For security reasons, the company needs to upgrade a website from plain HTTP to HTTPS. Alibaba Cloud offers a free SSL certificate, so the upgrade here is done with an Alibaba Cloud SSL certificate.
1. Apply for the free certificate and configure the domain
1) Purchase the SSL certificate for 0 yuan
2) Fill in the information and bind the SSL certificate to the domain
Fill in the domain and personal information to complete the certificate application; you will receive a key value. Log in to the platform where the domain was purchased, add a TXT record to the DNS configuration with that key value as its content, and once the record has propagated the validation succeeds. At this point the SSL certificate is bound to the domain.
3) Obtain the certificate's .pem and .key files and configure nginx on the project server
After validation succeeds as described above, choose the certificate files matching the container that runs the project on the domain's server. Here the project runs under nginx, so download the nginx certificate files.
Create a cert directory at the same level as the server's nginx.conf and place the nginx certificate files in it.
In nginx.conf, configure a server listening on HTTPS port 443 as shown in the configuration below, then restart nginx to complete the upgrade of the site from HTTP to HTTPS.
# The nginx certificate files are placed in the cert/ directory next to nginx.conf
# nginx.conf configuration
[root@localhost nginx]# cat nginx.conf
user nginx;
worker_processes 1;
error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;
events {
    worker_connections 1024;
}
http {
    include /etc/nginx/mime.types;
    default_type application/octet-stream;
    server_tokens off;   # hide the nginx version in response headers and error pages
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';
    proxy_intercept_errors on;
    fastcgi_intercept_errors on;
    access_log /var/log/nginx/access.log main;
    sendfile on;
    #tcp_nopush on;
    keepalive_timeout 65;
    #gzip on;
    #include /etc/nginx/conf.d/*.conf;
    server {
        listen 443 ssl default_server;   # listening port
        server_name www.yuming.com;      # domain binding; replace with the actual domain
        autoindex off;
        keepalive_requests 120;          # maximum number of requests per keep-alive connection
        client_max_body_size 100M;
        client_body_buffer_size 128k;
        #access_log /var/log/nginx/web/access.log;
        #error_log /var/log/nginx/web/error.log;
        ssl_certificate cert/***.pem;       # replace *** with the actual certificate file name
        ssl_certificate_key cert/***.key;   # replace *** with the actual key file name
        ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
        # TLSv1 and TLSv1.1 are deprecated; on an nginx/OpenSSL build that supports it,
        # prefer "ssl_protocols TLSv1.2 TLSv1.3;"
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_prefer_server_ciphers on;
        location / {
            add_header Content-Security-Policy upgrade-insecure-requests;
            root html;
            index index.html index.htm;
            proxy_pass http://localhost:8080;
            #proxy_redirect off;
            proxy_http_version 1.1;
            proxy_set_header Connection "";
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;   # added: lets the backend know the request arrived over HTTPS
            error_page 502 /502.html;
            # client_max_body_size 5m;
            # client_body_buffer_size 128k;
            # proxy_connect_timeout 10;
            # proxy_send_timeout 90;
            # proxy_read_timeout 90;
            # proxy_buffer_size 4k;
            # proxy_buffers 4 32k;
            # proxy_busy_buffers_size 64k;
            # proxy_temp_file_write_size 64k;
            # expires 7d;
        }
        # static resources
        location /static {
            alias /usr/share/nginx/static;
        }
        # custom error page
        location /502.html {
            alias /usr/share/nginx/index/system.html;
        }
    }
    server {
        listen 80;
        server_name www.whwomen.org.cn;
        rewrite ^(.*)$ https://${server_name}$1 permanent;
        # Configuring up to this point is actually enough: requests to port 80 are redirected to port 443.
        # Because the rewrite above returns a permanent redirect, the location block below is never reached.
        #charset koi8-r;
        #access_log logs/host.access.log main;
        location / {
            add_header Content-Security-Policy upgrade-insecure-requests;
            proxy_pass http://localhost:8080;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header X-Forwarded-Port $server_port;
        }
        # The following form also redirects HTTP on port 80 to HTTPS on port 443. This server block
        # must not also carry "listen 443 ssl;", otherwise HTTPS requests would be redirected to themselves.
        #listen 80;
        #server_name whwomen.org.cn;
        #return 301 https://whwomen.org.cn$request_uri;
    }
}
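A small audit of the settings this upgrade touches (protocol versions, the Strict-Transport-Security header, and the port-80 redirect), added here as an example and not part of the original post or of any Alibaba Cloud tooling. It parses a constructed nginx configuration modelled on the two server blocks above and flags the deprecated TLSv1/TLSv1.1 protocols and the missing HSTS header; the parser, the WEAK_PROTOCOLS set and the sample config are all assumptions of this example.

```python
import re
# Constructed sample modelled on the page's two server blocks (not the real nginx.conf).
SAMPLE_CONF = """
server {
    listen 443 ssl default_server; server_name www.yuming.com;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    location / { proxy_pass http://localhost:8080; }
}
server {
    listen 80; server_name www.yuming.com;
    rewrite ^(.*)$ https://${server_name}$1 permanent;
}
"""
WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

def parse_servers(conf):
    # One list of (directive, args) per server block; comments are stripped, nested blocks
    # (location, if) are flattened into their server, and ${var} stays one token so its
    # braces are not mistaken for block delimiters.
    text = re.sub(r"#[^\n]*", "", conf)
    tokens = re.findall(r"[{};]|\"[^\"]*\"|'[^']*'|(?:\$\{[^}]*\}|[^\s{};])+", text)
    servers, cur, stack = [], [], []
    for tok in tokens:
        if tok == "{":                       # block opens; its header is in cur
            if cur and cur[0] == "server":
                servers.append([])
            stack.append(cur[0] if cur else "")
            cur = []
        elif tok == "}":
            stack.pop()
        elif tok == ";":                     # directive ends
            if cur and "server" in stack:
                servers[-1].append((cur[0], cur[1:]))
            cur = []
        else:
            cur.append(tok)
    return servers

def audit(conf):
    # Yield one finding per weak setting among those the HTTPS upgrade touches.
    for srv in parse_servers(conf):
        get = lambda name: [a for k, a in srv if k == name]   # all arg lists of a directive
        host = (get("server_name") or [["?"]])[0][0]
        if any("ssl" in a or a[0].endswith("443") for a in get("listen")):
            weak = sorted({p for a in get("ssl_protocols") for p in a} & WEAK_PROTOCOLS)
            if weak:
                yield f"{host}: deprecated ssl_protocols enabled: {' '.join(weak)}"
            if not any("Strict-Transport-Security" in " ".join(a) for a in get("add_header")):
                yield f"{host}: HTTPS server sends no Strict-Transport-Security header"
        elif not (get("return") or get("rewrite")):
            yield f"{host}: plain-HTTP server does not redirect to HTTPS"
```

Run it with `for line in audit(open("nginx.conf").read()): print(line)` against the real file; a server block with `ssl_protocols TLSv1.2 TLSv1.3;` and an `add_header Strict-Transport-Security ... always;` produces no findings.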