官方参考文档,包括apache、nginx、IIS的ssl配置:
http://www.wosign.com/Docdownload/
实例一、配置http转发到https,一个虚拟主机内有两个server,部分内容使用**代替
Ngx01(10.66.**.**),Ngx02(10.66.**.**)
1、在/etc/nginx添加sslkey文件夹,导入ssl证书到该文件夹下,参考附件
2、修改虚拟主机
upstream am***
{ server 172.22.**.*:80; keepalive 100; }
server {
listen 80;
server_name www.***-dmp.cn;
rewrite "^/(.*)$" https://www.***-dmp.cn/$1 break; #这里配置http转发到https
proxy_headers_hash_max_size 51200;
proxy_headers_hash_bucket_size 6400;
location /
{ # access_log /var/log/nginx/access_www.log; proxy_http_version 1.1; proxy_set_header Connection ""; proxy_set_header Host $host; proxy_set_header X-Real-IP $http_x_forwarded_for; proxy_set_header X-Forwarded-Server $host; proxy_set_header X-Forwarded-For $http_x_forwarded_for; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_pass http://amnet/; }
location /web/
{ alias /opt/wwwroot/web/; # access_log /var/log/nginx/access_web.log; }
}
server {
listen 443; #监听443端口
server_name www.***-dmp.cn;
ssl on; #打开ssl
ssl_certificate sslkey/1__.***-dmp.cn_bundle.crt; #指定ssl的证书和key
ssl_certificate_key sslkey/2__.***-dmp.cn.key;
proxy_headers_hash_max_size 51200;
proxy_headers_hash_bucket_size 6400;
location /
{ # access_log /var/log/nginx/access_www.log; proxy_http_version 1.1; proxy_set_header Connection ""; proxy_set_header Host $host; proxy_set_header X-Real-IP $http_x_forwarded_for; proxy_set_header X-Forwarded-Server $host; proxy_set_header X-Forwarded-For $http_x_forwarded_for; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_pass http://amnet/; }
location /web/
{ alias /opt/wwwroot/web/; # access_log /var/log/nginx/access_web.log; }
}
实例二、http和https都可以使用,不跳转,需要配置两个虚拟主机,例如原来有***.conf虚拟主机配置文件,添加一个***-https.conf的虚拟主机配置文件,内容如下:
Ngx03(10.66.**.**),Ngx04(10.66.**.**)
1、在/etc/nginx添加sslkey文件夹,导入ssl证书到该文件夹下,参考附件
2、原虚拟主机配置文件***.conf不动,添加虚拟主机***-https.conf,内容如下:
server {
listen 443; #监听443端口
server_name cm.***-dmp.cn cm.***akidmp.com;
ssl on; #打开ssl
ssl_certificate sslkey/1__.***-dmp.cn_bundle.crt; #指定ssl的证书和key
ssl_certificate_key sslkey/2__.***-dmp.cn.key;
location /favicon.ico
{ access_log off; error_log /dev/null crit; }
location /index.html
{ alias /var/www/index.html; }
location /1_1.gif
{ alias /var/www/1_1.gif; }
proxy_headers_hash_max_size 51200;
proxy_headers_hash_bucket_size 6400;
location /
{ proxy_http_version 1.1; proxy_set_header Connection ""; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-Server $host; proxy_set_header X-Forwarded-For $http_x_forwarded_for; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_pass http://aaccm/; }
location /crossdomain.xml
{ alias /usr/local/track/crossdomain.xml; }
}
其实实例二采用另一种方法,在一个虚拟主机中配置两个server,一个使用80端口的http,另一个使用443端口的https,只不过80不转发而已,就是没有:rewrite "^/(.*)$" https://www.***-dmp.cn/$1 break;
我猜测这样应该也是可以的,由于我的时间和条件都有限,没有实际测试,大家有时间再试试。
实例三、配置https,支持SHA256,AES384
# vim mcdonalds-dmpapi.conf
server {
charset utf-8;
client_max_body_size 128M;
proxy_headers_hash_max_size 51200;
proxy_headers_hash_bucket_size 6400;
listen 443;
server_name dmptrack.dmp.mcdonalds.com.cn dmpcm.dmp.mcdonalds.com.cn;
ssl on;
ssl_certificate /root/sslkey/dmp.crt;
#ssl_certificate /root/sslkey/dmp.mcdonalds.com.cn.crt.del;
ssl_certificate_key /root/sslkey/dmp.mcdonalds.com.cn.key;
#ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_protocols TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!MD5:!PSK:!RC4;
#ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SH
A256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AE
S256-GCM-SHA384:AES128-GCM-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
#ssl_stapling on;
include ../proxy/dmpapi.include;
#location / {
# access_log ../logs/https-mcd-access.log;
# error_log ../logs/https-mcd-error.log;
# return 403;
#}
}