二级域名带ssl证书代理
在nginx配置文件,增加代理配置服务
server { listen 443 ssl; #SSL协议访问端口号为443。此处如未添加ssl,可能会造成Nginx无法启动。 server_name api.dshvv.com; #二级域名。 root html; index index.html index.htm; ssl_certificate /home/ssl/dshvv.pem; #将domain name.pem替换成您证书的文件名。 ssl_certificate_key /home/ssl/dshvv.key; #将domain name.key替换成您证书的密钥文件名。 ssl_session_timeout 5m; ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4; #使用此加密套件。 ssl_protocols TLSv1 TLSv1.1 TLSv1.2; #使用该协议进行配置。 ssl_prefer_server_ciphers on; location / { proxy_pass http://127.0.0.1:7777; #代理地址 proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header X-Forwarded-Port $server_port; } }
意思是 遇到api.dshvv.com请求的时候,将代理至本地的7777服务。
需要注意的是,需要在域名服务上,开启二级域名的解析
普通二级域名配置
因为ssl证书是针对以及域名的,二级域名提示无效风险,但是不影响使用,也就是说二级域名用https请求会提示ssl证书无效
阿里有统配子域名的证书,但是要花钱,每年1-2k,还是算了。但是我们可以分别声情,这是免费的
如果二级域名不配置证书,代理可以做如下新增
server { listen 80; server_name api.dshvv.com; #二级域名。 root html; index index.html index.htm; location / { proxy_pass http://127.0.0.1:7777; #代理地址 proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header X-Forwarded-Port $server_port; } }
当然最好还是都加上,两种配置都写上,这样使用的时候有的选择
最优方案
1、配置两个域名证书
2、同时支持http和https
一下是最终的配置文件
#user nobody; worker_processes 1; #error_log logs/error.log; #error_log logs/error.log notice; #error_log logs/error.log info; #pid logs/nginx.pid; events { worker_connections 1024; } http { include mime.types; default_type application/octet-stream; #log_format main '$remote_addr - $remote_user [$time_local] "$request" ' # '$status $body_bytes_sent "$http_referer" ' # '"$http_user_agent" "$http_x_forwarded_for"'; #access_log logs/access.log main; sendfile on; #tcp_nopush on; #keepalive_timeout 0; keepalive_timeout 65; #gzip on; server { listen 443 ssl; #SSL协议访问端口号为443。此处如未添加ssl,可能会造成Nginx无法启动。 server_name localhost; #将localhost修改为您证书绑定的域名,例如:www.example.com。 root html; index index.html index.htm; ssl_certificate /home/ssl/dshvv.com_nginx/cert.pem; #将domain name.pem替换成您证书的文件名。 ssl_certificate_key /home/ssl/dshvv.com_nginx/cert.key; #将domain name.key替换成您证书的密钥文件名。 ssl_session_timeout 5m; ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4; #使用此加密套件。 ssl_protocols TLSv1 TLSv1.1 TLSv1.2; #使用该协议进行配置。 ssl_prefer_server_ciphers on; location / { root html; #站点目录。 index index.html index.htm; } } server { listen 443 ssl; #SSL协议访问端口号为443。此处如未添加ssl,可能会造成Nginx无法启动。 server_name api.dshvv.com; #二级域名。 root html; index index.html index.htm; ssl_certificate /home/ssl/api.dshvv.com_nginx/cert.pem; #将domain name.pem替换成您证书的文件名。 ssl_certificate_key /home/ssl/api.dshvv.com_nginx/cert.key; #将domain name.key替换成您证书的密钥文件名。 ssl_session_timeout 5m; ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4; #使用此加密套件。 ssl_protocols TLSv1 TLSv1.1 TLSv1.2; #使用该协议进行配置。 ssl_prefer_server_ciphers on; location / { proxy_pass http://127.0.0.1:7777; #代理地址 proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header X-Forwarded-Port $server_port; } } server { listen 80; server_name localhost; #charset koi8-r; #access_log logs/host.access.log main; location / { root html; index index.html index.htm; } #error_page 404 /404.html; # redirect server error pages to the static page /50x.html # error_page 500 502 503 504 /50x.html; location = /50x.html { root html; } # proxy the PHP scripts to Apache listening on 127.0.0.1:80 # #location ~ .php$ { # proxy_pass http://127.0.0.1; #} # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000 # #location ~ .php$ { # root html; # fastcgi_pass 127.0.0.1:9000; # fastcgi_index index.php; # fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name; # include fastcgi_params; #} # deny access to .htaccess files, if Apache's document root # concurs with nginx's one # #location ~ /.ht { # deny all; #} } server { listen 80; server_name api.dshvv.com; #二级域名。 root html; index index.html index.htm; location / { proxy_pass http://127.0.0.1:7777; #代理地址 proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header X-Forwarded-Port $server_port; } } # another virtual host using mix of IP-, name-, and port-based configuration # #server { # listen 8000; # listen somename:8080; # server_name somename alias another.alias; # location / { # root html; # index index.html index.htm; # } #} # HTTPS server # #server { # listen 443 ssl; # server_name localhost; # ssl_certificate cert.pem; # ssl_certificate_key cert.key; # ssl_session_cache shared:SSL:1m; # ssl_session_timeout 5m; # ssl_ciphers HIGH:!aNULL:!MD5; # ssl_prefer_server_ciphers on; # location / { # root html; # index index.html index.htm; # } #} }