Nginx中将Http升级为Https
其中443的为http升级为https,样例中还有反向代理,将http的端口映射为https;
user root;
worker_processes 1;
events {
worker_connections 1024;
}
http {
include mime.types;
default_type application/octet-stream;
sendfile on;
keepalive_timeout 65;
gzip on;
gzip_min_length 1k;
gzip_buffers 4 16k;
gzip_http_version 1.1;
gzip_comp_level 2;
gzip_types gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
gzip_proxied any;
server {
listen 443 ssl;
server_name xxx.xxx.com;
# SSL证书和私钥的路径
ssl_certificate /root/nginx/conf/key/xxx.xxx.com.pem;
ssl_certificate_key /root/nginx/conf/key/xxx.xxx.com.key;
# 选择强制使用最新的TLS协议版本
ssl_protocols TLSv1.2 TLSv1.3;
# 允许服务器与客户端之间的完全加密通信
ssl_prefer_server_ciphers off;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
# 启用HSTS(HTTP Strict Transport Security)以增加安全性
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
# 配置SSL会话缓存以提高性能
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
location / {
root /usr/local/soft/dist;
index index.html index.htm;
try_files $uri $uri/ /index.html;
}
location /admin-api/ {
proxy_pass https://xxx.xxx.com:58080/admin-api/;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header REMOTE-HOST $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
location /app-api/ {
proxy_pass https://xxx.xxx.com:58080/app-api/;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header REMOTE-HOST $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
}
#将http端口映射转发成https
server {
listen 58080 ssl;
server_name xxx.xxx.com;
# SSL证书和私钥的路径
ssl_certificate /root/nginx/conf/key/xxx.xxx.com.pem;
ssl_certificate_key /root/nginx/conf/key/xxx.xxx.com.key;
# 选择强制使用最新的TLS协议版本
ssl_protocols TLSv1.2 TLSv1.3;
# 允许服务器与客户端之间的完全加密通信
ssl_prefer_server_ciphers off;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
# 启用HSTS(HTTP Strict Transport Security)以增加安全性
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
# 配置SSL会话缓存以提高性能
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
location / {
proxy_pass http://172.28.141.12:48080/;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header REMOTE-HOST $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
}
server {
listen 8998 ssl;
server_name xxx.xxx.com;
# SSL证书和私钥的路径
ssl_certificate /root/nginx/conf/key/xxx.xxx.com.pem;
ssl_certificate_key /root/nginx/conf/key/xxx.xxx.com.key;
# 选择强制使用最新的TLS协议版本
ssl_protocols TLSv1.2 TLSv1.3;
# 允许服务器与客户端之间的完全加密通信
ssl_prefer_server_ciphers off;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
# 启用HSTS(HTTP Strict Transport Security)以增加安全性
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
# 配置SSL会话缓存以提高性能
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
location / {
root /usr/local/soft/h5;
index index.html index.htm;
try_files $uri $uri/ /index.html;
}
}
}