Nginx配置SSL证书

码客说

发布于 2019-10-22 09:12:05

3.4K00

代码可运行

文章被收录于专栏：码客码客

运行总次数：0

代码可运行

前言

HTTPS是一种通过计算机网络进行安全通信的传输协议，经由HTTP进行通信，利用SSL/TLS建立全信道，加密数据包。HTTPS使用的主要目的是提供对网站服务器的身份认证，同时保护交换数据的隐私与完整性

Nginx配置

在/etc/nginx/cert目录放入证书文件

psvmc.pem
psvmc.key

Nginx的配置文件添加如下配置

listen 443;
ssl on;
ssl_certificate   /etc/nginx/cert/psvmc.pem;
ssl_certificate_key  /etc/nginx/cert/psvmc.key;
ssl_session_timeout 5m;
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;

配置完成后基本如下

upstream test_psvmc {   
      server 111.111.111.111:8090;   
}  

  
server {  
      listen 443; 
      server_name test.psvmc.com;
      client_max_body_size  200m;  
      ssl on;
      ssl_certificate   /etc/nginx/cert/psvmc.pem;
      ssl_certificate_key  /etc/nginx/cert/psvmc.key;
      ssl_session_timeout 5m;
      ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
      ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
      ssl_prefer_server_ciphers on;
location / {  
          proxy_pass https://test_psvmc/;  
          proxy_cookie_path / /;
          proxy_redirect  / /; 
          proxy_set_header Host $host;  
          proxy_set_header X-Real-IP $remote_addr;  
          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;  
          client_max_body_size 200m;  
          client_body_buffer_size 128k;   
          proxy_connect_timeout 300s;
          proxy_send_timeout 300s;
          proxy_read_timeout 300s;   
          proxy_busy_buffers_size 64k;  
          proxy_temp_file_write_size 64k; 
          proxy_buffer_size 64k; 
          proxy_buffers 8 64k; 
          fastcgi_buffer_size 128k; 
          fastcgi_buffers 4 128k;
          send_timeout 60;   
  }
}

重启

service nginx restart

HTTP自动跳转HTTPS

在上面的配置中添加

server {
      listen 80;
      server_name test.psvmc.com;
      return 301 https://$host$uri?$args;
}

最终如下

upstream test_psvmc {   
      server 111.111.111.111:8090;   
}  

server {
      listen 80;
      server_name test.psvmc.com;
      return 301 https://$host$uri?$args;
}

server {  
      listen 443; 
      server_name test.psvmc.com;
      client_max_body_size  200m;  
      ssl on;
      ssl_certificate   /etc/nginx/cert/psvmc.pem;
      ssl_certificate_key  /etc/nginx/cert/psvmc.key;
      ssl_session_timeout 5m;
      ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
      ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
      ssl_prefer_server_ciphers on;
location / {  
          proxy_pass https://test_psvmc/;  
          proxy_cookie_path / /;
          proxy_redirect  / /; 
          proxy_set_header Host $host;  
          proxy_set_header X-Real-IP $remote_addr;  
          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;  
          client_max_body_size 200m;  
          client_body_buffer_size 128k;   
          proxy_connect_timeout 300s;
          proxy_send_timeout 300s;
          proxy_read_timeout 300s;   
          proxy_busy_buffers_size 64k;  
          proxy_temp_file_write_size 64k; 
          proxy_buffer_size 64k; 
          proxy_buffers 8 64k; 
          fastcgi_buffer_size 128k; 
          fastcgi_buffers 4 128k;
          send_timeout 60;   
  }
}