nginx配置证书实现HTTPS

本地配置

1
2
3
4
5
6
7
8
cd /usr/local/nginx
# 创建服务器私钥,命令会让你输入一个口令
openssl genrsa -des3 -out server.key 1024
# 创建签名请求的证书(CSR)
openssl req -new -key server.key -out server.csr
# 设置信息
# 最后标记证书使用上述私钥和CSR
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
1
2
3
4
5
6
7
8
9
10
11
12
13
server {
  listen       443 ssl;
  server_name  work.com;
  index   index.html;
  ssl                  on;
  ssl_certificate      /etc/nginx/server.crt;
  ssl_certificate_key  /etc/nginx/server.key;
  ssl_session_timeout  5m;
  location / {
    root   /usr/local/web/;
    add_header 'Cache-Control' 'no-store';
  }
}

云服务器配置

1. 申请证书

1
2
4122000_www.xxx.com.pem
4122000_www.xxx.com.key

2. 配置

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
server {
    listen       443 ssl;
    server_name  localhost;

    ssl_certificate      /usr/local/nginx/conf/4122000_www.xxx.com.pem;
    ssl_certificate_key  /usr/local/nginx/conf/4122000_www.xxx.com.key;

    ssl_session_cache    shared:SSL:1m;
    ssl_session_timeout  5m;

    ssl_ciphers code;  #使用此加密套件
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;   #使用该协议进行配置
    ssl_prefer_server_ciphers  on;

    location /server/ {
      proxy_pass http://localhost:3920/;
      proxy_set_header Host $host;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_redirect default ;
      client_max_body_size 200m;
    }
}