Nginx的https配置記錄以及http強制跳轉到https的方法梳理

 

1、Nginx安裝（略）
安裝的時候須要注意加上 --with-http_ssl_module，由於http_ssl_module不屬於Nginx的基本模塊。
Nginx安裝方法：

# ./configure --user=www --group=www --prefix=/usr/local/nginx --with-http_stub_status_module --with-http_ssl_module # make && make install

2、生成證書(略)
可使用openssl生成證書：
可參考：http://www.cnblogs.com/kevingrace/p/5865501.html
好比生成以下兩個證書文件（假設存放路徑爲/usr/local/nginx/cert/）：
wangshibo.crt
wangshibo.key

3、修改Nginx配置
server {
          listen 443;
          server_name www.wangshibo.com;
          root /var/www/vhosts/www.wangshibo.com/httpdocs/main/;

          ssl on;
          ssl_certificate /usr/local/nginx/cert/wangshibo.crt;
          ssl_certificate_key /usr/local/nginx/cert/wangshibo.key;
          ssl_session_timeout 5m;
          ssl_protocols SSLv2 SSLv3 TLSv1;
          ssl_ciphers HIGH:!aNULL:!MD5;                                            //或者是ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
          ssl_prefer_server_ciphers on;

          access_log /var/www/vhosts/www.wangshibo.com/logs/clickstream_ssl.log main;
          error_log /var/www/vhosts/www.wangshibo.com/logs/clickstream_error_ssl.log;

         if ($remote_addr !~ ^(124.165.97.144|133.110.186.128|133.110.186.88)) {           //對訪問的來源ip作白名單限制
                rewrite ^.*$ /maintence.php last;
         }

         location ~ \.php$ {
              fastcgi_pass 127.0.0.1:9000;
              fastcgi_read_timeout 300;
              fastcgi_index index.php;
              fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name;
             #include fastcgi_params;
             include fastcgi.conf;
         }
}

------------------------------http訪問強制跳轉到https-----------------------------
網站添加了https證書後，當http方式訪問網站時就會報404錯誤，因此須要作http到https的強制跳轉設置.

 

---------------1、採用nginx的rewrite方法---------------------

1) 下面是將全部的http請求經過rewrite重寫到https上。 例如將全部的dev.wangshibo.com域名的http訪問強制跳轉到https。 下面配置都可以實現： 配置1： server { listen 80; server_name dev.wangshibo.com; index index.html index.php index.htm; access_log /usr/local/nginx/logs/8080-access.log main; error_log /usr/local/nginx/logs/8080-error.log; rewrite ^(.*)$  https://$host$1 permanent; //這是ngixn早前的寫法，如今還可使用。
 location ~ / { root /var/www/html/8080; index index.html index.php index.htm; } } ------------------------------------------------------- 上面的跳轉配置rewrite ^(.*)$  https://$host$1 permanent;
也能夠改成下面 rewrite ^/(.*)$ http://dev.wangshibo.com/$1 permanent;
或者 rewrite ^ http://dev.wangshibo.com$request_uri? permanent;
------------------------------------------------------- 配置2： server { listen 80; server_name dev.wangshibo.com; index index.html index.php index.htm; access_log /usr/local/nginx/logs/8080-access.log main; error_log /usr/local/nginx/logs/8080-error.log; return      301 https://$server_name$request_uri; //這是nginx最新支持的寫法
 location ~ / { root /var/www/html/8080; index index.html index.php index.htm; } } 配置3：這種方式適用於多域名的時候，即訪問wangshibo.com的http也會強制跳轉到https://dev.wangshibo.com上面
server { listen 80; server_name dev.wangshibo.com wangshibo.com *.wangshibo.com; index index.html index.php index.htm; access_log /usr/local/nginx/logs/8080-access.log main; error_log /usr/local/nginx/logs/8080-error.log; if ($host ~* "^wangshibo.com$") { rewrite ^/(.*)$ https://dev.wangshibo.com/ permanent;
 } location ~ / { root /var/www/html/8080; index index.html index.php index.htm; } } 配置4：下面是最簡單的一種配置 server { listen 80; server_name dev.wangshibo.com; index index.html index.php index.htm; access_log /usr/local/nginx/logs/8080-access.log main; error_log /usr/local/nginx/logs/8080-error.log; if ($host = "dev.wangshibo.com") { rewrite ^/(.*)$ http://dev.wangshibo.com permanent;
 } location ~ / { root /var/www/html/8080; index index.html index.php index.htm; } }

