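Adding SSL to an existing Nginx (HTTPS support)
Configuring HTTPS in Nginx
1. Check the nginx configuration (nginx -t tests it and prints the path of the main configuration file)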
nginx -t
2. View the configuration with vim
.......
.......
http {
    include /etc/nginx/mime.types;
    default_type application/octet-stream;
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';
    access_log /var/log/nginx/access.log main;
    sendfile on;
    #tcp_nopush on;
    keepalive_timeout 65;
    #gzip on;
    include /etc/nginx/conf.d/*.conf;
}
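Look at the last line, include /etc/nginx/conf.d/*.conf;. It shows that nginx includes every configuration file under ./conf.d/, so we can put our own configuration file in the ./conf.d/ directory as well.
3. Create the directory and the configuration file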
mkdir -p /etc/nginx/conf.d/
touch /etc/nginx/conf.d/xx.conf
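Before configuring HTTPS, we need to have the purchased SSL certificate files ready. I am using the free certificate provided by Alibaba Cloud.
4. Upload the certificate files to the server. I used Xftp to transfer them to the /etc/nginx/ssl_certs/ directory on the server. That directory now contains two files, xxx.pem and xxx.key.
5. Copy the following configuration into the configuration file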
server {
    listen 443 ssl;
    server_name www.aaa.com;
    ssl_certificate /etc/nginx/ssl_certs/xxx.pem;
    ssl_certificate_key /etc/nginx/ssl_certs/xxx.key;
    #ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 5m;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    location / {
        root /usr/share/nginx/html;
        index index.html index.htm;
    }
}
server {
    listen 80;
    server_name www.aaa.com; # your domain
    # force a redirect to https
    rewrite ^(.*) https://$server_name$1 permanent;
}
6. Finally, restart nginx with the service nginx restart command.
Serving HTTP and HTTPS side by side in Nginx
server {
    listen 80 default backlog=2048;
    listen 443 ssl;
    server_name wosign.com;
    root /var/www/html;
    ssl_certificate /usr/local/Tengine/sslcrt/wosign.com.crt;
    ssl_certificate_key /usr/local/Tengine/sslcrt/wosign.com.Key;
}
Remove the ssl on; line and put ssl after port 443 on the listen line. That way both http and https links work.
Nginx SSL performance tuning
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4:HIGH:!MD5:!aNULL:!eNULL:!NULL:!DH:!EDH:!AESGCM;
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
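The tuning directives above still enable TLS 1.0/1.1 and RC4 and exclude AES-GCM. The block below is an added example, not part of the original post, that places each of those settings beside a current replacement inside the server block from step 5. It assumes nginx 1.13.0 or later built against OpenSSL 1.1.1 or later (needed for TLSv1.3); the cipher list is one reasonable choice, not the author's, and the domain and certificate paths are the page's placeholders.

```nginx
# Added example: hardened form of the page's HTTPS server block.
server {
    listen 443 ssl;
    server_name www.aaa.com;                      # placeholder domain from the page

    ssl_certificate     /etc/nginx/ssl_certs/xxx.pem;
    ssl_certificate_key /etc/nginx/ssl_certs/xxx.key;

    # Page's setting: ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    # TLS 1.0 and 1.1 are deprecated (RFC 8996). Keep 1.2 and add 1.3.
    ssl_protocols TLSv1.2 TLSv1.3;

    # Page's setting: ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4:HIGH:...:!AESGCM
    #   - RC4 is prohibited in TLS (RFC 7465).
    #   - AES256-SHA256 uses static RSA key exchange, so no forward secrecy.
    #   - !AESGCM removes the AEAD suites, leaving only CBC-mode AES.
    # This list allows only ECDHE key exchange with AEAD ciphers for TLS 1.2.
    # TLS 1.3 suites are not selected by ssl_ciphers.
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers on;

    # Session resumption, same values as the page's tuning section.
    # The shared cache is visible to all worker processes.
    ssl_session_cache   shared:SSL:10m;
    ssl_session_timeout 10m;
    # Resumption then relies on the server-side cache above, not on tickets.
    ssl_session_tickets off;

    location / {
        root  /usr/share/nginx/html;
        index index.html index.htm;
    }
}
```

Run nginx -t after editing; an nginx or OpenSSL build that is too old for TLSv1.3 is reported there before the restart in step 6.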