首先需要获取SSL证书,可以选择:
- 从Let's Encrypt获取免费证书
- 从商业CA购买证书
- 使用自签名证书(仅测试环境)
将获取的证书文件(通常包括.crt和.key文件)上传到服务器;私钥(.key)文件应限制为仅root可读(例如权限600)。示例路径:
/etc/ssl/certs/your_domain.crt
/etc/ssl/private/your_domain.key
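# HTTPS virtual host for the site.
server {
    listen 443 ssl;
    server_name yourdomain.com www.yourdomain.com;

    # Server certificate (followed by any intermediate certificates) and its
    # private key. Keep the key file readable by root only.
    ssl_certificate     /etc/ssl/certs/your_domain.crt;
    ssl_certificate_key /etc/ssl/private/your_domain.key;

    # Recommended TLS settings: offer TLS 1.2 and 1.3 only.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    # TLS 1.2 suites: forward-secret (ECDHE) AEAD ciphers only. ECDSA and RSA
    # variants are both listed so the list works with either certificate type.
    # A placeholder such as "..." must never be left in this string: a name
    # OpenSSL does not recognise does not select any suite.
    # TLS 1.3 suites are not selected by this directive.
    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305';

    # Session resumption: sessions live for one day in a 50 MB cache shared
    # between worker processes.
    # Consider "ssl_session_tickets off;" unless ticket keys are rotated.
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;

    # Other settings...
    root /var/www/yourdomain.com;
    index index.html index.htm;
}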
# Plain-HTTP virtual host: it serves no content and only redirects each
# request to the same host and URI over HTTPS.
server {
    server_name yourdomain.com www.yourdomain.com;
    listen 80;

    # $host is taken from the request, so if this block is also the default
    # server for port 80, requests carrying other Host values are redirected
    # to that host. Add a separate default_server catch-all if that is not wanted.
    return 301 https://$host$request_uri;
}
# Redirect an old URL to its new location (permanent, 301).
# "location /old-page" is a prefix match, so longer paths that begin with
# /old-page are redirected to /new-page as well; use "location = /old-page"
# if only that exact URI should match.
location /old-page {
return 301 https://$host/new-page;
}
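# Canonical host name: redirect www.yourdomain.com to the bare domain.
# Use either this direction or the opposite one (bare -> www), never both:
# two such blocks redirect to each other in a loop.
# The main site block should then no longer list www.yourdomain.com in its
# own server_name.
server {
    listen 443 ssl;
    server_name www.yourdomain.com;

    # A TLS listener needs a certificate even when it only redirects, and the
    # certificate must be valid for www.yourdomain.com or clients see a
    # warning before they ever receive the redirect.
    ssl_certificate     /etc/ssl/certs/your_domain.crt;
    ssl_certificate_key /etc/ssl/private/your_domain.key;

    return 301 https://yourdomain.com$request_uri;
}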
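# Canonical host name: redirect the bare domain to www.yourdomain.com.
# Use either this direction or the opposite one (www -> bare), never both:
# two such blocks redirect to each other in a loop.
# The main site block should then no longer list yourdomain.com in its own
# server_name.
server {
    listen 443 ssl;
    server_name yourdomain.com;

    # A TLS listener needs a certificate even when it only redirects, and the
    # certificate must be valid for yourdomain.com or clients see a warning
    # before they ever receive the redirect.
    ssl_certificate     /etc/ssl/certs/your_domain.crt;
    ssl_certificate_key /etc/ssl/private/your_domain.key;

    return 301 https://www.yourdomain.com$request_uri;
}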
# Front-controller fallback: serve the requested file or directory when it
# exists, otherwise pass the request to /index.php with the original query
# string.
# NOTE(review): assumes a location that handles .php is configured elsewhere — confirm.
location / {
try_files $uri $uri/ /index.php?$query_string;
}
# Two alternative trailing-slash policies. Enable only one of them: with both
# active, each rule undoes the other and the client is redirected in a loop.

# Add a trailing slash: matches URIs that contain no dot and do not already
# end in "/", and redirects permanently to the same URI plus "/".
rewrite ^([^.]*[^/])$ $1/ permanent;
# Remove a trailing slash: matches URIs that end in "/" (other than the bare
# root "/") and redirects permanently to the URI without it.
rewrite ^/(.*)/$ /$1 permanent;
# Rewrite only when the request comes from one specific client address.
# $remote_addr is the address of the directly connected peer; behind a reverse
# proxy or load balancer that is the proxy's address unless the realip module
# is configured to restore the client address from a trusted source.
# This only selects which content is served and is not an access control:
# restrict /special-content itself (e.g. allow/deny) if it must stay private.
if ($remote_addr = 192.168.1.100) {
rewrite ^/special-page$ /special-content break;
}
# Serve the mobile version to mobile devices that request the site root.
# The test is a case-insensitive regex on the User-Agent header, which the
# client fully controls; treat it as a presentation hint, never as a basis
# for a security decision.
if ($http_user_agent ~* "(android|iphone|ipod)") {
rewrite ^/$ /mobile break;
}
# Rewrite /?page=123 to /page/123 (permanent redirect).
# The capture accepts digits only, so no other part of the query string can
# reach the new URI. The pattern is anchored at the start only, so extra
# parameters after page=N still match; the trailing "?" in the replacement
# then drops the whole original query string.
if ($args ~* "^page=([0-9]+)") {
# Copy the capture into a variable before the next regex is evaluated.
set $page $1;
rewrite ^/$ /page/$page? permanent;
}
# Enable HTTP/2 on the TLS listener.
# NOTE: since nginx 1.25.1 the "http2" listen parameter is deprecated in
# favour of a separate "http2 on;" directive; check the installed version.
listen 443 ssl http2;
# OCSP stapling: nginx obtains the certificate's revocation status from the
# CA and sends it to clients during the TLS handshake.
# A "resolver" directive is also required so that nginx can resolve the OCSP
# responder's host name.
# Stapling only works when the certificate names an OCSP responder; some CAs
# (Let's Encrypt among them) have ended their OCSP service, so check with your CA.
ssl_stapling on;
# Verify the OCSP response before stapling it.
ssl_stapling_verify on;
# CA certificates used for that verification (the path is a placeholder).
ssl_trusted_certificate /path/to/chain.pem;
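# Security response headers.
# "always" attaches a header to every response; without it nginx omits the
# header on most error responses (4xx/5xx).
# add_header is inherited from the enclosing level only when the current level
# defines no add_header of its own, so a location that adds any header must
# repeat all of these.

# HSTS for one year. includeSubDomains applies to every subdomain, so enable
# it only once all of them are served over HTTPS.
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
# Stop browsers from guessing a content type other than the declared one.
add_header X-Content-Type-Options nosniff always;
# Allow framing by pages of the same origin only (clickjacking defence).
add_header X-Frame-Options SAMEORIGIN always;
# The legacy browser XSS filter has been removed from current browsers and its
# filtering mode caused problems of its own in older ones; "0" switches it off.
# Use a Content-Security-Policy tailored to the site for XSS defence in depth.
add_header X-XSS-Protection "0" always;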
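# Check the configuration first and reload only if the check succeeds, so a
# broken edit never reaches the running server.
nginx -t && nginx -s reload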
# Debugging aid: write the results of rewrite processing to the error log at
# "notice" level.
# Logged request URIs can include query strings, so switch rewrite_log off
# again after debugging and keep the log file readable by administrators only.
rewrite_log on;
# The error log must be at "notice" or a more verbose level for the entries to appear.
error_log /var/log/nginx/rewrite.log notice;
通过以上配置,您可以实现安全的HTTPS网站部署,并灵活地控制URL重写规则,满足各种业务需求。