nginx反向代理配置https

小程序上线需要https

证书上传到nginx服务器

证书下发，将证书上传到服务器nginx conf路径下，创建sslkey文件夹存放所绑域名的证书和私钥

/usr/local/nginx/conf/sslkey

修改nginx配置文件

vim /usr/local/nginx/cong/nginx.conf

#user  nobody;
worker_processes  4;

#error_log  logs/error.log;
#error_log  logs/error.log  notice;
#error_log  logs/error.log  info;

#pid        logs/nginx.pid;

events {
    worker_connections  1000000;
}

http {
    include       mime.types;
    default_type  application/octet-stream;
    client_header_buffer_size 100m;
    client_max_body_size 100m;
    proxy_connect_timeout 10m;
    proxy_read_timeout 10m;
    proxy_send_timeout 10m;
    underscores_in_headers on;
    #open_file_cache_valid 30s;
    #expires 60m;

    #log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
    #                  '$status $body_bytes_sent "$http_referer" '
    #                  '"$http_user_agent" "$http_x_forwarded_for"';

    #access_log  logs/access.log  main;

    sendfile        on;
    #tcp_nopush     on;

    keepalive_timeout  65;

    #gzip  on;
	
	upstream XXXX.com {   
		server 10.0.18.162:8066 weight=1;
		server 10.0.18.163:8066 weight=1;
		server 10.0.18.164:8066 weight=1;
		server 10.0.18.196:8066 weight=2;
		server 10.0.18.197:8066 weight=2;
		#server 10.0.18.162:8066 weight=1 max_fails=3 fail_timeout=30s;
	}

	upstream zuul.com {   
		server 10.0.18.165:9200;
		server 10.0.18.166:9200;
		server 10.0.18.167:9200;
		server 10.0.18.168:9200;
		server 10.0.18.169:9200;
		server 10.0.18.170:9200;
		server 10.0.18.171:9200;
		server 10.0.18.172:9200;
		server 10.0.18.173:9200;
		server 10.0.18.174:9200;
		server 10.0.18.175:9200;
		server 10.0.18.176:9200;
		#server 10.0.18.165:9200 max_fails=3 fail_timeout=30s;
	}

    server {
        listen       80;
        server_name  localhost;
	    rewrite ^(.*)$ https://$host$1 permanent;	#http永久跳转https

        #charset koi8-r;

        #access_log  logs/host.access.log  main;

	location / {
           	proxy_pass          http://XXXX.com;
		    proxy_set_header	X-real-ip $remote_addr;
		    proxy_set_header	X-Forwarded-For $proxy_add_x_forwarded_for;
	    	index               index.html index.htm;
        }

        error_page   404           /404.html;

        # redirect server error pages to the static page /50x.html
        #
        error_page   500 502 503 504  /50x.html;
        location = /50x.html {
                                 root   html;
        }
    }
        # proxy the PHP scripts to Apache listening on 127.0.0.1:80
        #
        #location ~ \.php$ {
        #    proxy_pass   http://127.0.0.1;
        #}

        # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
        #
        #location ~ \.php$ {
        #    root           html;
        #    fastcgi_pass   127.0.0.1:9000;
        #    fastcgi_index  index.php;
        #    fastcgi_param  SCRIPT_FILENAME  /scripts$fastcgi_script_name;
        #    include        fastcgi_params;
        #}

        # deny access to .htaccess files, if Apache's document root
        # concurs with nginx's one
        #
        #location ~ /\.ht {
        #    deny  all;
        #}

        # proxy the PHP scripts to Apache listening on 127.0.0.1:80
        #
        #location ~ \.php$ {
        #    proxy_pass   http://127.0.0.1;
        #}

        # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
        #
        #location ~ \.php$ {
        #    root           html;
        #    fastcgi_pass   127.0.0.1:9000;
        #    fastcgi_index  index.php;
        #    fastcgi_param  SCRIPT_FILENAME  /scripts$fastcgi_script_name;
        #    include        fastcgi_params;
        #}

        # deny access to .htaccess files, if Apache's document root
        # concurs with nginx's one
        #
        #location ~ /\.ht {
        #    deny  all;
        #}


    # another virtual host using mix of IP-, name-, and port-based configuration
    #
    #server {
    #    listen       8000;
    #    listen       somename:8080;
    #    server_name  somename  alias  another.alias;

    #    location / {
    #        root   html;
    #        index  index.html index.htm;
    #    }
    #}


    #HTTPS server
    
    server {
        listen       443 ssl;
        server_name  localhost;

        ssl_certificate      sslkey/xxxxxx.crt;
        ssl_certificate_key  sslkey/xxxxxx.key;

        ssl_session_cache    shared:SSL:1m;
        ssl_session_timeout  5m;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
 
        ssl_ciphers  AESGCM:ALL:!DH:!EXPORT:!RC4:+HIGH:!MEDIUM:!LOW:!aNULL:!eNULL;
        ssl_prefer_server_ciphers  on;

	location / {
        proxy_pass		http://xxxx.com;
	    proxy_set_header	X-real-ip $remote_addr;
	    proxy_set_header	X-Forwarded-For $proxy_add_x_forwarded_for;
        }

        location /ngx_status {							#开启nginx监控页面
                              stub_status on;
        }

        location /swagger-ui.html {
        			    deny all;
        }

        error_page   404          /404.html;

        error_page   500 502 503 504  /50x.html;
        location = /50x.html {
                                root   html;  
        }
		
	server {
        listen       9200 ssl;
        server_name  localhost;
		
	    ssl_certificate      sslkey/xxxxxx.crt;		#证书的相对路径
        ssl_certificate_key  sslkey/xxxxxx.key;		#私钥的相对路径

        ssl_session_cache    shared:SSL:1m;
        ssl_session_timeout  5m;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
 
        ssl_ciphers  AESGCM:ALL:!DH:!EXPORT:!RC4:+HIGH:!MEDIUM:!LOW:!aNULL:!eNULL;
        ssl_prefer_server_ciphers  on;
		
    location / {
        proxy_pass			http://xxxx.com;
		proxy_set_header	X-real-ip $remote_addr;
		proxy_set_header	X-Forwarded-For $proxy_add_x_forwarded_for;
		}

     }
   }
}

配置文件仅供参考，需根据实际项目调整

重启nginx

/usr/local/nginx/sbin/nginx -s reload

验证登录