昨天老大让我去配置ssl,证书申请下来了,开始配置,首先https用的是443端口,需要在防火墙中开启443端口,然后在nginx.conf中配置,例如下:如果需要双向认证,需要客户端ca证书,否则就不配置ca的部分,例如:
server {
listen 443 ssl;
server_name localhost;
ssl on;
ssl_certificate /usr/local/nginx/sslKey/域名.cer;
ssl_certificate_key /usr/local/nginx/sslKey/域名.key;
ssl_session_timeout 5m;
ssl_protocols SSLv2 SSLv3 TLSv1;
ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
ssl_prefer_server_ciphers on;
location / {
#root /mnt/omega/image ;
#index index.html index.htm;
proxy_pass http://localhost:8070;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_connect_timeout 3000s;
proxy_send_timeout 3000s;
proxy_read_timeout 3000s;
client_max_body_size 1000m;
}
}
如果开启客户端双向认证:
server {
listen 443 ssl;
server_name 域名;
ssl on;
ssl_certificate /usr/local/nginx/sslKey/域名.cer;
ssl_certificate_key /usr/local/nginx/sslKey/域名.key;
ssl_client_certificate /usr/local/nginx/sslKey/ca.crt; #ca证书
ssl_session_timeout 5m;
ssl_verify_client on; #开户客户端证书验证
ssl_session_timeout 5m;
ssl_protocols SSLv2 SSLv3 TLSv1;
ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
ssl_prefer_server_ciphers on;
location / {
#root /mnt/omega/image ;
#index index.html index.htm;
proxy_pass http://localhost:8070;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_connect_timeout 3000s;
proxy_send_timeout 3000s;
proxy_read_timeout 3000s;
client_max_body_size 1000m;
}
}
这样就好了,然后./nginx/sbin/nginx -s stop 停止, ‘./nginx/sbin/nginx ’启动,然后就好了。