CDH配置HTTPS访问
申请一台新的机器部署nginx,生成https/ssl证书的机器没有要求
1.生成https/ssl证书
[root@cdp01 ~]# mkdir -p /data/cert [root@cdp01 ~]# cd /data/cert ##输入密码,密码可以随便输 [root@cdp01 cert]# openssl genrsa -des3 -out server.key 2048 Generating RSA private key, 2048 bit long modulus .............................................................+++ ..............................................................+++ e is 65537 (0x10001) Enter pass phrase for server.key:123456 Verifying - Enter pass phrase for server.key:123456 [root@cdp01 cert]# ls server.key [root@cdp01 cert]# openssl req -new -key server.key -out server.csr Enter pass phrase for server.key:123456 You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [XX]:CN #这些信息可以随便填 State or Province Name (full name) []:ZJ Locality Name (eg, city) [Default City]:HZ Organization Name (eg, company) [Default Company Ltd]:YH Organizational Unit Name (eg, section) []:Q Common Name (eg, your name or your server's hostname) []:HT Email Address []:123456@qq.com Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: #不用修改直接回车 An optional company name []:YC [root@cdp01 cert]# ls server.csr server.key [root@cdp01 cert]# cp server.key server.key.org [root@cdp01 cert]# openssl rsa -in server.key.org -out server.key Enter pass phrase for server.key.org: writing RSA key [root@cdp01 cert]# openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt Signature ok subject=/C=CN/ST=ZJ/L=HZ/O=YH/OU=Q/CN=HT/emailAddress=123456@qq.com Getting Private key [root@cdp01 cert]# chmod a+x * [root@cdp01 cert]# ls server.crt server.csr server.key server.key.org
2.新机器安装nginx
yum install -y nginx systemctl start nginx
3.修改nginx配置文件
ssl_certificate /data/cert/server.crt;
ssl_certificate_key /data/cert/server.key;
这两个配置项是生成的https证书,需要放在nginx服务器对应的目录下
vim /etc/nginx/conf.d/http.conf
server {
listen 443 ssl;
ssl_certificate /data/cert/server.crt;
ssl_certificate_key /data/cert/server.key;
ssl_session_timeout 5m;
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
server_name _;
charset utf-8;
# max upload size
client_max_body_size 512M; # adjust to taste
client_body_buffer_size 128k;
proxy_connect_timeout 600;
proxy_read_timeout 600;
proxy_send_timeout 600;
proxy_buffer_size 32k;
proxy_buffers 4 64k;
proxy_busy_buffers_size 128k;
proxy_temp_file_write_size 128k;
location / {
proxy_pass http://172.16.120.53:7180;
proxy_set_header Host $host:$server_port;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}4.重载配置文件
[root@cdp03 conf.d]# nginx -t nginx: the configuration file /etc/nginx/nginx.conf syntax is ok nginx: configuration file /etc/nginx/nginx.conf test is successful [root@cdp03 conf.d]# nginx -s reload
5.访问cdp
https://172.16.120.55/cmf/login
如果提示连接不是私密连接是正常的,因为https证书是自签的。客户介意的话,还是需要客户购买证书。
6.80端口强制跳转443
nginx的默认配置文件上监听了80端口,如果想80端口强制跳转443端口,可以修改/etc/nginx/nginx.conf 中的server区块
server {
listen 80;
server_name 172.16.120.55;
rewrite ^(.*)$ https://172.16.120.55:443 permanent;
}重启
nginx -t nginx -s reload
7.修改配置,重启cm
vim /opt/cloudera/cm/webapp/WEB-INF/spring/mvc-config.xml 注释掉下面这一行 <<!-- <bean class="com.cloudera.server.web.cmf.csrf.CsrfRefererInterceptor"/> --> 重启cm systemctl restart cloudera-scm-server
