
[News] Configuring HTTPS in nginx with a forced redirect (lnmp one-click install package)

Posted on 2019-8-1 20:21:00
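1. Installation
Install the package as described in the official instructions.

    ./install.sh lnmpa

2. Configuration
Configure a virtual host for the domain bbs.wzlinux.com: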

    [root@test ~]# lnmp vhost add
    +-------------------------------------------+
    |    Manager for LNMP, Written by Licess    |
    +-------------------------------------------+
    |              https://lnmp.org             |
    +-------------------------------------------+
    Please enter domain(example: www.lnmp.org): bbs.wzlinux.com
    Your domain: bbs.wzlinux.com
    Enter more domain name(example: lnmp.org *.lnmp.org): 
    Please enter the directory for the domain: bbs.wzlinux.com
    Default directory: /home/wwwroot/bbs.wzlinux.com: 
    Virtual Host Directory: /home/wwwroot/bbs.wzlinux.com
    Allow access log? (y/n) y
    Enter access log filename(Default:bbs.wzlinux.com.log): 
    You access log filename: bbs.wzlinux.com.log
    Please enter Administrator Email Address: wangzan18@126.com
    Server Administrator Email:wangzan18@126.com
    Create database and MySQL user with same name (y/n) n
    Add SSL Certificate (y/n) y
    1: Use your own SSL Certificate and Key
    2: Use Let's Encrypt to create SSL Certificate and Key
    Enter 1 or 2: 2
    It will be processed automatically.
    Press any key to start create virtul host...
    Create Virtul Host directory......
    set permissions of Virtual Host directory......
    Test Nginx configure file......
    nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
    nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
    Reload Nginx......
    Test Apache configure file...
    test apache configure... Syntax OK done
    Restart Apache...
    graceful apache...  done
    --2019-05-08 16:15:37--  https://soft.vpser.net/lib/acme.sh/latest.tar.gz
    Resolving soft.vpser.net (soft.vpser.net)... 50.93.201.152, 2600:3c01::f03c:91ff:fe92:1a06
    Connecting to soft.vpser.net (soft.vpser.net)|50.93.201.152|:443... connected.
    HTTP request sent, awaiting response... 200 OK
    Length: 128963 (126K) [application/octet-stream]
    Saving to: ‘latest.tar.gz’
    100%[==========================================================================================================================================================================================>] 128,963      296KB/s   in 0.4s   
    2019-05-08 16:15:39 (296 KB/s) - ‘latest.tar.gz’ saved [128963/128963]
    [Wed May  8 16:15:39 CST 2019] It is recommended to install socat first.
    [Wed May  8 16:15:39 CST 2019] We use socat for standalone server if you use standalone mode.
    [Wed May  8 16:15:39 CST 2019] If you don't use standalone mode, just ignore this warning.
    [Wed May  8 16:15:39 CST 2019] Installing to /usr/local/acme.sh
    [Wed May  8 16:15:39 CST 2019] Installed to /usr/local/acme.sh/acme.sh
    [Wed May  8 16:15:39 CST 2019] Installing alias to '/root/.bashrc'
    [Wed May  8 16:15:39 CST 2019] OK, Close and reopen your terminal to start using acme.sh
    [Wed May  8 16:15:39 CST 2019] Installing alias to '/root/.cshrc'
    [Wed May  8 16:15:39 CST 2019] Installing alias to '/root/.tcshrc'
    [Wed May  8 16:15:39 CST 2019] Installing cron job
    no crontab for root
    no crontab for root
    [Wed May  8 16:15:39 CST 2019] Good, bash is found, so change the shebang to use bash as preferred.
    [Wed May  8 16:15:39 CST 2019] OK
    Redirecting to /bin/systemctl restart crond.service
    Note: Forwarding request to 'systemctl enable crond.service'.
    Starting create SSL Certificate use Let's Encrypt...
    [Wed May  8 16:15:41 CST 2019] Registering account
    [Wed May  8 16:15:43 CST 2019] Registered
    [Wed May  8 16:15:43 CST 2019] ACCOUNT_THUMBPRINT='-cKHSTDQhjSIjWvO8OFcqx4cURrIDG88TaHlE_OkRDM'
    [Wed May  8 16:15:43 CST 2019] Creating domain key
    [Wed May  8 16:15:43 CST 2019] The domain key is here: /usr/local/nginx/conf/ssl/bbs.wzlinux.com/bbs.wzlinux.com.key
    [Wed May  8 16:15:43 CST 2019] Single domain='bbs.wzlinux.com'
    [Wed May  8 16:15:43 CST 2019] Getting domain auth token for each domain
    [Wed May  8 16:15:44 CST 2019] Getting webroot for domain='bbs.wzlinux.com'
    [Wed May  8 16:15:45 CST 2019] Verifying: bbs.wzlinux.com
    [Wed May  8 16:15:48 CST 2019] Success
    [Wed May  8 16:15:48 CST 2019] Verify finished, start to sign.
    [Wed May  8 16:15:48 CST 2019] Lets finalize the order, Le_OrderFinalize: https://acme-v02.api.letsencrypt ... /56638729/438522172
    [Wed May  8 16:15:50 CST 2019] Download cert, Le_LinkCert: https://acme-v02.api.letsencrypt ... 275ef2ce8235ddab879
    [Wed May  8 16:15:50 CST 2019] Cert success.
    [Wed May  8 16:15:50 CST 2019] Your cert is in  /usr/local/nginx/conf/ssl/bbs.wzlinux.com/bbs.wzlinux.com.cer 
    [Wed May  8 16:15:50 CST 2019] Your cert key is in  /usr/local/nginx/conf/ssl/bbs.wzlinux.com/bbs.wzlinux.com.key 
    [Wed May  8 16:15:50 CST 2019] The intermediate CA cert is in  /usr/local/nginx/conf/ssl/bbs.wzlinux.com/ca.cer 
    [Wed May  8 16:15:50 CST 2019] And the full chain certs is there:  /usr/local/nginx/conf/ssl/bbs.wzlinux.com/fullchain.cer 
    [Wed May  8 16:15:51 CST 2019] Run reload cmd: /etc/init.d/nginx reload
    Reload service nginx...  done
    [Wed May  8 16:15:51 CST 2019] Reload success
    Let's Encrypt SSL Certificate create successfully.
    Create dhparam.pem...
    Generating DH parameters, 2048 bit long safe prime, generator 2
    This is going to take a long time
    Test Nginx configure file......
    nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
    nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
    Reload Nginx......
    ================================================
    Virtualhost infomation:
    Your domain: bbs.wzlinux.com
    Home Directory: /home/wwwroot/bbs.wzlinux.com
    Enable log: yes
    Create database: no
    Create ftp account: no
    Enable SSL: yes
      =>Let's Encrypt
    ================================================

3. Reviewing the configuration file
First, look at the Nginx configuration file /usr/local/nginx/conf/vhost/bbs.wzlinux.com.conf. We can see that both http and https are accessible.

    server
        {
            listen 80;
            #listen [::]:80;
            server_name bbs.wzlinux.com ;
            index index.html index.htm index.php default.html default.htm default.php;
            root  /home/wwwroot/bbs.wzlinux.com;

            #error_page   404   /404.html;

            # Deny access to PHP files in specific directory
            #location ~ /(wp-content|uploads|wp-includes|images)/.*\.php$ { deny all; }

            include proxy-pass-php.conf;

            location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
            {
                expires      30d;
            }

            location ~ .*\.(js|css)?$
            {
                expires      12h;
            }

            location ~ /.well-known {
                allow all;
            }

            location ~ /\.
            {
                deny all;
            }

            access_log  /home/wwwlogs/bbs.wzlinux.com.log;
        }

    server
        {
            listen 443 ssl http2;
            #listen [::]:443 ssl http2;
            server_name bbs.wzlinux.com ;
            index index.html index.htm index.php default.html default.htm default.php;
            root  /home/wwwroot/bbs.wzlinux.com;
            ssl on;
            ssl_certificate /usr/local/nginx/conf/ssl/bbs.wzlinux.com/fullchain.cer;
            ssl_certificate_key /usr/local/nginx/conf/ssl/bbs.wzlinux.com/bbs.wzlinux.com.key;
            ssl_session_timeout 5m;
            ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
            ssl_prefer_server_ciphers on;
            ssl_ciphers "EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5";
            ssl_session_cache builtin:1000 shared:SSL:10m;
            # openssl dhparam -out /usr/local/nginx/conf/ssl/dhparam.pem 2048
            ssl_dhparam /usr/local/nginx/conf/ssl/dhparam.pem;

            #error_page   404   /404.html;

            # Deny access to PHP files in specific directory
            #location ~ /(wp-content|uploads|wp-includes|images)/.*\.php$ { deny all; }

            include proxy-pass-php.conf;

            location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
            {
                expires      30d;
            }

            location ~ .*\.(js|css)?$
            {
                expires      12h;
            }

            location ~ /.well-known {
                allow all;
            }

            location ~ /\.
            {
                deny all;
            }

            access_log  /home/wwwlogs/bbs.wzlinux.com.log;
        }

3.1 Forcing a redirect to HTTPS
Method 1: add a redirect inside the port-80 server block.

    rewrite ^(.*)$  https://$host$1 permanent;

or

    server_name bbs.wzlinux.com;
    rewrite ^(.*)$  https://$server_name$1 permanent;

or

    listen 80;
    server_name bbs.wzlinux.com bbs1.wzlinux.com bbs2.wzlinux.com;
    # only requests whose Host is not bbs.wzlinux.com are redirected
    if ($host != 'bbs.wzlinux.com') {
        rewrite ^/(.*)$ https://bbs.wzlinux.com/$1 permanent;
    }

or

    # for use behind a proxy or load balancer that terminates TLS and sets X-Forwarded-Proto
    if ($http_x_forwarded_proto != "https")
    {
        rewrite  ^/(.*)$  https://$host/$1 permanent;
    }

or

    if ($server_port !~ 443){
        rewrite ^(/.*)$ https://$host$1 permanent;
    }

or, using return:

    if ($server_port = 80 ) {
        return 301 https://$host$request_uri;
    }

or

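    return 301 https://$host$request_uri;

3.2 Examples of common global variables for rewrite

| Variable | Description |
|---|---|
| $args | The request arguments of the request URL, e.g. arg1=value1&arg2=value2 in http://www.myweb.name/server/source?arg1=value1&arg2=value2 |
| $content_length | The Content-length field of the request header |
| $content_type | The Content-type field of the request header |
| $document_root | The root path for the current request |
| $document_uri | The URI of the request without the request arguments, e.g. /server/source in http://www.myweb.name/server/source?arg1=value1&arg2=value2 |
| $host | The host field of the request URL, e.g. www.myweb.name in http://www.myweb.name/server/source?arg1=value1&arg2=value2. If the host part of the request is unavailable or empty, it holds the value of the server_name directive of this server block in the nginx configuration |
| $http_user_agent | The client's user agent |
| $http_cookie | The cookie |
| $limit_rate | The value of the limit_rate directive in the nginx configuration |
| $remote_addr | The client's address |
| $remote_port | The port number of the connection between the client and the server |
| $remote_user | The client's user name |
| $request_body_file | The name of the local file resource sent to the backend server |
| $request_method | The client's request method, such as get, post |
| $request_filename | The path name of the resource file for the current request |
| $request_uri | The URI of the current request, including the arguments |
| $query_string | Same meaning as $args |
| $scheme | The protocol used by the client request, such as http, https, ftp |
| $server_protocol | The protocol version of the client request, such as "HTTP/1.0", "HTTP/1.1" |
| $server_addr | The server's address |
| $server_name | The name of the server the client request arrived at |
| $server_port | The port number of the server the client request arrived at |
| $uri | Same as $document_uri |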
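
An added check, not part of the original post: after applying one of the redirects from section 3.1, this script reads vhost text and reports, for each server block that listens without ssl, whether a redirect to https sits at server level ("forced"), only inside an if/location block ("conditional"), or is missing ("none"). The sample text is constructed and the function names are this example's own; it assumes no braces or semicolons inside quoted strings or regex quantifiers.

```python
import re

# Constructed vhost text: three port-80 blocks in different states, one TLS block.
SAMPLE = r"""
server { listen 80; server_name bbs.wzlinux.com;
         return 301 https://$host$request_uri; }
server { listen 80; server_name bbs1.wzlinux.com;
    if ($http_x_forwarded_proto != "https") { return 301 https://$host$request_uri; } }
server { listen 80; server_name bbs2.wzlinux.com;
         location ~ /\. { deny all; } }
server { listen 443 ssl http2; server_name bbs.wzlinux.com; }
"""
# nginx answers with a redirect for "return 30x https://..." and for a rewrite
# whose replacement starts with https://.
REDIRECT = re.compile(r"^(return\s+30[1278]|rewrite\s+\S+)\s+https://")

def server_blocks(conf):
    """Yield the body of each server { ... } block, comments stripped."""
    conf = re.sub(r"#[^\n]*", "", conf)
    for m in re.finditer(r"\bserver\s*\{", conf):
        depth, i = 1, m.end()
        while depth and i < len(conf):
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        yield conf[m.end():i - 1]

def split_levels(body):
    """Separate server-level directives from those nested in if/location."""
    top, nested, depth, buf = [], [], 0, ""
    for ch in body:
        if ch == ";":  # end of a directive: file it by nesting depth
            (top if depth == 0 else nested).append(" ".join(buf.split()))
        depth += (ch == "{") - (ch == "}")
        buf = "" if ch in "{};" else buf + ch
    return top, nested

def audit(conf):
    """Map each plain-HTTP server_name to 'forced', 'conditional' or 'none'."""
    report = {}
    for body in server_blocks(conf):
        top, nested = split_levels(body)
        listens = [d.split()[1:] for d in top if d.startswith("listen ")]
        if listens and all("ssl" in args for args in listens):
            continue  # TLS-only block, nothing to redirect
        name = next((d[12:] for d in top if d.startswith("server_name ")), "(unnamed)")
        report[name] = ("forced" if any(map(REDIRECT.match, top)) else
                        "conditional" if any(map(REDIRECT.match, nested)) else "none")
    return report

if __name__ == "__main__":
    print(audit(SAMPLE))
```

To check the real files, pass the contents of each file under /usr/local/nginx/conf/vhost/ to audit(); a "conditional" result means the redirect depends on a condition and should be reviewed by hand.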

