编程技术记录

世界你好!

支持SSL/TLS

在nginx的虚拟主机配置文件中添加

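server {
    # Plain-HTTP listeners (IPv4 and IPv6) for this virtual host.
    listen 80;
    listen [::]:80;
    server_name  test.abc.com;

    ####### TLS configuration #########
    # The `ssl` parameter enables TLS per listening socket, so port 80 above
    # keeps serving plain HTTP from the same server block.
    listen 443 ssl;
    listen [::]:443 ssl;

    # Do NOT add `ssl on;` here: it would turn TLS on for port 80 as well and
    # cause "The plain HTTP request was sent to HTTPS port".
    # Reference: https://www.centos.bz/2018/01/nginx%E5%A6%82%E4%BD%95%E8%A7%A3%E5%86%B3the-plain-http-request-was-sent-to-https-port%E9%94%99%E8%AF%AF/
    # The former explicit `ssl off;` line was dropped: off is the default, and
    # the standalone `ssl` directive is deprecated since nginx 1.15.0 and
    # removed in 1.25.1, where it makes the configuration fail to load.

    # TLS session lifetime.
    ssl_session_timeout  5m;

    # Allowed protocol versions. SSLv2/SSLv3 (POODLE) and TLSv1/TLSv1.1 are
    # obsolete and must stay disabled. TLSv1.3 needs nginx built against
    # OpenSSL 1.1.1 or newer; drop it if `nginx -t` rejects the parameter.
    ssl_protocols  TLSv1.2 TLSv1.3;

    # Cipher suites for TLS 1.2: forward-secret ECDHE key exchange with AEAD
    # ciphers only. The earlier list (ALL ... +LOW:+SSLv2:+EXP, RC4+RSA)
    # enabled export-grade, low-strength and RC4 suites that are breakable.
    # TLS 1.3 suites are not controlled by this directive.
    ssl_ciphers  ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers   on;

    # Certificate chain and private key. The key file should be readable
    # only by root / the nginx master process (e.g. mode 0600).
    ssl_certificate        /xxxx/xxxx/123.crt;
    ssl_certificate_key    /xxxx/xxxx/456.key;
    ################

    # ... remaining configuration omitted ...

}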

自动转发HTTP到HTTPS

原理是rewrite规则,重定向到https,所以需要创建两个虚拟主机,一个http,一个https

配置如下

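server {
    # HTTP-only virtual host: its sole job is to send clients to HTTPS.
    listen 80;
    listen [::]:80;
    server_name test.abc.com;

    # Permanent (301) redirect to the same path and query string on HTTPS.
    # `return` is the idiomatic form for an unconditional redirect: no regex
    # is evaluated per request. $server_name (a fixed value from this block)
    # is used rather than the client-supplied Host header, so the redirect
    # target cannot be influenced by the request.
    return 301 https://$server_name$request_uri;
}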

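server {
    server_name  test.abc.com;

    # Everything below is the same TLS setup as the single-server variant.

    ####### TLS configuration #########
    # The `ssl` parameter on each listen line is what enables TLS.
    listen 443 ssl;
    listen [::]:443 ssl;

    # Reference for "The plain HTTP request was sent to HTTPS port":
    # https://www.centos.bz/2018/01/nginx%E5%A6%82%E4%BD%95%E8%A7%A3%E5%86%B3the-plain-http-request-was-sent-to-https-port%E9%94%99%E8%AF%AF/
    # The former explicit `ssl off;` line was dropped: off is the default, and
    # the standalone `ssl` directive is deprecated since nginx 1.15.0 and
    # removed in 1.25.1, where it makes the configuration fail to load.

    # TLS session lifetime.
    ssl_session_timeout  5m;

    # Allowed protocol versions. SSLv2/SSLv3 (POODLE) and TLSv1/TLSv1.1 are
    # obsolete and must stay disabled. TLSv1.3 needs nginx built against
    # OpenSSL 1.1.1 or newer; drop it if `nginx -t` rejects the parameter.
    ssl_protocols  TLSv1.2 TLSv1.3;

    # Cipher suites for TLS 1.2: forward-secret ECDHE key exchange with AEAD
    # ciphers only. The earlier list (ALL ... +LOW:+SSLv2:+EXP, RC4+RSA)
    # enabled export-grade, low-strength and RC4 suites that are breakable.
    # TLS 1.3 suites are not controlled by this directive.
    ssl_ciphers  ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers   on;

    # Certificate chain and private key. The key file should be readable
    # only by root / the nginx master process (e.g. mode 0600).
    ssl_certificate        /xxxx/xxxx/123.crt;
    ssl_certificate_key    /xxxx/xxxx/456.key;

    # Optional, once every hostname served here works over HTTPS: send an
    # HSTS (Strict-Transport-Security) response header so browsers stop
    # making the initial plain-HTTP request that the redirect relies on.
    ################

    # ... remaining configuration omitted ...

}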
