nginx配置反向代理,並啟用SSL
這裡使用let’s encrypt 的證書,使用cerboot安裝和更新證書。參考官網例子:
# 安裝cerboot $ sudo apt-get update $ sudo apt-get install software-properties-common $ sudo add-apt-repository universe $ sudo add-apt-repository ppa:certbot/certbot $ sudo apt-get update $ sudo apt-get install certbot python-certbot-nginx $ sudo certbot --nginx #renewal, crontab * */12 * * * certbot renew --noninteractive --renew-hook /etc/letsencrypt/renewhook.sh
配置nginx:
upstream localhost { server 127.0.0.1:8080; } server { listen 80; server_name your-domain.com; index index.html index.htm index.jsp index.php; charset utf-8; access_log /data1/log/nginx/access.log; error_log/data1/log/nginx/error.log error; # http -> https location / { return301https://$server_name$request_uri; } # validation for renew cert location ~ /.well-known/acme-challenge/ { root "/var/www/letsencrypt"; allow all; } } server { listen443 ssl http2; server_name your-domain.com; include /etc/nginx/snippets/letsencrypt.conf; index index.html index.htm index.php; charset utf-8; ssl_certificate /etc/letsencrypt/live/your-domain/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/your-domain/privkey.pem; ssl_trusted_certificate /etc/letsencrypt/live/your-domain/fullchain.pem; include /etc/nginx/snippets/ssl.conf; access_log /data1/log/nginx/access.log; error_log/data1/log/nginx/error.log error; location / { proxy_pass http://localhost; proxy_set_header X-Real-IP $remote_addr; add_header X-Slave $upstream_addr; } }
Resources
- https://letsencrypt.org/getting-started/
- https://certbot.eff.org/lets-encrypt/ubuntuxenial-nginx