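#!/usr/bin/env bash
# Generate a self-signed RSA key and certificate for darebeat.cn that nginx can
# load without prompting for a passphrase at start-up.
#
# Usage:   SSL_PATH=/some/dir ./this_script.sh   (SSL_PATH defaults to ".")
# Writes:  darebeat.cn.key, darebeat.cn.csr, darebeat.cn.key.org, darebeat.cn.crt
#          under ${SSL_PATH}.
# Note:    a self-signed certificate is for test/internal use; browsers will
#          warn unless the certificate is explicitly trusted.
set -euo pipefail

SSL_PATH=${SSL_PATH:-.}
readonly SSL_PATH
readonly NAME=darebeat.cn
# Private-key files created below must not be world-readable (0600).
umask 077

# 1. Generate the private key, passphrase-protected with DES3 for now.
#    1024-bit RSA is rejected by current browsers/TLS stacks; 2048 is the floor.
openssl genrsa -des3 -out "${SSL_PATH}/${NAME}.key" 2048

# 2. Create the CSR. This prompts for a series of fields; the important one is
#    "Common Name", which must be the domain that will be served over https.
#    A wildcard such as *.example.com covers all second-level sub-domains.
openssl req -new -key "${SSL_PATH}/${NAME}.key" -out "${SSL_PATH}/${NAME}.csr"

# 3. Strip the passphrase: nginx loads the key at start-up and would otherwise
#    block on a passphrase prompt. The encrypted original is kept as .key.org.
cp -- "${SSL_PATH}/${NAME}.key" "${SSL_PATH}/${NAME}.key.org"
openssl rsa -in "${SSL_PATH}/${NAME}.key.org" -out "${SSL_PATH}/${NAME}.key"

# 4. Self-sign the CSR to produce the certificate (method one).
#    -sha256 is stated explicitly so the signature hash does not depend on the
#    openssl build's default.
openssl x509 -req -days 3650 -sha256 \
  -in "${SSL_PATH}/${NAME}.csr" \
  -signkey "${SSL_PATH}/${NAME}.key" \
  -out "${SSL_PATH}/${NAME}.crt"

# Method two (alternative to steps 1-4, not run by default): one command that
# writes a fresh, unencrypted key (-nodes) and a self-signed certificate
# directly, so nginx needs no passphrase either. Running it after step 4 would
# silently overwrite the key and certificate produced above.
# openssl req -days 36500 -x509 -sha256 -nodes -newkey rsa:2048 \
#   -keyout "${SSL_PATH}/${NAME}.key" \
#   -out "${SSL_PATH}/${NAME}.crt"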
nginx配置
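server {
    listen 443 ssl;
    server_name blog.darebeat.cn;

    # Pages that reference plain-http assets are otherwise blocked as mixed
    # content; ask the browser to upgrade those sub-requests to https.
    add_header Content-Security-Policy upgrade-insecure-requests;

    # nginx does not expand shell variables, so ${SSL_PATH} from the generation
    # script cannot be used here: put the absolute directory the script wrote to.
    ssl_certificate     /PATH/TO/SSL_PATH/darebeat.cn.crt;
    ssl_certificate_key /PATH/TO/SSL_PATH/darebeat.cn.key;

    # SSLv2, SSLv3, TLSv1 and TLSv1.1, and the RC4/EXPORT/LOW suites of the
    # previous cipher list, are all broken. Offer TLS 1.2+ with forward-secret
    # AEAD suites only (TLSv1.3 needs nginx built against OpenSSL 1.1.1+).
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_session_timeout 5m;
    ssl_session_cache shared:SSL:10m;
    server_tokens off;

    # A single catch-all location: the former "location ~ .*" regex matched
    # every request and took precedence over the prefix "location /", so the
    # two are merged here with the regex block's proxy settings.
    location / {
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header X-Real-IP $remote_addr;
        # X-Forwarded-For was set twice before; keep only the form that appends
        # the client address to any chain already present.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Host $http_host;
        proxy_redirect off;
        proxy_pass http://darebeat;
    }

    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root /usr/share/nginx/html;
    }
}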