Preface
This article is based on Windows and nginx 1.17.
Apart from the installation steps, the configuration file is identical to the one used on Linux.
Why one would run Nginx on Windows rather than Linux is not discussed here; there is no "best", only "most suitable".
Only the Nginx configuration on Windows is covered.
Part 0. Basic Nginx operations
# check the configuration file for syntax errors
nginx -t
# reload the configuration without dropping existing connections
nginx -s reload
Part 1. Configuring HTTPS
Environment: Windows Server 2012 R2
1. Install nginx
The installation steps are omitted; the download link is attached.
2. Install OpenSSL
Download & install
Steps omitted; download link:
Win32/Win64 OpenSSL Installer for Windows - Shining Light Productions
These are third-party builds rather than binaries from the OpenSSL project itself, so verify the download against the hash published on that page before installing it.
Configure environment variables
Variable name: OPENSSL_HOME
Set its value to the actual installation path.
Add %OPENSSL_HOME%\bin to PATH.
3. Generate the certificate
Create the private key
Note: 1024 bits is used below only because that is what the original demo did. 1024-bit RSA has been disallowed for new use since 2013 (NIST SP 800-131A) and public CAs will not sign a CSR for such a key; use 2048 bits or more. The -des3 option encrypts the key file under a passphrase, which is removed again in a later step.
D:\test>openssl genrsa -des3 -out demo.key 1024
Generating RSA private key, 1024 bit long modulus (2 primes)
....................+++++
......................................+++++
e is 65537 (0x010001)
Enter pass phrase for demo.key:
Verifying - Enter pass phrase for demo.key:
Create the CSR (certificate signing request)
D:\test>openssl req -new -key demo.key -out demo.csr
Enter pass phrase for demo.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:Beijing
Locality Name (eg, city) []:Fengtai
Organization Name (eg, company) [Internet Widgits Pty Ltd]:ora
Organizational Unit Name (eg, section) []:ora
Common Name (e.g. server FQDN or YOUR name) []:yourname
Email Address []:yourname@qq.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:
Remove the passphrase
To strip the passphrase from the key, enter the passphrase that was set for demo.key.
D:\test>openssl rsa -in demo.key -out demo.key
Enter pass phrase for demo.key:
writing RSA key
If the passphrase is kept, it must be typed again every time the nginx configuration is tested or nginx is started, which is inconvenient. The trade-off is that demo.key now sits on disk in plaintext: restrict its NTFS permissions to Administrators and the account nginx runs as, and never place it under a directory that nginx serves.
D:\PUHT\Service\nginx-1.20.1>nginx -t
Enter PEM pass phrase:
nginx: the configuration file D:\PUHT\Service\nginx-1.20.1/conf/nginx.conf syntax is ok
nginx: configuration file D:\PUHT\Service\nginx-1.20.1/conf/nginx.conf test is successful
Generate the self-signed certificate
D:\test>openssl x509 -req -days 365 -in demo.csr -signkey demo.key -out demo.crt
Signature ok
subject=C = CN, ST = Beijing, L = Fengtai, O = ora, OU = ora, CN = yourname, emailAddress = yourname@qq.com
Getting Private key
When finished, three files are in the directory.
demo.key (the private key, now unencrypted)
demo.csr (the signing request; no longer needed once the certificate exists)
demo.crt (the self-signed certificate, valid for 365 days)
Certificate generation is complete.
Two caveats: because the certificate is signed with its own key (-signkey) rather than by a CA, browsers show a trust warning until it is imported as trusted; and because it carries only a Common Name and no subjectAltName extension, Chrome rejects it with ERR_CERT_COMMON_NAME_INVALID even after it is trusted. For a real deployment, obtain the certificate from a CA, or at least add a subjectAltName when generating the self-signed one.
4. Configure nginx to use HTTPS
Add or modify the following in the server block of the configuration file.
server {
    # the trailing http2 enables HTTP/2 and is unrelated to the HTTPS setup itself
    listen 443 ssl http2;
    ssl_certificate D:/nginx-1.17.7/conf/ssl_key/demo.crt;
    ssl_certificate_key D:/nginx-1.17.7/conf/ssl_key/demo.key;
    ssl_session_cache shared:SSL:50m;
    ssl_session_timeout 4h;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    # remaining directives omitted
}
Note that no ssl_protocols directive is set, so nginx 1.17 falls back to its default of TLSv1 TLSv1.1 TLSv1.2 and still accepts TLS 1.0 and 1.1 connections; restrict it to TLS 1.2 and later for anything beyond a test setup.
5. Redirect port 80 to HTTPS
This server block is a sibling of the one above, not nested inside it.
server {
    listen 80;
    # redirect every request to https
    rewrite ^(.*)$ https://$host$1 permanent;
}
A request on port 80 is now answered with a 301 to the same URL on port 443.
Configuring HTTP/2
Configuring HTTP/2 in nginx is simple: add http2 after the listen port.
As follows:
listen 443 ssl http2;
Browsers only speak HTTP/2 over TLS, so it can only be enabled on the 443 listener, not on the plain port 80 one.
How to verify:
In Chrome, open Developer Tools, go to Network, right-click a column header such as Name and tick Protocol.
Refresh the page; requests served over HTTP/2 show h2 in that column.
Configuring a reverse proxy
location /yourproject/ {
    proxy_pass http://192.168.129.45:7990;
    add_header 'Access-Control-Allow-Origin' '*';
    add_header 'Access-Control-Allow-Credentials' 'true';
}
nginx proxies requests under /yourproject/ to http://192.168.129.45:7990; because proxy_pass is given without a URI part, the /yourproject/ prefix is passed to the backend unchanged.
The two CORS headers as written contradict each other: the CORS specification does not allow Access-Control-Allow-Origin: * on a response to a request made with credentials (cookies, HTTP auth), so browsers reject exactly the cross-origin requests that the Allow-Credentials header is meant to permit. If credentialed cross-origin access is really needed, the header has to echo one specific, allow-listed origin; if it is not needed, drop both headers.
Configuring the default project
If several projects are reverse-proxied but users should land on one of them by default, add the following under the server block.
index /yourproject/ ;
Complete configuration file
worker_processes 1;
events {
    worker_connections 5000;
}
http {
    include mime.types;
    client_max_body_size 500m;
    # default_type application/octet-stream;
    # sendfile on;
    keepalive_timeout 65;
    server {
        listen 443 ssl http2;
        ssl_certificate D:/nginx-1.17.7/conf/ssl_key/demo.crt;
        ssl_certificate_key D:/nginx-1.17.7/conf/ssl_key/demo.key;
        ssl_session_cache shared:SSL:50m;
        ssl_session_timeout 4h;
        ssl_ciphers HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers on;
        server_tokens off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        index /p1/ ;
        location /p1/ {
            proxy_pass http://192.168.129.45:7990;
            add_header 'Access-Control-Allow-Origin' '*';
            add_header 'Access-Control-Allow-Credentials' 'true';
        }
        location /p2/ {
            proxy_pass http://192.168.129.45:7950;
            add_header 'Access-Control-Allow-Origin' '*';
            add_header 'Access-Control-Allow-Credentials' 'true';
        }
        location /p3/ {
            proxy_pass http://192.168.129.45:7930;
            add_header 'Access-Control-Allow-Origin' '*';
            add_header 'Access-Control-Allow-Credentials' 'true';
        }
        location /h5/ {
            proxy_pass http://192.168.129.45:8000;
            # add_header Content-Type "text/plain;charset=utf-8";
            add_header 'Access-Control-Allow-Origin' '*';
            add_header 'Access-Control-Allow-Credentials' 'true';
            # add_header 'Access-Control-Allow-Methods' 'GET, POST';
        }
        # help documentation
        location /docs/ {
            proxy_pass http://192.168.129.45:8081;
            add_header 'Access-Control-Allow-Origin' '*';
            add_header 'Access-Control-Allow-Credentials' 'true';
        }
    }
    server {
        listen 80;
        # redirect every request to https
        rewrite ^(.*)$ https://$host$1 permanent;
    }
}
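As an added example (not part of the original post), here is the complete configuration above rewritten with the hardening a practitioner would apply before exposing it: TLS restricted to 1.2/1.3 with a modern cipher list, HSTS, the port-80 redirect expressed with return, the default project as an explicit redirect instead of the index trick, and the wildcard-plus-credentials CORS headers replaced by an origin allow-list built with map. The hostname www.example.com and the allowed origin https://app.example.com are assumptions; backend addresses and certificate paths are taken from the post.

```nginx
# Added example, not the original post's configuration. Hostname and the
# allowed CORS origin are assumptions; backends and key paths come from the post.
worker_processes 1;

events {
    worker_connections 5000;
}

http {
    include       mime.types;
    default_type  application/octet-stream;
    client_max_body_size 500m;
    keepalive_timeout 65;
    server_tokens off;

    # Credentialed CORS needs one concrete origin, never "*". Echo the request's
    # Origin back only when it is on the allow-list; an empty $cors_origin makes
    # add_header emit no Access-Control-Allow-Origin header at all.
    map $http_origin $cors_origin {
        default                    "";
        "https://app.example.com"  $http_origin;   # assumed front-end origin
    }

    server {
        listen 443 ssl http2;
        server_name www.example.com;               # assumed; must match the certificate's SAN

        ssl_certificate     D:/nginx-1.17.7/conf/ssl_key/demo.crt;
        ssl_certificate_key D:/nginx-1.17.7/conf/ssl_key/demo.key;

        # Without this line nginx 1.17 still offers TLS 1.0 and 1.1.
        # TLSv1.3 only takes effect when nginx is linked against OpenSSL 1.1.1+
        # (check with nginx -V).
        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
        ssl_prefer_server_ciphers on;
        ssl_session_cache shared:SSL:50m;
        ssl_session_timeout 4h;

        # add_header directives are NOT inherited by a location that declares its
        # own add_header, so every response header lives here at server level and
        # the locations below add none.
        # HSTS: enable only once the certificate is trusted; with the self-signed
        # demo certificate a cached HSTS entry stops browsers from letting you click
        # through the certificate warning.
        add_header Strict-Transport-Security "max-age=31536000" always;
        add_header Access-Control-Allow-Origin      $cors_origin always;
        add_header Access-Control-Allow-Credentials true         always;
        add_header Vary Origin always;   # cache per Origin since the response differs by Origin

        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        # Tells the backend the client connection is TLS, so its own redirects
        # and Secure cookies are generated for https rather than http.
        proxy_set_header X-Forwarded-Proto $scheme;

        # Default project: an explicit redirect instead of the index trick.
        location = / {
            return 302 /p1/;
        }

        # proxy_pass without a URI part passes the /pN/ prefix to the backend unchanged.
        location /p1/   { proxy_pass http://192.168.129.45:7990; }
        location /p2/   { proxy_pass http://192.168.129.45:7950; }
        location /p3/   { proxy_pass http://192.168.129.45:7930; }
        location /h5/   { proxy_pass http://192.168.129.45:8000; }
        # help documentation
        location /docs/ { proxy_pass http://192.168.129.45:8081; }
    }

    # Plain HTTP does nothing but redirect. return is the idiomatic form of the
    # post's rewrite; $request_uri keeps the full path and query string.
    server {
        listen 80;
        server_name www.example.com;
        return 301 https://$host$request_uri;
    }
}
```

Run nginx -t after saving and reload. To check the CORS change, load the site from a page on https://app.example.com and from any other origin and compare the Response Headers in the browser's Network tab: only the allow-listed origin gets an Access-Control-Allow-Origin header back, and the browser now accepts credentialed requests from it instead of rejecting the wildcard.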
References
nginx configuration
Configuring nginx for HTTPS access on Windows (sunroyfcb, CSDN blog)
https://www.jianshu.com/p/3ed3f7f0c6fa
nginx HTTPS certificate configuration (Crazymagic, cnblogs)
HTTP2
OpenSSL
Win32/Win64 OpenSSL Installer for Windows - Shining Light Productions