二級域名帶ssl證書代理
在nginx配置文件中,增加代理服務的配置
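# HTTPS reverse proxy for the second-level domain api.dshvv.com.
# TLS terminates in nginx; requests are then forwarded as plain HTTP to a
# backend listening on the loopback interface, port 7777.
server {
    listen 443 ssl;              # HTTPS port; omitting "ssl" here may prevent nginx from starting
    server_name api.dshvv.com;   # second-level domain handled by this block

    root html;
    index index.html index.htm;

    # Certificate and private key: replace with your own file names.
    # The certificate must list api.dshvv.com among its names, otherwise
    # clients report it as invalid. Keep the key file readable only by the
    # account that starts nginx.
    ssl_certificate     /home/ssl/dshvv.pem;
    ssl_certificate_key /home/ssl/dshvv.key;
    ssl_session_timeout 5m;

    # TLS 1.0 and 1.1 are deprecated (RFC 8996), so only 1.2 and 1.3 are offered.
    # TLSv1.3 needs nginx 1.13.0+ built against OpenSSL 1.1.1+; on an older
    # build list TLSv1.2 alone.
    ssl_protocols TLSv1.2 TLSv1.3;

    # Forward-secret AEAD suites only. The previous list also admitted the
    # broad ECDH / AES / HIGH groups, which include CBC-mode and static-key
    # exchange suites. This directive governs TLS 1.2; TLS 1.3 suites come
    # from the OpenSSL defaults.
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers on;

    location / {
        proxy_pass http://127.0.0.1:7777;   # backend address

        proxy_set_header Host $host;
        # X-Real-IP is set by nginx from the TCP peer address.
        proxy_set_header X-Real-IP $remote_addr;
        # $proxy_add_x_forwarded_for appends the peer address to whatever
        # X-Forwarded-For the client sent, so the backend should trust only
        # the last entry (or X-Real-IP), never the first.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Port $server_port;
    }
}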
意思是:遇到 api.dshvv.com 的請求時,將其代理至本機 7777 端口上的服務。
需要注意的是,需要在域名服務上,開啟二級域名的解析


普通二級域名配置
因為ssl證書是針對一級域名的,二級域名使用它時會提示證書無效的風險,但是不影響使用;也就是說,二級域名用https請求會提示ssl證書無效
阿里有通配子域名的證書,但是要花錢,每年1-2k,還是算了。但是我們可以為每個域名分別申請證書,這是免費的
如果二級域名不配置證書,代理可以做如下新增
# Plain-HTTP reverse proxy for api.dshvv.com (no certificate configured).
# Everything sent through this listener, including any credentials or
# tokens, travels unencrypted between the client and nginx.
server {
    listen 80;
    server_name api.dshvv.com;   # second-level domain handled by this block

    index index.html index.htm;
    root html;

    location / {
        # Headers passed on to the backend. X-Forwarded-For is the
        # client-supplied value with the peer address appended, so only its
        # last entry (or X-Real-IP) is set by nginx itself.
        proxy_set_header X-Forwarded-Port $server_port;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;

        proxy_pass http://127.0.0.1:7777;   # backend address
    }
}
當然最好還是都加上,兩種配置都寫上,這樣使用的時候有的選擇
最優方案
1、配置兩個域名證書
2、同時支持http和https
以下是最終的配置文件
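# Complete nginx.conf: the main site and api.dshvv.com, each served over
# both HTTPS (port 443) and plain HTTP (port 80).

#user  nobody;
worker_processes 1;

#error_log  logs/error.log;
#error_log  logs/error.log  notice;
#error_log  logs/error.log  info;

#pid        logs/nginx.pid;

events {
    worker_connections 1024;
}

http {
    include mime.types;
    default_type application/octet-stream;

    #log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
    #                  '$status $body_bytes_sent "$http_referer" '
    #                  '"$http_user_agent" "$http_x_forwarded_for"';

    #access_log  logs/access.log  main;

    sendfile on;
    #tcp_nopush     on;

    #keepalive_timeout  0;
    keepalive_timeout 65;

    #gzip  on;

    # Shared TLS policy, inherited by every "listen ... ssl" server below so
    # the two HTTPS hosts cannot drift apart.
    ssl_session_timeout 5m;
    # TLS 1.0 and 1.1 are deprecated (RFC 8996), so only 1.2 and 1.3 are offered.
    # TLSv1.3 needs nginx 1.13.0+ built against OpenSSL 1.1.1+; on an older
    # build list TLSv1.2 alone.
    ssl_protocols TLSv1.2 TLSv1.3;
    # Forward-secret AEAD suites only. The previous list also admitted the
    # broad ECDH / AES / HIGH groups, which include CBC-mode and static-key
    # exchange suites. This directive governs TLS 1.2; TLS 1.3 suites come
    # from the OpenSSL defaults.
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers on;

    # Main site over HTTPS.
    server {
        listen 443 ssl;          # HTTPS port; omitting "ssl" here may prevent nginx from starting
        server_name localhost;   # change localhost to the domain the certificate is bound to, e.g. www.example.com

        root html;
        index index.html index.htm;

        # Certificate and private key: replace with your own file names.
        # Keep the key file readable only by the account that starts nginx.
        ssl_certificate     /home/ssl/dshvv.com_nginx/cert.pem;
        ssl_certificate_key /home/ssl/dshvv.com_nginx/cert.key;

        location / {
            root html;           # site document root
            index index.html index.htm;
        }
    }

    # api.dshvv.com over HTTPS: TLS terminates here and requests are
    # forwarded as plain HTTP to the backend on loopback port 7777.
    server {
        listen 443 ssl;              # HTTPS port; omitting "ssl" here may prevent nginx from starting
        server_name api.dshvv.com;   # second-level domain

        root html;
        index index.html index.htm;

        # Separate certificate issued for api.dshvv.com.
        ssl_certificate     /home/ssl/api.dshvv.com_nginx/cert.pem;
        ssl_certificate_key /home/ssl/api.dshvv.com_nginx/cert.key;

        location / {
            proxy_pass http://127.0.0.1:7777;   # backend address

            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            # $proxy_add_x_forwarded_for appends the peer address to whatever
            # X-Forwarded-For the client sent, so the backend should trust
            # only the last entry (or X-Real-IP), never the first.
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header X-Forwarded-Port $server_port;
        }
    }

    # Main site over plain HTTP.
    server {
        listen 80;
        server_name localhost;

        #charset koi8-r;

        #access_log  logs/host.access.log  main;

        location / {
            root html;
            index index.html index.htm;
        }

        #error_page  404              /404.html;

        # redirect server error pages to the static page /50x.html
        #
        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
            root html;
        }

        # proxy the PHP scripts to Apache listening on 127.0.0.1:80
        #
        #location ~ \.php$ {
        #    proxy_pass   http://127.0.0.1;
        #}

        # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
        #
        #location ~ \.php$ {
        #    root           html;
        #    fastcgi_pass   127.0.0.1:9000;
        #    fastcgi_index  index.php;
        #    fastcgi_param  SCRIPT_FILENAME  /scripts$fastcgi_script_name;
        #    include        fastcgi_params;
        #}

        # deny access to .htaccess files, if Apache's document root
        # concurs with nginx's one
        #
        #location ~ /\.ht {
        #    deny  all;
        #}
    }

    # api.dshvv.com over plain HTTP. Kept so that both schemes work, but
    # anything sent through this listener (including credentials or tokens)
    # is unencrypted between the client and nginx. To force HTTPS instead,
    # replace the location block with:
    #     return 301 https://$host$request_uri;
    server {
        listen 80;
        server_name api.dshvv.com;   # second-level domain

        root html;
        index index.html index.htm;

        location / {
            proxy_pass http://127.0.0.1:7777;   # backend address

            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            # Client-supplied value with the peer address appended; the
            # backend should trust only the last entry.
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header X-Forwarded-Port $server_port;
        }
    }

    # another virtual host using mix of IP-, name-, and port-based configuration
    #
    #server {
    #    listen       8000;
    #    listen       somename:8080;
    #    server_name  somename  alias  another.alias;

    #    location / {
    #        root   html;
    #        index  index.html index.htm;
    #    }
    #}

    # HTTPS server
    #
    #server {
    #    listen       443 ssl;
    #    server_name  localhost;

    #    ssl_certificate      cert.pem;
    #    ssl_certificate_key  cert.key;

    #    ssl_session_cache    shared:SSL:1m;
    #    ssl_session_timeout  5m;

    #    ssl_ciphers  HIGH:!aNULL:!MD5;
    #    ssl_prefer_server_ciphers  on;

    #    location / {
    #        root   html;
    #        index  index.html index.htm;
    #    }
    #}
}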
