config and redirect all http to https in nginx
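# Unicorn application server, reached over a local Unix domain socket.
upstream ikcrm_www_development_unicorn {
    # fail_timeout=0 keeps nginx retrying this socket instead of marking it
    # unavailable after a failed attempt.
    server unix:/tmp/unicorn.ikcrm_www_development.sock fail_timeout=0;
}

# Plain-HTTP vhost: its only job is to redirect every request to HTTPS.
server {
    listen 80;
    server_name test.www.ikcrm.com;
    # The target is built from $server_name (the configured name), not from the
    # client-supplied Host header, so the request cannot steer the redirect.
    return 301 https://$server_name$request_uri;
}

# HTTPS vhost: terminates TLS, serves static files, proxies the rest to Unicorn.
server {
    # The `ssl` listen parameter replaces the standalone `ssl on;` directive,
    # which is deprecated and no longer accepted by newer nginx releases.
    listen 443 ssl;
    server_name test.www.ikcrm.com;

    # server.crt must hold the server certificate first, followed by any
    # intermediate certificates. server.key is the private key: keep it
    # readable only by the user that starts the nginx master process.
    ssl_certificate /usr/local/nginx/config/server.crt;
    ssl_certificate_key /usr/local/nginx/config/server.key;
    ssl_session_timeout 5m;

    # TLS 1.0 and 1.1 are deprecated (RFC 8996) and were dropped from this list.
    # NOTE(review): add TLSv1.3 here when the installed nginx/OpenSSL support it.
    ssl_protocols TLSv1.2;
    # !3DES added: on older OpenSSL builds the HIGH group still includes 3DES
    # suites; the rest of the cipher string is unchanged.
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:HIGH:!aNULL:!MD5:!ADH:!DH:!3DES;
    ssl_prefer_server_ciphers on;

    # NOTE(review): once HTTPS is confirmed to work for every client, consider
    # sending a Strict-Transport-Security header. add_header directives are not
    # inherited by a location that declares its own, such as /assets/ below.

    root /dyne/apps/ikcrm_www_development/current/public;

    # individual nginx logs for this ikcrm_www vhost
    access_log /var/log/nginx/ikcrm_www_access.log;
    error_log /var/log/nginx/ikcrm_www_error.log;

    # Static assets: serve pre-compressed .gz files and cache as long as possible.
    location ^~ /assets/ {
        gzip_static on;
        expires max;
        add_header Cache-Control public;
        #add_header ETag "";
        #break;
    }

    # Serve a static file when one exists, otherwise hand the request to Unicorn.
    try_files $uri/index.html $uri @unicorn;

    location @unicorn {
        # $proxy_add_x_forwarded_for appends the client address to whatever
        # X-Forwarded-For value the client sent, so the application should
        # trust only the last entry.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # Added: tells the application the original request used HTTPS, so it
        # can mark cookies Secure and generate https:// URLs.
        proxy_set_header X-Forwarded-Proto $scheme;
        # $http_host is the Host header exactly as the client sent it; the
        # application should not build links from it without validation.
        proxy_set_header Host $http_host;
        proxy_redirect off;
        proxy_pass http://ikcrm_www_development_unicorn;
    }

    error_page 500 502 503 504 /500.html;
    # Accepts request bodies of up to 4 GB.
    # NOTE(review): lower this unless the application needs uploads that large.
    client_max_body_size 4G;
    keepalive_timeout 10;
}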
1.申请ssl证书
根据公司信息生成 CSR(证书签名请求),例如使用 https://www.trustasia.com/tools/csr-generator.htm;在线工具通常会在第三方一侧生成私钥,更稳妥的做法是在服务器本地用 openssl 生成私钥和 CSR,使私钥不离开服务器;
填写CSR证书和网站信息,申请 ssl证书(保存文件为 server.csr);
申请成功后,邮件返回的内容包括证书(公钥)和私钥
把
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
的三段文字(通常是服务器证书加中间证书,服务器证书必须放在最前面)保存到 server.crt 作为证书(公钥)文件
把
-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----
的文字保存为 server.key 作为私钥文件,并限制文件权限(例如 chmod 600),只允许启动 nginx 主进程的用户读取
2.配置 nginx.conf
自动跳转到 https 的配置:
# Plain-HTTP vhost whose only job is to redirect every request to HTTPS.
server {
listen 80;
server_name ik.vkelai.com;
# Permanent redirect. The target host is $server_name (the configured name),
# not the client-supplied Host header; $request_uri keeps the path and query.
return 301 https://$server_name$request_uri;
}
加密协议配置:
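# TLS 1.0 and 1.1 are deprecated (RFC 8996) and were dropped from this list.
# NOTE(review): add TLSv1.3 when the installed nginx/OpenSSL support it.
ssl_protocols TLSv1.2;
# !3DES added: on older OpenSSL builds the HIGH group still includes 3DES
# suites; the rest of the cipher string is unchanged.
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:HIGH:!aNULL:!MD5:!ADH:!DH:!3DES;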
3.openssl升级到最新版本
# Update the distribution's OpenSSL package.
yum update openssl
# Print the installed version; the trailing comment is the output the author recorded.
# NOTE(review): distribution packages commonly backport security fixes without
# changing this version string, so confirm the patch level from the package
# changelog rather than from this output alone.
openssl version # OpenSSL 1.0.1e-fips 11 Feb 2013
升级完成后重新加载 nginx(注意:若 nginx 动态链接 OpenSSL,reload 只会重新派生 worker 进程,主进程仍使用已加载的旧版库;要让新库生效需要完全重启 nginx):
nginx -s reload