需要使用 openssl !!!!!!!!!
首先,nginx在编译安装时得安装ssl模块
上传ssl证书到服务器/usr/local/nginx/ssl/xxx.pfx
生成证书crt可key
openssl pkcs12 -in /usr/local/nginx/ssl/xxx.pfx -clcerts -nokeys -out /usr/local/nginx/ssl/xxx.crt
openssl pkcs12 -in /usr/local/nginx/ssl/xxx.pfx -nocerts -nodes -out /usr/local/nginx/ssl/xxx.rsa验证证书正确性
openssl s_server -www -accept 443 -cert /usr/local/nginx/ssl/xxx.crt -key /usr/local/nginx/ssl/xxx.rsa配置nginx
server {
listen 443;
# listen 443 ssl; # 新写法
server_name localhost;
ssl on;
ssl_certificate /usr/local/nginx/ssl/xxx.crt;
ssl_certificate_key /usr/local/nginx/ssl/xxx.rsa;
ssl_session_timeout 5m;
ssl_protocols SSLv2 SSLv3 TLSv1;
# ssl_protocols TLSv1.2 TLSv1.1 推荐这种写法。上面的写法已过时!
ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
ssl_prefer_server_ciphers on;
location ~ /api/(.*) {
proxy_redirect http:// https://; # 不写这个,tomcat的重定向 会给你重定向到 http!!切记 用这个,不用 off
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Ssl on;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_pass http://serverAPI;
}
}