
One IP, one nginx instance, multiple SSL certificates: serving several HTTPS hosts

Installing and configuring nginx for multiple SSL certificates

1. First, point the DNS records of all the domains at the same server.

These are my three domains: www.fireflyi.com, my blog home page; blogadmin.fireflyi.com, the blog admin backend; and blogstatic.fireflyi.com, the static-resource service.

2. Apply for the SSL certificates on Alibaba Cloud: purchase them, then bind each domain, complete validation and download the certificates.
3. I downloaded the certificates in nginx format (a .pem certificate file plus a .key private key, as referenced in the configs below).
4. For nginx to serve several SSL certificates on one IP, the TLS SNI extension (Server Name Indication) must be supported: the client sends the host name it wants in the ClientHello, and nginx uses that name to choose the server block, and therefore the certificate, before the handshake completes. The local OpenSSL must support SNI first; when SSL support is enabled, nginx detects the OpenSSL build and enables SNI automatically.
5. The OpenSSL library shipped with CentOS 5.x does not support this and has to be rebuilt by hand. I use CentOS 7, whose bundled OpenSSL supports it without recompiling, and the nginx 1.16 I installed has SNI enabled out of the box.
6. If your build does not support it, recompile as follows.
7. Download OpenSSL first: wget https://www.openssl.org/source/openssl-1.0.1e.tar.gz ; if that link is dead, fetch a newer release from https://www.openssl.org/source/ . Prefer a current release in any case: 1.0.1e is an end-of-life version affected by Heartbleed (CVE-2014-0160) and many later fixes, so a production server should not be linked against it.

8. tar -zxvf openssl-1.0.1e.tar.gz
9. From the nginx source directory, run nginx's own configure script and point it at the extracted OpenSSL tree so that OpenSSL is built and linked in (the --with-openssl path is relative to the nginx source directory; adjust it to wherever you extracted OpenSSL): ./configure --prefix=/usr/local/nginx --with-http_ssl_module --with-openssl=./openssl-1.0.1e --with-openssl-opt="enable-tlsext"
10. make && make install

11. Check that SNI is enabled (nginx -V prints the build options to stderr, so pipe with 2>&1 if you grep for it); look for this line in the output:

[root@bogon ~]# nginx -V
TLS SNI support enabled

12. Now the server blocks can be configured. Below are the HTTPS configurations from my blog.

Reference configuration for my blog

Blog home page configuration

upstream blog {
    server 127.0.0.1:8081  weight=1 max_fails=2 fail_timeout=30s;
}
server {
    listen 443 ssl;
    server_name www.fireflyi.com fireflyi.com;
    #ssl on;  deprecated directive; "listen 443 ssl" replaces it
    ssl_certificate aliy_fireflyi.com.pem;
    ssl_certificate_key aliy_fireflyi.com.key;
    ssl_session_timeout 5m;
    # The provider's note: TLS 1.0 will be downgraded in security ratings and should be disabled after
    # checking compatibility; now that TLS 1.3 exists, TLS 1.2 + TLS 1.3 is the way forward.
    # TLS 1.1 is deprecated together with 1.0 (RFC 8996), so only 1.2 and 1.3 are offered here;
    # TLS 1.3 is used only when nginx is built against OpenSSL 1.1.1 or later.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;  # cipher string as given in the provider's nginx instructions
    #fastcgi_param   HTTPS               on;
    #fastcgi_param   HTTP_SCHEME         https;
    ssl_prefer_server_ciphers on;

    location / {
        proxy_next_upstream     http_500 http_502 http_503 http_504 error timeout invalid_header;
        proxy_set_header        Host  $host;
        proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header        X-Forwarded-Proto $scheme;  # lets the plain-HTTP backend know the client used HTTPS
        proxy_pass              http://blog;
        expires                 0;
        # root   /usr/share/nginx/html/fireflyi/;
    }
    index  index.html index.php;
    error_page   500 502 503 504  /50x.html;
    location = /50x.html {
        root   html;
    }
}

Blog admin configuration, which also proxies WebSocket requests

upstream blogadmin {
    server 127.0.0.1:8082  weight=1 max_fails=2 fail_timeout=30s;
}
upstream blogadminWebsocket {
    server 127.0.0.1:8082  weight=1 max_fails=2 fail_timeout=30s;
}
server {
    listen 443 ssl;
    server_name blogadmin.fireflyi.com;
    #ssl on;  deprecated directive; "listen 443 ssl" replaces it
    ssl_certificate aliy_blogadmin.fireflyi.com.pem;
    ssl_certificate_key aliy_blogadmin.fireflyi.com.key;
    ssl_session_timeout 5m;
    ssl_protocols TLSv1.2 TLSv1.3;  # TLS 1.0/1.1 are deprecated (RFC 8996); TLS 1.3 needs OpenSSL 1.1.1+
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;  # cipher string as given in the provider's nginx instructions
    #fastcgi_param   HTTPS               on;
    #fastcgi_param   HTTP_SCHEME         https;
    ssl_prefer_server_ciphers on;
    location /websocket {
        # proxy_pass http://127.0.0.1:8082;
        proxy_pass http://blogadminWebsocket;
        proxy_http_version 1.1;          # the Upgrade handshake requires HTTP/1.1 to the backend
        proxy_connect_timeout 5s;
        proxy_read_timeout 150s;         # idle WebSocket connections are closed after this
        proxy_send_timeout 10s;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
        proxy_set_header Host $host;     # otherwise the backend sees the upstream name as Host
        proxy_set_header X-Real-IP $remote_addr;
    }

    location / {
        proxy_next_upstream     http_500 http_502 http_503 http_504 error timeout invalid_header;
        proxy_set_header        Host  $host;
        proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header        X-Forwarded-Proto $scheme;
        proxy_pass              http://blogadmin;
        expires                 0;
        #root   /usr/share/nginx/html/blogadmin/;
    }
    index  index.html index.php;
    error_page   500 502 503 504  /50x.html;
    location = /50x.html {
        root   html;
    }
}

Static-resource service configuration

upstream blogstatic {
    # defined but not referenced by the server block below, which serves files from disk
    server 127.0.0.1:80  weight=1 max_fails=2 fail_timeout=30s;
}
server {
    listen 443 ssl;
    server_name blogstatic.fireflyi.com;
    ssl_certificate aliy_blogstatic.fireflyi.com.pem;
    ssl_certificate_key aliy_blogstatic.fireflyi.com.key;
    ssl_session_timeout 5m;
    ssl_protocols TLSv1.2 TLSv1.3;  # TLS 1.0/1.1 are deprecated (RFC 8996); TLS 1.3 needs OpenSSL 1.1.1+
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;  # cipher string as given in the provider's nginx instructions
    ssl_prefer_server_ciphers on;

    root /usr/share/nginx/html/blogstatic/;
    error_page 403 /error.html;      # answer forbidden paths with 404 so directories are not enumerable
    location = /error.html {
        return 404;
    }
    autoindex off;
    autoindex_exact_size off;
    autoindex_localtime off;

    location ~ .*\.(woff2|woff|ttf|jpg|jpeg|gif|png|swf|flv|wma|wmv|asf|mp3|mmf|zip|rar|js|css)$ {
        # public assets, so a wildcard origin is acceptable here; do not copy this onto endpoints that need credentials
        add_header Access-Control-Allow-Origin *;
        add_header Access-Control-Allow-Methods 'GET, POST, OPTIONS';
        add_header Access-Control-Allow-Headers 'DNT,X-Mx-ReqToken,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Authorization';

        expires 30d;
        access_log off;
        # hotlink deterrent only: the Referer header is client-supplied and trivially spoofed,
        # and "none" deliberately lets requests without a Referer through
        valid_referers none blocked  fireflyi.com blogstatic.fireflyi.com  blogadmin.fireflyi.com www.fireflyi.com;
        if ($invalid_referer) {
            return 404;
            #rewrite ^/ http://www.aa.com/oneblog/4404.jpg;
        }
    }
}

Main service configuration for the "confession" (love) app

server {
    listen 443 ssl;
    server_name love.fireflyi.com;
    #ssl on;  deprecated directive; "listen 443 ssl" replaces it
    ssl_certificate aliy_love.fireflyi.com.pem;
    ssl_certificate_key aliy_love.fireflyi.com.key;
    ssl_session_timeout 5m;
    ssl_protocols TLSv1.2 TLSv1.3;  # TLS 1.0/1.1 are deprecated (RFC 8996); TLS 1.3 needs OpenSSL 1.1.1+
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;  # cipher string as given in the provider's nginx instructions
    #fastcgi_param   HTTPS               on;
    #fastcgi_param   HTTP_SCHEME         https;
    ssl_prefer_server_ciphers on;

    # a request whose path ends in a number, e.g. /123, is forwarded as /love/123
    location ~ .*\/(\d+)$ {
        proxy_pass  http://127.0.0.1:8081/love/$1;
    }

    # prefix location with a URI in proxy_pass: the matched "/" is replaced by /love/99,
    # so / becomes /love/99 and /foo becomes /love/99foo
    location / {
        proxy_pass  http://127.0.0.1:8081/love/99;
    }
}

All of the above use the reverse-proxy approach. You do not have to follow my configuration; adapt it freely to suit your own project.
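The protocol and cipher lines are repeated in every server block above, and the version of this page I edited listed TLSv1.1 right next to a comment arguing for TLS 1.2 and 1.3 only. As an added example (written for this page, not nginx's or the certificate provider's code), this script parses nginx server blocks and reports the TLS settings a reviewer would flag. The sample configuration embedded in it is constructed from the page's admin and static vhosts, one left in the weak state with an explicit `ssl on`, the other corrected; the three rules it applies are the editor's, not an official checklist.

```python
"""Audit the TLS settings of nginx server blocks: deprecated 'ssl on', legacy
protocol versions, and a missing HSTS header.  Constructed example for this
page; it is not an nginx tool and the rules are the editor's, not a standard."""
import re

TOKEN = re.compile(r"'[^']*'|\"[^\"]*\"|[{};]|[^\s{};'\"]+")
# Versions deprecated by RFC 8996 (TLS 1.0/1.1) or long broken (SSLv2/SSLv3)
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
RECOMMENDED_PROTOCOLS = "TLSv1.2 TLSv1.3"

# Constructed sample: the page's admin vhost with the weak protocol line and an
# explicit 'ssl on', beside the static vhost with the corrected settings.
SAMPLE_CONF = """
server {
    listen 443 ssl;
    server_name blogadmin.fireflyi.com;
    ssl on;
    ssl_certificate aliy_blogadmin.fireflyi.com.pem;
    ssl_certificate_key aliy_blogadmin.fireflyi.com.key;
    ssl_protocols TLSv1.3 TLSv1.1 TLSv1.2;   # weak: TLS 1.1 still offered
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;
    location /websocket {
        proxy_pass http://127.0.0.1:8082;
        proxy_set_header Connection "Upgrade";
    }
}
server {
    listen 443 ssl;
    server_name blogstatic.fireflyi.com;
    ssl_certificate aliy_blogstatic.fireflyi.com.pem;
    ssl_certificate_key aliy_blogstatic.fireflyi.com.key;
    ssl_protocols TLSv1.2 TLSv1.3;
    add_header Strict-Transport-Security "max-age=31536000" always;
    root /usr/share/nginx/html/blogstatic/;
}
"""


def tokenize(conf):
    """Split nginx config text into tokens; '#' starts a comment to end of line
    (a quoted '#' is not handled, which is enough for the configs on this page)."""
    tokens = []
    for line in conf.splitlines():
        tokens.extend(TOKEN.findall(line.split("#", 1)[0]))
    return tokens


def parse(tokens):
    """Return a list of (directive, args, children); children is None for a
    simple directive and a nested list for a block such as server { ... }."""
    def block(i):
        items = []
        while i < len(tokens) and tokens[i] != "}":
            name, j, args = tokens[i], i + 1, []
            while tokens[j] not in ("{", ";"):
                args.append(tokens[j])
                j += 1
            if tokens[j] == ";":
                items.append((name, args, None))
                i = j + 1
            else:
                children, i = block(j + 1)
                items.append((name, args, children))
        return items, i + 1          # skip the closing brace
    return block(0)[0]


def audit_server(children):
    """Findings for one server block; an empty list means nothing to report."""
    simple = {name: args for name, args, kids in children if kids is None}
    findings = []
    if "ssl" in simple:
        findings.append("'ssl on' is deprecated since nginx 1.15.0; use 'listen 443 ssl' instead")
    protocols = simple.get("ssl_protocols")
    if protocols is None:
        findings.append("ssl_protocols not set, so the build's default applies "
                        "(TLSv1 TLSv1.1 TLSv1.2 in nginx 1.16)")
    else:
        legacy = sorted(LEGACY_PROTOCOLS & set(protocols))
        if legacy:
            findings.append(f"legacy protocols enabled: {' '.join(legacy)}; "
                            f"use 'ssl_protocols {RECOMMENDED_PROTOCOLS};'")
    has_hsts = any(name == "add_header" and args
                   and args[0].strip("'\"").lower() == "strict-transport-security"
                   for name, args, kids in children)
    if not has_hsts:
        findings.append("no Strict-Transport-Security header at server level "
                        "(a location with its own add_header does not inherit it)")
    return findings


def audit(conf):
    """Map each server_name to its findings."""
    report = {}
    for name, args, children in parse(tokenize(conf)):
        if name == "server" and children is not None:
            simple = {n: a for n, a, k in children if k is None}
            report[" ".join(simple.get("server_name", ["(no server_name)"]))] = audit_server(children)
    return report


if __name__ == "__main__":
    for vhost, findings in audit(SAMPLE_CONF).items():
        print(vhost, "->", findings or "ok")
```

Run it against `nginx -T` output (the full, resolved configuration) rather than a single file, since `include` lines are not followed here. The `ssl_protocols` default it reports is the one documented for nginx 1.16; whether TLSv1.3 is actually negotiated depends on the OpenSSL version shown by `nginx -V`, so the directive alone does not prove TLS 1.3 is on.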
