[Repost] Nginx: forcing HTTP to HTTPS for multiple domains

Previously I set up SSL certificate issuance with Let's Encrypt; now every domain will be forced to be accessed over HTTPS.

1. Back up the old configuration files and create new ones

1. Enter the nginx conf directory and create a backup folder

cd /usr/local/nginx/conf
mkdir vhost.conf.bak

2. Move the old configuration files into the backup folder

mv vhost/* vhost.conf.bak/

3. Create the new configuration files

Create the main configuration file, which listens on port 80 and redirects requests:

vim index.host.conf

Contents:

server {
    listen 80;
    server_name abc.cn www.abc.cn jenkins.abc.cn mymaven.abc.cn dubboadmin.abc.cn;
    # $1 carries the original request path, so the client lands on the same URL over https
    # instead of being sent to the site root
    rewrite ^(.*) https://$host$1 permanent;
}

Create the per-domain configuration files listening on port 443 (they can be split per domain or kept in a single file; for convenience I put them all in one file):

vim https.host.conf

Contents:

# All four server blocks use the same certificate, so that certificate must list
# every one of these hostnames as a Subject Alternative Name (see section 4).
server {
    listen       443 ssl;   # "ssl on;" is deprecated; enabling TLS on the listen socket is the current form
    server_name  www.mrpei.cn  mrpei.cn;

    ssl_certificate      /etc/letsencrypt/live/mrpei.cn-0002/fullchain.pem;
    ssl_certificate_key  /etc/letsencrypt/live/mrpei.cn-0002/privkey.pem;

    ssl_session_cache    shared:SSL:10m;
    ssl_session_timeout  5m;

    ssl_ciphers  HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers  on;

    location / {
        proxy_pass http://112.74.102.226:8080/;
        proxy_set_header Host       $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;   # tells the backend the client used https
    }
}

server {
    listen       443 ssl;
    server_name  jenkins.mrpei.cn;

    ssl_certificate      /etc/letsencrypt/live/mrpei.cn-0002/fullchain.pem;
    ssl_certificate_key  /etc/letsencrypt/live/mrpei.cn-0002/privkey.pem;

    ssl_session_cache    shared:SSL:10m;
    ssl_session_timeout  5m;

    ssl_ciphers  HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers  on;

    location / {
        proxy_pass http://112.74.102.226:8300;
        proxy_set_header Host       $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

server {
    listen       443 ssl;
    server_name  mymaven.mrpei.cn;

    ssl_certificate      /etc/letsencrypt/live/mrpei.cn-0002/fullchain.pem;
    ssl_certificate_key  /etc/letsencrypt/live/mrpei.cn-0002/privkey.pem;

    ssl_session_cache    shared:SSL:10m;
    ssl_session_timeout  5m;

    ssl_ciphers  HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers  on;

    location / {
        proxy_pass http://112.74.102.226:8081;
        proxy_set_header Host       $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

server {
    listen       443 ssl;
    server_name  dubboadmin.mrpei.cn;

    ssl_certificate      /etc/letsencrypt/live/mrpei.cn-0002/fullchain.pem;
    ssl_certificate_key  /etc/letsencrypt/live/mrpei.cn-0002/privkey.pem;

    ssl_session_cache    shared:SSL:10m;
    ssl_session_timeout  5m;

    ssl_ciphers  HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers  on;

    location / {
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host       $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

2. Test and enable the new configuration

Return to the nginx root directory and run the configuration test:

cd ../
sbin/nginx -t

The following output means the test passed:

nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful

Reload Nginx with the new configuration:

sbin/nginx -s reload

3. Visit the previous addresses again; the browser is automatically redirected to https

4. Problems encountered

1. For some domains the browser address bar shows https in red, warning that the connection is not secure

This is because some of the domains were not included in the certificate requested earlier.

Run the certificate request command again, appending every required domain with -d:

cd /usr/server/sslKey/letsencrypt/
./letsencrypt-auto certonly --standalone --email 756487195@qq.com -d abc.cn -d jenkins.abc.cn -d mymaven.abc.cn -d dubboadmin.abc.cn

Important: if the previous certificate and private key were not deleted, this run generates two new files under a new directory name; be sure to update the corresponding file names in the Nginx configuration.

Lines to change:

ssl_certificate      /etc/letsencrypt/live/mrpei.cn/fullchain.pem;
ssl_certificate_key  /etc/letsencrypt/live/mrpei.cn/privkey.pem;

Change to:

ssl_certificate      /etc/letsencrypt/live/mrpei.cn-0002/fullchain.pem;
ssl_certificate_key  /etc/letsencrypt/live/mrpei.cn-0002/privkey.pem;
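Two things can silently go wrong with the setup above: the port-80 redirect can drop the request path, and the shared certificate can miss one of the hostnames, which is exactly the "not secure" warning from section 4. The script below is an added example, not part of the original post; the hostnames come from the 443 server blocks, while the request path and the certificate dictionaries used for testing are constructed samples.

```python
import http.client
import socket
import ssl
from urllib.parse import urlsplit

# Hostnames taken from the page's 443 server blocks; the request path is a constructed sample.
DOMAINS = ["mrpei.cn", "www.mrpei.cn", "jenkins.mrpei.cn",
           "mymaven.mrpei.cn", "dubboadmin.mrpei.cn"]


def redirect_ok(location, host, request_uri):
    """True if Location sends the client to https://<host><request_uri>.
    A redirect that drops the path (rewrite ^(.*) https://$host) fails here."""
    if not location:
        return False
    p = urlsplit(location)
    got = p.path + ("?" + p.query if p.query else "")
    return p.scheme == "https" and p.hostname == host and got == request_uri


def cert_covers(cert, hostname):
    """True if the DNS SANs of cert (dict as returned by getpeercert()) cover
    hostname. A wildcard matches exactly one label, as browsers require."""
    hostname = hostname.lower().rstrip(".")
    for kind, name in cert.get("subjectAltName", ()):
        if kind != "DNS":
            continue
        name = name.lower()
        if name == hostname:
            return True
        if (name.startswith("*.") and hostname.count(".") == name.count(".")
                and hostname.endswith(name[1:])):
            return True
    return False


def check_domain(host, request_uri="/some/page?x=1", timeout=5):
    """Live check of one domain: port 80 must redirect to the same URL on
    https, and the certificate served on 443 must list the host."""
    conn = http.client.HTTPConnection(host, 80, timeout=timeout)
    conn.request("GET", request_uri, headers={"Host": host})
    resp = conn.getresponse()
    r_ok = resp.status in (301, 308) and redirect_ok(resp.getheader("Location"), host, request_uri)
    conn.close()
    try:
        with socket.create_connection((host, 443), timeout=timeout) as sock:
            with ssl.create_default_context().wrap_socket(sock, server_hostname=host) as tls:
                c_ok = cert_covers(tls.getpeercert(), host)
    except ssl.SSLCertVerificationError:  # what the browser reports as "not secure"
        c_ok = False
    return r_ok, c_ok
```

Run `check_domain(d)` for each entry of `DOMAINS` after `nginx -s reload`; a `(True, True)` result means the redirect keeps the URL and the certificate names the host.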