nginx配置反向代理,並啟用SSL
摘要:
這裡使用let’s encrypt
的證書,使用cerboot安裝和更新證書。參考官網例子:
# 安裝cerboot
$ sudo apt-get update
$ sudo apt-get install software-properties-common
$ sudo ...
這裡使用let’s encrypt 的證書,使用cerboot安裝和更新證書。參考官網例子:
# 安裝cerboot $ sudo apt-get update $ sudo apt-get install software-properties-common $ sudo add-apt-repository universe $ sudo add-apt-repository ppa:certbot/certbot $ sudo apt-get update $ sudo apt-get install certbot python-certbot-nginx $ sudo certbot --nginx #renewal, crontab * */12 * * * certbot renew --noninteractive --renew-hook /etc/letsencrypt/renewhook.sh
配置nginx:
upstream localhost {
server 127.0.0.1:8080;
}
server {
listen 80;
server_name your-domain.com;
index index.html index.htm index.jsp index.php;
charset utf-8;
access_log /data1/log/nginx/access.log;
error_log/data1/log/nginx/error.log error;
# http -> https
location / {
return301https://$server_name$request_uri;
}
# validation for renew cert
location ~ /.well-known/acme-challenge/ {
root "/var/www/letsencrypt";
allow all;
}
}
server {
listen443 ssl http2;
server_name your-domain.com;
include /etc/nginx/snippets/letsencrypt.conf;
index index.html index.htm index.php;
charset utf-8;
ssl_certificate /etc/letsencrypt/live/your-domain/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/your-domain/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/your-domain/fullchain.pem;
include /etc/nginx/snippets/ssl.conf;
access_log /data1/log/nginx/access.log;
error_log/data1/log/nginx/error.log error;
location / {
proxy_pass http://localhost;
proxy_set_header X-Real-IP $remote_addr;
add_header X-Slave $upstream_addr;
}
}
Resources
- https://letsencrypt.org/getting-started/
- https://certbot.eff.org/lets-encrypt/ubuntuxenial-nginx