Nginx 开启 ssl 以支持 HTTPS

[!IMPORTANT]

在下文中，将采用如下定义。

HTTP端口： 80

HTTPS端口： 443

服务地址： www.0ll1.com，也可以是 IP

1 生成本地证书

1. 生成一个 RSA 私钥：server.key

   openssl genrsa -out server.key 2048
   

2. 生成一个自签名的 X.509 证书：server.crt

   openssl req -new -x509 -days 8760 -key server.key -out server.crt -subj "/C=CN/O=Institute of Information Engineering, CAS/CN=www.0ll1.com"
   

2 开启 ssl 以支持 HTTPS

server {listen 443 ssl;server_name www.0ll1.com;ssl_certificate /usr/local/nginx/cert/server.crt;ssl_certificate_key /usr/local/nginx/cert/server.key;ssl_session_timeout 5m;ssl_protocols TLSv1 TLSv1.1 TLSv1.2;ssl_ciphers EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH;ssl_prefer_server_ciphers on;
}

3 将 https 的请求转发给 http

server {location / {proxy_set_header Host $host;proxy_redirect off;proxy_set_header X-Real-IP $remote_addr;proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;proxy_connect_timeout 60;proxy_read_timeout 600;proxy_send_timeout 600;proxy_pass http://www.0ll1.com:80;}
}

[!NOTE]

只需要将 proxy_pass 修改为 http 服务的 url 即可。

最终的 nginx.conf 如下

server {listen 443 ssl;server_name www.0ll1.com;ssl_certificate /usr/local/nginx/cert/server.crt;ssl_certificate_key /usr/local/nginx/cert/server.key;ssl_session_timeout 5m;ssl_protocols TLSv1 TLSv1.1 TLSv1.2;ssl_ciphers EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH;ssl_prefer_server_ciphers on;location / {proxy_set_header Host $host;proxy_redirect off;proxy_set_header X-Real-IP $remote_addr;proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;proxy_connect_timeout 60;proxy_read_timeout 600;proxy_send_timeout 600;proxy_pass http://www.0ll1.com:80;}
}