Taking a personal website as an example: Common Name (e.g. server FQDN or YOUR name) []: ceshi-test.com. You can also use *.yourdomain.com to match your subdomains.
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN    # country
State or Province Name (full name) []:ShangHai    # province
Locality Name (eg, city) [Default City]:ShangHai    # city
Organization Name (eg, company) [Default Company Ltd]:ACBC    # company
Organizational Unit Name (eg, section) []:Tech    # department
Common Name (eg, your name or your server's hostname) []:*.mydomain.com    # Note: enter the domain you are going to deploy here. For a single domain, enter it directly; if unsure, use *, which lets the certificate cover all subdomains of mydomain.com
Email Address []:admin@mydomain.com    # an address ending in your domain is fine

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:    # whether to set a password; can be left empty, just press Enter
An optional company name []:    # another company name; can be left empty
# For more information on configuration, see:
#   * Official English Documentation: http://nginx.org/en/docs/
#   * Official Russian Documentation: http://nginx.org/ru/docs/

#user nginx;
#worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;

# Load dynamic modules. See /usr/share/doc/nginx/README.dynamic.
include /usr/share/nginx/modules/*.conf;
server {
    listen 80;
    listen www.xxx.com:80;    # add the domain name you want this address to serve here
    server_name www.xxx.com alias xxx.com.alias;
    rewrite ^(.*) https://$server_name$1 permanent;    # this line is the key
}
2. Use the same port, redirecting HTTP to HTTPS
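How it works: HTTP and HTTPS are both layered on top of TCP. Once nginx has established the TCP connection, it uses the first data it receives to decide whether the client wants TLS or plain HTTP. nginx inspects the first byte of the request to tell the two apart: if it is 0x80 or 0x16, the connection may be SSL or TLS, and nginx attempts an HTTPS handshake. If HTTPS is enabled on the port but the incoming request is not HTTPS, nginx raises an HTTP-level error. The status code of this error is NGX_HTTP_TO_HTTPS, error code 497, and the response that goes back carries a 400 error instead (497 is not a standard status code, so handing it to the browser would be useless). The browser then shows "400 Bad Request, The plain HTTP request was sent to HTTPS port".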
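
One way to turn that 497 into a redirect on the same port, as an added example that is not from the original page. It relies on nginx's error_page directive; port 8443, the certificate paths and the document root are placeholders assumed here, and www.xxx.com is the page's own placeholder domain.

```nginx
# Added example, not part of the original page.
# Assumptions: port 8443, certificate paths and document root are placeholders.
server {
    listen 8443 ssl;
    server_name www.xxx.com;

    ssl_certificate     /etc/nginx/ssl/example.crt;   # placeholder path
    ssl_certificate_key /etc/nginx/ssl/example.key;   # placeholder path

    # A plain HTTP request arriving on this TLS port raises the internal
    # status 497. Without the next line the client sees "400 Bad Request";
    # with it the client receives a 301 to the same port and URI over HTTPS.
    # $server_name is fixed by this config, whereas $host would echo the
    # Host header supplied by the client into the Location header.
    error_page 497 =301 https://$server_name:$server_port$request_uri;

    location / {
        root /usr/share/nginx/html;                    # placeholder docroot
    }
}
```

The redirect is sent only after the first request has already crossed the network in cleartext, so session cookies for this site should carry the Secure attribute.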