---------------2、採用nginx的497狀態碼---------------------

497 - normal request was sent to HTTPS 解釋：當網站只容許https訪問時，當用http訪問時nginx會報出497錯誤碼 思路： 利用error_page命令將497狀態碼的連接重定向到https://dev.wangshibo.com這個域名上
 配置實例： 以下訪問dev.wangshibo.com或者wangshibo.com的http都會被強制跳轉到https server { listen 80; server_name dev.wangshibo.com wangshibo.com *.wangshibo.com; index index.html index.php index.htm; access_log /usr/local/nginx/logs/8080-access.log main; error_log /usr/local/nginx/logs/8080-error.log; error_page 497  https://$host$uri?$args; 
 location ~ / { root /var/www/html/8080; index index.html index.php index.htm; } } 也能夠將80和443的配置放在一塊兒： server { listen 127.0.0.1:443; #ssl端口 listen 127.0.0.1:80; #用戶習慣用http訪問，加上80，後面經過497狀態碼讓它自動跳到443端口 server_name dev.wangshibo.com; #爲一個server{......}開啓ssl支持 ssl on; #指定PEM格式的證書文件 ssl_certificate /etc/nginx/wangshibo.pem; #指定PEM格式的私鑰文件 ssl_certificate_key /etc/nginx/wangshibo.key; #讓http請求重定向到https請求 error_page 497  https://$host$uri?$args; 
 location ~ / { root /var/www/html/8080; index index.html index.php index.htm; } }

---------------3、利用meta的刷新做用將http跳轉到https---------------------

上述的方法均會耗費服務器的資源，能夠借鑑百度使用的方法：巧妙的利用meta的刷新做用，將http跳轉到https 能夠基於http://dev.wangshibo.com的虛擬主機路徑下寫一個index.html，內容就是http向https的跳轉
 將下面的內容追加到index.html首頁文件內 [root@localhost ~]# cat /var/www/html/8080/index.html <html> 
<meta http-equiv="refresh" content="0;url=https://dev.wangshibo.com/"> 
</html> [root@localhost ~]# cat /usr/local/nginx/conf/vhosts/test.conf server { listen 80; server_name dev.wangshibo.com wangshibo.com *.wangshibo.com; index index.html index.php index.htm; access_log /usr/local/nginx/logs/8080-access.log main; error_log /usr/local/nginx/logs/8080-error.log; #將404的頁面重定向到https的首頁 error_page 404 https://dev.wangshibo.com/; 
 location ~ / { root /var/www/html/8080; index index.html index.php index.htm; } }

-----------------------------------------------------------------------------------------------------------------------------
下面是nginx反代tomcat，而且http強制跳轉至https。
訪問http://zrx.wangshibo.com和訪問http://172.29.34.33:8080/zrx/結果是同樣的

[root@BJLX_34_33_V vhosts]# cat zrx.conf server { listen 80; server_name zrx.wangshibo.com; index index.html index.php index.htm; access_log logs/access.log; error_log logs/error.log; return      301 https://$server_name$request_uri; 
 location ~ / { root /data/nginx/html; index index.html index.php index.htm; } } [root@BJLX_34_33_V vhosts]# cat ssl-zrx.conf upstream tomcat8 { server 172.29.34.33:8080 max_fails=3 fail_timeout=30s; } server { listen 443; server_name zrx.wangshibo.com; ssl on; ### SSL log files ### access_log logs/ssl-access.log; error_log logs/ssl-error.log; ### SSL cert files ### ssl_certificate ssl/wangshibo.cer; ssl_certificate_key ssl/wangshibo.key; ssl_session_timeout 5m; location / { proxy_pass http://tomcat8/zrx/; 
 proxy_next_upstream error timeout invalid_header http_500 http_502 http_503; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto https; proxy_redirect off; } }

---------------4、經過proxy_redirec方式---------------------

解決辦法： # re-write redirects to http as to https, example: /home proxy_redirect http:// https://;