nginx配置https

1、使用openssl生成csr、key两个文件
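# Writes 域名点变下划线.csr and 域名点变下划线.key into the current directory. The key name must match
# what step 2 (-signkey) and the nginx ssl_certificate_key directive expect, so it uses the same
# "域名点变下划线" placeholder as the .csr. -nodes leaves the private key unencrypted on disk, so
# restrict it to the account that runs nginx right after generating it (e.g. chmod 600).
openssl req -new -newkey rsa:2048 -sha256 -nodes -out 域名点变下划线.csr -keyout 域名点变下划线.key -subj "/C=CN/ST=HuNan/L=ChangSha/O=XingShengYouXuan Inc./OU=Web Security/CN=域名"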
  • 此命令会在当前目录生成csr、key两个文件
  • ST:省或州
  • L:市
  • O:公司
  • OU:公司部门...
  • CN:你的域名
 
 
2、使用openssl用私钥对csr文件进行自签名，生成crt证书文件
# Self-signs the CSR with the private key from step 1 and produces a certificate valid for 365 days.
# Because the issuer is the key itself (not a CA), clients will not trust it unless the certificate
# is explicitly installed as trusted; for a public domain, submit the .csr to a CA instead of this step.
openssl x509 -req -days 365 -in 域名点变下划线.csr -signkey 域名点变下划线.key -out 域名点变下划线.crt
 
 
3、在nginx中配置ssl映射关系
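server{
        #ssl参数
        listen              443 ssl;
        server_name  域名;
        #证书文件
        ssl_certificate     /etc/nginx/域名点变下划线.crt;
        #私钥文件 (stored unencrypted - keep it readable only by root / the nginx master process)
        ssl_certificate_key /etc/nginx/域名点变下划线.key;
        charset utf-8;
        # TLS 1.0 and 1.1 are deprecated (RFC 8996) and should not be offered on a payment endpoint.
        # Add TLSv1.3 to this list on nginx >= 1.13.0 built against OpenSSL >= 1.1.1.
        ssl_protocols       TLSv1.2;
        # HIGH:!aNULL:!MD5 still allows non-forward-secret RSA key exchange; consider limiting
        # this to ECDHE suites once client compatibility has been checked.
        ssl_ciphers         HIGH:!aNULL:!MD5;
        access_log   /etc/nginx/logs/https-user-access.log  main;
        location /api/user/payment  {
            # nginx resolves request-header variables only with the lower-case "http_" prefix;
            # "$Http_host" is expected to be rejected as an unknown variable at config test time.
            proxy_set_header        Host  $http_host;
            proxy_set_header        X-Real-IP                       $remote_addr;
            # appends $remote_addr to whatever X-Forwarded-For the client already sent;
            # the upstream must trust only the last (rightmost) entry, which this hop adds
            proxy_set_header        X-Forwarded-For         $proxy_add_x_forwarded_for;
            # the upstream only sees plain HTTP from this proxy; tell it the client used HTTPS
            # so redirects / secure cookies are generated correctly
            proxy_set_header        X-Forwarded-Proto       $scheme;
            proxy_set_header        X-Queue-Start           "t=${msec}000";
            # TLS terminates here; the hop to IP:PORT is cleartext HTTP and should stay on a trusted network
            proxy_pass  http://IP:PORT/XXXX/payment/;
        }
 
 
}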
server {
        listen       80;
        server_name  域名;
        charset utf-8;
        access_log   /etc/nginx/logs/user-access.log  main;
.......
 
4、需要运维开放443端口，并在防火墙上放行该端口
 
相关技术细节参考链接:
 
 
 
 
 
 
 
 
 
 
 
 
====================================================================================================================
 
测试环境一个完整的例子(注意反向代理)
====================================================================================================================
 


#user nobody;
# single worker process; raise this (or use `auto`) to match the number of CPU cores
worker_processes 1;

#error_log logs/error.log;
#error_log logs/error.log notice;
#error_log logs/error.log info;

#pid logs/nginx.pid;


events {
# maximum simultaneous connections handled by each worker process
worker_connections 1024;
}


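http {
include mime.types;
default_type application/octet-stream;

#log_format main '$remote_addr - $remote_user [$time_local] "$request" '
# '$status $body_bytes_sent "$http_referer" '
# '"$http_user_agent" "$http_x_forwarded_for"';

#access_log logs/access.log main;

sendfile on;
#tcp_nopush on;

#keepalive_timeout 0;
keepalive_timeout 65;

# do not advertise the nginx version in the Server header and on error pages
server_tokens off;

#gzip on;

server {
listen 80;
server_name 172.16.8.19 localhost;
#charset koi8-r;

#access_log logs/host.access.log main;

# single-page front end: any path that is not a file or directory falls back to index.html
location / {
root /home/html/armor-ui;
try_files $uri $uri/ /index.html;
index index.html index.htm;
}

location /prod-api/ {
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header REMOTE_HOST $remote_addr;
# appends $remote_addr to any client-supplied X-Forwarded-For; the backend should trust only the last entry
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# reverse proxy: the trailing "/" in proxy_pass strips the /prod-api/ prefix, so /prod-api/x is forwarded as /x
proxy_pass http://localhost:8888/;
}

# NOTE(review): with `root`, /ftas/x maps to /home/html/ftasFont/ftas/x; if the files live directly under
# ftasFont, `alias` is probably what was intended - confirm. The /index.html fallback below is an internal
# redirect that is matched by `location /`, so it serves armor-ui's index.html, not ftasFont's.
location /ftas {
root /home/html/ftasFont;
try_files $uri $uri/ /index.html;
index index.html index.htm;
}


# no location serves /404.html explicitly, so it resolves through `location /` (armor-ui root)
error_page 404 /404.html;

# redirect server error pages to the static page /50x.html
#
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root html;
}

# proxy the PHP scripts to Apache listening on 127.0.0.1:80
#
#location ~ \.php$ {
# proxy_pass http://127.0.0.1;
#}

# pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
#
#location ~ \.php$ {
# root html;
# fastcgi_pass 127.0.0.1:9000;
# fastcgi_index index.php;
# fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name;
# include fastcgi_params;
#}

# deny access to .htaccess files, if Apache's document root
# concurs with nginx's one
#
#location ~ /\.ht {
# deny all;
#}
}


# another virtual host using mix of IP-, name-, and port-based configuration
#
#server {
# listen 8000;
# listen somename:8080;
# server_name somename alias another.alias;

# location / {
# root html;
# index index.html index.htm;
# }
#}


# HTTPS server
# (stock template; if enabled, also set ssl_protocols to TLSv1.2 and newer as in the example at the top of this page)
#
#server {
# listen 443 ssl;
# server_name localhost;

# ssl_certificate cert.pem;
# ssl_certificate_key cert.key;

# ssl_session_cache shared:SSL:1m;
# ssl_session_timeout 5m;

# ssl_ciphers HIGH:!aNULL:!MD5;
# ssl_prefer_server_ciphers on;

# location / {
# root html;
# index index.html index.htm;
# }
#}

}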