How to configure nginx ssl
1. Get a Certificate
Create an SSL certificate. These commands are for a self-signed certificate, but you should get an officially signed certificate if you want to avoid browser warnings.
Move into the proper directory and generate a certificate:
cd /etc/nginx
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/nginx/cert.key -out /etc/nginx/cert.crt
You will be prompted to enter some information about the certificate. You can fill this out however you'd like; just be aware the information will be visible in the certificate properties. We've set the number of bits to 2048 since that's the minimum needed to get it signed by a CA. If you want to get the certificate signed, you will need to create a CSR.
2. Edit the Configuration
Edit /etc/nginx/nginx.conf. The example below forwards requests for https://9.110.214.172:9084/ to https://www.baidu.com:
user nginx;
worker_processes 1;
error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;
events {
    worker_connections 1024;
}
http {
    include /etc/nginx/mime.types;
    default_type application/octet-stream;
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';
    access_log /var/log/nginx/access.log main;
    sendfile on;
    #tcp_nopush on;
    keepalive_timeout 265;
    #gzip on;
    include /etc/nginx/conf.d/*.conf;
    # This section tells the Nginx server to listen to any requests that come in on port 80 (default HTTP) and redirect them to HTTPS.
    # server {
    #     listen 80;
    #     return 301 https://$host$request_uri;
    # }
    server {
        keepalive_requests 240;
        # TLS is enabled with the "ssl" parameter of listen; the separate
        # "ssl on;" directive is deprecated and removed in newer nginx releases.
        listen 443 ssl; # nginx server docker container port
        server_name 9.110.214.172; # nginx server host ip
        ssl_certificate /etc/nginx/cert.crt;
        ssl_certificate_key /etc/nginx/cert.key;
        ssl_session_cache builtin:1000 shared:SSL:10m;
        # TLSv1 and TLSv1.1 are deprecated (RFC 8996), so only 1.2 and 1.3 are offered.
        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
        ssl_prefer_server_ciphers on;
        location / {
            #proxy_ssl_verify off;
            # CORS preflight: answered by nginx itself. "return" runs before
            # proxying, so a proxy_pass in this block would never be reached.
            if ($request_method = OPTIONS) {
                # Browsers reject a wildcard origin combined with
                # Allow-Credentials: true on credentialed requests.
                add_header 'Access-Control-Allow-Origin' '*';
                add_header 'Access-Control-Allow-Credentials' 'true';
                add_header 'Access-Control-Allow-Methods' 'POST,GET,DELETE,OPTIONS';
                add_header 'Access-Control-Allow-Headers' 'maxauth,x-method-override,patchtype,content-type,accept';
                return 200;
            }
            # All other methods: add the CORS headers and proxy to the upstream.
            if ($request_method != OPTIONS) {
                # add_header 'Access-Control-Allow-Origin' '*';
                add_header 'Access-Control-Allow-Credentials' 'true';
                add_header 'Access-Control-Allow-Methods' 'POST,GET,DELETE,OPTIONS';
                add_header 'Access-Control-Allow-Headers' 'maxauth,x-method-override,patchtype,content-type,accept';
                #proxy_pass http://9.212.148.172:9080;
                proxy_pass https://www.baidu.com;
            }
        }
    }
}
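The preflight block above returns Access-Control-Allow-Origin: * together with Access-Control-Allow-Credentials: true, a pair that browsers refuse for credentialed requests. The following is an added example, not part of the original configuration, that echoes the Origin header only when it matches an allowlist; the two example.com origins are placeholders to replace with your own front-end origins.

```nginx
# Added example. Goes in the http { } context, next to the server block.
# Maps the request's Origin header to itself when it is on the allowlist,
# and to an empty string otherwise.
map $http_origin $cors_origin {
    default                     "";             # unknown origin: header omitted
    "https://app.example.com"   $http_origin;   # placeholder allowed origin
    "https://ops.example.com"   $http_origin;   # placeholder allowed origin
}

server {
    listen 443 ssl;
    server_name 9.110.214.172;
    ssl_certificate     /etc/nginx/cert.crt;
    ssl_certificate_key /etc/nginx/cert.key;

    location / {
        # Preflight: answered locally. add_header inside an "if" replaces the
        # location-level headers, so the CORS headers are repeated here.
        if ($request_method = OPTIONS) {
            add_header 'Access-Control-Allow-Origin' $cors_origin always;
            add_header 'Access-Control-Allow-Credentials' 'true' always;
            add_header 'Access-Control-Allow-Methods' 'POST,GET,DELETE,OPTIONS' always;
            add_header 'Access-Control-Allow-Headers' 'maxauth,x-method-override,patchtype,content-type,accept' always;
            add_header 'Vary' 'Origin' always;
            return 204;
        }

        # Actual requests: nginx drops an add_header whose value is empty,
        # so origins outside the map get no Access-Control-Allow-Origin.
        add_header 'Access-Control-Allow-Origin' $cors_origin always;
        add_header 'Access-Control-Allow-Credentials' 'true' always;
        add_header 'Vary' 'Origin' always;
        proxy_pass https://www.baidu.com;
    }
}
```

The Vary: Origin header keeps shared caches from serving a response generated for one origin to another.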
3. Copy cert.key and cert.crt to the nginx container folder /etc/nginx
4. Start the Docker container:
docker run --name nginx_CAMP -d -p 9084:443 --restart unless-stopped nginx
5. Replace nginx.conf with the file above
6. Access https://9.110.214.172:9084/ to verify