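I. Create a cert directory under the nginx root directory to hold the HTTPS certificate

Create the directory: mkdir cert

Enter the cert directory: cd cert

II. Generate the HTTPS certificate with openssl

Download and install openssl, and configure its environment variables

Generating the HTTPS certificate

1. Generate the key (an RSA private key, encrypted with des3, in openssl format, 2048 bits):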

openssl genrsa -des3 -out server_192.168.1.1.key 2048

2. Generate a key without a passphrase as follows (whether this step can be skipped remains to be verified):

openssl rsa -in server_192.168.1.1.key -out server_192.168.1.1.key

3. Generate the CA crt (used to sign the server.csr file below):

openssl req -new -x509 -key server_192.168.1.1.key -out ca.crt -days 3650

4. Generate the csr:

openssl req -new -key server_192.168.1.1.key -out server.csr

5. Generate the crt:

openssl x509 -req -days 3650 -in server.csr -CA ca.crt -CAkey server_192.168.1.1.key -CAcreateserial -out server_192.168.1.1.crt
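The five steps above as one non-interactive script, as an added example that is not part of the original post: it signs with a separate CA key instead of reusing the server key, and adds an IP subjectAltName, which current browsers and TLS clients check instead of the CN. The names ca.key and san.ext and the subject strings are assumptions; the IP and the other file names follow the post.

```shell
#!/bin/sh
# Added example (not from the original post). Assumed names: ca.key, san.ext
# and the subject strings; the IP and other file names follow the post.
set -eu

# make_certs IP DIR: create CA and server key/cert for IP inside DIR
make_certs() (
    ip=$1
    mkdir -p "$2" && cd "$2"
    umask 077    # keys below are unencrypted, keep them owner-only

    # CA: its own key and a self-signed certificate
    openssl genrsa -out ca.key 2048
    openssl req -new -x509 -key ca.key -out ca.crt -days 3650 \
        -subj "/CN=Example Local CA"

    # Server key and CSR (no passphrase, so nginx can start unattended)
    openssl genrsa -out "server_$ip.key" 2048
    openssl req -new -key "server_$ip.key" -out server.csr -subj "/CN=$ip"

    # x509 -req ignores CSR extensions by default; supply the SAN via -extfile
    printf 'subjectAltName=IP:%s\nbasicConstraints=CA:FALSE\n' "$ip" > san.ext
    openssl x509 -req -days 3650 -in server.csr -CA ca.crt -CAkey ca.key \
        -CAcreateserial -extfile san.ext -out "server_$ip.crt"
)

# check_certs IP DIR: succeed only if the cert chains to ca.crt and names IP
check_certs() {
    openssl verify -CAfile "$2/ca.crt" "$2/server_$1.crt" >/dev/null 2>&1 &&
    openssl x509 -in "$2/server_$1.crt" -noout -text |
        grep -Eq "IP Address:$1(,|\$)"
}

# Demo run in a scratch directory
demo_dir=$(mktemp -d)
make_certs 192.168.1.1 "$demo_dir"
check_certs 192.168.1.1 "$demo_dir" && echo "chain and IP SAN OK: $demo_dir"
```

Clients that should trust the server import ca.crt only; ca.key stays off the nginx host.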

III. Configure HTTPS in nginx

This configuration lets HTTP and HTTPS coexist

server {
    listen 443 ssl default_server;  # default_server: the server block used by default for this port when several exist
    server_name 192.168.1.1;        # real IP
    error_page 497 https://$server_name:443$request_uri;  # redirect plain-HTTP requests on this port (error 497) to https

    # the "ssl" parameter on listen replaces the deprecated "ssl on;" directive
    ssl_certificate ./cert/server_192.168.1.1.crt;
    ssl_certificate_key ./cert/server_192.168.1.1.key;
    ssl_protocols TLSv1.2 TLSv1.3;  # SSLv3, TLSv1 and TLSv1.1 are obsolete and insecure
    ssl_ciphers HIGH:!aNULL:!MD5;   # no LOW, EXPORT, RC4 or SSLv2 cipher suites
    ssl_prefer_server_ciphers on;
    #ssl_session_timeout 30m;       # the default is only 5 minutes, which is rather short

    # Write one access log file per port per day
    #charset koi8-r;
    if ($time_iso8601 ~ "^(\d{4})-(\d{2})-(\d{2})") {
        set $year $1;
        set $month $2;
        set $day $3;
    }
    access_log /data/logs/nginx/443.nginx.access-$year-$month-$day.log main;

    location /test1 {
        proxy_redirect http:// $scheme://;  # required: rewrites upstream redirects to https
        #proxy_redirect http:// https://;
        proxy_pass http://127.0.0.1:80/test1;
    }

    location /test2 {
        client_max_body_size 10m;
        proxy_set_header Host $host:$server_port;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header REMOTE-HOST $remote_addr;
        proxy_redirect http:// $scheme://;  # rewrites upstream redirects to https
        #proxy_redirect http:// https://;
        proxy_pass http://127.0.0.1:18081/test2;
        #proxy_redirect default;
    }
}

References:

https://blog.51cto.com/u_481814/1835713

https://www.cnblogs.com/caidingyu/p/11904277.html
