nginx https 配置样例

  • 站点nginx https 配置模板
    • 第一章 nginx 支持https 配置样例
    • 其他 相关链接地址

第一章 nginx 支持https 配置样例

  • 说明:https 段配置参数说明
Server 段::
listen 443 http2 spdy; #侦听443端口,并按照http2.0、spdy、http1.1 的顺序进行适用协议匹配,向下兼容。
ssl on; #开启ssl
ssl_certificate ../ssl/58_com-key/server.pem; #指定证书位置(线下测试证书在ssl.tar包里,需要将tar包上传至linux服务器上解压,在子目录中选用一套证书及私钥使用,推荐使用58_com-key下的证书和私钥)
ssl_certificate_key ../ssl/58_com-key/server.key; #指定证书私钥位置
ssl_session_timeout 10m; # ssl session超时时间
ssl_protocols TLSv1 TLSv1.1 TLSv1.2; #ssl 链路支持协议
ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4"; #ssl加密支持套件
ssl_prefer_server_ciphers on;#优先匹配服务端加密套件 location 段:
proxy_set_header HTTPS-Tag "HTTPS"; #设置HTTPS_TAG标识,方便程序认读
proxy_set_header X-Forwarded-Proto $scheme; #设置协议头传递变量 使用X-Forwarded-Proto进行协议的判定识别,需要在tomcat配置中添加内容:#使用X-Forwarded-Proto传递协议的条件是因为:在使用相对协议做跳转时,程序需要读取协议头再做跳转。而代理传递给后端的协议永远都是http协议,而真正的协议头https并没有传递成功。$scheme变量可以获取到用户访问使用的真正协议。将$scheme 变量赋值给 X-Forwarded_Proto 变量向后端(tomcat)传递协议可以避免这个问题。但是这时候tomcat使用X-Forwarded-For来获取用户IP可能存在问题。需要更换获取变量为X-Real-IP。
Tomcat-server.xml配置:
在Engine段添加: <Valve className="org.apache.catalina.valves.RemoteIpValve" remoteIpHeader="X-Forwarded-For" protocolHeader="X-Forwarded-Proto" protocolHeaderHttpsValue="https"/>

线上配置样例:

HTTP-80 段详细配置:文章来源地址:https://www.yii666.com/article/754137.html

server {
listen 80;
server_name example.58.com;
access_log /opt/log/nginx/example.58.com/example.58.com_access.log main;
error_log /opt/log/nginx/example.58.com/example.58.com_error.log error;
charset utf-8; #### by dongange ####
set $remote_address $http_x_forwarded_for; if ( $remote_address !~ "[0-9]" ) {
set $remote_address $remote_addr;
}
#### ----------- #### location / {
proxy_pass http://example_pool;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $remote_address;
proxy_set_header HTTPS-Tag "HTTP";
proxy_set_header X-Forwarded-Proto $scheme;
}
error_page 404 = http://404.58.com/404.html?from=$host$request_uri;
}

HTTPS-443 段详细配置配置:网址:yii666.com<网址:yii666.com

server {
listen 443 http2 spdy;
server_name example.58.com;
access_log /opt/log/nginx/example.58.com/example.58.com_https_access.log main;
error_log /opt/log/nginx/example.58.com/example.58.com_https_error.log error;
charset utf-8; ssl on;
ssl_certificate ../ssl/58_com-key/server.pem;
ssl_certificate_key ../ssl/58_com-key/server.key;
ssl_session_timeout 10m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
ssl_prefer_server_ciphers on; #### by dongange ####
set $remote_address $http_x_forwarded_for; if ( $remote_address !~ "[0-9]" ) {
set $remote_address $remote_addr;
}
#### ----------- #### location / {
proxy_pass http://example_pool;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $remote_address;
proxy_set_header HTTPS-Tag "HTTPS";
proxy_set_header X-Forwarded-Proto $scheme;
}
error_page 404 = https://404.58.com/404.html?from=$host$request_uri;
}

其他 相关链接地址

1.openssl 命令用法介绍:http://blog.csdn.net/as3luyuan123/article/category/1743855/1 
2.证书导入:
windows系统:http://jingyan.baidu.com/article/4e5b3e1954379c91911e2451.html 
安卓手机:http://zhidao.baidu.com/link?url=bW1gDIxfiQ4OMcyhPxY53Qxo8B0DLst5GD-n_N4Tz5bfdNmKoIpr6saUe2s8uv_OXURPh_PV1sXjQA8B7wXFHq 
3.CA原理:http://yale.iteye.com/blog/1675344 
4.nginx ssl相关:http://www.oschina.net/translate/strong_ssl_security_on_nginx文章来源地址https://www.yii666.com/article/754137.html文章地址https://www.yii666.com/article/754137.html

版权声明:本文内容来源于网络,版权归原作者所有,此博客不拥有其著作权,亦不承担相应法律责任。文本页已经标记具体来源原文地址,请点击原文查看来源网址,站内文章以及资源内容站长不承诺其正确性,如侵犯了您的权益,请联系站长如有侵权请联系站长,将立刻删除

觉得文章有用就打赏一下文章作者

支付宝扫一扫打赏

微信图片_20190322181744_03.jpg

微信扫一扫打赏

请作者喝杯咖啡吧~

支付宝扫一扫领取红包,优惠每天领

二维码1

zhifubaohongbao.png

二维码2

zhifubaohongbao2.png