Nginx 启用 https

在 nginx.conf 中增加一个新的 server 配置:

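    server {
        # "ssl on;" is deprecated; the ssl parameter of listen replaces it.
        listen 443 ssl;
        server_name www.some.com;
        ssl_certificate sslkey/some.com.crt;
        ssl_certificate_key sslkey/some.com.key;
        ssl_session_timeout 5m;
        # TLS 1.0/1.1 are deprecated (RFC 8996); only offer 1.2 and 1.3.
        ssl_protocols TLSv1.2 TLSv1.3;
        # nginx's default list starts from strong suites; the old
        # "ALL:...:-LOW" form started from every suite and only subtracted.
        ssl_ciphers HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers on;

        location / {
            proxy_pass http://tomcat_www;
        }
        access_log logs/www-ssl.access.log main;
    }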

对于需要强制跳转到 https 的 80 端口访问, 使用以下配置:

    server {
        listen       80;
        server_name www.some.com;
        # Only "/" is served the meta-refresh page: any other path is looked up
        # under root and returns 404 instead of being redirected to https.
        location / {
            root   /var/www/html;
            index  index.html; # meta jump to https
        }
        access_log logs/www.access.log main;
    }

index.html 的内容如下:

<html>
<!-- Client-side redirect: the browser immediately loads https://www.some.com/.
     nginx serves this file only for "/", so deeper paths are not redirected. -->
<meta http-equiv="refresh" content="0;url=https://www.some.com/">
</html>

 

其他的跳转方案 — 方案一:

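    server {
        listen  192.168.1.111:80;
        server_name test.com;

        # Permanent redirect to the same host and path over https.
        # $request_uri keeps the query string; the old
        # "rewrite ^(.*)$ https://$host$1 permanent;" only appended it implicitly.
        # NOTE(review): $host comes from the client's Host header; if this block
        # is also the default_server, $server_name is the safer choice.
        return 301 https://$host$request_uri;
    }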

方案二:

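    server {
        # ssl port; "ssl on;" is deprecated, the listen parameter replaces it
        listen       192.168.1.11:443 ssl;
        # users habitually type http, so also listen on 80 and let the 497
        # status (plain HTTP sent to the HTTPS port) bounce them to 443
        listen       192.168.1.11:80;
        server_name  test.com;
        # PEM certificate file
        ssl_certificate      /etc/nginx/test.pem;
        # PEM private key file
        ssl_certificate_key  /etc/nginx/test.key;

        # redirect http requests to https; "=301" makes it permanent instead of
        # the 302 nginx uses by default, and $request_uri keeps path and query
        error_page 497 =301 https://$host$request_uri;
    }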

使用 openssl 给 nginx 生成证书:

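#!/usr/bin/env bash
#
# Build a throw-away CA with openssl and use it to issue a server certificate
# and a client certificate (plus a PKCS#12 bundle of the latter) for nginx.
#
# Run it from the directory that holds (or will hold) the "demoCA" tree,
# i.e. the default layout `openssl ca` reads from openssl.cnf.
# Answers are read interactively; the value in brackets is used when the
# answer is left empty (or when stdin is not a terminal).
#
# bash rather than sh: the script relies on `read -p` / `read -s`, which
# POSIX sh does not provide.
set -eu

# Print "Enter your <label> [<default>]: " and echo back the answer, or the
# default when the answer is empty.  Usage: var=$(prompt "label" "default")
prompt() {
  local answer=
  read -r -p "Enter your $1 [$2]: " answer || true
  printf '%s' "${answer:-$2}"
}

# Same as prompt, but without echoing what is typed.
prompt_secret() {
  local answer=
  read -r -s -p "Enter your $1 [$2]: " answer || true
  printf '\n' >&2
  printf '%s' "${answer:-$2}"
}

# Preparing directories and files (the layout `openssl ca` expects)
mkdir -p demoCA/private demoCA/newcerts
touch demoCA/index.txt
# Seed the serial counter only once so re-runs keep counting.  The old
# `echo -e "01\n" >> demoCA/serial` appended "-e 01" under dash and an extra
# blank line under bash, both of which break `openssl ca`.
[ -e demoCA/serial ] || printf '01\n' > demoCA/serial

ORGANIZATION=$(prompt "Organization" "RockBB")
ORGANIZATION_UNIT=$(prompt "Organization Unit" "Board")
DOMAIN=$(prompt "domain" "www.example.com")
CLIENT_NAME=$(prompt "client name" "client")
PASSWORD=$(prompt_secret "p12 password" "111111")
SUBJECT="/C=CN/ST=Beijing/L=Chaoyang/O=$ORGANIZATION/OU=$ORGANIZATION_UNIT/CN=$DOMAIN"

printf '\ncreate self-signed certificate:\n'
# CA private key
openssl genrsa -out demoCA/private/cakey.pem 2048
# self-signed CA certificate
# NOTE(review): the CA and the server certificate share the same subject;
# a distinct CN for the CA makes the chain easier to read and debug.
openssl req -new -subj "$SUBJECT" -x509 -key demoCA/private/cakey.pem -out demoCA/cacert.pem -days 3655

printf '\ncreate server certificate:\n'
# 2048-bit keys: 1024-bit RSA is no longer accepted by current browsers/TLS stacks.
openssl genrsa -out "$DOMAIN.key" 2048
openssl req -new -subj "$SUBJECT" -key "$DOMAIN.key" -out "$DOMAIN.csr"
# `-days N` is the documented form; `-days=N` is not accepted by every openssl release.
openssl ca -in "$DOMAIN.csr" -out "$DOMAIN.crt" -days 3650

printf '\ncreate client certificate\n'
SUBJECT_CLIENT="/C=CN/ST=Beijing/L=Chaoyang/O=$ORGANIZATION/OU=$ORGANIZATION_UNIT/CN=$CLIENT_NAME"
openssl genrsa -out "$DOMAIN.client.key" 2048
openssl req -new -subj "$SUBJECT_CLIENT" -key "$DOMAIN.client.key" -out "$DOMAIN.client.csr"
openssl ca -batch -in "$DOMAIN.client.csr" -out "$DOMAIN.client.crt" -days 3650
# The export password goes through the environment (env: source) instead of
# argv, so it is not visible in `ps` output or shell history.  The original
# option was also misspelled ("-pasword"), so the export never ran.
P12_PASSWORD="$PASSWORD" openssl pkcs12 -export -clcerts \
  -in "$DOMAIN.client.crt" -inkey "$DOMAIN.client.key" \
  -out "$DOMAIN.client.p12" -passout env:P12_PASSWORD

printf '\nUpdate the Nginx configuration:\n'

# Reference nginx configuration for the certificates created above.
# Printed with cat so the heading above is actually followed by something;
# the old `: <<'END'` form discarded it.
cat <<'END'
upstream tomcat_admin {
    server 10.1.1.3:8080;
}
server {
    listen       80;
    server_name www.rockbb.com;
    location / {
        rewrite ^(.*)$ https://$host$1 permanent;
    }
    access_log logs/www.access.log main;
}
server {
    # "ssl on;" is deprecated; the listen parameter replaces it
    listen       443 ssl;
    server_name www.rockbb.com;
    ssl_certificate sslkey/www.rockbb.com.crt;
    ssl_certificate_key sslkey/www.rockbb.com.key;
    # CA that issued the client certificates (demoCA/cacert.pem above)
    ssl_client_certificate sslkey/www.rockbb.com.cacert.pem;
    ssl_session_timeout 5m;
    ssl_verify_client on;
    # SSLv2/SSLv3 and TLS 1.0/1.1 are broken or deprecated; offer 1.2 and 1.3 only
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;

    location / {
        proxy_pass http://tomcat_admin;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header REMOTE-HOST $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # lets the backend know the client connection was TLS
        proxy_set_header X-Forwarded-Proto $scheme;
    }
    access_log logs/www-ssl.access.log main;
}
END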

 
