yml
        ssl_certificate /etc/nginx/certs/www.linblog.xyz.fullchain.cer;
        ssl_certificate_key /etc/nginx/certs/www.linblog.xyz.key;
        # nginx before 1.23.4 still enabled TLS 1.0/1.1 by default; only 1.2 and 1.3 are in use today
        ssl_protocols TLSv1.2 TLSv1.3;
        # once the redirect and renewal are confirmed working, consider:
        # add_header Strict-Transport-Security "max-age=31536000" always;

        client_max_body_size 10m;

        gzip on;
        gzip_vary on;
        gzip_min_length 1024;
        gzip_types text/plain text/css application/json application/javascript text/xml application/xml image/svg+xml;

        location = /health {
            access_log off;
            default_type text/plain;
            return 200 "ok\n";
        }

        # payment callback: exact match, full path forwarded unchanged to the api container
        location = /api/zhifuxpay/notify {
            proxy_pass http://api:4000/api/zhifuxpay/notify;
            proxy_http_version 1.1;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
        }

        # the trailing slash on proxy_pass strips the /api/ prefix: /api/posts is forwarded as /posts
        location /api/ {
            proxy_pass http://api:4000/;
            proxy_http_version 1.1;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
        }

        # Next.js build assets have content-hashed names, so caching them for a year is safe
        location /_next/static/ {
            proxy_pass http://web:3000;
            proxy_http_version 1.1;
            proxy_set_header Host $host;
            expires 1y;
            add_header Cache-Control "public, immutable";
        }

        # Next.js app; the Upgrade/Connection headers let WebSocket connections pass through
        location / {
            proxy_pass http://web:3000;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_cache_bypass $http_upgrade;
        }
    }
  5. Start the stack and verify
    Bring the containers up with docker compose using docker-compose.prod.yml, then confirm three things: a plain HTTP request to the site answers with a 301 to the https URL, the browser accepts the certificate without a warning (which means nginx is serving the full chain from fullchain.cer, not just the leaf), and the challenge path is still reachable over HTTP so the first automatic renewal will succeed
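The checks in step 5 are worth scripting, because the failure modes (wrong chain file, renewal cron job silently broken, redirect lost after a config change) are all invisible until a visitor gets a browser error. The script below is an added example, not the post's own code: it performs a real TLS handshake with Python's default trust store (which fails if the served chain is incomplete or untrusted), checks that the leaf certificate covers the host name and is not close to expiry, and checks that port 80 redirects to https. The host name www.linblog.xyz is taken from the article, the 14-day threshold is an arbitrary assumption, and the check functions take the dict that ssl's getpeercert() returns, so they can be exercised offline against the constructed certificate dict at the bottom.

```python
"""Post-deployment checks for the HTTPS setup described above (added example, not the post's code).

Assumptions: host name www.linblog.xyz from the article; MIN_DAYS is an arbitrary threshold.
The check_* functions take the dict that ssl.SSLSocket.getpeercert() returns, so they run
offline against CONSTRUCTED_CERT; main() runs them against the live server.
"""
import http.client
import socket
import ssl
import time

HOST = "www.linblog.xyz"
MIN_DAYS = 14  # acme.sh renews about 30 days before expiry; less than this means renewal is broken


def parse_cert_time(value: str) -> float:
    """'Jun  6 12:00:00 2026 GMT' (getpeercert() format) -> seconds since the epoch, UTC."""
    return float(ssl.cert_time_to_seconds(value))


def hostname_matches(cert: dict, hostname: str) -> bool:
    """Match hostname against the DNS SANs: exact match or a single-label wildcard (*.example.com)."""
    host = hostname.lower().rstrip(".")
    for kind, value in cert.get("subjectAltName", ()):
        if kind != "DNS":
            continue
        name = value.lower()
        if name == host:
            return True
        if name.startswith("*.") and "." in host and name[1:] == host[host.index("."):]:
            return True
    return False


def days_until_expiry(cert: dict, now: float) -> int:
    """Whole days from now until notAfter (negative once expired)."""
    return int((parse_cert_time(cert["notAfter"]) - now) // 86400)


def check_certificate(cert: dict, hostname: str, now: float, min_days: int = MIN_DAYS) -> list:
    """Return a list of problems; an empty list means the leaf certificate is fine for this host."""
    problems = []
    if not hostname_matches(cert, hostname):
        problems.append(f"certificate does not cover {hostname}")
    days = days_until_expiry(cert, now)
    if days < 0:
        problems.append("certificate has expired")
    elif days < min_days:
        problems.append(f"certificate expires in {days} days; check acme.sh renewal and --reloadcmd")
    return problems


def fetch_peer_cert(host: str, port: int = 443) -> tuple:
    """Real handshake with the system trust store. Raises ssl.SSLCertVerificationError when the chain
    served by nginx is incomplete or untrusted, the most common mistake after --install-cert."""
    ctx = ssl.create_default_context()  # verifies chain and host name, TLS 1.2+ only
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(), tls.version(), tls.cipher()[0]


def check_redirect(host: str) -> list:
    """Port 80 must answer with a redirect to the https:// URL of the same host."""
    conn = http.client.HTTPConnection(host, 80, timeout=10)
    conn.request("GET", "/", headers={"Host": host})
    resp = conn.getresponse()
    location = resp.getheader("Location", "")
    conn.close()
    if resp.status not in (301, 308) or not location.startswith(f"https://{host}/"):
        return [f"port 80 returned {resp.status} with Location={location!r}, expected 301 to https://{host}/"]
    return []


# Constructed sample in getpeercert() shape, not a real certificate.
CONSTRUCTED_CERT = {
    "subject": ((("commonName", "www.linblog.xyz"),),),
    "subjectAltName": (("DNS", "www.linblog.xyz"), ("DNS", "linblog.xyz")),
    "notBefore": "Mar  8 12:00:00 2026 GMT",
    "notAfter": "Jun  6 12:00:00 2026 GMT",
}


def main() -> int:
    cert, version, cipher = fetch_peer_cert(HOST)
    now = time.time()
    problems = check_certificate(cert, HOST, now) + check_redirect(HOST)
    print(f"{HOST}: {version} {cipher}, {days_until_expiry(cert, now)} days until expiry")
    for problem in problems:
        print("PROBLEM:", problem)
    return 1 if problems else 0


if __name__ == "__main__":
    raise SystemExit(main())
```

Run it once after the first deployment and then from cron a few days after each expected renewal; a non-zero exit status is the signal that the acme.sh cron job or the --reloadcmd stopped working long before the certificate actually expires.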