当我用ssl设置一个网站时,我几乎总是有这样的样板nginxconfiguration(注释说明):
# Redirect both (http/https) non www. to www. server { listen 80; listen 443 ssl; ssl_certificate /etc/ssl/certs/www.example.com.pem; ssl_certificate_key /etc/ssl/private/www.example.com.key; server_name example.com; return 301 $scheme://www.example.com$request_uri; } # Redirect www. http traffic to www. https server { listen 80; server_name www.example.com; return 301 https://$host$request_uri; } # Serve www. website over https server { listen 443 ssl; ssl_certificate /etc/ssl/certs/www.example.com.pem; ssl_certificate_key /etc/ssl/private/www.example.com.key; server_name www.example.com; root /home/example/apps/site; server_tokens off; index index.php index.html index.htm; location / { try_files $uri $uri/ =404; } # ... } 有人build议使这个更简单,并删除一些重复?
如果您有*.example.com的通配符证书,则可以使用以下格式编写它:
server { listen 80 default_server; listen 443 ssl default_server; ssl_certificate /etc/ssl/certs/www.example.com.pem; ssl_certificate_key /etc/ssl/private/www.example.com.key; return 301 https://www.example.com$request_uri; } server { listen 443; server_name www.example.com; root /home/example/apps/site; index index.php index.html index.htm; server_tokens off; location / { try_files $uri $uri/ =404; } [ ... ] }
SSL握手将始终发生在第一个块中,从而提供通配域证书。
server_name ,因为它是SSL,握手后完成,并允许这种forms的configuration,其中正确的服务器块不一定是握手发生的那个。
default_server指令将强制将未知/空/不存在的主机头部redirect到HTTPS域。