nginx 实现 HTTPS 转发的配置文件

人走茶凉 提交于 2020-02-27 02:30:13
# 使用 ssl 的站点,自动跳转和 https 站点的配置
# server {
#     listen 80;
#     server_name xxx.com www.xxx.com;

#     # 跳转到 https 站点
#     # rewrite ^(.*)$ https://$host$1 permanent;
#     return 301 https://$host$request_uri;
# }

# 部署 SSL
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name  ssl.xxx.com;

    # root /data/wwwroot/xxx;
    # index  index.html;

    # 做端口转发到 beego
    location /(css|js|fonts|img)/ {
        access_log off;
        expires 1d;    

        root "xxx/static"; # 该文件是你 beego 项目中的 static 静态文件路径
        try_files $uri @backend;
    }

    location / {
        try_files /_not_exists_ @backend;
    }

    location @backend {
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header Host            $http_host;

        proxy_pass http://127.0.0.1:8080;  #代理指向的 beego 项目地址
    }

    # 下面的配置重点参考 https://mozilla.github.io/server-side-tls/ssl-config-generator/
    ssl_certificate xxx/xxx.crt;
    ssl_certificate_key xxx/xxx.pem;
    ssl_session_timeout 1d;
    ssl_session_cache shared:MozSSL:10m;  # about 40000 sessions
    ssl_session_tickets off;

    # curl https://ssl-config.mozilla.org/ffdhe2048.txt > /path/to/dhparam.pem
    # ssl_dhparam /path/to/dhparam.pem; # 自己签发的证书要禁用这行

    # intermediate configuration
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers off;

    # HSTS (ngx_http_headers_module is required) (63072000 seconds)
    add_header Strict-Transport-Security "max-age=63072000" always;

    # OCSP stapling
    # ssl_stapling on;  # 自己签发的证书要禁用这两行,否则会出现 nginx: [warn] "ssl_stapling" ignored, issuer certificate not found for certificate
    # ssl_stapling_verify on;

    # verify chain of trust of OCSP response using Root CA and Intermediate certs
    # ssl_trusted_certificate /path/to/root_CA_cert_plus_intermediates; # 自己签发的证书要禁用这行

    # replace with the IP address of your resolver
    resolver 127.0.0.1;
}

注意,我在本地测试的时候使用的 XCA (http://hohnstaedt.de/xca) 自己签发的证书,配置文件中有几处不同已标记.

XCA如何签发证书请看 https://www.cnblogs.com/wangliangblog/p/8670762.html

标签
易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!