Nginx配置SSL支持https并强制https访问

image.png

一、CA免费证书的获取请参照我上一篇文章
http://www.jianshu.com/p/dd8daccc9cde

二、在Nginx中安装证书
https://yundun.console.aliyun.com/?spm=5176.2020520141.1001.4.31050c2aZ0NG6T&p=cas#/cas/download/214242323470956

以下是我Nginx其中一个Host配置

server {
    listen       80;
    server_name  cn.cctv.cc www.cctv.cc cctv.cc *.cctv.cc;
    root /usr/local/soft/web_sites/cctv/cn_cctv/web;
    index  default.html index.html index.htm;

    #告诉浏览器有效期内只准用 https 访问
    add_header Strict-Transport-Security max-age=15768000;
    #永久重定向到 https 站点
    return 301 https://cn.cctv.cc$request_uri;

    location / {
        root /usr/local/soft/web_sites/cctv/cn_cctv/web;
        index  default.html index.html index.htm;
    }
    
    location ~ \.ejf$ {
        #Nginx转向内部Tomcat时使用http通信
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header  X-Real-IP  $remote_addr;
    }

    location ~.*\.(js|css|html|png|gif|htm|shtml|jpg)$ {
        expires 30d;
    }
}

server {
    listen 443;
    server_name cn.cctv.cc;
    ssl on;
    root /usr/local/soft/web_sites/cctv/cn_cctv/web;
    index default.html index.html index.htm;
    ##证书路径
    ssl_certificate   ../cert/214242323470956.pem;
    #私钥路径
    ssl_certificate_key  ../cert/214242323470956.key;
    ssl_session_timeout 1m;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    location / {
        root /usr/local/soft/web_sites/cctv/cn_cctv/web;
        index default.html index.html index.htm;

    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_set_header X-Forwarded-Proto https;
        proxy_redirect off;
        proxy_connect_timeout      240;
        proxy_send_timeout         240;
        proxy_read_timeout         240;
    }
  location ~ \.ejf$ {
        #Nginx转向内部Tomcat时使用http通信
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header  X-Real-IP  $remote_addr;
    }
}
#仅允许指定域名访问，不可用ip访问
server {
    listen 80 default_server;
    server_name _;
    return 403;
}

三、配置Tomcat

重点是这儿的proxyPort="443"

Nginx配置SSL支持https并强制https访问

你可能感兴趣的:(Nginx配置SSL支持https并强制https访问)