Nginx rewrite配置https
rewrite实现http跳转https
生成证书
创建私有证书
生成证书文件
#openssl req -newkey rsa:4096 -nodes -sha256 -keyout ca.key -x509 -days 3650 -out ca.crt
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:shanghai
Locality Name (eg, city) [Default City]:shanghai
Organization Name (eg, company) [Default Company Ltd]:weirui.Ltd
Organizational Unit Name (eg, section) []:it
Common Name (eg, your name or your server's hostname) []:ca.weirui.org
Email Address []:
生成key和csr文件
#openssl req -newkey rsa:4096 -nodes -sha256 -keyout www.weirui.vip.key -out www.weirui.vip.csr
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:shanghai
Locality Name (eg, city) [Default City]:shanghai
Organization Name (eg, company) [Default Company Ltd]:weirui.vip
Organizational Unit Name (eg, section) []:weirui.vip
Common Name (eg, your name or your server's hostname) []:weirui.vip
Email Address []:1655841639@qq.com
A challenge password []:
An optional company name []:
签发证书
#openssl x509 -req -days 3650 -in www.weirui.vip.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out www.weirui.vip.crt
Signature ok
subject=/C=CN/ST=shanghai/L=shanghai/O=weirui.vip/OU=weirui.vip/CN=weirui.vip/emailAddress=1655841639@qq.com
Getting CA Private Key
合并CA和服务器证书成一个文件,注意服务器证书在前
#cat www.weirui.vip.crt ca.crt > weirui.crt
查看证书内容
#openssl x509 -in www.weirui.vip.crt -noout -text
nginx配置
方式一
#cat /apps/nginx-1.18.0/conf.d/hsts.conf
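server {
    listen 80;
    listen 443 ssl;
    server_name www.weirui.vip;

    # Leaf certificate and key produced by the openssl steps above. If an
    # intermediate CA is ever introduced, point this at a concatenated file
    # (server certificate first, then the issuer) instead of the leaf alone.
    ssl_certificate /apps/nginx-1.18.0/certs/www.weirui.vip.crt;
    ssl_certificate_key /apps/nginx-1.18.0/certs/www.weirui.vip.key;
    ssl_session_cache shared:sslcache:20m;
    ssl_session_timeout 10m;
    # nginx 1.18.0 still offers TLSv1/TLSv1.1 by default; restrict to current versions.
    ssl_protocols TLSv1.2 TLSv1.3;

    # HSTS; "always" also attaches the header to error responses.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    # Redirect at server level rather than inside "location /", so every
    # location on this vhost is covered, and with "return" instead of
    # "rewrite ... redirect" (a permanent 301 rather than a temporary 302).
    # $server_name keeps the target fixed to this vhost regardless of the
    # Host header the client supplied.
    if ($scheme = http) {
        return 301 https://$server_name$request_uri;
    }

    location / {
        root /apps/nginx-1.18.0/html;
    }
}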
方式二
#cat /apps/nginx-1.18.0/conf.d/https.conf
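server {
    listen 443 ssl;
    server_name www.weirui.vip;
    # "ssl on;" is deprecated; the "ssl" parameter on listen above is sufficient.

    # weirui.crt is the concatenation built above (server certificate first,
    # then ca.crt), which is the file format ssl_certificate expects for a chain.
    ssl_certificate /apps/nginx-1.18.0/certs/weirui.crt;
    ssl_certificate_key /apps/nginx-1.18.0/certs/www.weirui.vip.key;

    # OCSP stapling is not enabled: the certificate was signed with
    # "openssl x509 -req" and no extension file, so it carries no OCSP
    # responder URI and nginx would ignore ssl_stapling with a warning.
    # ssl_trusted_certificate only served stapling verification here and is
    # left out with it; if re-enabled it must contain CA certificates only
    # (ca.crt), not the server certificate.
    # ssl_stapling on;
    # ssl_stapling_verify on;
    # ssl_trusted_certificate /apps/nginx-1.18.0/certs/ca.crt;

    ssl_session_cache shared:sslcache:20m;
    ssl_session_timeout 10m;
    # TLSv1 and TLSv1.1 are deprecated (RFC 8996); offer only current versions.
    ssl_protocols TLSv1.2 TLSv1.3;

    # HSTS; value quoted and "always" added so error responses carry it too.
    add_header Strict-Transport-Security "max-age=15768000" always;
    root /apps/nginx-1.18.0/html;
}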
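server {
    listen 80;
    server_name www.weirui.vip;

    # "return" runs in the server rewrite phase, before any location is
    # selected, so every request on :80 becomes a permanent redirect.
    # $server_name rather than $host keeps the redirect target fixed to this
    # vhost instead of echoing whatever Host header the client sent.
    return 301 https://$server_name$request_uri;

    # The original echo location is never reached because of the return
    # above, and the echo directive requires the third-party echo module
    # (nginx refuses to start without it). Verify the redirect with
    # "curl -I http://www.weirui.vip" as shown below instead.
    # location / {
    #     echo "$server_name:$server_port";
    # }
}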
验证
#curl http://www.weirui.vip -I
HTTP/1.1 302 Moved Temporarily
Server: nginx/8.8.0
Date: Sat, 19 Mar 2022 11:32:44 GMT
Content-Type: text/html
Content-Length: 144
Connection: keep-alive
Location: https://www.weirui.vip/
Strict-Transport-Security: max-age=31536000; includeSubDomains
#curl http://www.weirui.vip -ILk
HTTP/1.1 302 Moved Temporarily
Server: nginx/8.8.0
Date: Sat, 19 Mar 2022 11:35:40 GMT
Content-Type: text/html
Content-Length: 144
Connection: keep-alive
Location: https://www.weirui.vip/
Strict-Transport-Security: max-age=31536000; includeSubDomains
HTTP/1.1 200 OK
Server: nginx/8.8.0
Date: Sat, 19 Mar 2022 11:35:41 GMT
Content-Type: text/html
Content-Length: 16
Last-Modified: Sat, 19 Mar 2022 07:44:47 GMT
Connection: keep-alive
ETag: "623589ef-10"
Strict-Transport-Security: max-age=31536000; includeSubDomains
Accept-Ranges: bytes