昨天老大讓我去配置ssl,證書申請下來了,開始配置,首先https用的是443端口,需要在防火牆中開啓443端口,然後在nginx.conf中配置,例如下:如果需要雙向認證,需要客戶端ca證書,否則就不配置ca的部分,例如:
server {
listen 443 ssl;
server_name localhost;
ssl on;
ssl_certificate /usr/local/nginx/sslKey/域名.cer;
ssl_certificate_key /usr/local/nginx/sslKey/域名.key;
ssl_session_timeout 5m;
ssl_protocols SSLv2 SSLv3 TLSv1;
ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
ssl_prefer_server_ciphers on;
location / {
#root /mnt/omega/image ;
#index index.html index.htm;
proxy_pass http://localhost:8070;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_connect_timeout 3000s;
proxy_send_timeout 3000s;
proxy_read_timeout 3000s;
client_max_body_size 1000m;
}
}
如果開啓客戶端雙向認證:
server {
listen 443 ssl;
server_name 域名;
ssl on;
ssl_certificate /usr/local/nginx/sslKey/域名.cer;
ssl_certificate_key /usr/local/nginx/sslKey/域名.key;
ssl_client_certificate /usr/local/nginx/sslKey/ca.crt; #ca證書
ssl_session_timeout 5m;
ssl_verify_client on; #開戶客戶端證書驗證
ssl_session_timeout 5m;
ssl_protocols SSLv2 SSLv3 TLSv1;
ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
ssl_prefer_server_ciphers on;
location / {
#root /mnt/omega/image ;
#index index.html index.htm;
proxy_pass http://localhost:8070;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_connect_timeout 3000s;
proxy_send_timeout 3000s;
proxy_read_timeout 3000s;
client_max_body_size 1000m;
}
}
這樣就好了,然後./nginx/sbin/nginx -s stop 停止, ‘./nginx/sbin/nginx ’啓動,然後就好了。