线上nginx 配置https 且http访问时转为https

运维相关  2023年7月2日 14:15 693 浏览 评论

通过在linux生成的证书,来配置nginx支持 https,通过配置重定向当访问 http 时转向到 https;

修改部分的ssl_protocols、ssl_ciphers 内容用于支持如某些IE浏览器可能对普通配置的https不支持;

server {
         listen    80;
         server_name  www.domain.com domain.com;

         rewrite ^(.*) https://$host$1 permanent;
    }


    # HTTPS server
    #
    server {
        #listen      80;
        listen       443 ssl;
        #listen       [::]:443 ssl http2 default_server;
        server_name  www.domain.com domain.com;
        #ssl on;

        ssl_certificate      /usr/local/nginx/cert/server.crt;
        ssl_certificate_key  /usr/local/nginx/cert/server.key;

        ssl_protocols  SSLv2 SSLv3 TLSv1.2;

        ssl_session_cache    shared:SSL:1m;
        ssl_session_timeout  5m;

        #ssl_ciphers  HIGH:!aNULL:!MD5;
        ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256:AES128-SHA:AES256-SHA:RC4-SHA:DES-CBC3-SHA:RC4-MD5;
        ssl_prefer_server_ciphers  on;

        location / {

            proxy_pass http://proxy_server;

            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header Host $http_host;
            proxy_set_header X-Forwarded-Proto https;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_redirect off;
            proxy_connect_timeout      240;
            proxy_send_timeout         240;
            proxy_read_timeout         240;

        }

        error_page   500 502 503 504 404 /error.html;
        location = /error.html {
            root /usr/local/nginx/html;
        }

    }

支持 ie浏览器访问 https的配置:

listen       443 ssl;
        #listen       [::]:443 ssl http2 default_server;
        server_name  www.zgdwxd.com zgdwxd.com;
        #ssl on;

        ssl_certificate      /usr/local/nginx/cert/server.crt;
        ssl_certificate_key  /usr/local/nginx/cert/server.key;

        ssl_protocols  TLSv1.2 TLSv1.1 TLSv1 SSLv3;

        ssl_session_cache    shared:SSL:1m;
        ssl_session_timeout  5m;

        #ssl_ciphers  HIGH:!aNULL:!MD5;
        # ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256:AES128-SHA:AES256-SHA:RC4-SHA:DES-CBC3-SHA:RC4-MD5;
        #ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:AES256+EECDH:AES256+EDH;
        ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS;
        ssl_prefer_server_ciphers  on;

注意: ssl_protocols (修改该值后访问正常)

以及 ssl_ciphers

文章标签:
欢迎您的到来,感谢您的支持!

为您推荐

发表回复

您的邮箱地址不会被公开。 必填项已用 * 标注