具体步骤如下:
1、安装openssl
工具地址:https://slproweb.com/products/Win32OpenSSL.html
并配置环境变量。
2、生成证书
(1)以管理员身份运行cmd,进入到pfx文件的目录:
(2)根据pfx生成key文件
输入以下命令:
(将 xxxxxx.pfx 替换成自己的 pfx文件名称)
openssl pkcs12 -in xxxxxx.pfx -out server.key -nocerts
根据提示输入三次密码后,则生成server.key 文件
(3)根据pfx生成crt证书文件
输入以下命令:
(将 xxxxxx.pfx 替换成自己的 pfx文件名称)
openssl pkcs12 -in xxxxxx.pfx -out server.crt
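根据提示输入三次密码后,则生成server.crt 文件
注意:上面的命令没有加 -nokeys 参数,因此生成的 server.crt 中除证书外还包含(已加密的)私钥;如果只需要导出证书,可以在命令中加上 -nokeys,此时只需输入一次 pfx 密码。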
(4)生成pem文件
输入以下命令:
openssl x509 -in server.crt -outform PEM -out server.pem
(5)去除key文件的密码保护(避免windows每次启动nginx需要输入pem密码)
注意:生成的 server.key.unsecure 是未加密的私钥,应限制该文件的访问权限(只允许运行 nginx 的账户读取),并且不要放在网站可访问的目录下。
输入以下命令:
openssl rsa -in server.key -out server.key.unsecure
最后在Nginx 配置中将crt和key文件指定路径即可
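# HTTPS virtual host: terminates TLS with the certificate and key exported
# from the pfx, serves the static front end under /demo and proxies
# /demo-api/ to a backend listening on 127.0.0.1:8080.
server {
    listen 443 ssl;
    server_name 域名;

    ssl_certificate     D:/nginx/cert/ssl/server.crt;
    # server.key.unsecure carries no passphrase: keep it readable only by the
    # account that runs nginx and outside any directory nginx serves.
    ssl_certificate_key D:/nginx/cert/ssl/server.key.unsecure;
    ssl_session_cache   shared:SSL:1m;
    ssl_session_timeout 5m;
    ssl_protocols       TLSv1.2;
    ssl_ciphers         ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;
    ssl_prefer_server_ciphers on;

    # CORS
    # NOTE(review): "*" lets any site read these responses from a browser;
    # replace it with the trusted origin(s) if the content is not public.
    add_header Access-Control-Allow-Origin *;
    add_header Access-Control-Allow-Methods 'GET, POST, OPTIONS';
    add_header Access-Control-Allow-Headers 'DNT,X-Mx-RegToken,Keep-Alive,User-Agent,x-Requested-with,If-modified-since,cache-control,Content-Type,Authorization';

    # Caching
    add_header Cache-Control "no-cache,must-revalidate";

    # Security response headers.
    # Only X-Download-Options carries "always"; the others are added to
    # successful and redirect responses but not to 4xx/5xx error responses.
    add_header X-Content-Type-Options nosniff;
    add_header 'Referrer-Policy' 'origin';
    add_header X-Download-Options "noopen" always;
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
    add_header X-Permitted-Cross-Domain-Policies "master-only";
    add_header X-Frame-Options SAMEORIGIN;
    add_header X-XSS-Protection "1; mode=block";

    location /demo {
        alias D:/nginx/html/demo/dist;
        try_files $uri $uri/ /demo/index.html;

        # NOTE(review): echoing $http_origin accepts every origin, the same
        # exposure as "*"; never combine it with
        # Access-Control-Allow-Credentials without an origin allow-list.
        add_header Access-Control-Allow-Methods *;
        add_header Access-Control-Allow-Origin $http_origin;

        # add_header directives are inherited from the server level only when
        # the location defines none of its own. The two CORS headers above
        # switch that inheritance off, so the caching and security headers are
        # repeated here to keep them on /demo responses.
        add_header Cache-Control "no-cache,must-revalidate";
        add_header X-Content-Type-Options nosniff;
        add_header 'Referrer-Policy' 'origin';
        add_header X-Download-Options "noopen" always;
        add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
        add_header X-Permitted-Cross-Domain-Policies "master-only";
        add_header X-Frame-Options SAMEORIGIN;
        add_header X-XSS-Protection "1; mode=block";
    }

    location /demo-api/ {
        # Host and X-Forwarded-For are built from client-supplied request
        # headers; the backend should not use them for access decisions.
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header REMOTE-HOST $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # The trailing slash strips the /demo-api/ prefix before forwarding.
        proxy_pass http://127.0.0.1:8080/;
    }
}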