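# The master process still starts as root (it binds :80/:443 and opens the
# key files), but worker processes should not: running workers as root means
# any bug reachable through a request runs with full privileges. "nobody" is
# the nginx default; make sure html/ and logs/ are accessible to that account.
user nobody;
worker_processes 2;
# Log level. "debug" is extremely verbose and records request and TLS
# handshake detail on disk; use "warn" or "error" outside troubleshooting.
error_log logs/error.log debug;
#pid logs/nginx.pid;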
# Connection-processing settings. Each worker may hold up to 1024
# simultaneous connections (clients plus upstreams); the epoll method is the
# efficient choice on Linux.
events {
    worker_connections 1024;
    use epoll;
}
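http {
    include mime.types;
    default_type application/octet-stream;
    # Access-log layout: client address, connection id / request number on
    # that connection, timings, request and body sizes, X-Forwarded-For and
    # the upstream that served the request. $http_x_forwarded_for is copied
    # from the client request as-is, so treat it as untrusted when reading logs.
    log_format main '$remote_addr $connection/$connection_requests $remote_user [$time_local] $request_length "$request" $status '
    '"$request_time/$upstream_response_time" "$body_bytes_sent/$content_length" "$http_x_forwarded_for" $upstream_addr '
    '"$http_referer" "$http_user_agent"';
    access_log logs/access.log main;
    sendfile on;
    # 600 s keeps idle keep-alive connections open for ten minutes. Each one
    # occupies a worker_connections slot, so a flood of idle clients exhausts
    # the pool long before CPU does; a shorter value (e.g. 60-75 s) is safer.
    keepalive_timeout 600;

    # Plain HTTP server (static files only).
    server {
        listen 80;
        server_name localhost;
        location / {
            root html;
            index index.html index.htm;
        }
        # redirect server error pages to the static page /50x.html
        #
        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
            root html;
        }
    }

    # HTTPS server with mutual TLS: clients must present a certificate that
    # chains to root-ca.crt or the TLS handshake / request is rejected.
    server {
        # The "ssl" listen parameter replaces the deprecated "ssl on;" directive.
        listen 443 ssl;
        # server_name localhost;
        server_name www.zzzyyy.com;
        # access_log /usr/local/nginx/logs/443_access.log main;
        access_log logs/443_access.log main ;
        aio threads;
        # Server certificate: ECC key pair in use, RSA pair kept as an alternative.
        # ssl_certificate /usr/local/nginx/certpath/rsa-crt/rsa-yyy.crt;
        # ssl_certificate_key /usr/local/nginx/certpath/rsa-crt/rsa-yyy.key;
        ssl_certificate /usr/local/nginx/certpath/ecc-crt/ecc-yyy.crt;
        ssl_certificate_key /usr/local/nginx/certpath/ecc-crt/ecc-yyy.key;
        # Trust anchor for client certificates (see ssl_verify_client below).
        ssl_client_certificate /usr/local/nginx/certpath/ecc-crt/root-ca.crt;
        # Only consulted for DHE suites; none are enabled by the cipher list
        # below, so this is harmless but currently unused.
        ssl_dhparam /usr/local/nginx/certpath/ecc-crt/dhparam.pem;
        ssl_verify_client on;
        # Session resumption cache shared across workers. If forward secrecy
        # across restarts matters, also consider "ssl_session_tickets off;",
        # since ticket keys are otherwise only rotated when nginx restarts.
        ssl_session_cache shared:SSL:250m;
        ssl_session_timeout 30m;
        # TLS 1.0 and 1.1 are deprecated (RFC 8996) and have been dropped.
        # Add TLSv1.3 here once the nginx/OpenSSL build supports it.
        ssl_protocols TLSv1.2;
        # Forward-secret AEAD suites only. The previous list also admitted
        # static-RSA key exchange (RSA+AES128, no forward secrecy) and CBC
        # modes. The ECDSA entries match the ECC certificate above; the aRSA
        # entries keep the list valid if the RSA certificate is swapped back in.
        ssl_ciphers EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+CHACHA20:!aNULL:!MD5:!RC4;
        # previous: ssl_ciphers EECDH+ECDSA+AES128:EECDH+aRSA+AES128:RSA+AES128:!aNULL:!MD5:!RC4;
        # ssl_ciphers EECDH+ECDSA+AESGCM:!aNULL:!MD5:!RC4;
        # ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';
        # ssl_ciphers EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+ECDSA+AES128:EECDH+aRSA+AES128:RSA+AES128:EECDH+ECDSA+AES256:EECDH+aRSA+AES256:RSA+AES256:EECDH+ECDSA+3DES:EECDH+aRSA+3DES:RSA+3DES:!MD5;
        ssl_prefer_server_ciphers on;
        location / {
            root html;
            index index.html index.htm;
        }
        # Same static error page as the plain-HTTP server, so 5xx responses
        # on the TLS listener do not fall back to nginx's default page.
        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
            root html;
        }
    }
}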
客户端需要把客户端证书打包后导入浏览器，否则无法访问。
# Convert the PEM-format certificate and key into a PKCS#12 (.p12) bundle that
# a browser can import. -export writes the bundle; -clcerts includes only the
# client certificate, not CA certificates. openssl prompts for an export
# password unless one is supplied; the resulting .p12 contains the private key,
# so keep it (and id_ios_sdk.key) out of world-readable locations.
openssl pkcs12 -export -clcerts -in ./id_ios_sdk.crt -inkey ./id_ios_sdk.key -out id_ios_sdk.p12