1. Purpose: test an HTTPS certificate before go-live. The office network needs to test the site over HTTPS, while all external access continues over plain HTTP.
2. The configuration is done on the web front end (nginx).
Architecture:
nginx + multiple Tomcat instances
```nginx
upstream test {
    server 172.16.9.203:8080 weight=2;
    server 172.16.9.204:8080 weight=2;
    server 172.16.9.205:8080 weight=3;
}

server {
    listen       80;
    server_name  www.test.com;

    location / {
        proxy_pass http://test/;
        proxy_read_timeout 300;
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;

        # Only the two office test hosts are exempted from the redirect;
        # every other client address is sent to HTTPS. The original pattern
        # was unanchored (^a|b); it is anchored on both ends here so that
        # only an exact address match is exempted.
        if ($remote_addr !~ ^172\.16\.9\.(226|244)$) {
            # rewrite ^(.*) https://$host$1 permanent;   # 301 (permanent) variant
            return 302 https://www.test.com$request_uri;
            # error_page 400 https://$host$uri?$args;
        }
    }
}

server {
    # "ssl on;" is deprecated (removed in nginx 1.25.1); the listen
    # parameter is the supported way to enable TLS on the socket.
    listen       443 ssl;
    server_name  www.test.com;

    ssl_certificate     /etc/nginx/conf/key/server.pem;
    ssl_certificate_key /etc/nginx/conf/key/server.key;
    ssl_session_timeout 5m;
    # Kept as in the original. TLSv1 and TLSv1.1 are deprecated (RFC 8996);
    # on a current nginx/OpenSSL use "TLSv1.2 TLSv1.3" instead.
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers   HIGH:!RC4:!MD5:!aNULL:!eNULL:!NULL:!DH:!EDH:!EXP:+MEDIUM;
    ssl_prefer_server_ciphers on;

    location / {
        proxy_pass http://test/;
        proxy_read_timeout 300;
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
    }

    # location ~ .*\.(gif|jpg|jpeg|png|bmp|swf|flv|ico|js|css)$ {
    #     root /data/tomcat/webapps;
    #     expires 1d;
    # }

    access_log /var/log/nginx/www.test.com.access.log main;

    #error_page 404 /404.html;
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root /usr/local/nginx/html;
    }

    #location ~ /\.ht {
    #    deny all;
    #}
}
```
Test whether it works; normally it will. The redirect used here is a 302 (temporary); for a permanent (301) redirect use the commented-out `rewrite ... permanent` line instead. Check both sides with `curl -I http://www.test.com/` from an office host and from an external one: the redirected side must answer `302` with a `Location: https://www.test.com/...` header, the exempted side `200` from Tomcat. Two things to watch: the condition as written is `!~`, which exempts only the two office addresses and redirects everyone else, so confirm that is the direction you want before enabling it for real traffic (if the office is the side that should be forced to HTTPS, the condition is `~`); and because nginx terminates TLS and talks plain HTTP to Tomcat, Tomcat does not know the original scheme. Without `proxy_set_header X-Forwarded-Proto $scheme;` plus Tomcat's RemoteIpValve (`protocolHeader="X-Forwarded-Proto"`), any absolute redirect Tomcat generates will point at `http://`, and the client bounces back through the 302 on port 80.
If there is a CDN in front of nginx
the configuration has to change accordingly: in the `main` log format the client address must be taken from the X-Forwarded-For header that the CDN vendor passes on (`$http_x_forwarded_for`), because `$remote_addr` is then the CDN edge node, not the visitor. The same applies to the office-IP exemption above, which tests `$remote_addr`: behind a CDN every visitor would look external and be redirected. Use the realip module (`set_real_ip_from` restricted to the CDN's published egress ranges, `real_ip_header X-Forwarded-For;`, `real_ip_recursive on;`) so that `$remote_addr` becomes the real client address. Never trust X-Forwarded-For from arbitrary peers: the header is client-controlled, and a direct connection could otherwise claim an office address and bypass the redirect.
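The office-IP exemption in the config above and the CDN note directly above both hinge on which address nginx treats as the client. The following script is an added example, not code from the original post; it reproduces the right-to-left walk that nginx's realip module performs over X-Forwarded-For with `real_ip_recursive on` (only consulting the header when the TCP peer is a trusted proxy), then applies the `!~ ^172\.16\.9\.(226|244)$` check. The CDN ranges (203.0.113.0/24, 198.51.100.0/24) and the sample requests are constructed assumptions; the office addresses are the ones from the config.

```python
"""
Added example: how the office-IP exemption behaves behind a CDN.

nginx realip semantics being reproduced (real_ip_recursive on):
  - X-Forwarded-For is consulted only if the TCP peer matches set_real_ip_from;
  - addresses are consumed from the right while they are trusted proxies;
  - the first untrusted address becomes $remote_addr; if every entry is
    trusted, the leftmost one is used; an unparsable entry stops the walk.
A header sent by an untrusted peer is ignored entirely, so a direct client
cannot spoof an office address to dodge the HTTPS redirect.
"""
import ipaddress
import re
from typing import Optional, Tuple

# Assumed CDN egress ranges (stand-ins for what the CDN vendor publishes).
TRUSTED_PROXIES = [
    ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.0/24")
]

# Office hosts that keep plain HTTP; anchored exactly like the tightened config.
OFFICE_RE = re.compile(r"^172\.16\.9\.(226|244)$")


def is_trusted_proxy(addr: str) -> bool:
    """True if addr falls inside one of the set_real_ip_from ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in TRUSTED_PROXIES)


def real_client_ip(remote_addr: str, x_forwarded_for: Optional[str]) -> str:
    """Return what $remote_addr would be after the realip module ran."""
    if not x_forwarded_for or not is_trusted_proxy(remote_addr):
        return remote_addr  # header absent, or peer not trusted: keep the peer
    hops = [h.strip() for h in x_forwarded_for.split(",") if h.strip()]
    client = remote_addr
    while hops:
        candidate = hops.pop()  # walk from the rightmost (closest) hop
        try:
            ipaddress.ip_address(candidate)
        except ValueError:
            break  # garbage in the header: stop, keep what we have so far
        client = candidate
        if not is_trusted_proxy(candidate):
            break  # first non-proxy address is the real client
    return client


def should_redirect_to_https(client_ip: str) -> bool:
    """The `if ($remote_addr !~ ^172\\.16\\.9\\.(226|244)$) { return 302 ... }` branch."""
    return OFFICE_RE.match(client_ip) is None


def decide(remote_addr: str, x_forwarded_for: Optional[str]) -> Tuple[str, bool]:
    """(effective client address, whether the port-80 vhost would 302 to HTTPS)."""
    client = real_client_ip(remote_addr, x_forwarded_for)
    return client, should_redirect_to_https(client)


if __name__ == "__main__":
    # Constructed sample requests: (TCP peer address, X-Forwarded-For header).
    samples = [
        ("203.0.113.10", "172.16.9.226"),                # office host via CDN: stays HTTP
        ("203.0.113.10", "192.0.2.55"),                  # external via CDN: 302 to HTTPS
        ("203.0.113.10", "172.16.9.244, 198.51.100.7"),  # two CDN hops: still office
        ("192.0.2.55", "172.16.9.226"),                  # direct client spoofing XFF: ignored
        ("172.16.9.244", None),                          # office host reaching nginx directly
    ]
    for peer, xff in samples:
        client, redirect = decide(peer, xff)
        print(f"peer={peer:<14} xff={str(xff):<28} client={client:<14} redirect={redirect}")
```

The fourth sample is the one that matters for security: a client that is not a CDN node sends a forged `X-Forwarded-For: 172.16.9.226`, and because its own address is not in `set_real_ip_from` the header is never consulted, so it is still redirected. Widen `TRUSTED_PROXIES` to `0.0.0.0/0` and that request would be treated as the office host.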
Because TLS costs CPU and bandwidth and adds latency to each connection, it is common to enable HTTP/2 together with HTTPS. nginx must be built with `--with-http_v2_module`, and HTTP/2 is then switched on per vhost with `listen 443 ssl http2;`; browsers only speak HTTP/2 over TLS and negotiate it via ALPN, which needs OpenSSL 1.0.2 or newer. Also note that RFC 7540 Appendix A forbids many older suites (CBC modes, non-ephemeral key exchange) for HTTP/2, so the `ssl_ciphers` list must let an ECDHE with AES-GCM or ChaCha20 suite be selected, otherwise browsers close the connection with INADEQUATE_SECURITY. Whether HTTP/2 actually recovers the performance lost to TLS needs to be measured; that is only my personal guess. For more, see the HTTP/2 specification (RFC 7540).
SSL certificates and HTTP/2
Original URL: http://blog.51cto.com/laodou/2089019