[TOC]
Configuring SSL in NGINX
Author: danny.pang
Date: 2019-07-05
Email: maduar@163.com
Local testing

1. Configure the hosts file - add one entry

```text
127.0.0.1 www.example.com
```
2. Start the service

```text
➜ myapp node app.js
Example app listening on port 3000!
```
3. Configure nginx

```nginx
server {
    listen 80;
    server_name www.example.com;
    location / {
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $host:$server_port;
        proxy_pass http://localhost:3000;
    }
}
```
Test nginx

```text
➜ myapp curl www.example.com
Hello World!%
```
4. Generate test pem files
5. Configure SSL in nginx

- Add the 443 configuration

```nginx
server {
    listen 443 ssl;
    server_name www.example.com;
    # certificate
    ssl_certificate /Users/maduar/demo/node/myapp/cert/cacert.pem;
    # certificate key
    ssl_certificate_key /Users/maduar/demo/node/myapp/cert/privkey.pem;
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 5m;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    # note: TLSv1 and TLSv1.1 are deprecated (RFC 8996); production servers should offer only TLSv1.2 and TLSv1.3
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    location / {
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $host:$server_port;
        proxy_pass http://localhost:3000;
    }
}
```

- Redirect http to port 443

```nginx
server {
    listen 80;
    server_name www.example.com;
    rewrite ^/(.*)$ https://$host:443/$1 permanent;
}
```
6. Test
7. Summary of problems

- Troubleshooting - check the access.log and error.log files
  - access.log: verify that the runtime configuration is correct
  - error.log: look for errors
- Port already in use

```text
nginx: [emerg] bind() to 0.0.0.0:80 failed (98: Address already in use)
```

- Certificate errors
  - crt and key merged incorrectly

```text
PEM_read_bio:bad end line
```

  - Wrong certificate path: absolute paths are recommended
- Verifying the production certificate: decode the pem file, check the certificate's validity dates, and check that the hostname is configured correctly
8. Notes on some issues

- http defaults to port 80, https to port 443
  http://www.example.com is the same as http://www.example.com:80; https://www.example.com is the same as https://www.example.com:443
- DNS pointing
  - Configure nginx on the server first
  - server_name can point to the server's local IP
  - Use $host in the http rewrite, not a hardcoded address
  - Once nginx on the server is configured and tested, simply point DNS at it
9. Simplified configuration: ports 80 and 443 sharing one server block

```nginx
server {
    # one server block serving both ports
    listen 80;
    listen 443 ssl;
    server_name www.example.com;
    # the remaining settings (ssl_certificate, ssl_certificate_key, ...) are the same as in the 443 configuration
    # ...
}
```
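The pitfalls from sections 7 to 9 (certificate paths that should be absolute, a redirect that should use $host, an ssl listener that must carry its certificate directives, and the legacy TLS versions in the sample config) can be caught before `nginx -t` ever runs. The following is an added example, not code from the original post: a small stdlib-only nginx config parser with checks for exactly those points, run over a constructed config that reproduces the mistakes.

```python
# Added example, not from the original post: static checks for the nginx SSL pitfalls this article lists.
import re

# Constructed sample: the step-9 server without ssl_certificate, a relative key path, legacy TLS, hardcoded redirect host.
SAMPLE = """
server { listen 80; server_name www.example.com; rewrite ^/(.*)$ https://www.example.com/$1 permanent; }
server { listen 80; listen 443 ssl; server_name www.example.com; ssl_certificate_key cert/privkey.pem;
         ssl_protocols TLSv1 TLSv1.1 TLSv1.2; location / { proxy_pass http://localhost:3000; } }
"""

def parse(text):
    """Parse nginx config text into nested (name, args, children) tuples."""
    tokens = re.findall(r"[{};]|[^\s{};]+", re.sub(r"#[^\n]*", "", text))
    pos = 0
    def block():
        nonlocal pos
        items = []
        while pos < len(tokens) and tokens[pos] != "}":
            words = []
            while tokens[pos] not in ("{", ";"):
                words.append(tokens[pos]); pos += 1
            pos += 1                      # consume ';' or '{'
            kids = None
            if tokens[pos - 1] == "{":
                kids = block(); pos += 1  # consume the matching '}'
            items.append((words[0], words[1:], kids))
        return items
    return block()

def check_server(srv):
    """Findings for one server block, following the article's advice."""
    d = {}
    for name, args, _ in srv: d.setdefault(name, []).append(args)
    out = []
    if any("ssl" in a for a in d.get("listen", [])):        # TLS listener present
        for key in ("ssl_certificate", "ssl_certificate_key"):
            path = d.get(key, [[""]])[0][0]
            if not path.startswith("/"):                    # article: use absolute paths
                out.append(f"{key} {'missing' if not path else 'is not an absolute path'}")
    for args in d.get("ssl_protocols", []):                 # TLSv1/TLSv1.1 deprecated (RFC 8996)
        out += [f"deprecated protocol {p}" for p in ("SSLv3", "TLSv1", "TLSv1.1") if p in args]
    for args in d.get("rewrite", []):                       # article: use $host in the redirect
        if len(args) > 1 and args[1].startswith("https://") and "$host" not in args[1]:
            out.append("https redirect hardcodes the host; use $host")
    return out

def audit(text):
    """Return [(server_name, findings)] for each top-level server block."""
    return [(dict((n, a) for n, a, _ in s).get("server_name", ["?"])[0], check_server(s))
            for n, _, s in parse(text) if n == "server"]
```

`audit(open("/etc/nginx/conf.d/example.conf").read())` returns one entry per server block, so the same checks run against a real file; a clean 443 block with absolute paths and `ssl_protocols TLSv1.2 TLSv1.3` produces an empty findings list.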