Nginx:支持 HTTPS

发布于:2025-05-01 ⋅ 阅读:(39) ⋅ 点赞:(0)

Nginx 开启 ssl 以支持 HTTPS

[!IMPORTANT]

在下文中,将采用如下定义。

HTTP端口: 80

HTTPS端口: 443

服务地址: www.0ll1.com,也可以是 IP

1 生成本地证书

  1. 生成一个 RSA 私钥:server.key

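    # Generate a 2048-bit RSA private key, then restrict it to its owner:
    # anyone who can read server.key can impersonate the site.
    openssl genrsa -out server.key 2048
    chmod 600 server.key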
    
  2. 生成一个自签名的 X.509 证书:server.crt(自签名证书不受浏览器和客户端默认信任,仅适合测试或内网环境;对外服务应使用受信任 CA 签发的证书)

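    # Create a self-signed X.509 certificate from server.key.
    #  - -days 365 gives one year of validity (a value of 8760, the number of
    #    hours in a year, would make the certificate valid for about 24 years).
    #  - subjectAltName: current browsers match the host name against SAN and
    #    ignore CN. Use IP:<address> instead of DNS: when the service is reached
    #    by IP. -addext needs OpenSSL 1.1.1 or newer.
    openssl req -new -x509 -days 365 -key server.key -out server.crt \
        -subj "/C=CN/O=Institute of Information Engineering, CAS/CN=www.0ll1.com" \
        -addext "subjectAltName=DNS:www.0ll1.com"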
    

2 开启 ssl 以支持 HTTPS

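server {
    # HTTPS listener for the site.
    listen 443 ssl;
    server_name www.0ll1.com;

    # server.crt / server.key from step 1, placed under /usr/local/nginx/cert.
    ssl_certificate /usr/local/nginx/cert/server.crt;
    ssl_certificate_key /usr/local/nginx/cert/server.key;
    ssl_session_timeout 5m;

    # TLS 1.0 and 1.1 are deprecated (RFC 8996), so only 1.2 and 1.3 are offered.
    # The TLSv1.3 parameter needs nginx 1.13.0+ built against OpenSSL 1.1.1+.
    ssl_protocols TLSv1.2 TLSv1.3;

    # Cipher list for TLS 1.2. The EDH entries are only used when ssl_dhparam
    # is configured (nginx 1.11.0+ ships no built-in DH parameters).
    ssl_ciphers EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH;
    ssl_prefer_server_ciphers on;
}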

3 将 https 的请求转发给 http

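server {
    # This location goes inside the HTTPS server block from step 2; it hands
    # every request to the plain-HTTP service named in proxy_pass.
    location / {
        # Preserve the original Host header and client address for the backend.
        proxy_set_header Host $host;
        proxy_redirect off;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # Tell the backend which scheme the client used, so it can build
        # https:// links and redirects instead of downgrading to http://.
        proxy_set_header X-Forwarded-Proto $scheme;
        # Timeouts are in seconds.
        proxy_connect_timeout 60;
        proxy_read_timeout 600;
        proxy_send_timeout 600;
        # TLS ends at nginx: this hop to the backend is unencrypted.
        proxy_pass http://www.0ll1.com:80;
    }
}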

[!NOTE]

只需要将 proxy_pass 修改为后端 HTTP 服务的 URL 即可。注意:TLS 在 Nginx 处终止,Nginx 与后端之间仍是明文 HTTP,后端服务最好只监听本机或内网地址。

最终的 nginx.conf 如下

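server {
    # HTTPS listener for the site.
    listen 443 ssl;
    server_name www.0ll1.com;

    # server.crt / server.key from step 1, placed under /usr/local/nginx/cert.
    ssl_certificate /usr/local/nginx/cert/server.crt;
    ssl_certificate_key /usr/local/nginx/cert/server.key;
    ssl_session_timeout 5m;

    # TLS 1.0 and 1.1 are deprecated (RFC 8996), so only 1.2 and 1.3 are offered.
    # The TLSv1.3 parameter needs nginx 1.13.0+ built against OpenSSL 1.1.1+.
    ssl_protocols TLSv1.2 TLSv1.3;

    # Cipher list for TLS 1.2. The EDH entries are only used when ssl_dhparam
    # is configured (nginx 1.11.0+ ships no built-in DH parameters).
    ssl_ciphers EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH;
    ssl_prefer_server_ciphers on;

    # Hand every request to the plain-HTTP backend service.
    location / {
        # Preserve the original Host header and client address for the backend.
        proxy_set_header Host $host;
        proxy_redirect off;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # Tell the backend the client connected over HTTPS, so it can build
        # https:// links and redirects instead of downgrading to http://.
        proxy_set_header X-Forwarded-Proto $scheme;
        # Timeouts are in seconds.
        proxy_connect_timeout 60;
        proxy_read_timeout 600;
        proxy_send_timeout 600;
        # TLS ends at nginx: this hop to the backend is unencrypted.
        proxy_pass http://www.0ll1.com:80;
    }
}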
