Nginx配置https证书，前后端分离

一、前后端分离后需要使用ssl证书

        1、配置文件

#user  nobody;
worker_processes  1;

#error_log  logs/error.log;
#error_log  logs/error.log  notice;
#error_log  logs/error.log  info;

#pid        logs/nginx.pid;


events {
    worker_connections  1024;
}


http {
    include       mime.types;
    default_type  application/octet-stream;

    #log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
    #                  '$status $body_bytes_sent "$http_referer" '
    #                  '"$http_user_agent" "$http_x_forwarded_for"';

    #access_log  logs/access.log  main;

    sendfile        on;
    #tcp_nopush     on;

    #keepalive_timeout  0;
    keepalive_timeout  65;

    #gzip  on;



    server {
        listen       80;
        server_name  localhost;
	    rewrite ^(.*) https://$host:8081$1 permanent;#后端强制跳转https

        #charset koi8-r;

        #access_log  logs/host.access.log  main;

        location / {
            root   html;
            index  index.html index.htm;
        }

        #error_page  404              /404.html;

        # redirect server error pages to the static page /50x.html
        #
        error_page   500 502 503 504  /50x.html;
        location = /50x.html {
            root   html;
        }
    }



    # HTTPS server
    # 流程：对外暴露8081端口并且是ssl
    # 当访问 / 根目录时 跳转到内部访问http的前端
    # 当访问 /controller(前端请求时自己加的，在跳转时通过rewrite去除) 跳转到内部访问的后端
    # 当访问 /api 目录时代表是对外的接口
    server {
        listen 8081 ssl;
        server_name  localhost;

        ssl_certificate      /usr/local/nginx/server.crt; # 证书文件
        ssl_certificate_key  /usr/local/nginx/server.key; # 私钥

        #ssl_session_cache    shared:SSL:1m;
        ssl_session_timeout  5m;
	    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

        #ssl_ciphers  HIGH:!aNULL:!MD5;
	    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;
        ssl_prefer_server_ciphers  on;

        location / {
            #root   html;
            #index  index.html index.htm;
	        proxy_pass http://127.0.0.1:8080;
        }
	    location ~/management/ {
	        proxy_pass http://127.0.0.1:8080;
	    }
	    location ~/controller/ {
	        rewrite ^/controller/(.*)$ /$1 break;
	        proxy_pass http://127.0.0.1:8002;
	    }
	    location ~/api/ {
	        proxy_pass http://127.0.0.1:8002;
	    }
    }

}

2、流程就是对外暴露nginx的SSL端口，nginx代理前端和后端的访问

3、生成https所需要的证书

先用jdk的 keytool 生成 keytool 证书 和客户端证书p12

使用openssl生成crt、key和der

# 证书文件
openssl pkcs12 -in client.p12 -nokeys -out server.crt
# 生产私钥
openssl pkcs12 -in client.p12 -nocerts -nodes -out server.key
openssl x509 -in server.crt -out server.cer -outform der


https://www.cnblogs.com/ghjbk/p/6743457.html

4、报错

nginx: [emerg] the "ssl" parameter requires ngx_http_ssl_module in *****

当nginx没开启ssl模块时就会报这个错

1、进入安装目录
    cd /usr/local/nginx-1.20.1/

2、查看先走的nginx。V大写
    /usr/local/nginx/sbin/nginx -V
    没安装的时候是这样
        nginx version: nginx/1.20.1
        built by gcc 4.8.5 20150623 (Red Hat 4.8.5-44) (GCC) 
        configure arguments:
    安装后是这样
        nginx version: nginx/1.20.1
        built by gcc 4.8.5 20150623 (Red Hat 4.8.5-44) (GCC) 
        built with OpenSSL 1.0.2k-fips  26 Jan 2017
        TLS SNI support enabled
        configure arguments: --prefix=/usr/local/nginx --with-http_stub_status_module --with-http_ssl_module

3、在安装目录下执行
    ./configure --prefix=/usr/local/nginx --with-http_stub_status_module --with-http_ssl_module

4、执行make 但不要install，不然就直接覆盖安装了

5、备份原先的nginx目录

6、把新编译的nginx换过去

7、再次执行/usr/local/nginx/sbin/nginx -V看一下





扩展
SSL性能调优
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4:HIGH:!MD5:!aNULL:!eNULL:!NULL:!DH:!EDH:!AESGCM;
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;