nginx配置ssl证书

关于linux安装nginx本文不进行说明，默认为已安装完成。

先生成nginx可用的公钥秘钥，公钥格式一般为.crt或.pem，秘钥格式为.key。

将公钥秘钥复制到/nginx/conf目录。

修改nginx.conf如下，ps：下文域名均以百度为例，实际以自己域名为准。

#user  nobody;
worker_processes  1;

#error_log  logs/error.log;
#error_log  logs/error.log  notice;
#error_log  logs/error.log  info;

#pid        logs/nginx.pid;


events {
    worker_connections  1024;
}


http {
    include       mime.types;
    default_type  application/octet-stream;

    #log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
    #                  '$status $body_bytes_sent "$http_referer" '
    #                  '"$http_user_agent" "$http_x_forwarded_for"';

    #access_log  logs/access.log  main;

    sendfile        on;
    #tcp_nopush     on;

    #keepalive_timeout  0;
    keepalive_timeout  65;

    #gzip  on;
    
    server {
        listen       80;
        server_name  baidu.com; #填写自己的域名，以百度网址为例
                
    rewrite ^(.*)$  https://$host$1 permanent;

        #charset koi8-r;

        #access_log  logs/host.access.log  main;

        location / {
            root   html;
            index  index.html index.htm;
        }

        #error_page  404              /404.html;

        # redirect server error pages to the static page /50x.html
        #
        error_page   500 502 503 504  /50x.html;
        location = /50x.html {
            root   html;
        }

        # proxy the PHP scripts to Apache listening on 127.0.0.1:80
        #
        #location ~ \.php$ {
        #    proxy_pass   http://127.0.0.1;
        #}

        # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
        #
        #location ~ \.php$ {
        #    root           html;
        #    fastcgi_pass   127.0.0.1:9000;
        #    fastcgi_index  index.php;
        #    fastcgi_param  SCRIPT_FILENAME  /scripts$fastcgi_script_name;
        #    include        fastcgi_params;
        #}

        # deny access to .htaccess files, if Apache's document root
        # concurs with nginx's one
        #
        #location ~ /\.ht {
        #    deny  all;
        #}
    }


    # another virtual host using mix of IP-, name-, and port-based configuration
    #
    #server {
    #    listen       8000;
    #    listen       somename:8080;
    #    server_name  somename  alias  another.alias;

    #    location / {
    #        root   html;
    #        index  index.html index.htm;
    #    }
    #}


    # HTTPS 配置
    server {  
        listen 443;  
        server_name popkeeper.cn; #网站域名
      
        ssl on;  
        ssl_certificate www.baidu.com.pem; #填写证书公钥的文件全名
        ssl_certificate_key www.baidu.com.key; #填写证书私钥的文件全名
        ssl_session_timeout 5m;
        #ssl_protocols SSLv2 SSLv3 TLSv1;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        #ssl_ciphers HIGH:!aNULL:!MD5;
        ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;
        ssl_prefer_server_ciphers on;

        # 配置如下可访问路径 www.baidu.com/resource/ 
        # 一般用于存放h5项目或者静态图片音频资源等
        location /resource/ {
            root   /usr/local/nginx/html/;
            index  index.html index.htm;
        }

        # 下面是配置转发，通过域名访问可转发至下方的10010端口，一般用以转发至当前服务器的java服务等
        location / {
            proxy_pass http://localhost:10010;  
            proxy_redirect default;      
            #设置主机头和客户端真实地址，以便服务器获取客户端真实IP
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;  
        }
        error_page   500 502 503 504  /50x.html;
        location = /50x.html {
            root   html;
        } 
    }
}