Configuring multiple HTTPS domains in nginx with a wildcard certificate
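<p>Normally, configuring HTTPS requires one certificate per domain name, and a certificate can be used for only one domain. There is, however, a kind of certificate called a "wildcard certificate", with which a single certificate can be configured for n subdomains, for example:</p><div class="cnblogs_code">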
<pre>Ordinary:
www.baidu.com
Wildcard certificate:
*.baidu.com</pre>
</div>
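<p>Next, the nginx.conf file. (nginx here was installed with Docker, which differs slightly from a native install, but not in any way that matters; the important part is the server configuration, which is pulled in with include.)</p>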
<div class="cnblogs_code">
<pre>user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log notice;
pid /var/run/nginx.pid;
events {
    worker_connections 1024;
}
http {
    include /etc/nginx/mime.types;
    default_type application/octet-stream;
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';
    access_log /var/log/nginx/access.log main;
    sendfile on;
    #tcp_nopush on;
    keepalive_timeout 65;
    #gzip on;
    include /etc/nginx/conf.d/*.conf;
}</pre>
</div>
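<p>Now the server configuration:</p>
<p>Suppose there is a domain, xxxx.hk, with two subdomains under it:</p>
<p>web.xxxx.hk should point to http://xx.xx.xx.xx:8080</p>
<p>app.xxxx.hk should point to http://xx.xx.xx.xx:8081</p>
<p>And there is one wildcard certificate:</p>
<p>xxxx.crt</p>
<p>xxxx.key</p>
<p>Then create two server blocks on port 443 and configure this same certificate in both (the two port-80 server blocks are there to force HTTP requests over to HTTPS):</p>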
<div class="cnblogs_code">
<pre>server {
    listen 80;
    listen [::]:80;
    server_name web.xxxx.hk;
    # Server-level rewrite: every HTTP request is answered with a 301 to HTTPS.
    rewrite ^(.*) https://$server_name$1 permanent;

    #access_log /var/log/nginx/host.access.log main;
    location / {
        proxy_pass http://xx.xx.xx.xx:8080;
        root /usr/share/nginx/html;
        index index.html index.htm;
    }
    #error_page 404 /404.html;
    # redirect server error pages to the static page /50x.html
    #
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root /usr/share/nginx/html;
    }
}
server {
    listen 80;
    listen [::]:80;
    server_name app.xxxx.hk;
    # Server-level rewrite: every HTTP request is answered with a 301 to HTTPS.
    rewrite ^(.*) https://$server_name$1 permanent;

    #access_log /var/log/nginx/host.access.log main;
    location / {
        proxy_pass http://xx.xx.xx.xx:8081;
        root /usr/share/nginx/html;
        index index.html index.htm;
    }
    #error_page 404 /404.html;
    # redirect server error pages to the static page /50x.html
    #
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root /usr/share/nginx/html;
    }
}
server {
    listen 443 ssl;
    server_name web.xxxx.hk;
    # The same wildcard certificate and key are used by both HTTPS servers.
    ssl_certificate /ssl/xxxx.crt;
    ssl_certificate_key /ssl/xxxx.key;
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 5m;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    location / {
        # proxy_pass handles the request; root and index are not used here.
        proxy_pass http://xx.xx.xx.xx:8080;
        root /usr/share/nginx/html;
        index index.html index.htm;
    }
}
server {
    listen 443 ssl;
    server_name app.xxxx.hk;
    ssl_certificate /ssl/xxxx.crt;
    ssl_certificate_key /ssl/xxxx.key;
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 5m;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    location / {
        # proxy_pass handles the request; root and index are not used here.
        proxy_pass http://xx.xx.xx.xx:8081;
        root /usr/share/nginx/html;
        index index.html index.htm;
    }
}</pre>
</div>
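<p>Because a wildcard certificate is valid for every name one level under xxxx.hk, the first 443 server block above (nginx's implicit default server) also answers for names it was never meant to serve; the following variant, an added example that is not part of the original post, rejects unknown names explicitly and loads the certificate once at http level. Assumptions: this is the only file in /etc/nginx/conf.d/, nginx is 1.19.4 or later (for ssl_reject_handshake), and the TLS protocol list, the IPv6 listeners on 443 and the Host header are choices made here; host names, backend addresses and certificate paths are the post's placeholders.</p>

```nginx
# Added example, not from the original post. Directives outside server{} sit in
# the http{} context, so both HTTPS servers inherit the one wildcard certificate.
ssl_certificate     /ssl/xxxx.crt;
ssl_certificate_key /ssl/xxxx.key;
ssl_protocols       TLSv1.2 TLSv1.3;   # assumption: no legacy TLS clients
ssl_session_cache   shared:SSL:1m;
ssl_session_timeout 5m;

# Unknown Host header on port 80: close the connection without a response.
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    return 444;
}

# Unknown or missing SNI name on 443: abort the TLS handshake.
server {
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;
    ssl_reject_handshake on;
}

# HTTP -> HTTPS for the two known names only.
server {
    listen 80;
    listen [::]:80;
    server_name web.xxxx.hk app.xxxx.hk;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name web.xxxx.hk;
    location / {
        proxy_pass http://xx.xx.xx.xx:8080;
        proxy_set_header Host $host;
    }
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name app.xxxx.hk;
    location / {
        proxy_pass http://xx.xx.xx.xx:8081;
        proxy_set_header Host $host;
    }
}
```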
Source: https://www.cnblogs.com/xuehuashanghe/p/16673636.html