@sandyxu
Last active August 29, 2015 14:19
config and redirect all http to https in nginx
upstream ikcrm_www_development_unicorn {
    server unix:/tmp/unicorn.ikcrm_www_development.sock fail_timeout=0;
}

# Plain HTTP: redirect every request to the HTTPS vhost
server {
    listen 80;
    server_name test.www.ikcrm.com;
    return 301 https://$server_name$request_uri;
}

server {
    # "ssl" on the listen directive replaces the deprecated "ssl on;"
    listen 443 ssl;
    server_name test.www.ikcrm.com;

    ssl_certificate /usr/local/nginx/config/server.crt;
    ssl_certificate_key /usr/local/nginx/config/server.key;
    ssl_session_timeout 5m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:HIGH:!aNULL:!MD5:!ADH:!DH;
    ssl_prefer_server_ciphers on;

    root /dyne/apps/ikcrm_www_development/current/public;

    # individual nginx logs for this ikcrm_www vhost
    access_log /var/log/nginx/ikcrm_www_access.log;
    error_log /var/log/nginx/ikcrm_www_error.log;

    location ^~ /assets/ {
        gzip_static on;
        expires max;
        add_header Cache-Control public;
        #add_header ETag "";
        #break;
    }

    # Serve static files when they exist, otherwise hand the request to unicorn
    try_files $uri/index.html $uri @unicorn;

    location @unicorn {
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_redirect off;
        proxy_pass http://ikcrm_www_development_unicorn;
    }

    error_page 500 502 503 504 /500.html;
    client_max_body_size 4G;
    keepalive_timeout 10;
}
sandyxu commented Apr 27, 2015

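1. Apply for an SSL certificate
Generate a CSR from the company information: https://www.trustasia.com/tools/csr-generator.htm;
Fill in the CSR and the website information to apply for the SSL certificate (save the file as server.csr);
After the application succeeds, the e-mail reply includes the public key and the private key.

Save the three blocks of text delimited by
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
to server.crt as the public key file.

Save the text delimited by
-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----
to server.key as the private key file.

2. Configure nginx.conf
Configuration to automatically redirect to HTTPS:
server {
    listen 80;
    server_name ik.vkelai.com;
    return 301 https://$server_name$request_uri;
}
Encryption protocol configuration:
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:HIGH:!aNULL:!MD5:!ADH:!DH;

3. Upgrade openssl to the latest version
yum update openssl
openssl version # OpenSSL 1.0.1e-fips 11 Feb 2013
After the upgrade completes:
nginx -s reload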
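
A hardened variant of the gist's configuration, added here as an example and not part of the original gist or comment. It keeps the gist's names and paths; the TLS 1.2-only protocol list, the one-year HSTS max-age, the 10 MB session cache and the X-Forwarded-Proto header are assumptions that do not appear in the original.

```nginx
# Added example: hardened form of the gist's vhost (assumed values are marked).
upstream ikcrm_www_development_unicorn {
    server unix:/tmp/unicorn.ikcrm_www_development.sock fail_timeout=0;
}
server {
    listen 80;
    server_name test.www.ikcrm.com;
    return 301 https://$server_name$request_uri;
}
server {
    listen 443 ssl;                       # replaces the deprecated "ssl on;"
    server_name test.www.ikcrm.com;
    ssl_certificate     /usr/local/nginx/config/server.crt;
    ssl_certificate_key /usr/local/nginx/config/server.key;

    # Weak setting on the page: ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    # TLS 1.0 and 1.1 are deprecated by RFC 8996, so only TLS 1.2 is kept.
    # TLSv1.3 can be appended with nginx 1.13.0+ built against OpenSSL 1.1.1+.
    ssl_protocols TLSv1.2;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:HIGH:!aNULL:!MD5:!ADH:!DH;
    ssl_prefer_server_ciphers on;
    ssl_session_timeout 5m;
    ssl_session_cache shared:SSL:10m;     # assumed size; shared by all workers

    # HSTS (assumed max-age): tells browsers to use HTTPS directly on later visits.
    add_header Strict-Transport-Security "max-age=31536000" always;

    root /dyne/apps/ikcrm_www_development/current/public;

    location ^~ /assets/ {
        gzip_static on;
        expires max;
        add_header Cache-Control public;
        # add_header is inherited only by blocks that define none of their own,
        # so the HSTS header must be repeated here or /assets/ responses lose it.
        add_header Strict-Transport-Security "max-age=31536000" always;
    }

    try_files $uri/index.html $uri @unicorn;
    location @unicorn {
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;  # assumed: app needs the original scheme
        proxy_set_header Host $http_host;
        proxy_redirect off;
        proxy_pass http://ikcrm_www_development_unicorn;
    }
    error_page 500 502 503 504 /500.html;
}
```

Run `nginx -t` before `nginx -s reload` so a syntax error does not take the vhost down.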
