Configuring HTTPS on nginx with a forced redirect (LNMP one-click install package)

1. Installing the package

Install it as described in the official instructions:

./install.sh lnmpa

2. Configuring a virtual host for the domain bbs.wzlinux.com
# lnmp vhost add
+-------------------------------------------+
|    Manager for LNMP, Written by Licess    |
+-------------------------------------------+
|              https://lnmp.org             |
+-------------------------------------------+
Please enter domain(example: www.lnmp.org): bbs.wzlinux.com
 Your domain: bbs.wzlinux.com
Enter more domain name(example: lnmp.org *.lnmp.org):
Please enter the directory for the domain: bbs.wzlinux.com
Default directory: /home/wwwroot/bbs.wzlinux.com:
Virtual Host Directory: /home/wwwroot/bbs.wzlinux.com
Allow access log? (y/n) y
Enter access log filename(Default:bbs.wzlinux.com.log):
You access log filename: bbs.wzlinux.com.log
Please enter Administrator Email Address: wangzan18@126.com
Server Administrator Email:wangzan18@126.com
Create database and MySQL user with same name (y/n) n
Add SSL Certificate (y/n) y
1: Use your own SSL Certificate and Key
2: Use Let's Encrypt to create SSL Certificate and Key
Enter 1 or 2: 2
It will be processed automatically.
Press any key to start create virtul host...
Create Virtul Host directory......
set permissions of Virtual Host directory......
Test Nginx configure file......
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
Reload Nginx......
Test Apache configure file...
test apache configure... Syntax OK done
Restart Apache...
graceful apache...done
--2019-05-08 16:15:37--  https://soft.vpser.net/lib/acme.sh/latest.tar.gz
Resolving soft.vpser.net (soft.vpser.net)... 50.93.201.152, 2600:3c01::f03c:91ff:fe92:1a06
Connecting to soft.vpser.net (soft.vpser.net)|50.93.201.152|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 128963 (126K)
Saving to: ‘latest.tar.gz’
100%[==========>] 128,963  296KB/s  in 0.4s
2019-05-08 16:15:39 (296 KB/s) - ‘latest.tar.gz’ saved
It is recommended to install socat first.
We use socat for standalone server if you use standalone mode.
If you don't use standalone mode, just ignore this warning.
Installing to /usr/local/acme.sh
Installed to /usr/local/acme.sh/acme.sh
Installing alias to '/root/.bashrc'
OK, Close and reopen your terminal to start using acme.sh
Installing alias to '/root/.cshrc'
Installing alias to '/root/.tcshrc'
Installing cron job
no crontab for root
no crontab for root
Good, bash is found, so change the shebang to use bash as preferred.
OK
Redirecting to /bin/systemctl restart crond.service
Note: Forwarding request to 'systemctl enable crond.service'.
Starting create SSL Certificate use Let's Encrypt...
Registering account
Registered
ACCOUNT_THUMBPRINT='-cKHSTDQhjSIjWvO8OFcqx4cURrIDG88TaHlE_OkRDM'
Creating domain key
The domain key is here: /usr/local/nginx/conf/ssl/bbs.wzlinux.com/bbs.wzlinux.com.key
Single domain='bbs.wzlinux.com'
Getting domain auth token for each domain
Getting webroot for domain='bbs.wzlinux.com'
Verifying: bbs.wzlinux.com
Success
Verify finished, start to sign.
Lets finalize the order, Le_OrderFinalize: https://acme-v02.api.letsencrypt.org/acme/finalize/56638729/438522172
Download cert, Le_LinkCert: https://acme-v02.api.letsencrypt.org/acme/cert/046b73070d79dd7f8275ef2ce8235ddab879
Cert success.
Your cert is in  /usr/local/nginx/conf/ssl/bbs.wzlinux.com/bbs.wzlinux.com.cer
Your cert key is in  /usr/local/nginx/conf/ssl/bbs.wzlinux.com/bbs.wzlinux.com.key
The intermediate CA cert is in  /usr/local/nginx/conf/ssl/bbs.wzlinux.com/ca.cer
And the full chain certs is there:  /usr/local/nginx/conf/ssl/bbs.wzlinux.com/fullchain.cer
Run reload cmd: /etc/init.d/nginx reload
Reload service nginx...done
Reload success
Let's Encrypt SSL Certificate create successfully.
Create dhparam.pem...
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
...........+..........+....................++*++*
Test Nginx configure file......
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
Reload Nginx......
================================================
Virtualhost infomation:
Your domain: bbs.wzlinux.com
Home Directory: /home/wwwroot/bbs.wzlinux.com
Enable log: yes
Create database: no
Create ftp account: no
Enable SSL: yes=>Let's Encrypt
================================================
3. Reviewing the configuration file

First look at the Nginx configuration file /usr/local/nginx/conf/vhost/bbs.wzlinux.com.conf. As generated, the site can be reached over both http and https.
server {
    listen 80;
    #listen [::]:80;
    server_name bbs.wzlinux.com ;
    index index.html index.htm index.php default.html default.htm default.php;
    root /home/wwwroot/bbs.wzlinux.com;

    #error_page 404 /404.html;

    # Deny access to PHP files in specific directory
    #location ~ /(wp-content|uploads|wp-includes|images)/.*\.php$ { deny all; }

    include proxy-pass-php.conf;

    location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$ {
        expires 30d;
    }

    location ~ .*\.(js|css)?$ {
        expires 12h;
    }

    location ~ /.well-known {
        allow all;
    }

    location ~ /\. {
        deny all;
    }

    access_log /home/wwwlogs/bbs.wzlinux.com.log;
}

server {
    listen 443 ssl http2;
    #listen [::]:443 ssl http2;
    server_name bbs.wzlinux.com ;
    index index.html index.htm index.php default.html default.htm default.php;
    root /home/wwwroot/bbs.wzlinux.com;

    ssl on;
    ssl_certificate /usr/local/nginx/conf/ssl/bbs.wzlinux.com/fullchain.cer;
    ssl_certificate_key /usr/local/nginx/conf/ssl/bbs.wzlinux.com/bbs.wzlinux.com.key;
    ssl_session_timeout 5m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers "EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5";
    ssl_session_cache builtin:1000 shared:SSL:10m;
    # openssl dhparam -out /usr/local/nginx/conf/ssl/dhparam.pem 2048
    ssl_dhparam /usr/local/nginx/conf/ssl/dhparam.pem;

    #error_page 404 /404.html;

    # Deny access to PHP files in specific directory
    #location ~ /(wp-content|uploads|wp-includes|images)/.*\.php$ { deny all; }

    include proxy-pass-php.conf;

    location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$ {
        expires 30d;
    }

    location ~ .*\.(js|css)?$ {
        expires 12h;
    }

    location ~ /.well-known {
        allow all;
    }

    location ~ /\. {
        deny all;
    }

    access_log /home/wwwlogs/bbs.wzlinux.com.log;
}

3.1 Setting up the forced redirect to HTTPS

Method 1: add a redirect inside the server block that listens on port 80.
rewrite ^(.*)$ https://$host$1 permanent;

or

server_name bbs.wzlinux.com;
rewrite ^(.*)$ https://$server_name$1 permanent;

or

listen 80;
server_name bbs.wzlinux.com bbs1.wzlinux.com bbs2.wzlinux.com;
if ($host != 'bbs.wzlinux.com') {
    rewrite ^/(.*)$ https://bbs.wzlinux.com/$1 permanent;
}

or

if ($http_x_forwarded_proto != "https") {
    rewrite ^/(.*)$ https://$host/$1 permanent;
}

or

if ($server_port !~ 443) {
    rewrite ^(/.*)$ https://$host$1 permanent;
}

or, using return:

if ($server_port = 80) {
    return 301 https://$host$request_uri;
}

or

return 301 https://$host$request_uri;

3.2 Common global variables used in rewrite rules

Variable            Description
$args               The query string of the request URL, e.g. arg1=value1&arg2=value2 in http://www.myweb.name/server/source?arg1=value1&arg2=value2
$content_length     The Content-Length field of the request header
$content_type       The Content-Type field of the request header
$document_root      The root path for the current request
$document_uri       The URI of the request without the query string, e.g. /server/source in http://www.myweb.name/server/source?arg1=value1&arg2=value2
$host               The host part of the request URL, e.g. www.myweb.name in http://www.myweb.name/server/source?arg1=value1&arg2=value2. If the host part of the request is unavailable or empty, the value of the server_name directive of the matching server block in the nginx configuration
$http_user_agent    The client's user agent
$http_cookie        The client's cookie
$limit_rate         The value of the limit_rate directive in the nginx configuration
$remote_addr        The client's address
$remote_port        The client-side port of the connection to the server
$remote_user        The user name supplied by the client
$request_body_file  The name of the local file holding the request body passed to the backend server
$request_method     The client's request method, e.g. GET, POST
$request_filename   The path of the resource file for the current request
$request_uri        The URI of the current request, including the query string
$query_string       Same as $args
$scheme             The protocol of the client request, e.g. http, https, ftp
$server_protocol    The version of the request protocol, e.g. "HTTP/1.0", "HTTP/1.1"
$server_addr        The server's address
$server_name        The name of the server the request reached
$server_port        The port of the server the request reached
$uri                Same as $document_uri
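After applying one of the redirect variants from section 3.1, it is worth confirming from the outside that the port-80 server block answers with a 301 to https, keeps the requested host (or rewrites it to the canonical name in the `if ($host != 'bbs.wzlinux.com')` variant) and preserves the path and query string that $request_uri carries. The checker below is an added example, not code from the original post or from LNMP; the URLs and responses it is tested against are constructed.

```python
# Added example (not part of the original post): verify that a forced-HTTPS
# redirect keeps host, path and query string. URLs below are constructed.
import http.client
from urllib.parse import urlsplit


def check_redirect(requested_url, status, headers, canonical_host=None):
    """Return a list of problems with a redirect response to requested_url.

    headers: response headers as a dict (names matched case-insensitively).
    canonical_host: if set, Location must point at this host (the
    `if ($host != ...)` variant); otherwise the requested host must be kept.
    An empty list means the redirect is what the port-80 block should send.
    """
    problems = []
    hdrs = {name.lower(): value for name, value in headers.items()}
    if status not in (301, 308):
        problems.append(f"expected 301 or 308, got {status}")
    location = hdrs.get("location")
    if location is None:
        problems.append("no Location header")
        return problems
    want, got = urlsplit(requested_url), urlsplit(location)
    expected_host = canonical_host or want.hostname
    if got.scheme != "https":
        problems.append(f"Location scheme is {got.scheme!r}, not https")
    if got.hostname != expected_host:
        problems.append(f"Location host {got.hostname!r} differs from {expected_host!r}")
    if got.path != want.path:
        problems.append(f"path changed: {want.path!r} -> {got.path!r}")
    if got.query != want.query:  # rewrite and $request_uri both keep the query string
        problems.append(f"query changed: {want.query!r} -> {got.query!r}")
    return problems


def fetch_redirect(url, timeout=5):
    """GET url over plain HTTP without following redirects; return (status, headers)."""
    parts = urlsplit(url)
    target = parts.path or "/"
    if parts.query:
        target += "?" + parts.query
    conn = http.client.HTTPConnection(parts.hostname, parts.port or 80, timeout=timeout)
    conn.request("GET", target, headers={"Host": parts.hostname})
    resp = conn.getresponse()
    return resp.status, dict(resp.getheaders())


if __name__ == "__main__":
    # Live check against the vhost configured above (needs network access).
    url = "http://bbs.wzlinux.com/forum.php?mod=viewthread&tid=1"
    status, headers = fetch_redirect(url)
    print(check_redirect(url, status, headers, canonical_host="bbs.wzlinux.com") or "redirect OK")
```

The `$server_name` variant redirects every name in the server_name list to the first one, so run the check once per alias and pass that canonical name.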