前言

设置这个是比较好用的。代理的话,最好是以跑 https 做测试。如果想弄个免费的证书的话,点击我

一、证书上传

上传直接可以通过 finalShell 工具,证书放在:/etc/ssl/certs/证书名.pem;

二、配置http重定向https

进入到
cd /usr/local/nginx/conf/
编辑
vi nginx.conf
找到 server 是 80的。加上重定向到https上面
# 省略代码块
 server {
        listen       80;
        server_name  localhost;

        #charset koi8-r;

        #access_log  logs/host.access.log  main;
        rewrite ^(.*)$  https://$host$1 permanent; #用于将http页面重定向到https页面
        location / {
            root   html;
            index  index.html index.htm;
        }
    # 省略代码块
加上了后,在找到注释的:# HTTPS server 。将下面的一段话http的注释打开,然后更改ssl地址
    # 省略代码块 。找到 HTTPS server注释,下面全部打开
    # HTTPS server
    server {
       listen       443 ssl;
       server_name  localhost;

       ssl_certificate      /etc/ssl/certs/4489861_www.lolku.cn.pem;
       ssl_certificate_key  /etc/ssl/certs/4489861_www.lolku.cn.key;

       ssl_session_cache    shared:SSL:1m;
       ssl_session_timeout  5m;

       ssl_ciphers  HIGH:!aNULL:!MD5;
       ssl_prefer_server_ciphers  on;

       location / {
           root   html;
           index  index.html index.htm;
       }
    }

三、重新启动配置

重启后,就可以在页面上跑了。
/usr/local/nginx/sbin/nginx -s reload

四、二级域名https代理

前面只是讲解当前一级域名https的请求。根据http二级域名经验,进行制作二级https二级域名。都是一样的,只要后面新增一个新的,然后再代理上新的就好了(注意:一定是在第一个server的后面新增server)。比如:
worker_processes  1;
events {
    worker_connections  1024;
}
http {
    include       mime.types;
    default_type  application/octet-stream;
    sendfile        on;
    keepalive_timeout  65;
    server {
        listen       80;
        server_name  localhost;
        rewrite ^(.*)$  https://$host$1 permanent; #用于将http页面重定向到https页面
        location / {
            root   html;
            index  index.html index.htm;
        }
        error_page   500 502 503 504  /50x.html;
        location = /50x.html {
            root   html;
        }
    }
    # 只能在后面新增,不能放在前面
    server {
        listen 80;  # 端口
        server_name api.xxxx.cn; # 域名
        rewrite ^(.*)$  https://$host$1 permanent; #用于将http页面重定向到https页面
        location / {
            proxy_pass http://localhost:3000; # 代理的地方
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection 'upgrade';
            proxy_set_header Host $host;
            proxy_cache_bypass $http_upgrade;
        }
    }
    # # HTTPS server
    # #
    server {
       listen       443 ssl;
       server_name  localhost;
       ssl_certificate      /etc/ssl/certs/xxxxx.pem;
       ssl_certificate_key  /etc/ssl/certs/xxxxx.key;
       ssl_session_cache    shared:SSL:1m;
       ssl_session_timeout  5m;
       ssl_ciphers  HIGH:!aNULL:!MD5;
       ssl_prefer_server_ciphers  on;
       location / {
           root   html;
           index  index.html index.htm;
       }
    }
    # 只能在后面新增,不能放在前面
    server {
       listen       443 ssl;
       server_name  api.xxx.cn;
       ssl_certificate      /etc/ssl/certs/xxxxxx.pem;
       ssl_certificate_key  /etc/ssl/certs/xxxxxx.key;
       ssl_session_cache    shared:SSL:1m;
       ssl_session_timeout  5m;
       ssl_ciphers  HIGH:!aNULL:!MD5;
       ssl_prefer_server_ciphers  on;
       location / {
            proxy_pass http://localhost:3000; # 代理的地方
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection 'upgrade';
            proxy_set_header Host $host;
            proxy_cache_bypass $http_upgrade;
       }
    }
}

五、访问

访问 http://xxx.cn 是可以的,然后api.xxx.cn 会报危险警告,原因在于代理的 proxy_pass http://localhost:3000; 这个地址是 http 不是https,所以有问题。解决方案:http://locakhost:3000 换成 https://locakhost:3000 或者改成 https://xxx.cn:3000

六、重启下配置

注意:每次更改下配置都得重新启动下
/usr/local/nginx/sbin/nginx -s reload

【原地址】: https://lolku.cn/web/details/posts/39


老程
1 声望0 粉丝