Nginx之https配置-运维笔记(http-https强转)
⼀、Nginx安装(略)
安装的时候需要注意加上 --with-http_ssl_module,因为http_ssl_module不属于Nginx的基本模块。
Nginx安装⽅法:
# ./configure --user=www --group=www --prefix=/usr/local/nginx --with-http_stub_status_module --with-http_ssl_module
# make && make install
三、修改Nginx配置
server {
listen 443;
server_name www.wangshibo;
root /var/www/vhosts/www.wangshibo/httpdocs/main/;
ssl on;
ssl_certificate /usr/local/nginx/;
ssl_certificate_key /usr/local/nginx/cert/wangshibo.key;
ssl_session_timeout 5m;
ssl_protocols SSLv2 SSLv3 TLSv1;
ssl_ciphers HIGH:!aNULL:!MD5; //或者是ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP; ssl_prefer_server_ciphers on;
access_log /var/www/vhosts/www.wangshibo/logs/clickstream_ssl.log main;
error_log /var/www/vhosts/www.wangshibo/logs/clickstream_error_ssl.log;
if ($remote_addr !~ ^(124.165.97.144|133.110.186.128|133.110.186.88)) { //对访问的来源ip做⽩名单限制
rewrite ^.*$ /maintence.php last;
}
location ~ \.php$ {
fastcgi_pass 127.0.0.1:9000;
fastcgi_read_timeout 300;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name;
#include fastcgi_params;
f;
}
}
http访问强制跳转到https
⽹站添加了https证书后,当http⽅式访问⽹站时就会报404错误,所以需要做http到https的强制跳转设置.
⼀、采⽤nginx的rewrite⽅法
1) 下⾯是将所有的http请求通过rewrite重写到https上。
例如将所有的dev.wangshibo域名的http访问强制跳转到https。
下⾯配置均可以实现:
配置1:
server {
listen 80;
server_name dev.wangshibo;
index index.html index.php index.htm;
access_log /usr/local/nginx/logs/8080-access.log main;
error_log /usr/local/nginx/logs/8080-error.log;
rewrite ^(.*)$ $host$1 permanent; //这是ngixn早前的写法,现在还可以使⽤。
location ~ / {
root /var/www/html/8080;
index index.html index.php index.htm;
}
}
================================================================
上⾯的跳转配置rewrite ^(.*)$ $host$1 permanent;
也可以改为下⾯
rewrite ^/(.*)$ dev.wangshibo/$1 permanent;
或者
rewrite ^ dev.wangshibo$request_uri? permanent;
================================================================
配置2:
server {
listen 80;
server_name dev.wangshibo;
index index.html index.php index.htm;
access_log /usr/local/nginx/logs/8080-access.log main;
error_log /usr/local/nginx/logs/8080-error.log;
return 301 $server_name$request_uri; //这是nginx最新⽀持的写法
location ~ / {
root /var/www/html/8080;
index index.html index.php index.htm;
}
}
配置3:这种⽅式适⽤于多域名的时候,即访问wangshibo的http也会强制跳转到dev.wangshibo上⾯server {
listen 80;
server_name dev.wangshibo wangshibo *.wangshibo;
index index.html index.php index.htm;
access_log /usr/local/nginx/logs/8080-access.log main;
error_log /usr/local/nginx/logs/8080-error.log;
if ($host ~* "^wangshibo$") {
rewrite ^/(.*)$ dev.wangshibo/ permanent;
}
location ~ / {
root /var/www/html/8080;
index index.html index.php index.htm;
}
}
配置4:下⾯是最简单的⼀种配置
server {
listen 80;
server_name dev.wangshibo;
index index.html index.php index.htm;
access_log /usr/local/nginx/logs/8080-access.log main;
error_log /usr/local/nginx/logs/8080-error.log;
if ($host = "dev.wangshibo") {
rewrite ^/(.*)$ dev.wangshibo permanent;
}
location ~ / {
root /var/www/html/8080;
