官方参考文档,包括apache、nginx、IIS的ssl配置:
http://www.wosign.com/Docdownload/
实例一、配置http转发到https,一个虚拟主机内有两个server,部分内容使用**代替
Ngx01(10.66.**.**),Ngx02(10.66.**.**)
1、在/etc/nginx添加sslkey文件夹,导入ssl证书到该文件夹下,参考附件
2、修改虚拟主机
upstream am***
{ server 172.22.**.*:80; keepalive 100; }
server {
listen 80;
server_name www.***-dmp.cn;
rewrite "^/(.*)$" https://www.***-dmp.cn/$1 break; #这里配置http转发到https
proxy_headers_hash_max_size 51200;
proxy_headers_hash_bucket_size 6400;
location /
{ # access_log /var/log/nginx/access_www.log; proxy_http_version 1.1; proxy_set_header Connection ""; proxy_set_header Host $host; proxy_set_header X-Real-IP $http_x_forwarded_for; proxy_set_header X-Forwarded-Server $host; proxy_set_header X-Forwarded-For $http_x_forwarded_for; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_pass http://amnet/; }
location /web/
{ alias /opt/wwwroot/web/; # access_log /var/log/nginx/access_web.log; }
}
server {
listen 443; #监听443端口
server_name www.***-dmp.cn;
ssl on; #打开ssl
ssl_certificate sslkey/1__.***-dmp.cn_bundle.crt; #指定ssl的证书和key
ssl_certificate_key sslkey/2__.***-dmp.cn.key;
proxy_headers_hash_max_size 51200;
proxy_headers_hash_bucket_size 6400;
location /
{ # access_log /var/log/nginx/access_www.log; proxy_http_version 1.1; proxy_set_header Connection ""; proxy_set_header Host $host; proxy_set_header X-Real-IP $http_x_forwarded_for; proxy_set_header X-Forwarded-Server $host; proxy_set_header X-Forwarded-For $http_x_forwarded_for; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_pass http://amnet/; }
location /web/
{ alias /opt/wwwroot/web/; # access_log /var/log/nginx/access_web.log; }
}
实例二、http和https都可以使用,不跳转,需要配置两个虚拟主机,例如原来有***.conf虚拟主机配置文件,添加一个***-https.conf的虚拟主机配置文件,内容如下:
Ngx03(10.66.**.**),Ngx04(10.66.**.**)
1、在/etc/nginx添加sslkey文件夹,导入ssl证书到该文件夹下,参考附件
2、原虚拟主机配置文件***.conf不动,添加虚拟主机***-https.conf,内容如下:
server {
listen 443; #监听443端口
server_name cm.***-dmp.cn cm.***akidmp.com;
ssl on; #打开ssl
ssl_certificate sslkey/1__.***-dmp.cn_bundle.crt; #指定ssl的证书和key
ssl_certificate_key sslkey/2__.***-dmp.cn.key;
location /favicon.ico
{ access_log off; error_log /dev/null crit; }
location /index.html
{ alias /var/www/index.html; }
location /1_1.gif
{ alias /var/www/1_1.gif; }
proxy_headers_hash_max_size 51200;
proxy_headers_hash_bucket_size 6400;
location /
{ proxy_http_version 1.1; proxy_set_header Connection ""; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-Server $host; proxy_set_header X-Forwarded-For $http_x_forwarded_for; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_pass http://aaccm/; }
location /crossdomain.xml
{ alias /usr/local/track/crossdomain.xml; }
}
其实实例二采用另一种方法,在一个虚拟主机中配置两个server,一个使用80端口的http,另一个使用443端口的https,只不过80不转发而已,就是没有:rewrite "^/(.*)$" https://www.***-dmp.cn/$1 break;
我猜测这样应该也是可以的,由于我的时间和条件都有限,没有实际测试,大家有时间再试试。
本文出自 “梅花香自苦寒来!” 博客,请务必保留此出处http://daixuan.blog.51cto.com/5426657/1774945
原文地址:http://daixuan.blog.51cto.com/5426657/1774945
