Nginx 開啟 ssl 以支持 HTTPS

[!IMPORTANT]

在下文中，將采用如下定義。

HTTP端口： 80

HTTPS端口： 443

服務地址： www.0ll1.com，也可以是 IP

1 生成本地證書

1. 生成一個 RSA 私鑰：server.key

   openssl genrsa -out server.key 2048
   

2. 生成一個自簽名的 X.509 證書：server.crt

   openssl req -new -x509 -days 8760 -key server.key -out server.crt -subj "/C=CN/O=Institute of Information Engineering, CAS/CN=www.0ll1.com"
   

2 開啟 ssl 以支持 HTTPS

server {listen 443 ssl;server_name www.0ll1.com;ssl_certificate /usr/local/nginx/cert/server.crt;ssl_certificate_key /usr/local/nginx/cert/server.key;ssl_session_timeout 5m;ssl_protocols TLSv1 TLSv1.1 TLSv1.2;ssl_ciphers EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH;ssl_prefer_server_ciphers on;
}

3 將 https 的請求轉發給 http

server {location / {proxy_set_header Host $host;proxy_redirect off;proxy_set_header X-Real-IP $remote_addr;proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;proxy_connect_timeout 60;proxy_read_timeout 600;proxy_send_timeout 600;proxy_pass http://www.0ll1.com:80;}
}

[!NOTE]

只需要將 proxy_pass 修改為 http 服務的 url 即可。

最終的 nginx.conf 如下

server {listen 443 ssl;server_name www.0ll1.com;ssl_certificate /usr/local/nginx/cert/server.crt;ssl_certificate_key /usr/local/nginx/cert/server.key;ssl_session_timeout 5m;ssl_protocols TLSv1 TLSv1.1 TLSv1.2;ssl_ciphers EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH;ssl_prefer_server_ciphers on;location / {proxy_set_header Host $host;proxy_redirect off;proxy_set_header X-Real-IP $remote_addr;proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;proxy_connect_timeout 60;proxy_read_timeout 600;proxy_send_timeout 600;proxy_pass http://www.0ll1.com:80;}
}