【Nginx】https及域名公用

实际项目中有以下需求：

1.此项目有两个网站，一个是官网：www.site2.com,一个是后台管理网站：www.site1.com

2.此项目前后端分离，数据都是通过一个接口服务读取。

3.此项目只有一个单域名ssl证书，但是要保证官网、后台、数据接口都可以通过https访问。

思路：

1.将ssl证书指向到官网，www.site2.com。

　　listen 443 ssl;
    server_name  www.site2.com; // 对www.site2.com进行ssl认证

    ssl_certificate ../ssl/server.crt;
    ssl_certificate_key ../ssl/server.key;

    ssl_session_timeout 5m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;
    ssl_prefer_server_ciphers on;

　　 // 访问www.site2.com，指向官网website目录
    location / {
        root ../website;
        index index.html;
        
        proxy_redirect off ;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

　　

2.将数据接口和后台作为官网的下级平台。通过www.site2.com/sub和www.site2.com/api，访问后台和数据接口。

    // 访问www.site2.com/api，指向内部接口服务
    location /api/ {
        proxy_pass http://localhost:5001/;
        
        proxy_redirect off ;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
    
    // 访问www.site2.com/sub，指向后台 web/sub目录
    location /sub {
        # proxy_pass http://www.site1.com/;
        
        root ../web;
        index index.html;
        
        proxy_redirect off ;
        proxy_set_header host $host;
        proxy_set_header x-real-ip $remote_addr;
        proxy_set_header x-forwarded-for $proxy_add_x_forwarded_for;
    }

3.当用户访问www.site1.com的http地址时，直接重定向到https://www.site2.com/sub

// 访问www.site1.com，重定向到https://www.site2.com/sub
server {
    listen       80;
    server_name  www.site1.com;
    rewrite ^(.*)$  https://www.site2.com/sub;
}

4.当用户访问www.site2.com的http地址时，直接重定向到https://www.site2.com

// 访问www.site2.com，重定向到https://www.site2.com
server {
    listen       80;
    server_name  www.site2.com;
    rewrite ^(.*)$  https://$host$1 permanent; 
}

　　

完整配置如下：

// 访问www.site1.com，重定向到https://www.site2.com/sub
server {
    listen       80;
    server_name  www.site1.com;
    rewrite ^(.*)$  https://www.site2.com/sub;
}

// 访问www.site2.com，重定向到https://www.site2.com
server {
    listen       80;
    server_name  www.site2.com;
    rewrite ^(.*)$  https://$host$1 permanent; 
}

server {
    listen 443 ssl;
    server_name  www.site2.com; // 对www.site2.com进行ssl认证

    ssl_certificate ../ssl/server.crt;
    ssl_certificate_key ../ssl/server.key;

    ssl_session_timeout 5m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;
    ssl_prefer_server_ciphers on;

    // 访问www.site2.com/api，指向内部接口服务
    location /api/ {
        proxy_pass http://localhost:5001/;
        
        proxy_redirect off ;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
    
    // 访问www.site2.com/sub，指向后台 web/sub目录
    location /sub {
        # proxy_pass http://www.site1.com/;
        
        root ../web;
        index index.html;
        
        proxy_redirect off ;
        proxy_set_header host $host;
        proxy_set_header x-real-ip $remote_addr;
        proxy_set_header x-forwarded-for $proxy_add_x_forwarded_for;
    }
    
    // 访问www.site2.com，指向官网website目录
    location / {
        root ../website;
        index index.html;
        
        proxy_redirect off ;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}