This article is based on my own experience; if anything is wrong, please point it out.
1. Buy a domain
Domains are sold by all the major cloud platforms, domestic and foreign.
Domestic providers include Tencent and Alibaba, but the drawback is that both the certificate and the domain require real-name registration in China, which is fairly troublesome.
Foreign providers such as Cloudflare and many others require no real-name registration; the drawback is that they are not cheap.
2. Apply for an SSL certificate for the domain
3. Edit the configuration file
First, here is the configuration file for port 443.
- The following is a reference configuration:

```nginx
server {
    # redirect port 80 to HTTPS
    listen 80;
    listen [::]:80;
    server_name www.xxx.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    # the domain you registered
    server_name www.xxx.com;

    # certificate paths
    ssl_certificate /fullchain/cert.pem;
    ssl_certificate_key /keyfile/key.pem;
    ssl_session_timeout 1d;
    ssl_session_cache shared:MozSSL:10m;  # about 40000 sessions
    ssl_session_tickets off;

    # forward secrecy: requires generating the DH parameter file first
    # ssl_dhparam /dh2048.pem;

    # HSTS
    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload" always;
    add_header X-Content-Type-Options nosniff;

    ssl_protocols TLSv1.2 TLSv1.3;  # protocol control; add TLSv1.1 if you need it
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers off;

    # OCSP stapling (requires the full certificate chain; if cert.pem on the server
    # already is the full chain, the trusted-certificate path below is not needed)
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 8.8.8.8 8.8.4.4 valid=60s;  # Google DNS
    resolver_timeout 2;
    #ssl_trusted_certificate /fullchain/cert.pem;

    # reverse proxy
    location / {
        proxy_pass http://halo:23333;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root html;
    }
}
```
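As an added example (not code from the original post), here is a small Python lint that parses server blocks like the one above and checks the settings the comments call out: the protocol list, the HSTS header, the OCSP stapling prerequisites, the session-ticket setting, the HTTP-to-HTTPS redirect, and the DH parameter file that the commented-out `ssl_dhparam` line would provide. The two embedded configs are a condensed copy of the reference block (with placeholder paths) and a constructed weakened variant; the thresholds and messages are the example's own.

```python
import re

# Added example, not part of the original post: a small lint for the kind of
# nginx server block shown above. Thresholds and messages are this example's own.

WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
MIN_HSTS_AGE = 31536000  # one year, the hstspreload.org minimum

# Condensed from the reference config above; paths are placeholders.
REFERENCE_CONFIG = """
server {
    listen 80;
    return 301 https://$host$request_uri;
}
server {
    listen 443 ssl http2;
    ssl_session_tickets off;
    # ssl_dhparam /dh2048.pem;
    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload" always;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256;
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 8.8.8.8 8.8.4.4 valid=60s;
}
"""

# Constructed weakened variant: no redirect, TLSv1.1 back on, no HSTS, tickets on, no resolver.
WEAKENED_CONFIG = """
server {
    listen 443 ssl http2;
    ssl_session_tickets on;
    ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;
    ssl_stapling on;
    ssl_stapling_verify on;
}
"""


def parse_directives(text):
    """Flatten a config fragment into (directive, args) pairs: comments dropped,
    quoted args kept whole (including embedded ';'), block nesting ignored."""
    directives, tokens, cur, quote, i = [], [], [], None, 0
    while i < len(text):
        c = text[i]
        if quote:                         # inside a quoted argument
            if c == quote:
                quote = None
            else:
                cur.append(c)
        elif c in "\"'":
            quote = c
        elif c == "#":                    # comment runs to end of line
            nl = text.find("\n", i)
            i = len(text) if nl < 0 else nl
            continue
        elif c.isspace() or c in ";{}":
            if cur:
                tokens.append("".join(cur))
                cur = []
            if c in ";{}" and tokens:     # ';' ends a directive, '{' opens a block
                directives.append((tokens[0], tokens[1:]))
                tokens = []
        else:
            cur.append(c)
        i += 1
    return directives


def lint_tls(config):
    """Return a list of findings for one or more server blocks."""
    by_name = {}
    for name, args in parse_directives(config):
        by_name.setdefault(name, []).append(args)
    findings = []

    protocols = {a for args in by_name.get("ssl_protocols", []) for a in args}
    weak = protocols & WEAK_PROTOCOLS
    if weak:
        findings.append("deprecated protocols enabled: " + ", ".join(sorted(weak)))

    hsts = [a for a in by_name.get("add_header", []) if a and a[0].lower() == "strict-transport-security"]
    if not hsts:
        findings.append("no Strict-Transport-Security header")
    else:
        m = re.search(r"max-age=(\d+)", " ".join(hsts[0][1:]))
        if not m or int(m.group(1)) < MIN_HSTS_AGE:
            findings.append("HSTS max-age below %d seconds" % MIN_HSTS_AGE)
        if "always" not in hsts[0]:
            findings.append("HSTS header lacks 'always', so error responses omit it")

    if ["on"] in by_name.get("ssl_stapling", []):
        if ["on"] not in by_name.get("ssl_stapling_verify", []):
            findings.append("ssl_stapling on without ssl_stapling_verify on")
        if "resolver" not in by_name:
            findings.append("ssl_stapling on without a resolver for OCSP responder lookups")

    suites = [s for args in by_name.get("ssl_ciphers", []) for a in args for s in a.split(":")]
    if any(s.startswith("DHE-") for s in suites) and "ssl_dhparam" not in by_name:
        findings.append("DHE suites listed but ssl_dhparam unset; nginx >= 1.11.0 then offers no DHE suites")

    if ["off"] not in by_name.get("ssl_session_tickets", []):
        findings.append("ssl_session_tickets not off; unrotated ticket keys weaken forward secrecy")

    returns = by_name.get("return", [])
    if not any(len(a) > 1 and a[0] == "301" and a[1].startswith("https://") for a in returns):
        findings.append("no 301 redirect from HTTP to HTTPS")
    return findings


if __name__ == "__main__":
    for label, cfg in (("reference", REFERENCE_CONFIG), ("weakened", WEAKENED_CONFIG)):
        print(label + ":", lint_tls(cfg) or ["no findings"])
```

Run against the reference block the only finding is the `ssl_dhparam` one: the cipher list contains `DHE-RSA-*` suites, but with the parameter file commented out nginx 1.11.0 and later simply never offers them, so generate the file and enable that line if you want those suites at all. The weakened variant trips the remaining checks, which is the point of keeping a lint like this beside the config rather than trusting the comments.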
To be continued