if ( $http_host ~* "zh" ) {
set $domain "zh";
}
if ( $http_host ~* "jp" ) {
set $domain "jp";
}
root /url/$domain;
$http_accept_language浏览器设置的语言
rewrite ^/$ /m redirect;
last : 不执行此location
break : 不执行下面的location
redirect : 返回302临时重定向(默认)
permanent : 返回301永久重定向,无证书后会报错
rewrite ^(.*)$ https://$http_host$request_uri
curl -I查看响应头
$remote_addr ip地址
http转https
server {
listen 443 ssl;
server_name s.oldxu.com;
ssl_certificate ssl_key/server.crt;
ssl_certificate_key ssl_key/server.key;
root /code;
location / {
index index.html;
}
}
server {
listen 80;
server_name s.oldxu.com;
return 302 https://$http_host$request_uri;
}
通过uri跳转其他https域名
web01
server {
listen 443 ssl;
ssl_certificate ssl_key/server.crt;
ssl_certificate_key ssl_key/server.key;
server_name s.oldxu.com;
root /code;
location / {
index index.html;
}
}
web02
server {
listen 80;
server_name www.oldxu.com;
root /code;
location / {
index index.html;
}
location /login {
return 302 https://s.oldxu.com;
}
}
通过uri从https跳转到http
server {
listen 443 ssl;
ssl_certificate ssl_key/server.crt;
ssl_certificate_key ssl_key/server.key;
server_name s.oldxu.com;
root /code;
location / {
index index.html;
}
}
server {
listen 80;
server_name s.oldxu.com;
if ( $request_uri != '/abc') {
return 302 https://$http_host$request_uri;
}
}
ssl_session_cache shared:SSL:10m; #在建立完ssl握手后如果断开连接,在session_timeout时间内再次连接,是不需要在次建立握手,可以复用之前的连接
ssl_session_timeout 1440m; #ssl连接断开后的超时时间(24小时)
ssl_protocols TLSv1 TLSv1.1 TLSv1.2; #使用的TLS版本协议
ssl_prefer_server_ciphers on; #Nginx决定使用哪些协议与浏览器进行通讯
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4; #配置加密套间
生成假证书
openssl req -nodes -newkey rsa:2048 -keyout server.key -out server.csr -subj “/C=/ST=/L=/O=/OU=/CN=wuxing”
openssl x509 -req -sha256 -days 36500 -in server.csr -signkey server.key -out server.crt
接入负载均衡
upstream ssl {
server 172.16.1.7:80;
server 172.16.1.8:80;
}
server {
listen 443 ssl;
server_name ssl.oldxu.com;
ssl_certificate ssl_key/server.crt;
ssl_certificate_key ssl_key/server.key;
location / {
proxy_pass http://ssl;
include proxy_params;
}
}
server {
listen 80;
server_name ssl.oldxu.com;
return 302 https://$http_host$request_uri;或者$server_name
}
server {
listen 80;
server_name ssl.oldxu.com;
root /code;
location / {
index index.html;
}
}