原文及更多文章请见个人博客:http://heartlifes.com
首先,nginx在编译安装时得安装ssl模块
上传ssl证书到服务器/usr/local/nginx/ssl/xxx.pfx
生成证书crt可key
openssl pkcs12 -in /usr/local/nginx/ssl/xxx.pfx -clcerts -nokeys -out /usr/local/nginx/ssl/xxx.crt
openssl pkcs12 -in /usr/local/nginx/ssl/xxx.pfx -nocerts -nodes -out /usr/local/nginx/ssl/xxx.rsa
验证证书正确性
openssl s_server -www -accept 443 -cert /usr/local/nginx/ssl/xxx.crt -key /usr/local/nginx/ssl/xxx.rsa
配置nginx
server {
listen 443;
server_name localhost;
ssl on;
ssl_certificate /usr/local/nginx/ssl/xxx.crt;
ssl_certificate_key /usr/local/nginx/ssl/xxx.rsa;
ssl_session_timeout 5m;
ssl_protocols SSLv2 SSLv3 TLSv1;
ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
ssl_prefer_server_ciphers on;
location ~ /api/(.*) {
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Ssl on;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_pass http://serverAPI;
}
}