nginx 使用“通配符证书”配置多个域名
原创
©著作权归作者所有:来自51CTO博客作者莫唯轩_彦的原创作品,请联系作者获取转载授权,否则将追究法律责任
一般配置 https 需要一个证书对应一个域名,一个证书只能用于一个域名;但是有一种叫做“通配符证书”(英文叫:Wildcard certificate)的证书,可以一个证书,配置 n 个二级域名,例如:
一般的:
www.baidu.com
通配符证书:
*.baidu.com
然后 nginx 中,nginx.conf 文件:(用 docker 安装的,和原始方式略有不同,但问题不大,主要是 server 部分的配置,使用 include 引入 server 部分)
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log notice;
pid /var/run/nginx.pid;
events {
worker_connections 1024;
}
http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
sendfile on;
#tcp_nopush on;
keepalive_timeout 65;
#gzip on;
include /etc/nginx/conf.d/*.conf;
}
再看 server 部分配置:
假如有一个域名: xxxx.hk ,现在其下有两个二级域名:
web.xxxx.hk 想指向:http://xx.xx.xx.xx:8080
app.xxxx.hk 想指向:http://xx.xx.xx.xx:8081
然后现在有一份通配符证书:
xxxx.crt
xxxx.key
就可以新建两个 443 端口的 server ,同时配置这个证书(两个 80 端口的 server 是为了强转 http 的请求到 https 上)
server {
listen 80;
listen [::]:80;
server_name web.xxxx.hk;
rewrite ^(.*) https://$server_name$1 permanent;
#access_log /var/log/nginx/host.access.log main;
location / {
proxy_pass http://xx.xx.xx.xx:8080;
root /usr/share/nginx/html;
index index.html index.htm;
}
#error_page 404 /404.html;
# redirect server error pages to the static page /50x.html
#
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root /usr/share/nginx/html;
}
}
server {
listen 80;
listen [::]:80;
server_name app.xxxx.hk;
rewrite ^(.*) https://$server_name$1 permanent;
#access_log /var/log/nginx/host.access.log main;
location / {
proxy_pass http://xx.xx.xx.xx:8081;
root /usr/share/nginx/html;
index index.html index.htm;
}
#error_page 404 /404.html;
# redirect server error pages to the static page /50x.html
#
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root /usr/share/nginx/html;
}
}
server {
listen 443 ssl;
server_name web.xxxx.hk;
ssl_certificate /ssl/xxxx.crt;
ssl_certificate_key /ssl/xxxx.key;
ssl_session_cache shared:SSL:1m;
ssl_session_timeout 5m;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
location / {
proxy_pass http://xx.xx.xx.xx:8080;
root /usr/share/nginx/html;
index index.html index.htm;
}
}
server {
listen 443 ssl;
server_name app.xxxx.hk;
ssl_certificate /ssl/xxxx.crt;
ssl_certificate_key /ssl/xxxx.key;
ssl_session_cache shared:SSL:1m;
ssl_session_timeout 5m;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
location / {
proxy_pass http://xx.xx.xx.xx:8081;
root /usr/share/nginx/html;
index index.html index.htm;
}
}
