Skip to content

一、申请SSL证书

使用Let's Encrypt免费证书(推荐)​​

安装Certbot工具

# Ubuntu/Debian
sudo apt update
sudo apt upgrade 
sudo apt install certbot python3-certbot-nginx

# CentOS/RHEL
sudo yum install epel-release
sudo yum install certbot python3-certbot-nginx

手动生成证书

此处使用example.com域名做示范,实际使用时请替换成自己的域名。

sudo certbot certonly --nginx -d example.com

按提示输入邮箱、同意协议。 证书路径:/etc/letsencrypt/archive/

Nginx配置使用生成的证书

# 强制 HTTP 跳转到 HTTPS
server {
    listen 80;
    server_name example.com www.example.com;
    return 301 https://$host$request_uri;  # 301 永久重定向
}



server {
        listen 443 ssl;
        access_log on;
        server_name example.com www.example.com; #只允许这两个域名的访问,其他域名或ip都不允许访问。
        access_log /var/log/nginx/example.access.log;
        error_log /var/log/nginx/example.error.log;

        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_prefer_server_ciphers off;
        ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";
        resolver 1.1.1.1 8.8.4.4 8.8.8.8 valid=300s;
        resolver_timeout 10s;
        ssl_session_cache shared:SSL:32m;
        ssl_session_timeout 10m;

        #配置ssl证书
        ssl_certificate /etc/letsencrypt/archive/example.com/fullchain1.pem;
        ssl_certificate_key /etc/letsencrypt/archive//example.com/privkey1.pem;

        location / {
                root /var/www/site;
                index index.html;

        }

        #负载均衡后端api访问。
       location /api {
               proxy_pass http://127.0.0.1:5000;  # 注意结尾的斜杠(会去除/api前缀)
               proxy_set_header Host $host;
                proxy_set_header X-Real-IP $remote_addr;  # 获取真实客户端IP[2,4](@ref)
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header X-Forwarded-Proto $scheme;
       }

}