Configuring SSL Support in Nginx

Posting the configuration here for easy reference next time.

server
    {
        listen       443;
        server_name domain.com;
        index index.html index.htm index.php default.html default.htm default.php;
        root  /path/to/webroot;
        ssl on; # obsolete since nginx 1.15.0 and removed in 1.25.1; newer versions use "listen 443 ssl;"
        ssl_certificate /path/to/site.crt;
        ssl_certificate_key /path/to/site.key;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # set the supported protocols; SSLv3 is disabled
        ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4"; # disable RC4 and similar ciphers
        ssl_prefer_server_ciphers on;
    }


<h3>To redirect HTTP to HTTPS automatically, add another server block above the server block shown above, with the following content</h3>

server
    {
        listen       80;
        server_name domain.com;
        return 301 https://$server_name$request_uri;
    }

<h3>If HTTP and HTTPS (SSL) need to coexist, refer to the configuration below</h3>

server {
           listen 80 default backlog=2048;
           listen 443 ssl;
           server_name domain.com;
           root /var/www/html;

           ssl_certificate /usr/local/Tengine/sslcrt/domain.com.crt;
           ssl_certificate_key /usr/local/Tengine/sslcrt/domain.com.key;
       }

# Remove the "ssl on;" line and put "ssl" after port 443 on the listen directive; this way both http and https links work
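
An added example, not part of the original post: a small Python check that reads the TLS directives of a server block like the first one on this page and reports settings that are deprecated today (TLS 1.0/1.1 per RFC 8996, 3DES suites, the obsolete `ssl on;`). The sample config is an abridged, constructed copy of that block, and the function names `directives` and `audit` are hypothetical.

```python
import re

# Constructed sample: abridged copy of the first server block on this page.
SAMPLE = """
server {
    listen 443;
    ssl on;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-DES-CBC3-SHA:DES-CBC3-SHA:HIGH:!aNULL:!MD5:!RC4";
    ssl_prefer_server_ciphers on;
}
"""

# TLS 1.0 and 1.1 were formally deprecated by RFC 8996.
OLD_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
# Substrings of OpenSSL cipher names that indicate a weak suite.
WEAK_TOKENS = ("RC4", "3DES", "DES-CBC", "MD5", "EXPORT", "NULL")


def directives(conf):
    """Yield (name, args) for each simple 'name args;' line, ignoring # comments."""
    conf = re.sub(r"#[^\n]*", "", conf)
    for m in re.finditer(r"(?m)^\s*([a-z_]+)\s+([^;{}]+);", conf):
        yield m.group(1), m.group(2).strip().strip('"')


def audit(conf):
    """Return a list of findings for the TLS-related directives in conf."""
    findings = []
    for name, args in directives(conf):
        if name == "ssl" and args == "on":
            findings.append("'ssl on;' is obsolete; use 'listen 443 ssl;'")
        elif name == "ssl_protocols":
            for proto in sorted(OLD_PROTOCOLS & set(args.split())):
                findings.append(f"ssl_protocols enables deprecated {proto}")
        elif name == "ssl_ciphers":
            for item in args.split(":"):
                # Entries starting with '!' or '-' remove ciphers; skip them.
                if item[:1] in "!-":
                    continue
                if any(tok in item.upper() for tok in WEAK_TOKENS):
                    findings.append(f"ssl_ciphers offers weak suite {item}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

The check only looks at directive text; which suites a server actually negotiates also depends on the OpenSSL build it is linked against.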
