  • Nginx的https配置记录以及http强制跳转到https的方法梳理

    一、Nginx安装(略)
    安装的时候需要注意加上 --with-http_ssl_module,因为http_ssl_module不属于Nginx的基本模块。
    Nginx安装方法:

    # ./configure --user=www --group=www --prefix=/usr/local/nginx --with-http_stub_status_module --with-http_ssl_module
    # make && make install

    二、生成证书(略)
    可以使用openssl生成证书:
    比如生成如下两个证书文件(假设存放路径为/usr/local/nginx/cert/):
    wangshibo.crt
    wangshibo.key

    三、修改Nginx配置
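    server {
              # HTTPS vhost for www.wangshibo.com.
              # 'ssl' on the listen line is the supported form; the standalone 'ssl on;'
              # it replaces is deprecated since nginx 1.15.0 and removed in 1.25.1.
              listen 443 ssl;
              server_name www.wangshibo.com;
              root /var/www/vhosts/www.wangshibo.com/httpdocs/main/;

              ssl_certificate /usr/local/nginx/cert/wangshibo.crt;
              ssl_certificate_key /usr/local/nginx/cert/wangshibo.key;
              ssl_session_timeout 5m;
              # SSLv2/SSLv3 are broken and TLSv1.0 is deprecated; only negotiate TLS 1.2+.
              # (The TLSv1.3 token needs nginx >= 1.13.0 built against OpenSSL 1.1.1;
              # on older builds drop that token rather than re-enabling SSLv3.)
              ssl_protocols TLSv1.2 TLSv1.3;
              # nginx comments start with '#'. A trailing '//...' after the ';' is parsed
              # as a second directive and stops the config from loading. Keep the cipher
              # list free of the LOW/EXP/SSLv2 groups the old alternative suggested.
              ssl_ciphers HIGH:!aNULL:!MD5;
              ssl_prefer_server_ciphers on;

              access_log /var/www/vhosts/www.wangshibo.com/logs/clickstream_ssl.log main;
              error_log /var/www/vhosts/www.wangshibo.com/logs/clickstream_error_ssl.log;

             # Source-address allow list: every other client is routed to the maintenance
             # page. Dots are escaped and the pattern is anchored with '$' so that, e.g.,
             # 124.165.97.1440 no longer matches 124.165.97.144. $remote_addr is the TCP
             # peer address; behind a proxy/load balancer it is the proxy, not the client.
             if ($remote_addr !~ ^(124\.165\.97\.144|133\.110\.186\.128|133\.110\.186\.88)$) {
                    rewrite ^.*$ /maintence.php last;
             }

             # Escaped dot: the unescaped '.php$' also matched names such as 'xphp'.
             location ~ \.php$ {
                  # Only hand scripts that exist on disk to PHP-FPM; anything else gets a
                  # 404 here instead of being passed through (guards against the
                  # cgi.fix_pathinfo misrouting of URIs that merely end in .php).
                  try_files $uri =404;
                  fastcgi_pass 127.0.0.1:9000;
                  fastcgi_read_timeout 300;
                  fastcgi_index index.php;
                  # '/scripts' is the placeholder from the stock sample config and does
                  # not match 'root' above; resolve the script under the document root
                  # (fastcgi.conf defines SCRIPT_FILENAME the same way).
                  fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
                 #include fastcgi_params;
                 include fastcgi.conf;
             }
    }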

    例如将所有的dev.wangshibo.com域名的http访问强制跳转到https。

        下面配置均可以实现:
     
    配置1:
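    server {
        listen 80;
        server_name dev.wangshibo.com;
        index index.html index.php index.htm;

        access_log  /usr/local/nginx/logs/8080-access.log main;
        error_log  /usr/local/nginx/logs/8080-error.log;

        # Older rewrite-based form, still accepted by current nginx.
        # Comments must use '#': the original trailing '//...' is parsed as another
        # directive and makes the config fail to load.
        # $host comes from the request's Host header; if this server is also the
        # default server the redirect echoes whatever Host the client sent. Use
        # $server_name (as in config 2) to pin the target to this vhost.
        rewrite ^(.*)$  https://$host$1 permanent;

        # Never reached: the server-level rewrite above redirects every request.
        location ~ / {
        root /var/www/html/8080;
        index index.html index.php index.htm;
        }
        }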
     
    -------------------------------------------------------
    上面的跳转配置rewrite ^(.*)$  https://$host$1 permanent;
    也可以改为下面(目标必须是https,否则会在http之间循环跳转)
    rewrite ^/(.*)$ https://dev.wangshibo.com/$1 permanent;
    或者
    rewrite ^ https://dev.wangshibo.com$request_uri? permanent;
    -------------------------------------------------------
     
    配置2:
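    server {
        listen 80;
        server_name dev.wangshibo.com;
        index index.html index.php index.htm;

        access_log  /usr/local/nginx/logs/8080-access.log main;
        error_log  /usr/local/nginx/logs/8080-error.log;

        # Preferred form: one permanent redirect, no regex. $server_name pins the
        # target to this vhost's configured name instead of echoing the Host header.
        # Comments must use '#': the original trailing '//...' is parsed as a second
        # directive and stops nginx from loading the file.
        return      301 https://$server_name$request_uri;

        # Never reached: the server-level 'return' answers every request first.
        location ~ / {
        root /var/www/html/8080;
        index index.html index.php index.htm;
        }
        }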
     
     
    配置3:这种方式适用于多域名的时候,即访问wangshibo.com的http也会强制跳转到https://dev.wangshibo.com上面
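    server {
        listen 80;
        server_name dev.wangshibo.com wangshibo.com *.wangshibo.com;
        index index.html index.php index.htm;

        access_log  /usr/local/nginx/logs/8080-access.log main;
        error_log  /usr/local/nginx/logs/8080-error.log;

        # Apex domain: redirect to the https site root (dot escaped so the regex
        # matches the literal name only). The path is intentionally not kept.
        if ($host ~* "^wangshibo\.com$") {
        rewrite ^/(.*)$ https://dev.wangshibo.com/ permanent;
        }
        # Every other name this server answers for (dev.wangshibo.com and the
        # wildcard) was previously served over plain http because only the apex
        # case was handled; send them to https too, preserving path and query.
        return 301 https://dev.wangshibo.com$request_uri;

        # Never reached: every request is redirected above.
        location ~ / {
        root /var/www/html/8080;
        index index.html index.php index.htm;
        }
        }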
     
     
    配置4:下面是最简单的一种配置
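    server {
        listen 80;
        server_name dev.wangshibo.com;
        index index.html index.php index.htm;

        access_log  /usr/local/nginx/logs/8080-access.log main;
        error_log  /usr/local/nginx/logs/8080-error.log;

        # The original target was 'http://dev.wangshibo.com', i.e. this same port-80
        # server, which produces an endless redirect loop; the target must be https.
        # The $host check only matters if this server is also the default server;
        # otherwise server_name already guarantees the match.
        if ($host = "dev.wangshibo.com") {
           rewrite ^/(.*)$ https://dev.wangshibo.com permanent;
        }

        location ~ / {
        root /var/www/html/8080;
        index index.html index.php index.htm;
        }
        }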

    ---------------二、采用nginx的497状态码---------------------

    497 - normal request was sent to HTTPS 
    解释:当某个开启了ssl的监听端口收到的是普通http请求时,nginx会返回497状态码(因此只有ssl端口才会产生497,普通的80端口不会)
      
    思路:
    利用error_page命令将497状态码的链接重定向到https://dev.wangshibo.com这个域名上
     
    配置实例:
    如下访问dev.wangshibo.com或者wangshibo.com的http都会被强制跳转到https
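    server {
        listen 80;
        server_name dev.wangshibo.com wangshibo.com *.wangshibo.com;
        index index.html index.php index.htm;

        access_log  /usr/local/nginx/logs/8080-access.log main;
        error_log  /usr/local/nginx/logs/8080-error.log;

        # 497 is raised only when a plain-http request reaches an ssl-enabled listener.
        # With a plain 'listen 80' this line never fires and requests are served over
        # http; the combined 80/443 server below ('ssl on' covering both ports) is the
        # form in which the 497 trick actually works.
        # '=301' makes the redirect permanent (a URL target defaults to 302), and
        # $request_uri passes the original path and query through exactly as sent,
        # whereas $uri is the decoded form and '$uri?$args' may leave a dangling '?'.
        error_page 497 =301 https://$host$request_uri;

        location ~ / {
        root /var/www/html/8080;
        index index.html index.php index.htm;
        }
        }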
     
     
    也可以将80和443的配置放在一起:
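    server {
        listen       127.0.0.1:443;  # ssl port (bound to loopback here; use the public address for real traffic)
        listen       127.0.0.1:80;   # users type http://; the 497 redirect below sends them to 443
        server_name  dev.wangshibo.com;
        # 'ssl on' is what makes the port-80 listener treat plain http as an error (497).
        # It is deprecated since nginx 1.15.0 and removed in 1.25.1; on such builds use a
        # separate port-80 server with 'return 301 https://...' instead of the 497 trick.
        ssl                  on;
        # PEM certificate and private key; keep the key readable by the nginx user only.
        ssl_certificate      /etc/nginx/wangshibo.pem;
        ssl_certificate_key  /etc/nginx/wangshibo.key;
        # No ssl_protocols was set, so the build's default applied (older releases still
        # include TLSv1.0); restrict to TLS 1.2+. TLSv1.3 needs nginx >= 1.13.0 with
        # OpenSSL 1.1.1 - drop that token on older builds.
        ssl_protocols        TLSv1.2 TLSv1.3;

        # Plain http on an ssl listener -> 497 -> permanent redirect to the same URL on
        # https. $request_uri keeps the raw path and query; '=301' replaces the 302 default.
        error_page 497 =301 https://$host$request_uri;

        location ~ / {
        root /var/www/html/8080;
        index index.html index.php index.htm;
        }
        }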

    ---------------三、利用meta的刷新作用将http跳转到https---------------------

    上述的方法均会耗费服务器的资源,可以借鉴百度使用的方法:巧妙的利用meta的刷新作用,将http跳转到https
    可以基于http://dev.wangshibo.com的虚拟主机路径下写一个index.html,内容就是http向https的跳转
     
    将下面的内容追加到index.html首页文件内
    [root@localhost ~]# cat /var/www/html/8080/index.html
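    <html>
    <head>
    <!-- Client-side redirect to the https site. The original tag was missing its
         closing '>'. Note it always lands on '/': the path the user requested is
         not preserved, and the page itself is still delivered over plain http. -->
    <meta http-equiv="refresh" content="0;url=https://dev.wangshibo.com/">
    </head>
    </html>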
     
    [root@localhost ~]# cat /usr/local/nginx/conf/vhosts/test.conf
    server {
        listen 80;
        server_name dev.wangshibo.com wangshibo.com *.wangshibo.com;
        index index.html index.php index.htm;
       
        access_log  /usr/local/nginx/logs/8080-access.log main;
        error_log  /usr/local/nginx/logs/8080-error.log;
         
        # Any path that does not exist under 'root' is redirected to the https site
        # root (302 by default for a URL target). Existing files, including the
        # index.html carrying the meta refresh, are still served over plain http first.
        error_page  404 https://dev.wangshibo.com/;  
      
        location ~ / {
        root /var/www/html/8080;         
        index index.html index.php index.htm;
        }
        }

    -----------------------------------------------------------------------------------------------------------------------------
    下面是nginx反代tomcat,并且http强制跳转至https。
    访问http://zrx.wangshibo.com和访问http://172.29.34.33:8080/zrx/结果是一样的

    [root@BJLX_34_33_V vhosts]# cat zrx.conf
    server {
        # Plain-http vhost: every request gets a permanent redirect to the https vhost.
        listen 80;
        server_name zrx.wangshibo.com;
        index index.html index.php index.htm;
        
        access_log  logs/access.log;
        error_log   logs/error.log;
      
        # $server_name keeps the redirect target fixed instead of echoing the Host header;
        # $request_uri carries the original path and query.
        return      301 https://$server_name$request_uri;     
         
        # Not reached: the server-level 'return' above handles every request.
        location ~ / {
        root /data/nginx/html;
        index index.html index.php index.htm;
        }
        }
     
     
    [root@BJLX_34_33_V vhosts]# cat ssl-zrx.conf
    upstream tomcat8 {
        # Single Tomcat backend; taken out of rotation for 30s after 3 failed attempts.
        server 172.29.34.33:8080 max_fails=3 fail_timeout=30s;
    }
     
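    server {
       # TLS is terminated here; the hop to Tomcat is plain http.
       # 'ssl' on the listen line replaces the standalone 'ssl on;', which is
       # deprecated since nginx 1.15.0 and removed in 1.25.1.
       listen 443 ssl;
       server_name zrx.wangshibo.com;

       ### SSL log files ###
       access_log logs/ssl-access.log;
       error_log logs/ssl-error.log;

    ### SSL cert files ###
       ssl_certificate ssl/wangshibo.cer;
       ssl_certificate_key ssl/wangshibo.key;
       ssl_session_timeout 5m;
       # Not set originally, so the build's default applied (older releases still
       # include TLSv1.0). TLSv1.3 needs nginx >= 1.13.0 with OpenSSL 1.1.1; drop
       # that token on older builds.
       ssl_protocols TLSv1.2 TLSv1.3;

       location / {
       # Backend hop is plain http on the LAN. X-Forwarded-Proto tells Tomcat the
       # client side was https so it builds absolute URLs with the right scheme.
       proxy_pass http://tomcat8/zrx/;
       proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
       proxy_set_header Host $host;
       proxy_set_header X-Real-IP $remote_addr;
       proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
       proxy_set_header X-Forwarded-Proto https;
       # 'off' leaves upstream Location headers untouched; if Tomcat still answers
       # with http:// redirects, see the proxy_redirect note in section 4 below.
       proxy_redirect off;
    }
    }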

    ---------------四、通过proxy_redirect方式---------------------

    解决办法:
    # re-write redirects to http as to https, example: /home
    # Rewrites the scheme prefix of the 'Location'/'Refresh' headers the upstream
    # returns, so a backend redirect to http://... reaches the client as https://...
    proxy_redirect http:// https://;
     
  • 原文地址:https://www.cnblogs.com/interdrp/p/9246728.html