nginx (SSL) proxying Apache (SSL)
nginx and Apache run on the same machine.
nginx configuration:
server {
    listen 80;
    server_name name.com;
    # Force http://name.com to redirect to https://name.com
    rewrite ^(.*)$ https://name.com$1 permanent;
}

ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;

server {
    listen 443 ssl;
    server_name name.com;
    access_log logs/ssl-access.log;
    error_log logs/ssl-error.log;
    ssl_certificate /name.crt;
    ssl_certificate_key /name.key;
    # CA used to verify client certificates; the server's own intermediate
    # chain belongs in the ssl_certificate file, after the server certificate
    ssl_client_certificate /ca.crt;
    keepalive_timeout 60;
    # SSLv2, SSLv3 and TLSv1 are obsolete and insecure
    # (TLSv1.3 needs nginx 1.13.0+ built with OpenSSL 1.1.1+)
    ssl_protocols TLSv1.2 TLSv1.3;
    # Exclude anonymous, export-grade, LOW and MD5-based cipher suites
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;

    location / {
        # Apache listens with SSL on the same machine
        proxy_pass https://127.0.0.1:445;
        proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        proxy_redirect off;
    }
}

Apache configuration:
Listen 445
NameVirtualHost *:445
<VirtualHost *:445>
    DocumentRoot "/data"
    ServerName name.com:445
    ServerAlias www.name.com:445 ip:445 127.0.0.1:445
    SSLEngine on
    # SSLv3 is insecure as well (POODLE); disable it along with SSLv2
    SSLProtocol all -SSLv2 -SSLv3
    SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5
    SSLCertificateFile "/name.crt"
    SSLCertificateKeyFile "/name.key"
    SSLCertificateChainFile "/ca.crt"
    <Directory "/test">
        # Allow only requests whose Referer matches this URL
        SetEnvIfNoCase Referer "www.name.com/code.php\?user&q=code" getout
        Order allow,deny
        Allow from env=getout
    </Directory>
    CustomLog "|/usr/sbin/cronolog www.name.com-access.%m%d" combined2
</VirtualHost>
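
Things to watch for when switching from HTTP to HTTPS:
1. Referenced images, JS, CSS and other resources must not use http:// URLs.
2. If third-party interfaces are used and the interaction with them goes over HTTP, the interface provider also needs to support HTTPS (or leave that interface out of the HTTPS handling).
3. If mobile browsers have problems, the certificate chain may be at fault.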