
How to configure https on Cloud Help

2025-02-24 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/01 Report--

This article explains how to configure https on Cloud Help. Many people have questions about this in day-to-day operation, so the editor consulted various materials and put together a simple, easy-to-follow procedure. Follow along below.

Preface: introduction to the related components

This sharing mainly involves two modules: console module and openresty module.

Console module

This is the ACP console module, which provides users with a visual web interface. It can listen on port 443. Certificate requirement: a certificate for its domain name.

Openresty module

This is the Cloud Help load-balancing module. All external services of Cloud Help are configured on the load balancer and forwarded through it to the corresponding applications and services. In most cases it can listen on port 443; on a single-node deployment it listens on an unoccupied port instead. Certificate requirement: because many domain names are involved, a pan-domain (wildcard) certificate is used here.

So let's talk about how to configure https in detail.

0x00 Using an openssl self-signed certificate

Preparatory work:

    cd /etc/goodrain/nginx/ssl    # directory used to store certificates
    mkdir console.goodrain.me     # one directory per domain name
    cd console.goodrain.me

Generate certificate operation:

    openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/goodrain/nginx/ssl/console.goodrain.me/console.key -out /etc/goodrain/nginx/ssl/console.goodrain.me/console.crt

Special note: after you press Enter you will be asked for some information; fill it in according to the prompts. The most important field is Common Name, which must be filled in carefully: enter the domain name associated with your server or the public IP address of your server.

A demo session looks like this:

    Country Name (2 letter code) [XX]: CN
    State or Province Name (full name) []: BeiJing
    Locality Name (eg, city) [Default City]: BeiJing
    Organization Name (eg, company) [Default Company Ltd]: Goodrain, Inc.
    Organizational Unit Name (eg, section) []: Cloud
    Common Name (eg, your name or your server's hostname) []: console.goodrain.me
    Email Address []: info@goodrain.me

The Common Name must be the domain name you want to serve over https.

0x01 Enabling https for the Cloud Help console

Back up the console configuration file

    cp console ~/    # the backup path is up to you, but do not back up into the current directory

Edit the console file

    # Add the following configuration to the original configuration.
    # "ip" is the same IP address that listens on 8688 in the original configuration.
    # Note: "ssl on;" is deprecated in newer nginx releases; the equivalent there is "listen ip:443 ssl;".
    server {
        listen ip:443;
        server_name console.goodrain.me;
        ssl on;
        ssl_certificate /etc/nginx/ssl/console.goodrain.me/console.crt;
        ssl_certificate_key /etc/nginx/ssl/console.goodrain.me/console.key;
        location / {
            proxy_pass http://console;
            proxy_set_header Host $host;
            proxy_redirect off;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_connect_timeout 60;
            proxy_read_timeout 600;
            proxy_send_timeout 600;
        }
    }

With this configuration, both http and https are supported. To force a redirect to https, modify the server block that listens on 8688:

    server {
        listen ip:8688;
        server_name console.goodrain.me;
        rewrite ^(.*)$ https://$server_name$1 permanent;
    }

After finishing the changes, restart the nginx service:

    dc-compose stop nginx
    cclear
    dc-compose up -d

At this point, the https configuration of the console has been completed. Test:

    [root@iZm5e7u02k402beob2081gZ]# curl -I console.goodrain.me/login
    HTTP/1.1 301 Moved Permanently
    Server: openresty
    Date: Thu, 30 Mar 2017 03:46:37 GMT
    Content-Type: text/html
    Content-Length: 185
    Connection: keep-alive
    Location: https://console.goodrain.me/login

When accessing the console from a browser, you need to add the certificate as trusted, because it is self-signed.

0x02 Enabling https for platform applications

Pan-domain (wildcard) certificate configuration:

    openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout server.key -out server.crt
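Both openssl commands in this article (the console certificate in 0x00 and the pan-domain certificate in 0x02) prompt interactively and identify the host only through Common Name, while current browsers and curl match the hostname against the subjectAltName extension. The following is an added example, not part of the original article, that generates the certificate non-interactively with a SAN and then checks that certificate and key belong together and which hostnames a wildcard actually covers. It assumes OpenSSL 1.1.1 or later (for -addext); apps.example.test and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original article). Needs OpenSSL 1.1.1+ for -addext.
# "apps.example.test" is a constructed domain; function names are illustrative.

# gen_cert <dns-name> <dir>: non-interactive self-signed cert with a SAN.
# <dns-name> may be a single host or a wildcard such as "*.apps.example.test".
gen_cert() {
    name=$1; dir=$2
    mkdir -p "$dir" || return 1
    # umask inside a subshell so the private key is never group/world readable
    ( umask 077
      openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
          -subj "/CN=$name" -addext "subjectAltName=DNS:$name" \
          -keyout "$dir/server.key" -out "$dir/server.crt" 2>/dev/null )
}

# cert_matches_key <crt> <key>: true only if both carry the same public key,
# which catches copying a .crt next to the wrong .key before nginx is restarted.
cert_matches_key() {
    a=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    b=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# cert_covers_host <crt> <hostname>: true if the certificate is valid for the name
cert_covers_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null |
        grep -q 'does match certificate'
}

# Demo in a throwaway directory: console cert plus a wildcard cert.
demo() {
    tmp=$(mktemp -d) || return 1
    gen_cert console.goodrain.me "$tmp/console" &&
    gen_cert '*.apps.example.test' "$tmp/wild" || { rm -rf "$tmp"; return 1; }
    for h in app1.apps.example.test a.b.apps.example.test apps.example.test; do
        if cert_covers_host "$tmp/wild/server.crt" "$h"
        then echo "$h: covered"; else echo "$h: NOT covered"; fi
    done
    cert_matches_key "$tmp/console/server.crt" "$tmp/console/server.key" &&
        echo "console.crt and console.key belong together"
    rm -rf "$tmp"
}
demo
```

A wildcard entry covers exactly one label, so only app1.apps.example.test is reported as covered; the nested name and the bare domain are not.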

Upload the certificate to the openresty service:

    docker cp server.crt openresty:/usr/local/openresty/nginx/conf/
    docker cp server.key openresty:/usr/local/openresty/nginx/conf/

Configure the openresty of the compute node:

    cd /etc/goodrain/openresty/servers/http
    cp default.conf default443.conf
    # Edit default443.conf and modify it as follows:
    listen 7443;
    ssl on;
    ssl_certificate /usr/local/openresty/nginx/conf/server.crt;
    ssl_certificate_key /usr/local/openresty/nginx/conf/server.key;
    # Everything else remains the same.

The listening port here is 7443 because my deployment is on a single node and port 443 is already in use by another service. After making the changes above, restart openresty:

    dc-compose stop openresty
    cclear
    dc-compose up -d

At this point, https for the applications has been configured. Test: if curl https://domain:7443 works, the configuration is OK. On a multi-node deployment, configuring it directly is enough.

Note: port 443 cannot be used for listening when there is only one server. You need to use an unoccupied port such as 7443, and the access URL is then https://domain:7443. If the compute node and the management node are not on the same server, you can listen on port 443, and the access URL is https://domain.

0x03 END

At this point, https for Cloud Help has been configured.

At this point, the study on "how to configure https on cloud help" is over. I hope to be able to solve your doubts. The collocation of theory and practice can better help you learn, go and try it! If you want to continue to learn more related knowledge, please continue to follow the website, the editor will continue to work hard to bring you more practical articles!
