nginx 使用“通配符证书”配置多个 https 的域名
一般配置 https 需要一个证书对应一个域名,一个证书只能用于一个域名;但是有一种叫做“通配符证书”(英文叫:Wildcard certificate)的证书,可以一个证书,配置 n 个二级域名,例如:
一般的:
www.baidu.com
通配符证书:
*.baidu.com
然后 nginx 中,nginx.conf 文件:(用 docker 安装的,和原始方式略有不同,但问题不大,主要是 server 部分的配置,使用 include 引入 server 部分)
user nginx; worker_processes auto; error_log /var/log/nginx/error.log notice; pid /var/run/nginx.pid; events { worker_connections 1024; } http { include /etc/nginx/mime.types; default_type application/octet-stream; log_format main '$remote_addr - $remote_user [$time_local] "$request" ' '$status $body_bytes_sent "$http_referer" ' '"$http_user_agent" "$http_x_forwarded_for"'; access_log /var/log/nginx/access.log main; sendfile on; #tcp_nopush on; keepalive_timeout 65; #gzip on; include /etc/nginx/conf.d/*.conf; }
再看 server 部分配置:
假如有一个域名: xxxx.hk ,现在其下有两个二级域名:
web.xxxx.hk 想指向:http://xx.xx.xx.xx:8080
app.xxxx.hk 想指向:http://xx.xx.xx.xx:8081
然后现在有一份通配符证书:
xxxx.crt
xxxx.key
就可以新建两个 443 端口的 server ,同时配置这个证书(两个 80 端口的 server 是为了强转 http 的请求到 https 上)
server { listen 80; listen [::]:80; server_name web.xxxx.hk; rewrite ^(.*) https://$server_name$1 permanent; #access_log /var/log/nginx/host.access.log main; location / { proxy_pass http://xx.xx.xx.xx:8080; root /usr/share/nginx/html; index index.html index.htm; } #error_page 404 /404.html; # redirect server error pages to the static page /50x.html # error_page 500 502 503 504 /50x.html; location = /50x.html { root /usr/share/nginx/html; } } server { listen 80; listen [::]:80; server_name app.xxxx.hk; rewrite ^(.*) https://$server_name$1 permanent; #access_log /var/log/nginx/host.access.log main; location / { proxy_pass http://xx.xx.xx.xx:8081; root /usr/share/nginx/html; index index.html index.htm; } #error_page 404 /404.html; # redirect server error pages to the static page /50x.html # error_page 500 502 503 504 /50x.html; location = /50x.html { root /usr/share/nginx/html; } } server { listen 443 ssl; server_name web.xxxx.hk; ssl_certificate /ssl/xxxx.crt; ssl_certificate_key /ssl/xxxx.key; ssl_session_cache shared:SSL:1m; ssl_session_timeout 5m; ssl_ciphers HIGH:!aNULL:!MD5; ssl_prefer_server_ciphers on; location / { proxy_pass http://xx.xx.xx.xx:8080; root /usr/share/nginx/html; index index.html index.htm; } } server { listen 443 ssl; server_name app.xxxx.hk; ssl_certificate /ssl/xxxx.crt; ssl_certificate_key /ssl/xxxx.key; ssl_session_cache shared:SSL:1m; ssl_session_timeout 5m; ssl_ciphers HIGH:!aNULL:!MD5; ssl_prefer_server_ciphers on; location / { proxy_pass http://xx.xx.xx.xx:8081; root /usr/share/nginx/html; index index.html index.htm; } }
【推荐】国内首个AI IDE,深度理解中文开发场景,立即下载体验Trae
【推荐】编程新体验,更懂你的AI,立即体验豆包MarsCode编程助手
【推荐】抖音旗下AI助手豆包,你的智能百科全书,全免费不限次数
【推荐】轻量又高性能的 SSH 工具 IShell:AI 加持,快人一步
· 全程不用写代码,我用AI程序员写了一个飞机大战
· DeepSeek 开源周回顾「GitHub 热点速览」
· 记一次.NET内存居高不下排查解决与启示
· 物流快递公司核心技术能力-地址解析分单基础技术分享
· .NET 10首个预览版发布:重大改进与新特性概览!