記錄一下nginx的https證書配置內容,可能並不通用,僅做參考:
一、以前系統配置功能:
server {
listen 443; #指定ssl監聽端口
server_name localhost; #服務器域名
ssl on;
root html;
index index.html index.htm;
ssl_certificate cert/cc.pem; #指定服務器證書路徑
ssl_certificate_key cert/cc.key; #指定私鑰證書路徑
ssl_session_cache shared:SSL:10m; #SSL會話緩存10MB
ssl_session_timeout 5m;
ssl_protocols SSLv2 SSLv3 TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
ssl_prefer_server_ciphers on;
location = /f5check.html {
proxy_pass http://nginxs;
root html;
}
location /clientdata {
proxy_redirect off;
proxy_set_header Host $http_host;
proxy_set_header Cookie $http_cookie;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forward-For $proxy_add_x_forwarded_for;
proxy_pass http://nginxs;
}
location /eventlog {
proxy_redirect off;
proxy_set_header Host $http_host;
proxy_set_header Cookie $http_cookie;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forward-For $proxy_add_x_forwarded_for;
proxy_pass http://nginxs;
}
location /usinglog {
proxy_redirect off;
proxy_set_header Host $http_host;
proxy_set_header Cookie $http_cookie;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forward-For $proxy_add_x_forwarded_for;
proxy_pass http://nginxs;
}
location /errorlog {
proxy_redirect off;
proxy_set_header Host $http_host;
proxy_set_header Cookie $http_cookie;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forward-For $proxy_add_x_forwarded_for;
proxy_pass http://nginxs;
}
location /appinfo {
proxy_redirect off;
proxy_set_header Host $http_host;
proxy_set_header Cookie $http_cookie;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forward-For $proxy_add_x_forwarded_for;
proxy_pass http://nginxs;
}
location / {
root html;
index index.html index.htm;
}
}
需要注意的是,我這邊使用了非線上頒發的證書,弄了很久都沒有完成。後來使用了線上的證書之後,通過當前的配置就可以解決這個https訪問的問題。
需要修改的地方主要是證書的位置,其他的依據需求進行修改即可。
二、lnmp一鍵安裝的服務nginx中:
1、conf當中的nginx.conf配置文件:
user www www;
worker_processes auto;
worker_cpu_affinity auto;
error_log /home/wwwlogs/nginx_error.log crit;
pid /usr/local/nginx/logs/nginx.pid;
worker_rlimit_nofile 51200;
events
{
use epoll;
worker_connections 51200;
multi_accept off;
accept_mutex off;
}
http
{
include mime.types;
default_type application/octet-stream;
server_names_hash_bucket_size 128;
client_header_buffer_size 32k;
large_client_header_buffers 4 32k;
client_max_body_size 50m;
sendfile on;
sendfile_max_chunk 512k;
tcp_nopush on;
keepalive_timeout 60;
tcp_nodelay on;
fastcgi_connect_timeout 300;
fastcgi_send_timeout 300;
fastcgi_read_timeout 300;
fastcgi_buffer_size 64k;
fastcgi_buffers 4 64k;
fastcgi_busy_buffers_size 128k;
fastcgi_temp_file_write_size 256k;
gzip on;
gzip_min_length 1k;
gzip_buffers 4 16k;
gzip_http_version 1.1;
gzip_comp_level 2;
gzip_types text/plain application/javascript application/x-javascript text/javascript text/css application/xml application/xml+rss;
gzip_vary on;
gzip_proxied expired no-cache no-store private auth;
gzip_disable "MSIE [1-6]\.";
server_tokens off;
access_log off;
include ../conf.d/*.bak;
#include ../conf.d/*.conf;
}
說明:*.bak表示我的採用的.bak後綴結尾的配置文件內容
2、conf.d當中的原來的server配置(http可訪問):
server
{
listen 80 default_server reuseport;
server_name _;
index index.html index.htm index.php;
root /home/wwwroot/default;
error_page 404 /404.html;
*include enable-php.conf;*
location /nginx_status
{
stub_status on;
access_log off;
}
location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
{
expires 30d;
}
location ~ .*\.(js|css)?$
{
expires 12h;
}
location ~ /.well-known {
allow all;
}
location ~ /\.
{
deny all;
}
access_log /home/wwwlogs/access.log;
}
2、conf.d當中的server 443和80的conf配置:
server {
listen 443 ssl;
server_name _;
ssl_certificate /usr/local/nginx/cert/xxx.pem;
ssl_certificate_key /usr/local/nginx/cert/xxx.key;
ssl_session_timeout 5m;
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
root /home/wwwroot/default;
index index.html index.htm index.php;
error_page 404 /404.html;
***include enable-php.conf;***
location /nginx_status
{
stub_status on;
access_log off;
}
location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
{
expires 30d;
}
location ~ .*\.(js|css)?$
{
expires 12h;
}
location ~ /.well-known {
allow all;
}
location ~ /\.
{
deny all;
}
access_log /home/wwwlogs/access-yarcl.log;
}
server {
listen 80;
server_name _;
rewrite ^(.*)$ https://$host$1 permanent;
location / {
return 301 https://ip:443$request_uri;
}
}
說明:
1、include enable-php.conf;配置代碼的位置比較重要,請一定按照原配置文件的位置進行放置。本人也是踩了這個坑了。
2、ssl_certificate*的配置請將https的證書放到對應的位置即可。
三、總結
說明:由於根目錄訪問一直都沒有問題,所以就不展示了。證書無效是因爲採用的ip訪問,用了域名訪問應該就沒有問題了,下次更新。
1、配置失敗的頁面訪問如下:
2、配置成功的頁面訪問如下: