1. 基础HTTPS转发配置
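server {
    listen 443 ssl;
    server_name example.com;

    # Server certificate (full chain) and its private key.
    ssl_certificate /path/to/ssl_certificate.crt;
    ssl_certificate_key /path/to/ssl_certificate.key;

    # TLS settings: TLS 1.2/1.3 only, forward-secret AEAD suites only.
    # The previous list (ECDHE:ECDH:AES:HIGH:...) still admitted static-RSA
    # key exchange (no forward secrecy) and CBC-mode ciphers under TLS 1.2;
    # this list does not. TLS 1.3 suites are negotiated by OpenSSL itself and
    # are not affected by ssl_ciphers.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;

    # Forward to the backend service.
    location / {
        # Replace the literal "port" with the backend's real port; nginx -t
        # rejects the placeholder as written. An http:// backend also works,
        # but that hop is then plaintext and must stay on a trusted network.
        proxy_pass https://backend-server:port;

        # Verify the backend's certificate. proxy_ssl_verify is off by
        # default, so without these lines nginx accepts any certificate on
        # the hop to backend-server. The certificate must match the host
        # name in proxy_pass (backend-server); proxy_ssl_server_name sends
        # that name as SNI.
        proxy_ssl_verify on;
        proxy_ssl_trusted_certificate /path/to/trusted-ca.crt;
        proxy_ssl_server_name on;
        proxy_ssl_protocols TLSv1.2 TLSv1.3;

        # Client information for the backend. proxy_set_header replaces any
        # same-named header the client sent, so X-Real-IP and
        # X-Forwarded-Proto are trustworthy downstream. $proxy_add_x_forwarded_for
        # APPENDS $remote_addr to a client-supplied X-Forwarded-For, so only
        # the last entry is the address nginx actually saw.
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # Optional timeouts.
        proxy_connect_timeout 60s;
        proxy_read_timeout 60s;
        proxy_send_timeout 60s;
    }
}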
2. HTTP自动跳转HTTPS
server {
    # Plain-HTTP listener whose only job is to send clients to HTTPS.
    listen 80;
    server_name example.com;

    # Permanent redirect built from the configured server_name (not the
    # client-supplied Host header) plus the original request URI.
    return 301 https://$server_name$request_uri;
}
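server {
    listen 443 ssl;
    server_name example.com;

    # TLS configuration (same as section 1). ssl_protocols is set
    # explicitly because older nginx builds also offer TLS 1.0/1.1 by default.
    ssl_certificate /path/to/cert.crt;
    ssl_certificate_key /path/to/cert.key;
    ssl_protocols TLSv1.2 TLSv1.3;

    location / {
        # Forward to a local HTTP service; TLS terminates at nginx and the
        # plaintext hop stays on this host.
        proxy_pass http://localhost:8080;

        # Proxy headers the original left as "...": without them the backend
        # sees nginx's address as the client and cannot tell the request
        # arrived over HTTPS.
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}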
3. 负载均衡HTTPS转发
upstream backend_servers {
    # Weighted round-robin pool: backend1 receives three requests for every
    # one sent to backend2.
    server backend1.example.com:443 weight=3;
    server backend2.example.com:443;
    # Only used when both primary servers are unavailable.
    server backend3.example.com:443 backup;

    # Idle keepalive connections cached per worker process. Takes effect
    # only when the proxying location sets proxy_http_version 1.1 and an
    # empty Connection header.
    keepalive 32;
}
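server {
    listen 443 ssl;
    server_name example.com;

    # Frontend TLS.
    ssl_certificate /path/to/cert.crt;
    ssl_certificate_key /path/to/cert.key;
    ssl_protocols TLSv1.2 TLSv1.3;

    location / {
        proxy_pass https://backend_servers;

        # HTTP/1.1 with an empty Connection header is required for the
        # upstream keepalive pool to be used.
        proxy_http_version 1.1;
        proxy_set_header Connection "";
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # Hard-coded: this server block only listens with ssl.
        proxy_set_header X-Forwarded-Proto https;

        # Client certificate presented to the backends (mutual TLS).
        proxy_ssl_certificate /path/to/client-cert.crt;
        proxy_ssl_certificate_key /path/to/client-cert.key;

        # Backend certificate verification. When proxy_pass names an upstream
        # group, proxy_ssl_name defaults to the group name ("backend_servers"),
        # which no real certificate carries, so with proxy_ssl_verify on every
        # backend handshake would fail verification. Set proxy_ssl_name to a
        # name present in all backend certificates (sample value below —
        # replace with the name your certificates actually carry);
        # proxy_ssl_server_name then also sends it as SNI.
        proxy_ssl_verify on;
        proxy_ssl_trusted_certificate /path/to/trusted-ca.crt;
        proxy_ssl_name backend.example.com;
        proxy_ssl_server_name on;
        proxy_ssl_protocols TLSv1.2 TLSv1.3;
    }
}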
4. SSL终止 + HTTP转发
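server {
    listen 443 ssl;
    server_name example.com;

    # TLS configuration.
    ssl_certificate /path/to/cert.crt;
    ssl_certificate_key /path/to/cert.key;
    ssl_protocols TLSv1.2 TLSv1.3;

    location / {
        # TLS terminates at nginx; the request continues in plaintext, so the
        # path to backend-server:8080 must be a trusted network (or the same
        # host) — anyone on that path can otherwise read and alter traffic.
        proxy_pass http://backend-server:8080;

        # Hard-coded because this server block only listens with ssl; the
        # backend can use it to emit https:// links and Secure cookies.
        proxy_set_header X-Forwarded-Proto https;
        # Remaining proxy headers (left as "..." in the original).
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}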
5. 多域名SSL配置
# 多个证书配置
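server {
    listen 443 ssl;
    server_name domain1.com;
    ssl_certificate /path/to/domain1.crt;
    ssl_certificate_key /path/to/domain1.key;
    ssl_protocols TLSv1.2 TLSv1.3;

    # nginx selects the certificate from the client's SNI name. A request whose
    # SNI/Host matches none of the configured names is handled by the first
    # server block on this port (this one) unless a default_server block exists,
    # so a dedicated catch-all (e.g. returning 444) is advisable.
    location / {
        # Plaintext hop to the backend: keep it on a trusted network.
        proxy_pass http://backend1:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}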
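server {
    listen 443 ssl;
    server_name domain2.com;
    ssl_certificate /path/to/domain2.crt;
    ssl_certificate_key /path/to/domain2.key;
    ssl_protocols TLSv1.2 TLSv1.3;

    location / {
        # Plaintext hop to the backend: keep it on a trusted network.
        proxy_pass http://backend2:8080;
        # Same client-information headers as the other sections; without them
        # the backend sees nginx as the client.
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}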
6. 带客户端证书验证的双向SSL
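server {
    listen 443 ssl;
    server_name secure-api.example.com;

    # Server certificate.
    ssl_certificate /path/to/server.crt;
    ssl_certificate_key /path/to/server.key;
    ssl_protocols TLSv1.2 TLSv1.3;

    # Client certificate verification: the CA (bundle) client certificates
    # must chain to, and the maximum chain depth accepted.
    ssl_client_certificate /path/to/ca.crt;
    ssl_verify_client on;
    ssl_verify_depth 2;

    # 495 = certificate failed verification, 496 = no certificate presented.
    error_page 495 496 = @ssl_client_error;
    location @ssl_client_error {
        return 403 "Client SSL Certificate Required";
    }

    location / {
        proxy_pass https://backend-server;

        # Verify the backend's certificate; proxy_ssl_verify is off by default,
        # so the hop to backend-server would otherwise accept any certificate.
        proxy_ssl_verify on;
        proxy_ssl_trusted_certificate /path/to/trusted-ca.crt;
        proxy_ssl_server_name on;

        # Pass client certificate details to the backend. $ssl_client_cert is
        # deprecated: it carries the PEM using obsolete header line folding
        # (tab-indented continuation lines), which many backends reject.
        # $ssl_client_escaped_cert (nginx >= 1.13.5) is the URL-encoded form.
        # proxy_set_header replaces any same-named header the client sent, so
        # the backend can trust these values. With ssl_verify_client on,
        # X-SSL-Client-Verify is always SUCCESS in this location (failures are
        # routed to @ssl_client_error); it only varies with "optional".
        proxy_set_header X-SSL-Client-Cert $ssl_client_escaped_cert;
        proxy_set_header X-SSL-Client-Verify $ssl_client_verify;
        proxy_set_header X-SSL-Client-S-DN $ssl_client_s_dn;
    }
}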
7. Docker化配置示例
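server {
    listen 443 ssl;
    server_name api.example.com;
    ssl_certificate /etc/nginx/ssl/fullchain.pem;
    ssl_certificate_key /etc/nginx/ssl/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;

    # HSTS; "always" adds it to error responses too. Set at server level it is
    # inherited by both locations below only because neither defines its own
    # add_header — add_header does not merge across levels, so adding one in a
    # location silently drops this header there.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    location /api/ {
        proxy_pass http://app-container:3000;
        # Backend Location/Refresh headers are passed through unchanged.
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    location /admin/ {
        # Administrative UI exposed on the same public listener as the API:
        # restrict it (allow/deny by source address, client certificates or
        # auth_basic) rather than relying on the path being unknown.
        proxy_pass http://admin-container:4000;
        # Same proxy headers as /api/ (the original left them as "...").
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}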
重要配置说明:
SSL证书配置:
ssl_certificate: 证书文件路径(应包含服务器证书及完整的中间证书链)
ssl_certificate_key: 私钥文件路径
- 可以使用Let's Encrypt自动获取证书
代理头部传递:
proxy_set_header Host $host; # host from the request line or Host header, falling back to the matching server_name
proxy_set_header X-Real-IP $remote_addr; # address of the peer nginx accepted the connection from
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; # forwarding chain: the client-supplied X-Forwarded-For (untrusted) with $remote_addr appended; backends should only trust the last entry
proxy_set_header X-Forwarded-Proto $scheme; # scheme of the client-facing request (http/https)
证书生成命令示例:
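# Self-signed certificate for local testing only (browsers will still warn).
# Modern clients reject certificates without a subjectAltName, so -addext
# adds one (requires OpenSSL 1.1.1+); -subj avoids the interactive prompts.
# -nodes writes the private key unencrypted: restrict its permissions
# (e.g. chmod 600) after creation.
openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
    -subj "/CN=example.com" \
    -addext "subjectAltName=DNS:example.com" \
    -keyout /path/to/privkey.key \
    -out /path/to/fullchain.crt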
配置检查:
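# Check syntax (and that certificate/key files load), then reload only if
# the check passed. A reload with a broken config keeps the old config
# running but reports the error only in the error log; testing first
# surfaces it on the terminal.
nginx -t && nginx -s reload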
根据具体需求选择合适的配置方案,确保SSL配置符合安全最佳实践。