1. 获取证书(阿里云)
- 进入阿里云控制台
- 点击SSL证书安装
- 点击左侧菜单栏,SSL
- 点击免费证书申请(个人版有20个免费)
- 申请之后,点击创建,
- 然后再次申请
- 根据提示填写,域名最好填写你购买的一级域名
- 下载nginx版本的证书
- 解压上传到服务器上
2. https的方案
- 监听所配置域名的80端口,当请求到达80端口时,转发/重定向到https路由进行匹配
- rewrite 指令进行重定向时可用的标志(flag):
- redirect #临时重定向,重写完成后以临时重定向方式直接返回重写后生成的新URL给客户端,由客户端重新发起请求,使用相对路径,http://或https://开头,状态码:302
- permanent #永久重定向,以永久重定向的方式直接返回重写后生成的新URL给客户端,由客户端重新发起新的请求,状态码:301
- last #重写完成后停止对当前location中后续的其他重写操作,而后对新的URL启动新一轮重写检查,不建议在location中使用
- break #重写完成后停止对当前URL在当前location中后续的其他重写操作,而后直接跳转至重写规则匹配块之后的其他配置;结束循环,建议在location中使用
$1介绍:
$---> shell的语法
# 例子
name='dbj'
在shell里面,如果想取出name的值,就得用$name,也就是说 $name<--->'dbj'
# $1
$1--->指代正则表达式分组括号里面的内容
举个例子 www.0528.ltd/dbj.html $1就是dbj.html
也可以这样理解,$1指代ip后面的路由
方式1:使用rewrite指令测试
# Port-80 catch-all: every plain-HTTP request is sent to the same site over HTTPS.
# `^(.*)` matches the whole request URI (which always begins with "/"), so $1
# carries the leading slash; nginx appends the original query string by itself.
# `permanent` answers with 301, which clients may cache.
# $server_name (the configured name) is used rather than $host so a
# client-supplied Host header is never reflected into the Location target.
server {
    listen 80;
    server_name 10.0.0.100;
    rewrite ^(.*) https://$server_name$1 permanent;
}
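# HTTPS virtual host serving static pages from nginx's own html/ directory.
server {
    listen 443 ssl;
    server_name 10.0.0.100;
    # Certificate bundle and private key from step 1 (nginx-format download).
    # The key file should be readable only by the user that starts nginx.
    ssl_certificate /opt/tngx230/cert/7.pem;
    ssl_certificate_key /opt/tngx230/cert/7.key;
    # Session resumption: 1 MB of cache shared by all workers (roughly 4000
    # sessions), each valid for 5 minutes.
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 5m;
    # Pin the protocol set explicitly: without this directive older nginx builds
    # default to also enabling TLSv1 and TLSv1.1, which are deprecated (RFC 8996).
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    location / {
        # Document root relative to the nginx prefix; index files tried in order.
        root html;
        index index.html index.htm;
    }
}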
方式2:使用return指令
# Port-80 server that only redirects to HTTPS.
# `return 301` is cheaper than `rewrite`: no regex is evaluated, and
# $request_uri already holds the original path plus query string.
# $server_name (the configured name) is used rather than $host so a
# client-supplied Host header is never reflected into the Location target.
server {
    listen 80;
    server_name 10.0.0.100;
    return 301 https://$server_name$request_uri;
}
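# HTTPS virtual host serving static pages from nginx's own html/ directory.
server {
    listen 443 ssl;
    server_name 10.0.0.100;
    # Certificate bundle and private key from step 1 (nginx-format download).
    # The key file should be readable only by the user that starts nginx.
    ssl_certificate /opt/tngx230/cert/7.pem;
    ssl_certificate_key /opt/tngx230/cert/7.key;
    # Session resumption: 1 MB of cache shared by all workers (roughly 4000
    # sessions), each valid for 5 minutes.
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 5m;
    # Pin the protocol set explicitly: without this directive older nginx builds
    # default to also enabling TLSv1 and TLSv1.1, which are deprecated (RFC 8996).
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    location / {
        # Document root relative to the nginx prefix; index files tried in order.
        root html;
        index index.html index.htm;
    }
}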
方式3:项目部署使用(前后端不分离使用的配置)
# Port-80 catch-all for the deployed project: everything is redirected to HTTPS.
# `^(.*)` matches the whole request URI (which always begins with "/"), so $1
# carries the leading slash; nginx appends the original query string by itself.
# `permanent` answers with 301, which clients may cache.
server {
    listen 80;
    server_name 10.0.0.100;
    rewrite ^(.*) https://$server_name$1 permanent;
}
# Load-balancing group used by `uwsgi_pass u_text` below.
# Only one backend is active: the uwsgi socket published by the application
# container (host port 8081). A second backend is kept commented out.
upstream u_text {
    server 10.0.0.1:8081;
    #server 106.14.42.253:8082;
}
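# HTTPS front end for the Django project: dynamic requests go to the uwsgi
# upstream, /static is served straight from disk.
server {
    listen 443 ssl;
    server_name 10.0.0.100;
    # Certificate bundle and private key from step 1 (nginx-format download).
    # The key file should be readable only by the user that starts nginx.
    ssl_certificate /opt/tngx230/cert/7.pem;
    ssl_certificate_key /opt/tngx230/cert/7.key;
    # Session resumption: 1 MB shared cache, 5 minute session lifetime.
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 5m;
    # Pin the protocol set explicitly: without this directive older nginx builds
    # default to also enabling TLSv1 and TLSv1.1, which are deprecated (RFC 8996).
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    location / {
        # Speak the uwsgi binary protocol to the upstream group u_text
        # (10.0.0.1:8081). That hop is unencrypted, so it must stay on a
        # private network.
        uwsgi_pass u_text;
        # Alternative when uwsgi is started in http mode instead of socket mode:
        #proxy_pass http://公网地址:项目端口号;
        # Stock uwsgi_param definitions that pass request metadata to uwsgi.
        include /etc/nginx/uwsgi_params;
    }
    location /static {
        # alias replaces the matched "/static" prefix with /opt/static, so
        # /static/css/a.css is read from /opt/static/css/a.css — the directory
        # `manage.py collectstatic` fills (STATIC_ROOT).
        alias /opt/static;
    }
}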
方式4:多域名(未测试)
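# Virtual host for blog.tandk; it answers on plain HTTP and on HTTPS.
server {
    listen 80; # plain HTTP
    listen 443 ssl; # HTTPS
    server_name blog.tandk; # your own domain
    # NOTE(review): nothing in this block redirects port 80 to HTTPS, so the
    # site is also served in clear text. If that is not intended add e.g.
    # `if ($scheme = http) { return 301 https://$server_name$request_uri; }`
    # or a separate port-80 server block that only redirects.
    # Relative certificate paths are resolved from /etc/nginx/ (the config prefix).
    ssl_certificate 1_blog.tandk_bundle.crt;
    ssl_certificate_key 2_blog.tandk.key;
    ssl_session_timeout 5m;
    # Only TLS 1.2/1.3: the original list also enabled TLSv1 and TLSv1.1, which
    # are deprecated (RFC 8996).
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;
    ssl_prefer_server_ciphers on;
    # Accept request bodies up to 1 GiB (large uploads); lower it if the
    # application does not need bodies that big.
    client_max_body_size 1024m;
    location / {
        # Pass the original host, scheme and client address to the backend.
        proxy_set_header HOST $host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Real-IP $remote_addr;
        # $proxy_add_x_forwarded_for appends $remote_addr to whatever
        # X-Forwarded-For the client sent, so only the last entry is trustworthy.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # Backend: the author's Tencent Cloud private address (127.0.0.1 did not work).
        proxy_pass http://xx.xx.xx.xx:8080;
    }
}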
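# Virtual host for mail.tandk; it answers on plain HTTP and on HTTPS.
server {
    listen 80; # plain HTTP
    listen 443 ssl; # HTTPS
    server_name mail.tandk; # your own domain
    # NOTE(review): nothing in this block redirects port 80 to HTTPS, so the
    # site is also served in clear text. If that is not intended add e.g.
    # `if ($scheme = http) { return 301 https://$server_name$request_uri; }`
    # or a separate port-80 server block that only redirects.
    # Relative certificate paths are resolved from /etc/nginx/ (the config prefix).
    ssl_certificate 1_mail.tandk_bundle.crt;
    ssl_certificate_key 2_mail.tandk.key;
    ssl_session_timeout 5m;
    # Only TLS 1.2/1.3: the original list also enabled TLSv1 and TLSv1.1, which
    # are deprecated (RFC 8996).
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;
    ssl_prefer_server_ciphers on;
    # Accept request bodies up to 1 GiB (large uploads); lower it if the
    # application does not need bodies that big.
    client_max_body_size 1024m;
    location / {
        # Pass the original host, scheme and client address to the backend.
        proxy_set_header HOST $host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Real-IP $remote_addr;
        # $proxy_add_x_forwarded_for appends $remote_addr to whatever
        # X-Forwarded-For the client sent, so only the last entry is trustworthy.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # Backend: the author's Tencent Cloud private address (127.0.0.1 did not work).
        proxy_pass http://xx.xx.xx.xx:8181;
    }
}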
ps. 附送一套基于docker部署前后端不分离项目(https)
步骤
# Deployment steps for the Django + uwsgi + nginx stack in Docker (run from /opt).
# Clone the project into /opt
git clone https://gitee/yqmc/u_text.git
# Enter the project
cd u_text/
# Adjust uwsgi.ini to your setup (it must sit next to manage.py)
vim uwsgi.ini
# Adjust the Dockerfile to your setup (it must sit next to manage.py)
vim Dockerfile
# Static file collection: open the Django settings
vim u_text/settings.py
# Uncomment this setting inside settings.py (the directory Django collects
# static files into); shown here for reference
STATIC_ROOT='/opt/static'
# Collect the static files into STATIC_ROOT
python3 manage.py collectstatic
# Build the application image from the Dockerfile in the current directory
docker build -t='u_t' .
# Create the directories that are bind-mounted into the nginx container
# (put the certificate and key into cert/ yourself; default.conf reads them
# from /opt/nginx/cert, which is the same path inside the container)
mkdir -p /opt/nginx/conf /opt/nginx/logs /opt/nginx/cert
# Pre-create the files that are bind-mounted one-to-one; if a host path is
# missing, Docker would create it as a directory instead
touch /opt/nginx/conf/nginx.conf
touch /opt/nginx/conf/default.conf
touch /opt/nginx/logs/error.log
touch /opt/nginx/logs/access.log
# Fill in nginx.conf (logging and global settings)
vim /opt/nginx/conf/nginx.conf
# Fill in default.conf (upstream and server blocks)
vim /opt/nginx/conf/default.conf
# Start the application container: project bind-mounted at /opt/u_text,
# uwsgi socket 8080 published as host port 8081 on every interface.
# NOTE(review): 8081 speaks the uwsgi protocol and is only meant for nginx
# (upstream u_text points at 10.0.0.1:8081); publishing it on that private
# address only, `-p <host-private-ip>:8081:8080`, keeps it off public interfaces.
docker run -di --name=t1 -v /opt/u_text/:/opt/u_text -p 8081:8080 u_t
# Start nginx: configs, logs, static files and certificates are bind-mounted;
# the cert mount matches the ssl_certificate paths used in default.conf
docker run --name=nginx -id -p 80:80 -p 443:443 -v /opt/nginx/conf/nginx.conf:/etc/nginx/nginx.conf -v /opt/nginx/conf/default.conf:/etc/nginx/conf.d/default.conf -v /opt/nginx/logs/error.log:/var/log/nginx/error.log -v /opt/nginx/logs/access.log:/var/log/nginx/access.log -v /opt/static:/opt/static -v /opt/nginx/cert:/opt/nginx/cert nginx
uwsgi.ini
[uwsgi]
# Listen with the uwsgi binary protocol (not HTTP) on every interface of the
# container; nginx's uwsgi_pass reaches it through the port published by
# `docker run -p 8081:8080`.
socket=0.0.0.0:8080
# Project root inside the container (bind-mounted there at run time).
chdir = /opt/u_text
# WSGI entry point, relative to chdir.
wsgi-file = u_text/wsgi.py
# 4 worker processes with 2 threads each.
processes = 4
threads = 2
# Run a master process that supervises and respawns the workers.
master = True
Dockerfile
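# Base image: Docker looks for it locally first, then pulls it from the registry,
# and fails if it exists in neither place.
FROM python:3.6
# Image author. MAINTAINER is deprecated; LABEL is the supported replacement.
LABEL maintainer="ymq"
# Document the uwsgi socket port; the host mapping still comes from `docker run -p`.
EXPOSE 8080
# Copy the dependency list from the build context into /home/ in the image.
# COPY is used instead of ADD: for a plain local file they behave the same,
# and ADD's extra behaviour (unpacking archives, fetching URLs) is not wanted.
COPY ./requirement.txt /home/
# Install the project dependencies and uwsgi while building the image.
# NOTE(review): pin versions in requirement.txt so rebuilds are reproducible.
RUN pip install -r /home/requirement.txt -i https://pypi.douban/simple/
RUN pip install uwsgi -i https://pypi.douban/simple/
# Declare /home as a volume so its data outlives the container; optional,
# `docker run -v` can map it explicitly.
VOLUME ["/home"]
# Working directory for later instructions and for CMD (like `cd`).
# The project itself is not copied in; it is bind-mounted here at run time.
WORKDIR /opt/u_text
# Container start command: run Django under uwsgi with the project's uwsgi.ini.
CMD ["uwsgi", "--ini", "uwsgi.ini"]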
nginx配置
- docker安装的nginx,其配置文件做了拆分(解耦)
- 日志配置在nginx.conf
- server配置在default.conf
- server_name 可以放置域名或者IP
nginx.conf
# Main configuration for the dockerised nginx: only process, logging and
# global http settings live here; upstream/server blocks come from conf.d/.
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log notice;
pid /var/run/nginx.pid;
events {
    worker_connections 1024;
}
http {
    include /etc/nginx/mime.types;
    default_type application/octet-stream;
    # Combined-style access log. $http_x_forwarded_for is a client-supplied
    # header and must not be treated as the real client address.
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';
    access_log /var/log/nginx/access.log main;
    sendfile on;
    #tcp_nopush on;
    keepalive_timeout 65;
    #gzip on;
    # NOTE(review): consider `server_tokens off;` here so responses and error
    # pages stop advertising the nginx version.
    # Virtual hosts; default.conf is bind-mounted into conf.d/ by `docker run`.
    include /etc/nginx/conf.d/*.conf;
}
default.conf
# Port-80 catch-all: every plain-HTTP request is redirected to HTTPS.
# `^(.*)` matches the whole request URI (which always begins with "/"), so $1
# carries the leading slash; nginx appends the original query string by itself.
# `permanent` answers with 301, which clients may cache. $server_name is used
# rather than $host so a client-supplied Host header is never reflected.
server {
    listen 80;
    server_name 10.0.0.100;
    rewrite ^(.*) https://$server_name$1 permanent;
}
# Load-balancing group used by `uwsgi_pass u_text` below.
# The single active backend is the uwsgi socket published by the application
# container (`docker run -p 8081:8080`); a second backend is commented out.
upstream u_text {
    server 10.0.0.1:8081;
    #server 106.14.42.253:8082;
}
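# HTTPS front end inside the nginx container: dynamic requests go to the uwsgi
# upstream, /static is served from the bind-mounted static directory.
server {
    listen 443 ssl;
    server_name 10.0.0.100;
    # Certificate bundle and key from the /opt/nginx/cert bind mount
    # (`docker run -v /opt/nginx/cert:/opt/nginx/cert`).
    ssl_certificate /opt/nginx/cert/7.pem;
    ssl_certificate_key /opt/nginx/cert/7.key;
    # Session resumption: 1 MB shared cache, 5 minute session lifetime.
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 5m;
    # Pin the protocol set explicitly: without this directive older nginx builds
    # default to also enabling TLSv1 and TLSv1.1, which are deprecated (RFC 8996).
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    location / {
        # Speak the uwsgi binary protocol to the upstream group u_text
        # (10.0.0.1:8081). That hop is unencrypted, so it must stay on a
        # private network.
        uwsgi_pass u_text;
        # Alternative when uwsgi is started in http mode instead of socket mode:
        #proxy_pass http://公网地址:项目端口号;
        # Stock uwsgi_param definitions that pass request metadata to uwsgi.
        include /etc/nginx/uwsgi_params;
    }
    location /static {
        # alias replaces the matched "/static" prefix with /opt/static, so
        # /static/css/a.css is read from /opt/static/css/a.css — the directory
        # `manage.py collectstatic` fills (STATIC_ROOT), bind-mounted by docker run.
        alias /opt/static;
    }
}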