Enabling HTTPS in Nginx

Add a new server block to nginx.conf:

    server {
        listen 443;
        server_name www.some.com;
        ssl on;
        ssl_certificate sslkey/some.com.crt;
        ssl_certificate_key sslkey/some.com.key;
        ssl_session_timeout 5m;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers ALL:!DH:!EXPORT:!RC4:+HIGH:+MEDIUM:-LOW:!aNULL:!eNULL;
        ssl_prefer_server_ciphers on;

        location / {
            proxy_pass http://tomcat_www;
        }
        access_log logs/www-ssl.access.log main;
    }

For requests on port 80 that must be forcibly redirected, use:

    server {
        listen       80;
        server_name www.some.com;
        location / {
            root   /var/www/html;
            index  index.html; # meta jump to https
        }
        access_log logs/www.access.log main;
    }

index.html contains:

<html>
<meta http-equiv="refresh" content="0;url=https://www.some.com/">
</html>

Other redirect approaches. Approach 1:

    server {
        listen  192.168.1.111:80;
        server_name test.com;

        rewrite ^(.*)$  https://$host$1 permanent;
    }

Approach 2:

    server {
        listen       192.168.1.11:443;  # ssl port
        listen       192.168.1.11:80;   # users are used to http, so also listen on 80; the 497 status below sends them on to port 443
        server_name  test.com;
        # enable ssl for this server{...} block
        ssl                  on;
        # certificate file in PEM format
        ssl_certificate      /etc/nginx/test.pem;
        # private key file in PEM format
        ssl_certificate_key  /etc/nginx/test.key;

        # redirect http requests to https
        error_page 497  https://$host$uri?$args;
    }

A shell script that uses openssl to generate certificates for nginx:

#!/bin/bash
# bash rather than sh: "read -p" is a bash option and fails under dash as /bin/sh

# Preparing directories and files (the layout "openssl ca" expects by default)
mkdir -p demoCA/private
mkdir -p demoCA/newcerts
touch demoCA/index.txt
# the serial counter starts at 01; plain echo, so no extra blank line ends up in the file
echo "01" > demoCA/serial

read -p "Enter your Organization [RockBB]: " ORGANIZATION
read -p "Enter your Organization Unit [Board]: " ORGANIZATION_UNIT
read -p "Enter your domain [www.example.com]: " DOMAIN
read -p "Enter your client name [client]: " CLIENT_NAME
read -p "Enter your p12 password [111111]: " PASSWORD
# apply the defaults shown in the prompts when the user just presses Enter
ORGANIZATION=${ORGANIZATION:-RockBB}
ORGANIZATION_UNIT=${ORGANIZATION_UNIT:-Board}
DOMAIN=${DOMAIN:-www.example.com}
CLIENT_NAME=${CLIENT_NAME:-client}
PASSWORD=${PASSWORD:-111111}
SUBJECT="/C=CN/ST=Beijing/L=Chaoyang/O=$ORGANIZATION/OU=$ORGANIZATION_UNIT/CN=$DOMAIN"
echo ""
echo "create self-signed certificate:"
# create the CA private key
openssl genrsa -out demoCA/private/cakey.pem 2048
# self-signed CA certificate
openssl req -new -subj "$SUBJECT" -x509 -key demoCA/private/cakey.pem -out demoCA/cacert.pem -days 3655

echo ""
echo "create server certificate:"
# 1024-bit RSA keys are below the 2048-bit minimum that current clients expect
openssl genrsa -out "$DOMAIN.key" 1024
openssl req -new -subj "$SUBJECT" -key "$DOMAIN.key" -out "$DOMAIN.csr"
# the option is "-days 3650", not "-days=3650"
openssl ca -in "$DOMAIN.csr" -out "$DOMAIN.crt" -days 3650

echo ""
echo "create client certificate"
SUBJECT_CLIENT="/C=CN/ST=Beijing/L=Chaoyang/O=$ORGANIZATION/OU=$ORGANIZATION_UNIT/CN=$CLIENT_NAME"
openssl genrsa -out "$DOMAIN.client.key" 1024
openssl req -new -subj "$SUBJECT_CLIENT" -key "$DOMAIN.client.key" -out "$DOMAIN.client.csr"
openssl ca -batch -in "$DOMAIN.client.csr" -out "$DOMAIN.client.crt" -days 3650
# bundle the client certificate and key as PKCS#12 for browser import (the option is "-password")
openssl pkcs12 -export -clcerts -in "$DOMAIN.client.crt" -inkey "$DOMAIN.client.key" -out "$DOMAIN.client.p12" -password "pass:$PASSWORD"

echo ""
echo "Update the Nginx configuration:"

# print the reference configuration (quoted here-document, so the $variables are left as-is)
cat <<'END'
upstream tomcat_admin {
    server 10.1.1.3:8080;
}
server {
    listen       80;
    server_name www.rockbb.com;
    location / {
        rewrite ^(.*)$ https://$host$1 permanent;
    }
    access_log logs/www.access.log main;
}
server {
    listen       443;
    server_name www.rockbb.com;
    ssl on;
    ssl_certificate sslkey/www.rockbb.com.crt;
    ssl_certificate_key sslkey/www.rockbb.com.key;
    ssl_client_certificate sslkey/www.rockbb.com.cacert.pem;
    ssl_session_timeout 5m;
    ssl_verify_client on;
    ssl_protocols SSLv2 SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ALL:!DH:!EXPORT:!RC4:+HIGH:+MEDIUM:-LOW:!aNULL:!eNULL;
    ssl_prefer_server_ciphers on;

    location / {
        proxy_pass http://tomcat_admin;
        proxy_redirect http:// $scheme://;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header REMOTE-HOST $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
    access_log logs/www-ssl.access.log main;
}
END

If you need to start over while generating, just delete the demoCA directory and the other generated files alongside it.

If a certificate that was generated a second time with the same parameters is installed into the browser again, an error like this appears:

An error occurred during a connection to internal.yihuicai.cn. You have received an invalid certificate. Please contact the server administrator or email correspondent and give them the following information: Your certificate contains the same serial number as another certificate issued by the certificate authority. Please get a new certificate containing a unique serial number. Error code: SEC_ERROR_REUSED_ISSUER_AND_SERIAL

This is caused by the browser's old certificate not having been cleared completely: besides the "Your Certificates" section, it also has to be removed under the server certificates section.
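The collision happens because every re-created demoCA starts its serial file at 01 under the same issuer name. The script below is an added example, not part of the original post: it signs with openssl x509 -req and a random 128-bit serial instead of openssl ca, so two CAs built with the same subject can never issue the same issuer+serial pair; the organisation, CN and working directory are constructed.

```shell
#!/bin/sh
# Added example: issue a server cert with a random serial so that re-creating the
# CA never yields a second cert with the same issuer and serial. Organisation, CN
# and working directory are constructed for the demonstration.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# make_ca <dir>: self-signed CA key and cert (req -x509 already randomises its serial)
make_ca() {
    dir="$1"
    mkdir -p "$dir"
    openssl genrsa -out "$dir/cakey.pem" 2048 2>/dev/null
    openssl req -new -x509 -key "$dir/cakey.pem" -out "$dir/cacert.pem" -days 3650 \
        -subj "/C=CN/ST=Beijing/L=Chaoyang/O=ExampleOrg/CN=Example Root CA" 2>/dev/null
}

# issue_cert <cadir> <domain>: CSR, then sign it with a fresh 128-bit random serial;
# prints the path of the signed certificate
issue_cert() {
    dir="$1"; domain="$2"
    openssl genrsa -out "$dir/$domain.key" 2048 2>/dev/null
    openssl req -new -key "$dir/$domain.key" -out "$dir/$domain.csr" \
        -subj "/C=CN/ST=Beijing/L=Chaoyang/O=ExampleOrg/CN=$domain" 2>/dev/null
    serial="0x$(openssl rand -hex 16)"
    openssl x509 -req -in "$dir/$domain.csr" -CA "$dir/cacert.pem" \
        -CAkey "$dir/cakey.pem" -set_serial "$serial" -days 825 \
        -out "$dir/$domain.crt" 2>/dev/null
    echo "$dir/$domain.crt"
}

# cert_serial <crt>: the hex serial as openssl prints it, without the "serial=" prefix
cert_serial() {
    openssl x509 -noout -serial -in "$1" | sed 's/^serial=//'
}

# cert_issuer <crt>: the issuer DN line, used to show two re-created CAs look identical
cert_issuer() {
    openssl x509 -noout -issuer -in "$1"
}

# cert_verifies <crt> <cacert>: exit status 0 when the cert chains to the given CA
cert_verifies() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}
```

Building the CA twice with the same subject reproduces the page's scenario: the issuer lines match, but the serials differ, so a browser that still holds the first certificate does not report SEC_ERROR_REUSED_ISSUER_AND_SERIAL.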


Here proxy_redirect http:// $scheme://; makes the redirects coming back from the upstream tomcat use the visitor's scheme (https), so that a Java application that sees the wrong scheme in the request does not send the client to an http URL.

Update 2017-02-03: when a commercial certificate and a self-signed certificate are used on the same server at the same time, Android clients got the error java.security.cert.CertPathValidatorException: Trust anchor for certification path not found. The fix:

On the command line, check whether the certificate is correct:

# subject and issuer only (stdin from /dev/null so s_client does not wait for input)
openssl s_client -connect app.somedomain.cn:443 </dev/null | openssl x509 -noout -subject -issuer
# full details
openssl s_client -debug -connect app.somedomain.cn:443 </dev/null

If the certificate shown in the output above is the self-signed one, or you see verify error:num=21:unable to verify the first certificate, the commercial certificate is not in effect. The fix is to also set the certificate for the corresponding IP in nginx to the commercial certificate, and to give the application that used to be accessed directly by IP a new second-level domain to be accessed through.
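A script for the check described above, added here and not part of the original post: it classifies s_client output (self-signed, unverified, ok) and can probe a host both with SNI and without it, which is what a client connecting by IP address does and so receives nginx's default certificate for that IP. The s_client sample lines are constructed; app.somedomain.cn is the page's placeholder host, and the -noservername option assumes OpenSSL 1.1.1 or newer.

```shell
#!/bin/sh
# Added example (not from the original post). Sample outputs below are constructed.

# classify_s_client: read "openssl s_client" output on stdin and print one word:
#   self-signed  subject equals issuer (nginx served the self-signed cert)
#   unverified   "verify error:num=21" (cert not chained to a trusted CA)
#   ok           chain verified
#   unknown      none of the above lines found
classify_s_client() {
    out=$(cat)
    subj=$(printf '%s\n' "$out" | sed -n 's/^subject=//p' | head -n 1)
    iss=$(printf '%s\n' "$out" | sed -n 's/^issuer=//p' | head -n 1)
    if [ -n "$subj" ] && [ "$subj" = "$iss" ]; then
        echo self-signed
    elif printf '%s\n' "$out" | grep -q '^verify error:num=21:'; then
        echo unverified
    elif printf '%s\n' "$out" | grep -q 'Verify return code: 0 (ok)'; then
        echo ok
    else
        echo unknown
    fi
}

# probe <host> <port> <servername|->: "-" sends no SNI, as an IP-only client does.
# Needs network access (-noservername needs OpenSSL 1.1.1+), so the offline
# sample run below does not call it.
probe() {
    if [ "$3" = "-" ]; then
        openssl s_client -connect "$1:$2" -noservername </dev/null 2>&1
    else
        openssl s_client -connect "$1:$2" -servername "$3" </dev/null 2>&1
    fi | classify_s_client
}

# Constructed samples of the lines s_client prints in each situation
SAMPLE_SELF_SIGNED='verify error:num=18:self signed certificate
---
subject=CN = app.somedomain.cn
issuer=CN = app.somedomain.cn
    Verify return code: 18 (self signed certificate)'
SAMPLE_UNVERIFIED='verify error:num=21:unable to verify the first certificate
---
subject=CN = app.somedomain.cn
issuer=C = US, O = Example Commercial CA
    Verify return code: 21 (unable to verify the first certificate)'
SAMPLE_OK='---
subject=CN = app.somedomain.cn
issuer=C = US, O = Example Commercial CA
    Verify return code: 0 (ok)'
```

Running probe against the same host once with the domain as servername and once with "-" shows directly whether the IP's default server block still carries the self-signed certificate.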

Update 2019-06-28: for a Jenkins server mapped to the public network through an upstream, with source port 8080 and public port 6443, even though the URL including the port had been configured in Jenkins, the login and logout redirects still went to the URL without the port. After various attempts it turned out that the nginx configuration was not passing the source port on to the upstream: when setting proxy_set_header Host, the port information must be appended as $host:$server_port, as follows:

  location /jenkins/ {
    proxy_pass http://jenkins_main;
    #proxy_set_header Host $host;
    proxy_set_header Host $host:$server_port;
    proxy_redirect http:// $scheme://;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header REMOTE-HOST $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_intercept_errors on;
  }


Enabling HTTP/2 in Nginx

Reference: https://www.nginx.com/blog/nginx-1-9-5/

To enable http2 in nginx, ssl must already be enabled; after that, just add the http2 parameter to the listen directive and reload.

server {
  listen       443 ssl http2;
  server_name www.aa.cn;
  ssl_certificate sslkey/aa.cn_bundle.crt.201806;
  ssl_certificate_key sslkey/aa.cn.key.201806;
  ssl_session_timeout 5m;
  ...

There is one catch here: if you have configured several virtual servers that all correspond to the same IP+port, enabling http2 on one of them also enables http2 on the other virtual servers for that IP+port. The explanation is given here: https://stackoverflow.com/questions/40987592/can-i-enable-http-2-for-specific-server-blocks-virtual-hosts-only-on-nginx

When starting, nginx first creates a separate process for every group of virtual hosts that listen on the same IP:port combination, and then sets the capabilities of that process to be the sum of all capabilities of every virtual host in that group handled by said process.

In your case, there's only one process that handles all the virtual hosts bound to *:443, so the process includes the http2 capability.

In order to achieve what you want, you need to make nginx spawn a different process that doesn't have the http2 capability on a separate IP:port combination.

For the virtual hosts you want to be accessed via http2, you must either:

use a different port - trivial, just use another port for them (e.g. listen 8443 ssl http2;) and remove http2 from all the others (e.g. listen 443 ssl;)

use a different IP - you need to add another IP to the same NIC that uses your current IP and modify your virtual hosts accordingly (e.g. listen new_ip:443 ssl http2; and listen current_ip:443 ssl; respectively)
