Nginx的https配置記錄以及http強制跳轉到https的方法梳理

1、Nginx安裝（略）
安裝的時候須要注意加上 --with-http_ssl_module，由於http_ssl_module不屬於Nginx的基本模塊。
Nginx安裝方法：

1 2	# ./configure --user=www --group=www --prefix=/usr/local/nginx --with-http_stub_status_module --with-http_ssl_module # make && make install

2、生成證書(略)
可使用openssl生成證書：
好比生成以下兩個證書文件（假設存放路徑爲/usr/local/nginx/cert/）：
wangshibo.crt
wangshibo.key

3、修改Nginx配置
server {
          listen 443;
          server_name www.wangshibo.com;
          root /var/www/vhosts/www.wangshibo.com/httpdocs/main/;

          ssl on;
          ssl_certificate /usr/local/nginx/cert/wangshibo.crt;
          ssl_certificate_key /usr/local/nginx/cert/wangshibo.key;
          ssl_session_timeout 5m;
          ssl_protocols SSLv2 SSLv3 TLSv1;
          ssl_ciphers HIGH:!aNULL:!MD5;                                            //或者是ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
          ssl_prefer_server_ciphers on;

          access_log /var/www/vhosts/www.wangshibo.com/logs/clickstream_ssl.log main;
          error_log /var/www/vhosts/www.wangshibo.com/logs/clickstream_error_ssl.log;

         if ($remote_addr !~ ^(124.165.97.144|133.110.186.128|133.110.186.88)) {           //對訪問的來源ip作白名單限制
                rewrite ^.*$ /maintence.php last;
         }

         location ~ \.php$ {
              fastcgi_pass 127.0.0.1:9000;
              fastcgi_read_timeout 300;
              fastcgi_index index.php;
              fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name;
             #include fastcgi_params;
             include fastcgi.conf;
         }
}

例如將全部的dev.wangshibo.com域名的http訪問強制跳轉到https。

     下面配置都可以實現：

 

配置1：

server {

     listen 80;

     server_name dev.wangshibo.com;

     index index.html index.php index.htm;

   

     access_log  /usr/local/nginx/logs/8080-access .log main;

     error_log  /usr/local/nginx/logs/8080-error .log;

     

     rewrite ^(.*)$  https: // $host$1 permanent;        // 這是ngixn早前的寫法，如今還可使用。

  

     location ~ / {

     root /var/www/html/8080 ;

     index index.html index.php index.htm;

     }

     }

 

-------------------------------------------------------

上面的跳轉配置rewrite ^(.*)$  https: // $host$1 permanent;

也能夠改成下面

rewrite ^/(.*)$ http: //dev .wangshibo.com/$1 permanent;

或者

rewrite ^ http: //dev .wangshibo.com$request_uri? permanent;

-------------------------------------------------------

 

配置2：

server {

     listen 80;

     server_name dev.wangshibo.com;

     index index.html index.php index.htm;

   

     access_log  /usr/local/nginx/logs/8080-access .log main;

     error_log  /usr/local/nginx/logs/8080-error .log;

 

     return      301 https: // $server_name$request_uri;      // 這是nginx最新支持的寫法

  

     location ~ / {

     root /var/www/html/8080 ;

     index index.html index.php index.htm;

     }

     }

 

 

配置3：這種方式適用於多域名的時候，即訪問wangshibo.com的http也會強制跳轉到https: //dev .wangshibo.com上面

server {

     listen 80;

     server_name dev.wangshibo.com wangshibo.com *.wangshibo.com;

     index index.html index.php index.htm;

   

     access_log  /usr/local/nginx/logs/8080-access .log main;

     error_log  /usr/local/nginx/logs/8080-error .log;

     

     if ($host ~* "^wangshibo.com$" ) {

     rewrite ^/(.*)$ https: //dev .wangshibo.com/ permanent;

     }

  

     location ~ / {

     root /var/www/html/8080 ;

     index index.html index.php index.htm;

     }

     }

 

 

配置4：下面是最簡單的一種配置

server {

     listen 80;

     server_name dev.wangshibo.com;

     index index.html index.php index.htm;

   

     access_log  /usr/local/nginx/logs/8080-access .log main;

     error_log  /usr/local/nginx/logs/8080-error .log;

     

     if ($host = "dev.wangshibo.com" ) {

        rewrite ^/(.*)$ http: //dev .wangshibo.com permanent;

