在本地生成证书(生产环境建议购买证书)。生成步骤本文不做描述。生成的证书可以保存起来,以后直接使用,不需要每次都重新生成。
# Main (process-level) context, one directive per line.

# Worker user is left commented out, so nginx falls back to its built-in
# default account for worker processes.
#user nobody;

# One worker process; this is also nginx's default value.
worker_processes 1;

# Error-log alternatives, all disabled here.
#error_log logs/error.log;
#error_log logs/error.log notice;
#error_log logs/error.log info;

#pid logs/nginx.pid;

# Per-worker connection limit.
events {
    worker_connections 1024;
}
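# http context with three virtual servers:
#   :80   - static front-end over plain HTTP
#   :443  - TLS termination in front of the /api/ backend
#   :8888 - TLS termination in front of the WebSocket upstream
http {
    include       mime.types;
    default_type  application/octet-stream;
    proxy_headers_hash_bucket_size 256;
    types_hash_bucket_size 256;

    sendfile on;
    #tcp_nopush on;

    #keepalive_timeout 0;
    keepalive_timeout 65;

    #gzip on;

    # Static front-end, served without TLS.
    # NOTE(review): nothing here redirects to HTTPS - confirm that serving
    # the front-end over plain HTTP is intended.
    server {
        listen 80;
        listen [::]:80;
        server_name localhost;

        #charset koi8-r;
        #access_log logs/host.access.log main;

        location / {
            root  /opt/nginx-html/web/front;
            index index.html index.htm;
        }

        #error_page 404 /404.html;

        # redirect server error pages to the static page /50x.html
        #
        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
            root html;
        }
    }

    # HTTPS server
    server {
        listen 443 ssl;
        server_name 192.168.3.60;

        # The key file name suggests it is stored without a passphrase, so
        # file permissions are its only protection.
        # NOTE(review): confirm it is readable by the nginx master user only.
        ssl_certificate     /usr/local/nginx/ssl_key/nginx.crt;
        ssl_certificate_key /usr/local/nginx/ssl_key/nginx.nopass.key;

        ssl_session_cache   shared:SSL:1m;
        ssl_session_timeout 5m;

        # Pin the protocol list instead of inheriting the build's default,
        # which on older nginx releases still includes TLS 1.0 and 1.1.
        # The TLSv1.3 parameter needs nginx 1.13.0+ and only takes effect
        # with OpenSSL 1.1.1+; drop it on older builds.
        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_ciphers   HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers on;

        location /api/ {
            proxy_redirect off;
            proxy_set_header Host      $host;
            proxy_set_header X-Real-IP $remote_addr;

            # Set X-Forwarded-For exactly once. A second proxy_set_header
            # for the same name adds another header instead of replacing
            # the first, and the backend may read either one.
            # $proxy_add_x_forwarded_for appends $remote_addr to whatever
            # the client sent, so only the last entry (or X-Real-IP) is
            # trustworthy for access decisions and audit logs.
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

            # Non-standard header name, presumably read by the backend;
            # verify against the upstream service before removing.
            proxy_set_header Remote_addr $remote_addr;

            # The trailing "/" replaces the matched /api/ prefix with "/".
            # Traffic to the backend is plain HTTP.
            proxy_pass http://192.168.3.67:30701/;
        }
    }

    # TLS-terminated WebSocket proxy.
    server {
        # Listening port
        listen 8888 ssl;
        server_name xxx.com;

        #SSL-INFO-START
        ssl_certificate     /usr/local/nginx/ssl_key/nginx.crt;
        ssl_certificate_key /usr/local/nginx/ssl_key/nginx.nopass.key;

        # TLS 1.0 and 1.1 are deprecated (RFC 8996) and no longer offered.
        # The TLSv1.3 parameter needs nginx 1.13.0+ and only takes effect
        # with OpenSSL 1.1.1+; drop it on older builds.
        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_ciphers   ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;

        location / {
            proxy_pass http://websocket;
            # Forward the upgrade handshake; HTTP/1.1 is required for it.
            proxy_set_header Upgrade    $http_upgrade;
            proxy_set_header Connection $connection_upgrade;
            proxy_http_version 1.1;
        }

        # Placeholder paths: access and error logs share one file name here.
        # NOTE(review): use separate files when filling these in.
        access_log xxx.log;
        error_log  xxx.log;
    }

    # Connection header sent upstream: "upgrade" when the client sent an
    # Upgrade header, "close" when that header is empty.
    map $http_upgrade $connection_upgrade {
        default upgrade;
        ''      close;
    }

    upstream websocket {
        # Port exposed by the backend server
        server 192.168.3.66:8105;
    }
}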