https实现三种方式

https实现三种方式

1.单个ECS/nginx配置https

单个ECS，添加域名证书【公网/私有】，并添加跳转https

server {
        listen 80;
        server_name www.weirui.com;
        return  302 https://$server_name$request_uri;
}
server  {
        listen 443 ssl；
        server_name  www.weirui.com;
        ssl_certificate  key;
        ssl_certificate_key server.key;
        location / {
            index index.php;
        }
}

2.SLB+ECS

user 》 https 》 SLB > http > web_cluster
user 》 https 》 SLB > https > web_cluster

#负载均衡
upstream  web_cluster {
        server xx:80;
        server xx:80;
}
server {
        listen 80;
        server_name www.weirui.com;
        return  302 https://$server_name$request_uri;
}
 server  {
        listen 443 ssl；
        server_name  www.weirui.com;
        ssl_certificate  key;
        ssl_certificate_key server.key;
        location / {
            proxy_pass  http://web_cluster;
            proxy_set_Header Host $http_host;
        }
}



#web_cluster

server {
        listen 80;
        server_name www.weirui.com;
        return  302 https://$server_name$request_uri;
}
server  {
        listen 443 ssl；
        server_name  www.weirui.com;
        ssl_certificate  key;
        ssl_certificate_key server.key;
        location / {
            index index.php;
        }
}

3.CDN+SLB+ECS

1.公网证书
2.需要SLB添加证书，将SLB的80端口删除
3.为SLB配置基于HTTPS的访问
4.将SLB的HTTP转到HTTPS
5.上传CDN的HTTPS

注：
若前端是https后端是http，那么需要在后端配置允许支持https。
#vi /etc/nginx/nginx.conf
server {
    ...
    location ~ \.php {
        fastcgi_pass  127.0.0.1:9000;
        fastcgi_param SCRIPT_FILENAME $doucument_root$fastcgi_script_name;
        include  fastcgi_param;
        fastcgi_param   HTTPS  on;
    }
}

配置校验

#nginx -t
#nginx -s  reload

或
#systemctl daemon-reload
#systemctl restart nginx