     }

 

     location ~ / {

     root /var/www/html/8080 ;

     index index.html index.php index.htm;

     }

     }

---------------2、採用nginx的497狀態碼---------------------

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45

497 - normal request was sent to HTTPS  解釋：當網站只容許https訪問時，當用http訪問時nginx會報出497錯誤碼    思路： 利用error_page命令將497狀態碼的連接重定向到https: //dev .wangshibo.com這個域名上   配置實例： 以下訪問dev.wangshibo.com或者wangshibo.com的http都會被強制跳轉到https server {      listen 80;      server_name dev.wangshibo.com wangshibo.com *.wangshibo.com;      index index.html index.php index.htm;          access_log  /usr/local/nginx/logs/8080-access .log main;      error_log  /usr/local/nginx/logs/8080-error .log;            error_page 497  https: // $host$uri?$args;          location ~ / {      root /var/www/html/8080 ;      index index.html index.php index.htm;      }      }     也能夠將80和443的配置放在一塊兒： server {       listen       127.0.0.1:443;  #ssl端口       listen       127.0.0.1:80;   #用戶習慣用http訪問，加上80，後面經過497狀態碼讓它自動跳到443端口       server_name  dev.wangshibo.com;       #爲一個server{......}開啓ssl支持       ssl                  on;       #指定PEM格式的證書文件        ssl_certificate      /etc/nginx/wangshibo .pem;        #指定PEM格式的私鑰文件       ssl_certificate_key  /etc/nginx/wangshibo .key;               #讓http請求重定向到https請求        error_page 497  https: // $host$uri?$args;         location ~ / {      root /var/www/html/8080 ;      index index.html index.php index.htm;      }      }

---------------3、利用meta的刷新做用將http跳轉到https---------------------

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26

上述的方法均會耗費服務器的資源，能夠借鑑百度使用的方法：巧妙的利用meta的刷新做用，將http跳轉到https 能夠基於http: //dev .wangshibo.com的虛擬主機路徑下寫一個index.html，內容就是http向https的跳轉   將下面的內容追加到index.html首頁文件內 [root@localhost ~] # cat /var/www/html/8080/index.html <html>  <meta http-equiv= "refresh" content= "0;url=https://dev.wangshibo.com/" >  < /html >   [root@localhost ~] # cat /usr/local/nginx/conf/vhosts/test.conf server {      listen 80;      server_name dev.wangshibo.com wangshibo.com *.wangshibo.com;      index index.html index.php index.htm;          access_log  /usr/local/nginx/logs/8080-access .log main;      error_log  /usr/local/nginx/logs/8080-error .log;            #將404的頁面重定向到https的首頁       error_page  404 https: //dev .wangshibo.com/;           location ~ / {      root /var/www/html/8080 ;               index index.html index.php index.htm;      }      }

-----------------------------------------------------------------------------------------------------------------------------
下面是nginx反代tomcat，而且http強制跳轉至https。
訪問http://zrx.wangshibo.com和訪問http://172.29.34.33:8080/zrx/結果是同樣的

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47

[root@BJLX_34_33_V vhosts] # cat zrx.conf server {      listen 80;      server_name zrx.wangshibo.com;      index index.html index.php index.htm;           access_log  logs /access .log;      error_log   logs /error .log;         return      301 https: // $server_name$request_uri;                 location ~ / {      root /data/nginx/html ;      index index.html index.php index.htm;      }      }     [root@BJLX_34_33_V vhosts] # cat ssl-zrx.conf upstream tomcat8 {      server 172.29.34.33:8080 max_fails=3 fail_timeout=30s; }   server {     listen 443;     server_name zrx.wangshibo.com;     ssl on;       ### SSL log files ###     access_log logs /ssl-access .log;     error_log logs /ssl-error .log;   ### SSL cert files ###     ssl_certificate ssl /wangshibo .cer;          ssl_certificate_key ssl /wangshibo .key;       ssl_session_timeout 5m;       location / {     proxy_pass http: //tomcat8/zrx/ ;                                          proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;     proxy_set_header Host $host;     proxy_set_header X-Real-IP $remote_addr;     proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;     proxy_set_header X-Forwarded-Proto https;     proxy_redirect off; } }

---------------4、經過proxy_redirec方式---------------------

1 2 3

解決辦法： # re-write redirects to http as to https, example: /home proxy_redirect http: // https: // ;