Configuring HTTPS in Nginx

Obtaining an SSL certificate

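  • Method 1: buy an SSL certificate
  • Method 2: request a free SSL certificate from Let's Encrypt
  • Method 3: set up your own CA and issue the SSL certificate yourself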

Configuring Nginx

  • HTTPS only
server {
        listen 443 ssl;
        server_name your.domain.com;

        ssl_certificate your.domain.com.cert;
        ssl_certificate_key your.domain.com.key;
        ssl_ciphers HIGH:!RC4:!MD5:!aNULL:!eNULL:!NULL:!DH:!EDH:!EXP:+MEDIUM;
        ssl_prefer_server_ciphers on;
        ......
}
  • HTTP and HTTPS side by side
server {
        listen 80;
        listen 443 ssl;
        server_name your.domain.com;

        ssl_certificate your.domain.com.cert;
        ssl_certificate_key your.domain.com.key;
        ssl_ciphers HIGH:!RC4:!MD5:!aNULL:!eNULL:!NULL:!DH:!EDH:!EXP:+MEDIUM;
        ssl_prefer_server_ciphers on;
        ......
}
  • Redirecting HTTP to HTTPS
  • Method 1: redirect (separate server block)
server {
        listen 80;
        server_name your.domain.com;

        return 301 https://$host$request_uri;
}

server {
        listen 443 ssl;
        server_name your.domain.com;

        ssl_certificate your.domain.com.cert;
        ssl_certificate_key your.domain.com.key;
        ssl_ciphers HIGH:!RC4:!MD5:!aNULL:!eNULL:!NULL:!DH:!EDH:!EXP:+MEDIUM;
        ssl_prefer_server_ciphers on;
        ......
}
  • Method 2: redirect (same server block)
server {
        listen 80;
        listen 443 ssl;
        server_name your.domain.com;

        ssl_certificate your.domain.com.cert;
        ssl_certificate_key your.domain.com.key;
        ssl_ciphers HIGH:!RC4:!MD5:!aNULL:!eNULL:!NULL:!DH:!EDH:!EXP:+MEDIUM;
        ssl_prefer_server_ciphers on;

        if ($scheme != "https") {
                return 301 https://$host$request_uri;
        }
        ......
}
  • Method 3: HSTS
server {
        listen 80;
        listen 443 ssl;
        server_name agent.wusong.com;

        add_header Strict-Transport-Security "max-age=86400" always;

        ssl_certificate /etc/nginx/ssl/agent.wusong.com.cert;
        ssl_certificate_key /etc/nginx/ssl/agent.wusong.com.key;
        ssl_ciphers HIGH:!RC4:!MD5:!aNULL:!eNULL:!NULL:!DH:!EDH:!EXP:+MEDIUM;
        ssl_prefer_server_ciphers on;
        ......
}
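The three redirect methods behave differently on port 80: methods 1 and 2 answer with a 301, while the HSTS block serves the page over HTTP and only adds the header, which a browser honours once it has received it over HTTPS. The checker below is an added example, not part of the original page; it audits raw responses for both properties, and the function names and sample responses are constructed for illustration.

```python
from urllib.parse import urlsplit

def parse_response(raw):
    """Split a raw response head into (status code, {lower-cased header: value})."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(lines[0].split()[1]), headers

def parse_hsts(value):
    """Return max-age in seconds from a Strict-Transport-Security value, or None."""
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        if name.strip().lower() == "max-age":
            arg = arg.strip().strip('"')
            return int(arg) if arg.isdigit() else None
    return None

def audit(scheme, host, raw):
    """List findings for one response fetched from `host` over `scheme`."""
    status, headers = parse_response(raw)
    hsts = headers.get("strict-transport-security")
    findings = []
    if scheme == "http":
        target = urlsplit(headers.get("location", ""))
        if (status not in (301, 302, 307, 308) or target.scheme != "https"
                or target.hostname != host):
            findings.append("http request is not redirected to https on the same host")
        if hsts is not None:
            # RFC 6797 section 8.1: browsers ignore HSTS received over plain HTTP.
            findings.append("HSTS header over http is ignored by browsers")
    else:
        max_age = parse_hsts(hsts) if hsts else None
        if max_age is None:
            findings.append("https response carries no valid HSTS max-age")
        elif max_age == 0:
            findings.append("max-age=0 tells the browser to drop the HSTS policy")
    return findings

# Constructed sample responses (not captured from a real server).
REDIRECT = "HTTP/1.1 301 Moved Permanently\r\nLocation: https://your.domain.com/a?b=1\r\n\r\n"
HSTS_ONLY = "HTTP/1.1 200 OK\r\nStrict-Transport-Security: max-age=86400\r\n\r\n"

if __name__ == "__main__":
    print(audit("http", "your.domain.com", REDIRECT))     # methods 1 and 2 on port 80
    print(audit("http", "agent.wusong.com", HSTS_ONLY))   # method 3 on port 80
    print(audit("https", "agent.wusong.com", HSTS_ONLY))  # method 3 on port 443
```

To use it against a live server, feed it the response head from a plain-HTTP request and from an HTTPS request to the same host.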
