A real-world case of upgrading a website from HTTP to HTTPS with a free SSL certificate

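For security reasons, the company needed to upgrade a website from plain HTTP to HTTPS. Alibaba Cloud offers free SSL certificates, so this upgrade is based on an Alibaba Cloud SSL certificate.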

1. Apply for the free certificate and configure the domain

1) Purchase the SSL certificate for 0 yuan


2) Fill in the information and bind the SSL certificate to the domain


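Fill in the domain name and personal information to complete the certificate application; you will receive a key code. Log in to the platform where the domain was purchased, add a TXT-type record, enter the key code, and add it to DNS resolution. Once the record takes effect, verification succeeds, and the SSL certificate is now bound to the domain.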

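3) Obtain the certificate's .pem and .key files and configure nginx on the project server

After verification succeeds as described above, choose the certificate files that match the container the project runs in on the server behind the domain. Mine runs on nginx, so I chose the nginx certificate files and downloaded them.

Create a cert folder at the same level as the server's nginx.conf configuration file and place the nginx certificate files in it.

In nginx.conf, configure an HTTPS listener on port 443 as shown in the configuration file below, then restart nginx. This completes the upgrade of the website from HTTP to HTTPS.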

# nginx certificate files, placed under the nginx.conf path


# nginx.conf configuration

[root@localhost nginx]# cat nginx.conf 

user  nginx;
worker_processes  1;

error_log  /var/log/nginx/error.log warn;
pid        /var/run/nginx.pid;


events {
    worker_connections  1024;
}


http {
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;
    server_tokens off;
    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';
    proxy_intercept_errors on;
    fastcgi_intercept_errors on;
    access_log  /var/log/nginx/access.log  main;

    sendfile        on;
    #tcp_nopush     on;

    keepalive_timeout  65;

    #gzip  on;

   #include /etc/nginx/conf.d/*.conf;

    server{
      listen 443 ssl  default_server ;   # listening port
      server_name www.yuming.com;   # bound domain name
      autoindex off;
      keepalive_requests 120; # maximum number of requests per connection
      client_max_body_size 100M;
      client_body_buffer_size 128k;
      #access_log /var/log/nginx/web/access.log;
      #error_log /var/log/nginx/web/error.log;

     ssl_certificate   cert/***.pem; # replace *** with the actual certificate file name
     ssl_certificate_key  cert/***.key; # replace *** with the actual certificate file name
     ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
     ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
     ssl_prefer_server_ciphers on;
	
      location / {
            add_header Content-Security-Policy upgrade-insecure-requests;
            root html;
            index  index.html index.htm;
            proxy_pass http://localhost:8080;
           #proxy_redirect    off;
           proxy_http_version 1.1;
           proxy_set_header   Connection "";
            proxy_set_header   Host $host;
            proxy_set_header   X-Real-IP $remote_addr;
            proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
            error_page 502 /502.html;
            # client_max_body_size   5m;
            # client_body_buffer_size   128k;
            # proxy_connect_timeout   10;
            # proxy_send_timeout   90;
            # proxy_read_timeout   90;
            # proxy_buffer_size   4k;
            # proxy_buffers   4 32k;
            # proxy_busy_buffers_size   64k;
            # proxy_temp_file_write_size  64k;
            # expires 7d;
        }
        # static resource loading
        location /static{
                alias /usr/share/nginx/static; 
         } 
        
        # custom error page
        location /502.html{
            alias /usr/share/nginx/index/system.html;
        }
   }

    server{
        listen 80;
        server_name  www.whwomen.org.cn;
        rewrite ^(.*)$ https://${server_name}$1 permanent;
       # Configuring up to this point should actually be enough: requests on port 80 are forwarded to port 443
       #charset koi8-r;
        #access_log  logs/host.access.log  main;
        location / {
            add_header Content-Security-Policy upgrade-insecure-requests;
            proxy_pass http://localhost:8080;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header X-Forwarded-Port $server_port;

        }
        # The following approach also forwards HTTP port 80 to HTTPS port 443
        #listen 80;
        #listen 443 ssl;
        #server_name whwomen.org.cn;
        #return 301 https://whwomen.org.cn$request_uri;

    }
}
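
A hardened variant of the two server blocks above, as an added example that is not the author's configuration: port 80 only redirects, and the 443 block drops TLS 1.0/1.1 (deprecated by RFC 8996) and replaces the broad cipher aliases with explicit ECDHE AEAD suites. The certificate file names are placeholders, the HSTS header and session settings are additions, and TLSv1.3 assumes nginx 1.13.0 or later built against OpenSSL 1.1.1 or later.

```nginx
# Added example, not the author's configuration. Both blocks go inside http { }.

# Port 80: redirect only; no proxy_pass location is needed here.
server {
    listen 80;
    server_name www.yuming.com;              # placeholder domain used on the page
    return 301 https://$server_name$request_uri;
}

server {
    listen 443 ssl default_server;
    server_name www.yuming.com;

    ssl_certificate     cert/example.pem;    # placeholder file name
    ssl_certificate_key cert/example.key;    # placeholder file name

    # TLS 1.0/1.1 removed. TLSv1.3 assumes nginx >= 1.13.0 with OpenSSL >= 1.1.1.
    ssl_protocols TLSv1.2 TLSv1.3;
    # Explicit ECDHE + AEAD suites for TLS 1.2 instead of aliases such as AES or HIGH.
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers off;           # every suite listed is acceptable
    ssl_session_cache   shared:SSL:10m;
    ssl_session_timeout 1d;
    ssl_session_tickets off;

    # add_header is inherited by a location only if that location sets no
    # add_header of its own, so both headers are set here at server level.
    add_header Strict-Transport-Security "max-age=63072000" always;
    add_header Content-Security-Policy upgrade-insecure-requests;

    location / {
        proxy_pass http://localhost:8080;
        proxy_http_version 1.1;
        proxy_set_header Connection "";
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;   # backend sees the original scheme
    }
}
```

Run `nginx -t` before reloading to confirm the installed build accepts `TLSv1.3`. Browsers that receive the HSTS header will refuse plain HTTP for this host for the whole max-age period, so enable it only once HTTPS is confirmed working.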

 
