
Nginx rewrite https

Nginx rewrite https

rewrite实现http跳转https

生成证书

创建私有证书
生成CA证书文件(-nodes 表示 ca.key 不加密保存,应限制该文件的访问权限并妥善保管)
#openssl req -newkey rsa:4096 -nodes -sha256 -keyout ca.key -x509 -days 3650 -out ca.crt
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:shanghai
Locality Name (eg, city) [Default City]:shanghai
Organization Name (eg, company) [Default Company Ltd]:weirui.Ltd
Organizational Unit Name (eg, section) []:it
Common Name (eg, your name or your server's hostname) []:ca.weirui.org
Email Address []:

生成key和csr文件
#openssl req -newkey rsa:4096 -nodes -sha256 -keyout www.weirui.vip.key -out www.weirui.vip.csr
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:shanghai
Locality Name (eg, city) [Default City]:shanghai
Organization Name (eg, company) [Default Company Ltd]:weirui.vip
Organizational Unit Name (eg, section) []:weirui.vip
Common Name (eg, your name or your server's hostname) []:weirui.vip
Email Address []:1655841639@qq.com
A challenge password []:
An optional company name []:

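签发证书(注意:下面的命令没有写入 subjectAltName,且CSR中的 Common Name 为 weirui.vip,与后面nginx配置的 server_name www.weirui.vip 不一致;现代浏览器只校验 subjectAltName,不加 -k 的curl也会校验失败。可用 -extfile 指定包含 subjectAltName=DNS:www.weirui.vip 的扩展文件)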
#openssl x509 -req -days 3650 -in www.weirui.vip.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out www.weirui.vip.crt
Signature ok
subject=/C=CN/ST=shanghai/L=shanghai/O=weirui.vip/OU=weirui.vip/CN=weirui.vip/emailAddress=1655841639@qq.com
Getting CA Private Key

合并CA和服务器证书成一个文件,注意服务器证书在前
#cat www.weirui.vip.crt ca.crt > weirui.crt

查看证书内容
#openssl x509 -in www.weirui.vip.crt -noout -text

 

nginx配置

方式一

#cat  /apps/nginx-1.18.0/conf.d/hsts.conf
# Single server block that answers on both plain HTTP (80) and HTTPS (443);
# requests that arrive over HTTP are redirected to HTTPS by the rewrite in
# "location /".
# NOTE(review): no ssl_protocols is set here, so nginx's built-in default
# protocol list applies; consider setting it explicitly.
server {
     listen 80;
     listen 443 ssl;
     ssl_certificate /apps/nginx-1.18.0/certs/www.weirui.vip.crt;
     # Private key: keep it readable only by the account that starts nginx.
     ssl_certificate_key /apps/nginx-1.18.0/certs/www.weirui.vip.key;
     ssl_session_cache shared:sslcache:20m;
     ssl_session_timeout 10m;
     server_name www.weirui.vip;
     # HSTS for one year, covering every subdomain. "always" adds the header to
     # all response codes, so it is also sent on the port-80 redirect, where
     # browsers ignore it (HSTS is only honoured over an error-free HTTPS
     # connection).
     # NOTE(review): confirm every subdomain serves HTTPS before keeping
     # includeSubDomains with such a long max-age.
     add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
     location / {
        root /apps/nginx-1.18.0/html;
        # With the two listen lines above, $scheme is "http" only on port 80.
        if ( $scheme = http ) {
            # "redirect" answers with a temporary 302; "permanent" would send 301.
            rewrite ^/(.*)$ https://www.weirui.vip/$1 redirect;
        }
     }

}

方式二

#cat  /apps/nginx-1.18.0/conf.d/https.conf
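# HTTPS virtual host for www.weirui.vip.
server {
    # "listen ... ssl" already enables TLS on this socket; the separate
    # "ssl on;" directive is deprecated since nginx 1.15.0 and has been dropped.
    listen 443 ssl;
    server_name www.weirui.vip;
    ssl_certificate /apps/nginx-1.18.0/certs/www.weirui.vip.crt;
    # Private key: keep it readable only by the account that starts nginx.
    ssl_certificate_key /apps/nginx-1.18.0/certs/www.weirui.vip.key;
    # OCSP stapling needs an OCSP responder URL inside the server certificate.
    # NOTE(review): the certificate signed earlier on this page was issued
    # without extensions, so it presumably has no responder URL; nginx then logs
    # a warning and ignores ssl_stapling. Confirm against the real certificate.
    ssl_stapling on;
    ssl_stapling_verify on;
    # CA chain used to verify the stapled OCSP response.
    ssl_trusted_certificate /apps/nginx-1.18.0/certs/weirui.crt;
    ssl_session_cache shared:sslcache:20m;
    ssl_session_timeout 10m;
    # TLS 1.0 and 1.1 are deprecated (RFC 8996) and are no longer offered.
    # TLSv1.3 takes effect only when nginx is built against OpenSSL 1.1.1+.
    ssl_protocols TLSv1.2 TLSv1.3;
    # "always" sends the HSTS header on error responses too, not only on 2xx/3xx.
    add_header Strict-Transport-Security max-age=15768000 always;
    root /apps/nginx-1.18.0/html;
}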
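# Port-80 virtual host: every plain-HTTP request is answered with a permanent
# (301) redirect to the same host and URI over HTTPS.
server {
    listen 80;
    server_name www.weirui.vip;
    # A server-level "return" runs before any location is selected, so the
    # former "location / { echo ...; }" block was unreachable. It also required
    # the third-party echo module, without which nginx rejects the configuration,
    # so it has been removed. Verify the redirect with "curl -I" instead.
    # $host comes from the request's Host header; if this server can also act as
    # the default for port 80, a fixed hostname in the target avoids reflecting
    # arbitrary Host values into the Location header.
    return 301 https://$host$request_uri;
}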

 

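验证(以下输出为302且HTTP响应中带有 max-age=31536000 的HSTS头,对应方式一的配置;-k 会跳过证书校验,仅适合自签证书的连通性测试,要验证证书本身应改用 --cacert ca.crt)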

#curl http://www.weirui.vip -I
HTTP/1.1 302 Moved Temporarily
Server: nginx/8.8.0
Date: Sat, 19 Mar 2022 11:32:44 GMT
Content-Type: text/html
Content-Length: 144
Connection: keep-alive
Location: https://www.weirui.vip/
Strict-Transport-Security: max-age=31536000; includeSubDomains

#curl http://www.weirui.vip -ILk
HTTP/1.1 302 Moved Temporarily
Server: nginx/8.8.0
Date: Sat, 19 Mar 2022 11:35:40 GMT
Content-Type: text/html
Content-Length: 144
Connection: keep-alive
Location: https://www.weirui.vip/
Strict-Transport-Security: max-age=31536000; includeSubDomains

HTTP/1.1 200 OK
Server: nginx/8.8.0
Date: Sat, 19 Mar 2022 11:35:41 GMT
Content-Type: text/html
Content-Length: 16
Last-Modified: Sat, 19 Mar 2022 07:44:47 GMT
Connection: keep-alive
ETag: "623589ef-10"
Strict-Transport-Security: max-age=31536000; includeSubDomains
Accept-Ranges: bytes

 

posted @ 2022-03-19 21:00  九尾cat