HTTPS service

Without HTTPS:

  • Data in transit can be read by a man in the middle, leaking information
  • Content can be hijacked or tampered with in transit

Forced redirects

Redirect the bare domain (no www) to the www host

server {
    listen 80;
    server_name example.com;
    return 301 http://www.example.com$request_uri;
}
server {
    listen 80;
    server_name www.example.com;
    location / {
        proxy_pass http://localhost:8080;
        # Tell the upstream which scheme the client used (header name corrected from "X-Forwared-Proto")
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
    }
}

Redirect HTTP to HTTPS

Configuration that forces the default HTTP port to redirect to HTTPS

server {
    listen 80;
    location / {
        # $host$request_uri preserves the requested host, path and query string across the redirect
        return 301 https://$host$request_uri;
    }
}
server {
    listen 443 ssl;
    # ssl_certificate, ssl_certificate_key and the other TLS directives from the basic configuration belong here
}
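To verify that a deployed redirect behaves like the two rules above (permanent, correct scheme and host, path and query string preserved by $request_uri), here is an added Python check that is not part of the original page. It inspects captured HTTP responses rather than contacting a server; the three response strings are constructed to mirror what the configurations above would return, and the function names are this example's own.

```python
"""Check captured HTTP redirect responses against the redirect rules above.

Added example, not from the original page. The responses below are
constructed inline to mirror `return 301 http://www.example.com$request_uri`
and `return 301 https://$host$request_uri`.
"""
from urllib.parse import urlsplit

# Constructed sample responses (what nginx would send for GET /login?next=%2Faccount).
WWW_REDIRECT = (
    "HTTP/1.1 301 Moved Permanently\r\n"
    "Server: nginx\r\n"
    "Location: http://www.example.com/login?next=%2Faccount\r\n"
    "Content-Length: 0\r\n\r\n"
)
HTTPS_REDIRECT = (
    "HTTP/1.1 301 Moved Permanently\r\n"
    "Location: https://www.example.com/login?next=%2Faccount\r\n\r\n"
)
# A broken redirect: temporary, stays on http, and drops the path and query.
BAD_REDIRECT = "HTTP/1.1 302 Found\r\nLocation: http://www.example.com/\r\n\r\n"


def parse_response(raw: str) -> tuple[int, dict[str, str]]:
    """Parse the status code and headers of a raw HTTP/1.x response."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def check_redirect(raw: str, request_target: str,
                   expected_scheme: str, expected_host: str) -> list[str]:
    """Return the list of problems found; an empty list means the redirect is correct."""
    problems = []
    status, headers = parse_response(raw)
    if status != 301:
        problems.append(f"expected 301, got {status}")
    location = headers.get("location")
    if location is None:
        return problems + ["missing Location header"]
    url = urlsplit(location)
    if url.scheme != expected_scheme:
        problems.append(f"scheme is {url.scheme!r}, expected {expected_scheme!r}")
    if url.hostname != expected_host:
        problems.append(f"host is {url.hostname!r}, expected {expected_host!r}")
    # $request_uri carries both path and query string; both must survive the hop.
    target = url.path + ("?" + url.query if url.query else "")
    if target != request_target:
        problems.append(f"target {target!r} does not preserve {request_target!r}")
    return problems


if __name__ == "__main__":
    target = "/login?next=%2Faccount"
    print(check_redirect(WWW_REDIRECT, target, "http", "www.example.com"))
    print(check_redirect(HTTPS_REDIRECT, target, "https", "www.example.com"))
    print(check_redirect(BAD_REDIRECT, target, "https", "www.example.com"))
```

Note that chaining the two configurations as written (bare domain to http://www, then http to https) costs two hops, the first of which is still plaintext; redirecting the bare domain straight to https://www avoids that.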

Basic configuration

server {
    listen 80;
    listen 443 ssl http2 default_server;
    # Certificate (public key), sent to clients that connect to the server
    ssl_certificate cert/example.com.pem;
    # Private key; file permissions must be restricted, but the Nginx master process must be able to read it
    ssl_certificate_key cert/example.com.key;
    # Type and size of the SSL/TLS session cache
    ssl_session_cache shared:SSL:10m;
    # How long a client may reuse the SSL parameters stored in the session cache
    ssl_session_timeout 10m;
    # Only TLS 1.2 and 1.3; SSLv2, TLSv1 and TLSv1.1 are broken or deprecated and have been removed from this list
    ssl_protocols TLSv1.2 TLSv1.3;
    # RC4 removed (broken stream cipher) and the exclusion of AES-GCM dropped; AEAD suites should be allowed
    ssl_ciphers ECDHE-RSA-AES256-SHA384:AES256-SHA256:HIGH:!MD5:!aNULL:!eNULL:!NULL:!DH:!EDH;
    ssl_prefer_server_ciphers on;
    server_name m.example.com;
    location /test/ {
        proxy_pass https://h5.example.com;
        rewrite /test/(.*) /$1 break;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
    location / {
        proxy_pass https://m.example.com;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
    access_log /var/log/nginx/example.access.log main;
}
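A configuration like the one above is easy to weaken by habit: an old protocol list, a cipher string that still names RC4, or a proxy header name with a typo that silently stops the upstream from learning the client scheme. The following Python audit is an added example (not part of the original page and not an nginx tool): it parses server-block text with a deliberately minimal directive splitter and reports such settings. The weak-value lists, the function names and the two sample configurations are this example's own choices.

```python
"""Audit an nginx server block for weak TLS settings and misspelled proxy headers.

Added example, not from the original page. The parser only understands
directives terminated by ';' and '{ }' nesting, which covers the
configurations shown in this article. The weak-value sets are this
example's choices, not anything nginx itself defines.
"""
import difflib
import re

WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
WEAK_CIPHER_TOKENS = {"RC4", "MD5", "DES", "3DES", "NULL", "EXPORT"}
# Headers an upstream application typically relies on; a misspelling here
# produces no error, it just leaves the upstream without the value.
KNOWN_PROXY_HEADERS = ["X-Forwarded-Proto", "X-Forwarded-For", "X-Real-IP", "Host"]

# Constructed sample: the weak settings this article's original configuration contained.
WEAK_CONFIG = """
server {
    listen 443 ssl http2 default_server;
    ssl_certificate cert/example.com.pem;       # public certificate
    ssl_certificate_key cert/example.com.key;   # private key
    ssl_protocols SSLv2 TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4:HIGH:!MD5:!aNULL:!eNULL:!NULL:!DH:!EDH:!AESGCM;
    location / {
        proxy_pass http://localhost:8080;
        proxy_set_header X-Forwared-Proto $scheme;
        proxy_set_header Host $host;
    }
}
"""

# Constructed sample: the same block after hardening.
HARDENED_CONFIG = """
server {
    listen 443 ssl http2 default_server;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:HIGH:!aNULL:!MD5;
    location / {
        proxy_pass http://localhost:8080;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Host $host;
    }
}
"""


def directives(config: str):
    """Yield (name, args) for every directive, ignoring '#' comments and block braces."""
    text = re.sub(r"#[^\n]*", "", config)
    for stmt in re.split(r"[;{}]", text):
        parts = stmt.split()
        if parts:
            yield parts[0], parts[1:]


def audit_tls(config: str) -> list[str]:
    """Return human-readable findings; an empty list means nothing weak was spotted."""
    findings = []
    for name, args in directives(config):
        if name == "ssl_protocols":
            findings += [f"ssl_protocols enables {p}" for p in args if p in WEAK_PROTOCOLS]
        elif name == "ssl_ciphers" and args:
            # OpenSSL cipher strings are colon-separated; '!' entries are exclusions, not enabled suites.
            for token in args[0].split(":"):
                if not token.startswith("!") and token.upper() in WEAK_CIPHER_TOKENS:
                    findings.append(f"ssl_ciphers allows {token}")
        elif name == "proxy_set_header" and args:
            header = args[0]
            if header not in KNOWN_PROXY_HEADERS:
                close = difflib.get_close_matches(header, KNOWN_PROXY_HEADERS, n=1, cutoff=0.8)
                if close:
                    findings.append(f"proxy_set_header {header} looks like a typo of {close[0]}")
    return findings


if __name__ == "__main__":
    for line in audit_tls(WEAK_CONFIG):
        print("weak:", line)
    print("hardened findings:", audit_tls(HARDENED_CONFIG))
```

The cipher check only looks at positively named suites, because an `!RC4`-style entry is an exclusion; the typo check uses a similarity threshold so that it flags near-misses like the one in the article without complaining about legitimately custom headers.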
