一、java后台接口配置SSL
拷贝证书文件到 /etc/nginx 文件夹下,nginx配置文件如下
server {
listen 4433;
server_name localhost;
ssl on;
#ssl_certificate xxxxxxx.crt;
#ssl_certificate_key xxxxxxx.rsa;
ssl_certificate xxxxxxxxxxxx.com.pem;
ssl_certificate_key xxxxxxxxxxxx.com.key;
ssl_session_timeout 5m;
#ssl_protocols SSLv2 SSLv3 TLSv1;
#ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;
ssl_prefer_server_ciphers on;
location ~ /api/(.*) {
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Ssl on;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_pass http://localhost:8080;
}
}
二、前台打包好的静态文件配置SSL
拷贝证书文件到 /etc/nginx 文件夹下,nginx配置文件如下
upstream xanadu{
server localhost:8080;
}
server {
set $PROXYPASS http://xx.xx.xx.xx:8000;
set $FRONTPATH /home/userpt/web-ui;
listen 443 ssl;
listen localhost;
#证书文件名称
ssl_certificate xxxxxxxxxxxx.crt;
#私钥文件名称
ssl_certificate_key xxxxxxxxxxxx.key;
ssl_session_timeout 5m;
#请按照这个协议配置
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
#请按照这个套件配置,配置加密套件,写法遵循 openssl 标准。
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;
ssl_prefer_server_ciphers on;
location / {
root $FRONTPATH;
index index.html;
location = / {
root $FRONTPATH;
}
location ~* .(css|js|jpg|jpeg|gif|png|ico|swf|htm|html|json|xml|svg|woff|ttf|eot|map|woff2)$ {
if (-f $request_filename) {
root $FRONTPATH;
expires 30d;
break;
}
if ( !-e $request_filename) {
proxy_pass $PROXYPASS;
}
}
proxy_pass $PROXYPASS;
}
error_page 404 /404.html;
location = /40x.html {
}
error_page 500 502 503 504 /50x.html;
location = /50x.html {
}
}