证书配置 https
本文档以CentOS 7、Nginx 1.15.6为例
https://help.aliyun.com/document_detail/98728.html?spm=5176.2020520163.0.0.132b56a7xf8IJ8
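# Directives whose names start with "ssl" configure the certificate; set the
# remaining directives according to your own needs.
server {
    listen 443 ssl;          # HTTPS port. Per the original note, omitting "ssl" here may keep nginx from starting.
    server_name localhost;   # Replace localhost with the domain bound to your certificate, e.g. www.example.com.
    root html;
    index index.html index.htm;

    # Placeholders: replace "domain name.pem" / "domain name.key" with your own
    # file names. The real path must not contain an unquoted space.
    ssl_certificate cert/domain name.pem;
    # The private key should be readable only by the account that starts nginx.
    ssl_certificate_key cert/domain name.key;

    ssl_session_timeout 5m;

    # NOTE(review): the broad ECDH / AES / HIGH aliases also admit CBC-mode and
    # non-forward-secret suites; consider narrowing the list to ECDHE AEAD suites.
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;

    # TLS 1.0 and 1.1 are deprecated (RFC 8996), so they are no longer offered.
    # TLSv1.3 only takes effect when nginx is built against OpenSSL 1.1.1 or newer.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;

    location / {
        root html;           # Site directory.
        index index.html index.htm;
    }
}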
http 请求跳转到 https
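# Plain-HTTP listener whose only job is to send clients to the HTTPS site.
server {
    listen 80;
    server_name localhost;   # Replace localhost with the domain bound to your certificate, e.g. www.example.com.

    # Redirect every HTTP request to HTTPS. The target is built from
    # $server_name rather than $host: $host is taken from the client-supplied
    # Host header, so a request landing on this block with an arbitrary Host
    # would otherwise be redirected to a name the client chose.
    # With several names in server_name, $server_name is the first one listed.
    return 301 https://$server_name$request_uri;

    # Never reached: the server-level redirect above answers every request.
    location / {
        index index.html index.htm;
    }
}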
支持反向代理的一份https配置参考
[root@nexus3 conf.d]# cat docker_images.conf
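# Backend selected for GET requests (see the "set $upstream" logic below).
upstream nexus_docker_get {
    server 127.0.0.1:8084;
}

# Backend selected for every other method and for /search requests.
upstream nexus_docker_put {
    server 127.0.0.1:8082;
}

# TLS-terminating reverse proxy in front of the two local backends.
server {
    listen 443 ssl;
    server_name test.as4k.com;

    ssl_certificate /nexus3/cert/test.com.crt;
    # The private key should be readable only by the account that starts nginx.
    ssl_certificate_key /nexus3/cert/test.com.key;
    ssl_session_timeout 5m;
    # NOTE(review): the broad ECDH / AES / HIGH aliases also admit CBC-mode and
    # non-forward-secret suites; consider narrowing the list to ECDHE AEAD suites.
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
    # TLS 1.0 and 1.1 are deprecated (RFC 8996), so they are no longer offered.
    # TLSv1.3 only takes effect when nginx is built against OpenSSL 1.1.1 or newer.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;

    # 0 disables the request-body size check, so uploads of any size are accepted.
    client_max_body_size 0;
    chunked_transfer_encoding on;

    # Default to the "put" backend, then switch to "get" for GET requests.
    set $upstream "nexus_docker_put";
    # Exact comparison instead of the unanchored, case-insensitive regex, so
    # only the literal GET method is routed to the read backend.
    if ($request_method = GET) {
        set $upstream "nexus_docker_get";
    }
    # Requests whose URI contains /search go back to the "put" backend,
    # whatever the method.
    if ($request_uri ~ '/search') {
        set $upstream "nexus_docker_put";
    }

    index index.html index.htm index.php;

    location / {
        proxy_pass http://$upstream;
        proxy_set_header Host $host;
        # nginx documents that the connect timeout usually cannot exceed 75 seconds.
        proxy_connect_timeout 3600;
        proxy_send_timeout 3600;
        proxy_read_timeout 3600;
        proxy_set_header X-Real-IP $remote_addr;
        # Stream request and response bodies instead of buffering them.
        proxy_buffering off;
        proxy_request_buffering off;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # This listener is TLS-only, so report the real client scheme (https);
        # a hard-coded "http" makes the backend believe the request was unencrypted.
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}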
配置K8S Dashboard证书参考
[root@dpk1 conf.d]# cat /etc/nginx/conf.d/k8s.as4k.com.conf
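# TLS front end for the Kubernetes Dashboard listening on local port 30000.
# NOTE(review): the Dashboard is an administrative interface; restrict who can
# reach this virtual host (allow/deny rules or an authenticating proxy) before
# pointing public DNS at it.
server {
    listen 443 ssl;
    server_name k8s.as4k.com;
    root html;
    index index.html index.htm;

    ssl_certificate /etc/nginx/cert/as4k.com.crt;
    # The private key should be readable only by the account that starts nginx.
    ssl_certificate_key /etc/nginx/cert/as4k.com.key;
    ssl_session_timeout 5m;
    # NOTE(review): the broad ECDH / AES / HIGH aliases also admit CBC-mode and
    # non-forward-secret suites; consider narrowing the list to ECDHE AEAD suites.
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
    # TLS 1.0 and 1.1 are deprecated (RFC 8996), so they are no longer offered.
    # TLSv1.3 only takes effect when nginx is built against OpenSSL 1.1.1 or newer.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;

    location / {
        # The upstream speaks HTTPS. nginx does not verify the upstream
        # certificate unless proxy_ssl_verify is switched on (it is off by default).
        proxy_pass https://127.0.0.1:30000;
        proxy_set_header Host $host;
        # nginx documents that the connect timeout usually cannot exceed 75 seconds.
        proxy_connect_timeout 3600;
        proxy_send_timeout 3600;
        proxy_read_timeout 3600;
        proxy_set_header X-Real-IP $remote_addr;
        # Stream request and response bodies instead of buffering them.
        proxy_buffering off;
        proxy_request_buffering off;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # This listener is TLS-only, so report the real client scheme (https)
        # rather than a hard-coded "http".
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}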
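# Plain-HTTP listener for k8s.as4k.com: redirect everything to HTTPS.
server {
    listen 80;
    server_name k8s.as4k.com;
    # Build the target from $server_name rather than $host: $host is taken from
    # the client-supplied Host header, so the redirect cannot be steered to
    # another name by the request.
    return 301 https://$server_name$request_uri;
}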
别忘记在相应的域名管理平台把域名解析到对应的公网IP地址上去
xtest.as4k.top 证书记录(注意:.key 文件是私钥,不应以明文形式记录或公开;一旦泄露,应吊销并重新签发证书)
bogon:~ ndps$ cat /Users/ndps/Downloads/3797235_xtest.as4k.top_nginx/3797235_xtest.as4k.top.key
-----BEGIN RSA PRIVATE KEY-----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-----END RSA PRIVATE KEY-----
bogon:~ ndps$ cat /Users/ndps/Downloads/3797235_xtest.as4k.top_nginx/3797235_xtest.as4k.top.pem
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----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==
-----END CERTIFICATE-----
更换证书内容需要重启下nginx