nginx配置80端口轉發到443

1.0 前提

nginx的https協議需要ssl模塊的支持，我們在編譯nginx時使用–with-http_ssl_module參數加入SSL模塊。還需要服務器私鑰，服務器證書，如果是公司對外環境，這個證書需要購買第三方的權威證書，否則用戶體驗得不到保障；

注意：如果你購買的是第三方服務證書,那么只需要參考1.3-1.4的配置信息即可完整企業ssl配置實踐。

1.1檢查Nginx的SSL模塊是否安裝

[root@web-node1 ~]# /application/nginx/sbin/nginx -V

nginx version: nginx/1.6.3

built by gcc 4.4.7 20120313 (Red Hat 4.4.7-16) (GCC)

TLS SNI support enabled

configure arguments: –prefix=/application/nginx-1.6.3 –user=nginx –group=nginx –with-http_ssl_module –with-http_stub_status_module

1.2准備私鑰和證書

1.2.1創建服務器私鑰

[root@web-node1 ~]# cd /application/nginx/conf/
[root@web-node1 conf]# mkdir key
[root@web-node1 conf]# cd key/
[root@web-node1 key]# openssl genrsa -des3 -out server.key 1024
Generating RSA private key, 1024 bit long modulus
..++++++
…++++++
e is 65537 (0x10001)
Enter pass phrase for server.key:       ##輸入一個密碼
Verifying – Enter pass phrase for server.key:  ##再次輸入

1.2.2簽發證書

[root@web-node1 key]# openssl req -new -key server.key -out server.csr
Enter pass phrase for server.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ‘.’, the field will be left blank.
—–
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:BJ
Locality Name (eg, city) [Default City]:BJ
Organization Name (eg, company) [Default Company Ltd]:SDU
Organizational Unit Name (eg, section) []:SA
Common Name (eg, your name or your server’s hostname) []:XuBuSi
Email Address []:xubusi@xuliangwei.com

Please enter the following ‘extra’ attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

1.2.3刪除服務器私鑰口令

[root@web-node1 key]# cp server.key server.key.ori
[root@web-node1 key]# openssl rsa -in server.key.ori -out server.key
Enter pass phrase for server.key.ori:
writing RSA key

1.2.4生成使用簽名請求證書和私鑰生成自簽證書

[root@web-node1 key]# openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
Signature ok
subject=/C=CN/ST=BJ/L=BJ/O=SDU/OU=SA/CN=XuBuSi/emailAddress=xubusi@xuliangwei.com
Getting Private key

1.3開啟Nginx SSL

server {
​
server_name www.123.com;
​
listen       80;
​
rewrite ^(.*) https://$server_name$1 permanent;
}
​
server {
listen 443;
​
server_name www.123.com;
​
ssl on;
​
ssl_certificate key/server.crt;
​
ssl_certificate_key key/server.key;
​
​
​
location / {
​
root  /application/nginx-1.6.2/html/;   ##nginx的默認目錄
​
index  index.html index.htm index.php;
​
​
}
​
}

把80端口的訪問自動轉到443端口

1.4 最后重啟nginx服務

/application/nginx/sbin/nginx -s reload
查看端口

netstat -lnp | grep nginx
tcp        0      0 0.0.0.0:80                  0.0.0.0:*                   LISTEN      8342/nginx
tcp        0      0 0.0.0.0:443                 0.0.0.0:*                   LISTEN      8342/nginx