Windows环境Nginx配置https协议 http2.0 反向代理 默认项目

目录

前言

零、Nginx基本操作

一、配置https

1.安装nginx

2.安装OpenSSL

下载&安装

配置环境变量

3.生成证书

创建私钥

创建csr证书

去除密码

生成证书

3.配置nginx使用https协议

4.配置将端口跳转至https协议

配置http2.0

配置反向代理

配置默认项目

完整配置文件

参考文档

---

前言

本文基于Windows环境与nginx1.17版本。

除了安装差异，配置文件与Linux一致。

这里不讨论为什么要将Nginx放在Windows而不是Linux上，没有最好，只有最适合。

只介绍Nginx在windows的配置。

零、Nginx基本操作

#检查配置文件 nginx -t
#重新加载配置 nginx -s reload

一、配置https

环境：Windows2012R2

1.安装nginx

安装过程略，附下载地址。

nginx: download

2.安装OpenSSL

下载&安装

过程略

附下载地址。

Win32/Win64 OpenSSL Installer for Windows - Shining Light Productions

配置环境变量

变量名：OPENSSL_HOME

具体路径根据情况配置。

将%OPENSSL_HOME%\bin加入至PATH中。

3.生成证书

创建私钥

D:\test>openssl genrsa -des3 -out demo.key 1024
Generating RSA private key, 1024 bit long modulus (2 primes)
....................+++++
......................................+++++
e is 65537 (0x010001)
Enter pass phrase for demo.key:
Verifying - Enter pass phrase for demo.key:

创建csr证书

D:\test>openssl req -new -key demo.key -out demo.csr
Enter pass phrase for demo.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:Beijing
Locality Name (eg, city) []:Fengtai
Organization Name (eg, company) [Internet Widgits Pty Ltd]:ora
Organizational Unit Name (eg, section) []:ora
Common Name (e.g. server FQDN or YOUR name) []:yourname
Email Address []:yourname@qq.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:

去除密码

取消掉key中的密码，需要输入demo.key设置的密码

D:\test>openssl rsa -in demo.key -out demo.key
Enter pass phrase for demo.key:
writing RSA key

如果保留该密码，在检测nginx配置文件和启动nginx时，需要再次输入秘钥文件的密码，比较不便。

D:\PUHT\Service\nginx-1.20.1>nginx -t
Enter PEM pass phrase:
nginx: the configuration file D:\PUHT\Service\nginx-1.20.1/conf/nginx.conf syntax is ok
nginx: configuration file D:\PUHT\Service\nginx-1.20.1/conf/nginx.conf test is successful

生成证书

D:\test>openssl x509 -req -days 365 -in demo.csr -signkey demo.key -out demo.crt
Signature ok
subject=C = CN, ST = Beijing, L = Fengtai, O = ora, OU = ora, CN = yourname, emailAddress = yourname@qq.com
Getting Private key

完成后，会在目录下生成3个文件。

demo.key

demo.csr

demo.crt

证书生成完毕。

3.配置nginx使用https协议

在配置文件server 节点下，增加或修改如下内容。

    server {
            #后边的http2是指http2.0，与本次配置https无关。
		listen 443 ssl http2;
		
		
		ssl_certificate  D:/nginx-1.17.7/conf/ssl_key/demo.crt;
		ssl_certificate_key D:/nginx-1.17.7/conf/ssl_key/demo.key;
		
		ssl_session_cache    shared:SSL:50m;
		ssl_session_timeout  4h;
    	ssl_ciphers  HIGH:!aNULL:!MD5;
		ssl_prefer_server_ciphers  on;
  #略

4.配置将端口跳转至https协议

这里的server与上述的server是平级关系。

	server {
        listen 80;
        #将请求转成https
        rewrite ^(.*)$ https://$host$1 permanent;
	}

使用80端口访问是，会直接跳转至443端口。

配置http2.0

nginx 配置 http2很简单，只需在监听端口后增加http2即可。

如下

listen 443 ssl http2;

如何验证:

使用 chrome，打开开发者工具，Network,在Name或其他列点击右键，勾选Protocol

刷新页面即可看到。

配置反向代理

		location /yourproject/ {
		    proxy_pass http://192.168.129.45:7990;
		    add_header 'Access-Control-Allow-Origin' '*';
		    add_header 'Access-Control-Allow-Credentials' 'true';
		}

nginx会将访问至yourproject的请求，代理到http://192.168.129.45:7990。

配置默认项目

如果反向代理了多个项目，但是希望用户默认访问其中一个，可在server节点下增加如下配置。

index /yourproject/ ;

完整配置文件

worker_processes  1;

events {
    worker_connections  5000;
}

http {
    include       mime.types;
    client_max_body_size 500m;
    # default_type  application/octet-stream;
    # sendfile        on;
    keepalive_timeout  65;
    server {
		listen       443 ssl http2;
		
		
		ssl_certificate  D:/nginx-1.17.7/conf/ssl_key/demo.crt;
		ssl_certificate_key D:/nginx-1.17.7/conf/ssl_key/demo.key;
		
		ssl_session_cache    shared:SSL:50m;
		ssl_session_timeout  4h;ssl_ciphers  HIGH:!aNULL:!MD5;
		ssl_prefer_server_ciphers  on;
		
		server_tokens off;
		
			
		proxy_set_header Host $host;
		proxy_set_header X-Real-IP $remote_addr;
		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;		
			
		index /p1/ ;
		
		location /p1/ {
		    proxy_pass http://192.168.129.45:7990;
		    add_header 'Access-Control-Allow-Origin' '*';
		    add_header 'Access-Control-Allow-Credentials' 'true';
		}
        
		
		location /p2/ {
            proxy_pass http://192.168.129.45:7950;
            add_header 'Access-Control-Allow-Origin' '*';
            add_header 'Access-Control-Allow-Credentials' 'true';
        }

		
		location /p3/ {
		    proxy_pass http://192.168.129.45:7930;
		    add_header 'Access-Control-Allow-Origin' '*';
		    add_header 'Access-Control-Allow-Credentials' 'true';
		}	
		
		location /h5/ {
		    proxy_pass http://192.168.129.45:8000;
			# add_header Content-Type "text/plain;charset=utf-8";
		    add_header 'Access-Control-Allow-Origin' '*';
		    add_header 'Access-Control-Allow-Credentials' 'true';
		    # add_header 'Access-Control-Allow-Methods' 'GET, POST';
		}	
		
		#帮组文档
		location /docs/ {
		    proxy_pass http://192.168.129.45:8081;
		    add_header 'Access-Control-Allow-Origin' '*';
		    add_header 'Access-Control-Allow-Credentials' 'true';
		}	


    }
		
	server {
    listen 80;
        #将请求转成https
        rewrite ^(.*)$ https://$host$1 permanent;
	}
}

参考文档

nginx配置

Windows系统配置nginx实现https访问_sunroyfcb的博客-CSDN博客

https://www.jianshu.com/p/3ed3f7f0c6fa

Configuration — NGINX Unit

nginx 之 https 证书配置 - Crazymagic - 博客园

HTTP2

HTTP2 详解 - 简书

HTTTP 2.0原理解析 | JouyPub

OpenSSL

Win32/Win64 OpenSSL Installer for Windows - Shining Light Productions

OpenSSL 中文手册 | OpenSSL 中文网