nginx SSL certificate configuration

1. First, configure DNS resolution: the IP that the subdomain (second-level domain) record points to must be correct.

2. Ping the configured domain from your local machine and confirm that the IP returned is the public IP of the server nginx runs on.

3. Apply for the certificate and download it; normally choose the nginx format. The downloaded .crt should contain the server certificate followed by the CA's intermediate certificates, because nginx sends only what is in that file and does not fetch a missing chain for you.

4. Upload the certificate to the nginx host and configure it for the domain. The domain's port 80 (the default) only redirects to HTTPS; the site itself is served on 443, as follows:

upstream gateway {
    server 127.0.0.1:30000;
}
server {
    listen 80;
    server_name admin.cjxqtalents.cn;
    # return runs before any location matching, so a location block in this
    # server would be dead code; everything arriving on port 80 goes to HTTPS.
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name admin.cjxqtalents.cn;
    ssl_certificate /usr/local/nginx/cert/scs1728461315872_admin.cjxqtalents.cn_server.crt;
    ssl_certificate_key /usr/local/nginx/cert/scs1728461315872_admin.cjxqtalents.cn_server.key;
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout  10m;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    underscores_in_headers on;

    location / {
        try_files $uri $uri/ /index.html;
        root /data/wwwroot/dist;
        index index.php index.html index.htm default.php default.htm default.html;
    }

    location ~ ^/(\.user.ini|\.htaccess|\.git|\.env|\.svn|\.project|LICENSE|README.md) {
        return 404;
    }

    location ~ \.well-known {
        allow all;
    }

    location /DataV {
        try_files $uri $uri/ /DataV/index.html;
    }

    client_max_body_size 100m;

    # Cookie is forwarded by default, so the first line is redundant. What is
    # missing is X-Forwarded-Proto $scheme: without it the gateway cannot tell
    # that the request arrived over TLS (Secure cookies, absolute URLs, etc.).
    proxy_set_header Cookie $http_cookie;
    proxy_set_header X-Forwarded-Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

    client_header_buffer_size 128k;
    large_client_header_buffers 4 128k;

    # Reflecting every Origin while also sending Allow-Credentials: true lets any
    # website a logged-in user visits make authenticated cross-origin requests to
    # /api/ and read the responses. Restrict Allow-Origin to an allowlist of your
    # own origins. Also note: add_header is not inherited by a location that has
    # its own add_header, and without "always" it is only sent on 2xx/3xx.
    add_header Access-Control-Allow-Methods 'GET,PUT,POST,DELETE,OPTIONS';
    add_header Access-Control-Max-Age 3600;
    add_header Access-Control-Allow-Credentials true;
    add_header Access-Control-Allow-Origin $http_origin;
    add_header Access-Control-Allow-Headers $http_access_control_request_headers;

    location /api/ {
        proxy_pass http://gateway/api/;
        proxy_read_timeout 600s;
        proxy_send_timeout 600s;
    }

    location /websocket {
        proxy_pass http://gateway/api/message/websocket;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_read_timeout 600s;
    }

    location /ReportServer/ {
        proxy_pass http://gateway;
        proxy_read_timeout 2700;
        proxy_send_timeout 2700;
    }

    # Everything under /FileServer goes to the file server. The original
    # additional regex location "/FileServer/*.*\.(js|css)?$" proxied to the same
    # backend and, because the extension group was optional, matched almost any
    # path anyway, so it is dropped.
    location /FileServer {
        proxy_pass http://172.21.32.11:30090;
    }
}

server {
    listen 80;
    server_name www.cjxqtalents.cn;
    # Same as above: return makes a location block here unreachable.
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name www.cjxqtalents.cn;
    ssl_certificate /usr/local/nginx/cert/scs1728461254489_www.cjxqtalents.cn_server.crt;
    ssl_certificate_key /usr/local/nginx/cert/scs1728461254489_www.cjxqtalents.cn_server.key;
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout  10m;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    underscores_in_headers on;

    location / {
        try_files $uri $uri/ /index.html;
        root /data/wwwroot/cjxq/dist;
        index index.php index.html index.htm default.php default.htm default.html;
    }

    client_max_body_size 100m;

    proxy_set_header Cookie $http_cookie;
    proxy_set_header X-Forwarded-Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

    client_header_buffer_size 128k;
    large_client_header_buffers 4 128k;

    # Same issue as the admin site: any Origin is reflected together with
    # Allow-Credentials: true. Use an allowlist of your own origins instead.
    add_header Access-Control-Allow-Methods 'GET,PUT,POST,DELETE,OPTIONS';
    add_header Access-Control-Max-Age 3600;
    add_header Access-Control-Allow-Credentials true;
    add_header Access-Control-Allow-Origin $http_origin;
    add_header Access-Control-Allow-Headers $http_access_control_request_headers;

    location /api/ {
        proxy_pass http://gateway/api/;
        proxy_read_timeout 600s;
        proxy_send_timeout 600s;
    }

    # The redundant regex location for .js/.css has been dropped here as well.
    location /FileServer {
        proxy_pass http://172.21.32.11:30090;
    }
}
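The block above works, but two settings in it are weak: the CORS headers reflect any Origin together with Allow-Credentials: true, and nothing pins the TLS protocol versions or tells the gateway that the request came in over TLS. The following is an added, hardened version of the admin.cjxqtalents.cn configuration, written for this page and not taken from the original post. It keeps the page's host names, upstream and certificate paths; the origin allowlist in the map, the HSTS max-age and the use of $server_name in the redirect are this example's choices. The map belongs in the http{} context, next to the upstream.

```nginx
# Weak (original):  add_header Access-Control-Allow-Origin $http_origin;
#                   add_header Access-Control-Allow-Credentials true;
# That reflects *any* Origin with credentials, so any site a logged-in user
# visits can make authenticated requests to /api/ and read the responses.
# Corrected: an explicit allowlist. Unknown origins map to "", and nginx does
# not emit an add_header whose value is empty, so they get no CORS headers.
map $http_origin $cors_origin {
    default                        "";
    "https://admin.cjxqtalents.cn" $http_origin;
    "https://www.cjxqtalents.cn"   $http_origin;
}

upstream gateway {
    server 127.0.0.1:30000;
}

server {
    listen 80;
    server_name admin.cjxqtalents.cn;
    # $server_name instead of $host: a forged Host header cannot turn this
    # redirect into an open redirect. return runs before location matching,
    # so no location block is needed (it would be dead code).
    return 301 https://$server_name$request_uri;
}

server {
    listen 443 ssl;
    server_name admin.cjxqtalents.cn;

    # The .crt must hold the server certificate followed by the intermediates.
    ssl_certificate     /usr/local/nginx/cert/scs1728461315872_admin.cjxqtalents.cn_server.crt;
    ssl_certificate_key /usr/local/nginx/cert/scs1728461315872_admin.cjxqtalents.cn_server.key;
    # Older nginx builds still default to accepting TLSv1.0/1.1; pin it.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 10m;

    root  /data/wwwroot/dist;
    index index.html;
    client_max_body_size 100m;

    # Without Host the gateway would see "Host: gateway" (the upstream name);
    # X-Forwarded-Proto lets it know the client connection was TLS.
    proxy_set_header Host              $host;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Forwarded-Host  $host;
    proxy_set_header X-Real-IP         $remote_addr;
    proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;

    # "always" also covers 4xx/5xx; without it add_header fires only on 2xx/3xx.
    # A location with its own add_header inherits none of these, so keep all
    # CORS headers at one level.
    add_header Strict-Transport-Security "max-age=31536000" always;
    add_header Access-Control-Allow-Origin      $cors_origin always;
    add_header Access-Control-Allow-Credentials true always;
    add_header Access-Control-Allow-Methods     'GET,PUT,POST,DELETE,OPTIONS' always;
    add_header Access-Control-Allow-Headers     $http_access_control_request_headers always;
    add_header Access-Control-Max-Age           3600 always;
    add_header Vary Origin always;

    location / {
        try_files $uri $uri/ /index.html;
    }

    # Never serve repository metadata or dotfiles from the web root.
    location ~ ^/(\.user\.ini|\.htaccess|\.git|\.env|\.svn|\.project|LICENSE|README\.md) {
        return 404;
    }

    location /api/ {
        proxy_pass http://gateway/api/;
        proxy_read_timeout 600s;
        proxy_send_timeout 600s;
    }
}
```

Access-Control-Allow-Headers still reflects the request's list, which is acceptable once the origin itself is restricted. The www.cjxqtalents.cn block gets the same treatment with its own certificate paths.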

5. Run nginx -t to check the configuration, then restart (or reload) nginx so it takes effect, and open the domain in a browser to verify.

6. If the application must also be reachable by IP address and port, create another sub-configuration file in the conf directory with a server block for that IP:port form and reload nginx. Keep in mind that such access is plain HTTP and bypasses the HTTPS redirect, so limit that port to trusted source addresses in the firewall rather than exposing it to the internet.
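The checks in steps 1, 2 and 5, plus the ones from the troubleshooting list below, can be scripted. The following is an added example written for this page (not from the original post): the first four functions inspect the certificate files offline with openssl, the rest need the network and the nginx host. The hostnames, paths and IP passed on the command line are placeholders, and the 14-day expiry margin is this script's choice.

```shell
#!/bin/sh
# verify_tls_site.sh  (added example, not part of the original post)
# usage: sh verify_tls_site.sh HOST CERT KEY [PUBLIC_IP]
set -e

# Does the private key belong to this certificate? Comparing the public key
# (SPKI) works for RSA and EC keys alike; the older "compare the RSA modulus"
# trick silently fails on EC keys.
cert_key_match() {
    c=$(openssl x509 -noout -pubkey -in "$1" 2>/dev/null) || return 1
    k=$(openssl pkey -pubout -in "$2" 2>/dev/null) || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Is the hostname covered by the certificate (SAN, falling back to CN)?
cert_covers_host() {
    openssl x509 -noout -in "$1" -checkhost "$2" 2>/dev/null | grep -q ' does match '
}

# Succeeds if the certificate is still valid for at least $2 more days.
cert_valid_for_days() {
    openssl x509 -noout -in "$1" -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# Number of PEM certificates in the file. ssl_certificate should hold the
# server cert followed by the intermediates; a count of 1 usually means the
# chain is missing and some clients will reject the site.
chain_cert_count() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# --- live checks: need DNS, the network path and the nginx host ---

# The A record must resolve to the nginx server's public IP (steps 1 and 2).
dns_points_to() {
    getent ahostsv4 "$1" 2>/dev/null | awk '{print $1}' | grep -qx "$2"
}

# Was nginx built with the SSL module at all (troubleshooting item 8)?
nginx_has_ssl() {
    nginx -V 2>&1 | grep -q -- '--with-http_ssl_module'
}

# Port 80 must answer with a 301 to the https:// URL (the redirect server block).
http_redirects_to_https() {
    curl -sS -o /dev/null -w '%{http_code} %{redirect_url}' "http://$1/" \
        | grep -q "^301 https://$1/"
}

# Full handshake with SNI and chain verification, as a browser would do it.
tls_handshake_ok() {
    openssl s_client -servername "$1" -connect "$1:443" -verify_return_error \
        </dev/null >/dev/null 2>&1
}

# Run a check and print one line per result.
report() {
    if "$@"; then echo "ok   $1"; else echo "FAIL $1"; fi
}

main() {
    host=$1; crt=$2; key=$3; ip=${4:-}
    report cert_key_match "$crt" "$key"
    report cert_covers_host "$crt" "$host"
    report cert_valid_for_days "$crt" 14
    echo "certs in $crt: $(chain_cert_count "$crt") (expect 2 or more)"
    if [ -n "$ip" ]; then report dns_points_to "$host" "$ip"; fi
    report nginx_has_ssl
    report http_redirects_to_https "$host"
    report tls_handshake_ok "$host"
}

case "${1-}" in
    "") echo "usage: $0 HOST CERT KEY [PUBLIC_IP]" >&2 ;;
    *)  main "$@" ;;
esac
```

Example invocation on the nginx host: sh verify_tls_site.sh admin.cjxqtalents.cn /usr/local/nginx/cert/scs1728461315872_admin.cjxqtalents.cn_server.crt /usr/local/nginx/cert/scs1728461315872_admin.cjxqtalents.cn_server.key 203.0.113.10 (the IP is a placeholder). A FAIL on tls_handshake_ok together with a chain count of 1 is the classic "works in my browser, fails on the mobile app" symptom caused by a missing intermediate.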

=================================================================================================================================

Common reasons the configuration does not take effect:

1. DNS resolution is not set up correctly; check that the IP returned for the domain is the right one.

2. The wrong certificate type was downloaded (for example the Apache bundle used on an nginx server), or the certificate files were uploaded without the file permissions nginx needs to read them. The master process loads the private key at startup, so keep the key readable only by root (mode 0600) rather than world-readable.

3. The certificate paths in the nginx site configuration do not match where the certificate was actually uploaded.

4. The listen port of the HTTP server block is not 80. Port 80 is the default, and the redirect only catches traffic that arrives on it.

5. The deployment directory (root) of the HTTPS server block is wrong.

6. The iptables or firewalld firewall on the nginx server does not allow ports 80 and 443.

7. Port mapping (NAT) is not configured: external 443 to the internal nginx 443 and external 80 to the internal nginx 80 have not been opened, so there is no network path.

8. nginx was built without the SSL module (--with-http_ssl_module), so the ssl directives cannot work; nginx -t then rejects the "ssl" parameter of listen with an error mentioning ngx_http_ssl_module. Check the build with nginx -V.

posted @ 2024-10-15 14:36 by 追梦boyaaa  views(242)  comments(0)