index index.html index.php index.htm;
}
}
⼆、采⽤nginx的497状态码 (⾮标准443端⼝的https情况下使⽤的强转配置⽅式)
497 - normal request was sent to HTTPS
解释:当⽹站只允许https访问时,当⽤http访问时nginx会报出497错误码
思路:
利⽤error_page命令将497状态码的链接重定向到dev.wangshibo这个域名上
配置实例:
如下访问dev.wangshibo或者wangshibo的http都会被强制跳转到https
server {
listen 80;
server_name dev.wangshibo wangshibo *.wangshibo;
index index.html index.php index.htm;
access_log /usr/local/nginx/logs/8080-access.log main;
error_log /usr/local/nginx/logs/8080-error.log;
error_page 497 $host$uri?$args;
location ~ / {
root /var/www/html/8080;
index index.html index.php index.htm;
}
}
也可以将80和443的配置放在⼀起:
server {
listen 127.0.0.1:443; #ssl端⼝
listen 127.0.0.1:80; #⽤户习惯⽤http访问,加上80,后⾯通过497状态码让它⾃动跳到443端⼝
server_name dev.wangshibo;
#为⼀个server{......}开启ssl⽀持
ssl on;
#指定PEM格式的证书⽂件
ssl_certificate /etc/nginx/wangshibo.pem;
#指定PEM格式的私钥⽂件
ssl_certificate_key /etc/nginx/wangshibo.key;
#让http请求重定向到https请求
error_page 497 $host$uri?$args;
location ~ / {
root /var/www/html/8080;
index index.html index.php index.htm;
}
}
如果遇到⾮标准443端⼝的https情况下,则http到https的强转配置就需要使⽤上⾯这种497状态码的⽅式了。如下: server {
listen 9443 ssl;
server_name www.kevin;
error_page 497 $server_name:9443$request_uri;
ssl_certificate /etc/nginx/;
ssl_certificate_key /etc/nginx/cert/kevin.key;
.........
这样访问www.kevin:9443 就会⾃动跳转到www.kevin:9443。
这种⽅式直接配置https端⼝就可以,不需要再配置http端⼝。
三、利⽤meta的刷新作⽤将http跳转到https
上述的⽅法均会耗费服务器的资源,可以借鉴百度使⽤的⽅法:巧妙的利⽤meta的刷新作⽤,将http跳转到https
可以基于dev.wangshibo的虚拟主机路径下写⼀个index.html,内容就是http向https的跳转
将下⾯的内容追加到index.html⾸页⽂件内
[root@localhost ~]# cat /var/www/html/8080/index.html
<html>
<meta http-equiv="refresh" content="0;url=dev.wangshibo/">
</html>
[root@localhost ~]# cat /usr/local/nginx/conf/f
server {
listen 80;
server_name dev.wangshibo wangshibo *.wangshibo;
index index.html index.php index.htm;
access_log /usr/local/nginx/logs/8080-access.log main;
error_log /usr/local/nginx/logs/8080-error.log;
#将404的页⾯重定向到https的⾸页
error_page 404 dev.wangshibo/;
location ~ / {
root /var/www/html/8080;
index index.html index.php index.htm;
}
}
[root@BJLX_34_33_V vhosts]# f
server {
listen 80;
server_name zrx.wangshibo;
index index.html index.php index.htm;
access_log logs/access.log;
error_log logs/error.log;
return 301 $server_name$request_uri;
location ~ / {
root /data/nginx/html;
nginx ssl证书配置index index.html index.php index.htm;
}
}
[root@BJLX_34_33_V vhosts]# f
upstream tomcat8 {
server 172.29.34.33:8080 max_fails=3 fail_timeout=30s;
}
server {
listen 443;
server_name zrx.wangshibo;
ssl on;
### SSL log files ###
access_log logs/ssl-access.log;
error_log logs/ssl-error.log;
### SSL cert files ###
ssl_certificate ;
ssl_certificate_key ssl/wangshibo.key;
ssl_session_timeout 5m;
location / {
proxy_pass tomcat8/zrx/;
proxy_next_upstream error timeout invalid_header http_500 http_502 http_503; proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
proxy_redirect off;
}
}
四、通过proxy_redirec⽅式
解决办法:
# re-write redirects to http as to https, example: /home
proxy_redirect ;
发表评论