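Overview: compile and install Nginx 1.18.0; upgrade it in place to 1.20.2 without downtime; then, on 1.20.2, serve multiple domains over HTTP and HTTPS from a single IP address, with HTTP redirecting automatically to HTTPS.
4.1 Compiling and installing Nginx
4.1.1 About building from source
Building from source requires a standard compiler. GCC (GNU Compiler Collection) is developed by GNU and released under the GPL and LGPL licenses; it is the standard compiler on free Unix-like systems and on Apple's Mac OS X. GCC originally handled only C, so it was first named the GNU C Compiler; it later developed rapidly and can now process C++, Fortran, Pascal, Objective-C, Java, Ada and other languages. Automake is also needed to generate the Makefile automatically. Some Nginx modules depend on third-party libraries, for example pcre (rewrite support), zlib (gzip module support) and openssl (ssl module support).
4.1.2 Building and installing Nginx 1.18.0 from source
4.1.2.1 Compiling and installing Nginx 1.18.0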
# Tune and prepare the CentOS 8 environment: turn off the firewall, disable SELinux, synchronize time, set the hostname, and so on
[root@CentOS84-IP08 ]#hostnamectl set-hostname CentOS84-Nginx-IP08
[root@CentOS84-IP08 ]#exit
[root@CentOS84-IP08 ]#systemctl enable --now chronyd.service
# Install the build dependencies
[root@CentOS84-Nginx-IP08 ]#yum -y install gcc pcre-devel openssl-devel zlib-devel
# Create the nginx account
[root@CentOS84-Nginx-IP08 ]#useradd -s /sbin/nologin nginx
# Download the nginx-1.18.0.tar.gz source package and unpack it
[root@CentOS84-Nginx-IP08 ]#cd /usr/local/src/
[root@CentOS84-Nginx-IP08 ]#wget http://nginx.org/download/nginx-1.18.0.tar.gz
[root@CentOS84-Nginx-IP08 ]#tar xf nginx-1.18.0.tar.gz
[root@CentOS84-Nginx-IP08 ]#ll
total 1016
drwxr-xr-x 8 nginx nginx 158 Apr 21 2020 nginx-1.18.0
-rw-r--r-- 1 root root 1039530 Apr 21 2020 nginx-1.18.0.tar.gz
[root@CentOS84-Nginx-IP08 ]#cd nginx-1.18.0/
[root@CentOS84-Nginx-IP08 ]#pwd
/usr/local/src/nginx-1.18.0
# Run configure to prepare the build
[root@CentOS84-Nginx-IP08 ]#./configure --prefix=/apps/nginx \
> --user=nginx \
> --group=nginx \
> --with-http_ssl_module \
> --with-http_v2_module \
> --with-http_realip_module \
> --with-http_stub_status_module \
> --with-http_gzip_static_module \
> --with-pcre \
> --with-stream \
> --with-stream_ssl_module \
> --with-http_addition_module \
> --with-http_auth_request_module \
> --with-http_dav_module \
> --with-http_flv_module \
> --with-http_gunzip_module \
> --with-http_gzip_static_module \
> --with-http_mp4_module \
> --with-http_random_index_module \
> --with-http_realip_module \
> --with-http_secure_link_module \
> --with-http_slice_module \
> --with-http_ssl_module \
> --with-http_stub_status_module \
> --with-http_sub_module \
> --with-http_v2_module \
> --with-mail \
> --with-mail_ssl_module
# Check the number of CPUs; it determines the -j value used for the build below
[root@CentOS84-Nginx-IP08 ]#lscpu
Architecture: x86_64
CPU op-mode(s): 32-bit, 64-bit
Byte Order: Little Endian
CPU(s): 4
...........
# Compile and install
[root@CentOS84-Nginx-IP08 ]#make -j 4 && make install
# Give the nginx account ownership of the dedicated install directory /apps/nginx
[root@CentOS84-Nginx-IP08 ]#chown -R nginx.nginx /apps/nginx
4.1.2.2 The four main Nginx directories
## After installation nginx has four main directories; their purposes are described below
[root@CentOS84-Nginx-IP08 ]#ll /apps/nginx/
total 0
drwxr-xr-x 2 nginx nginx 333 Mar 25 01:52 conf
drwxr-xr-x 2 nginx nginx 40 Mar 25 01:52 html
drwxr-xr-x 2 nginx nginx 6 Mar 25 01:52 logs
drwxr-xr-x 2 nginx nginx 19 Mar 25 01:52 sbin
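conf: holds all nginx configuration files. nginx.conf is the core main configuration file; the other .conf files configure related features, for example the fastcgi feature uses fastcgi.conf and fastcgi_params. Most configuration files come with a sample copy whose name ends in .default, which can be used as a reference.
html: by default holds the web files served by nginx, although production setups usually move web content to another directory; it also contains a 50x page, which is the default error page.
logs: holds the nginx access log, error log and other logs; the logs directory can also be placed elsewhere, for example /var/logs/nginx.
sbin: holds the nginx binary, which accepts different arguments to perform different functions.
4.1.2.3 Verifying the version and build options
# Create a symbolic link
[root@CentOS84-Nginx-IP08 ]#ls /apps/nginx/sbin/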
nginx
[root@CentOS84-Nginx-IP08 ]#ln -s /apps/nginx/sbin/nginx /usr/sbin/
# Show version information; nginx -V also prints the compile-time arguments, which are needed later for the smooth upgrade
[root@CentOS84-Nginx-IP08 ]#nginx -v
nginx version: nginx/1.18.0
[root@CentOS84-Nginx-IP08 ]#nginx -V
nginx version: nginx/1.18.0
built by gcc 8.5.0 20210514 (Red Hat 8.5.0-4) (GCC)
built with OpenSSL 1.1.1k FIPS 25 Mar 2021
TLS SNI support enabled
configure arguments: --prefix=/apps/nginx --user=nginx --group=nginx --with-http_ssl_module --with-http_v2_module --with-http_realip_module --with-http_stub_status_module --with-http_gzip_static_module --with-pcre --with-stream --with-stream_ssl_module --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-mail --with-mail_ssl_module
4.1.2.4 Starting Nginx and testing access
# Start and stop nginx and test access to the web page
[root@CentOS84-Nginx-IP08 ]#nginx
[root@CentOS84-Nginx-IP08 ]#ss -ntl
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0 511 0.0.0.0:80 0.0.0.0:*
# Note: because nginx was started directly from the binary, it has to be stopped with the command below.
[root@CentOS84-Nginx-IP08 ]#nginx -s stop
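Access test: with Nginx started as above, enter http://192.168.0.8 in a browser; seeing the page served by Nginx shows that the installation succeeded
4.1.2.5 Creating the service unit file and starting Nginx
#### Nginx of the same version was previously installed with yum on another server, Nginx-IP48, so its service file is copied to this compiled-from-source server and used after modification.
# Check for the service unit file on this server; it does not exist after a source install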
[root@CentOS84-Nginx-IP08 ]#ll /usr/lib/systemd/system/nginx.service
ls: cannot access '/usr/lib/systemd/system/nginx.service': No such file or directory
[root@CentOS84-Nginx-IP08 ]#
####################################################################################
# Switch to the Nginx-IP48 server and look at the service file installed by yum; alternatively, create the same file on CentOS84-Nginx-IP08 directly with vim
[root@Nginx-IP48 ]#ll /usr/lib/systemd/system/nginx.service
-rw-r--r-- 1 root root 469 Jan 25 23:25 /usr/lib/systemd/system/nginx.service
[root@Nginx-IP48 ]#cat /usr/lib/systemd/system/nginx.service
[Unit]
Description=nginx - high performance web server
Documentation=http://nginx.org/en/docs/
After=network-online.target remote-fs.target nss-lookup.target
Wants=network-online.target
[Service]
Type=forking
PIDFile=/var/run/nginx.pid
ExecStart=/usr/sbin/nginx -c /etc/nginx/nginx.conf
ExecReload=/bin/sh -c "/bin/kill -s HUP $(/bin/cat /var/run/nginx.pid)"
ExecStop=/bin/sh -c "/bin/kill -s TERM $(/bin/cat /var/run/nginx.pid)"
[Install]
WantedBy=multi-user.target
[root@Nginx-IP48 ]#
# Copy the service file nginx.service to CentOS84-Nginx-IP08
[root@Nginx-IP48 ]#scp /usr/lib/systemd/system/nginx.service 192.168.250.8:/usr/lib/systemd/system/nginx.service
The authenticity of host '192.168.250.8 (192.168.250.8)' can't be established.
ECDSA key fingerprint is SHA256:WGibMK0eLfGqzsaTJEHUwYyD+RwjH6hlC0ZBURwn7ns.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.250.8' (ECDSA) to the list of known hosts.
root@192.168.250.8's password:
nginx.service 100% 469 356.3KB/s 00:00
[root@Nginx-IP48 ]#
####################################################################################
# Switch back to CentOS84-Nginx-IP08 and stop the nginx instance that was started directly from the binary
[root@CentOS84-Nginx-IP08 ]#nginx -s stop
[root@CentOS84-Nginx-IP08 ]#ss -ntl
# Edit the service file to match the paths of the source build
[root@CentOS84-Nginx-IP08 ]#vim /usr/lib/systemd/system/nginx.service
[root@CentOS84-Nginx-IP08 ]#cat /usr/lib/systemd/system/nginx.service
[Unit]
Description=nginx - high performance web server
Documentation=http://nginx.org/en/docs/
After=network-online.target remote-fs.target nss-lookup.target
Wants=network-online.target
[Service]
Type=forking
PIDFile=/apps/nginx/run/nginx.pid
ExecStart=/apps/nginx/sbin/nginx -c /apps/nginx/conf/nginx.conf
ExecReload=/bin/sh -c "/bin/kill -s HUP $(/bin/cat /apps/nginx/run/nginx.pid)"
ExecStop=/bin/sh -c "/bin/kill -s TERM $(/bin/cat /apps/nginx/run/nginx.pid)"
[Install]
WantedBy=multi-user.target
# Create the /apps/nginx/run/ directory
[root@CentOS84-Nginx-IP08 ]#mkdir /apps/nginx/run/
# Set the pid path in the configuration file to /apps/nginx/run/
[root@CentOS84-Nginx-IP08 ]#vim /apps/nginx/conf/nginx.conf
pid /apps/nginx/run/nginx.pid;
# Check the state before starting Nginx
[root@CentOS84-Nginx-IP08 ]#ss -tln
# Nothing is listening on port 80
[root@CentOS84-Nginx-IP08 ]#systemctl status nginx
● nginx.service - nginx - high performance web server
Loaded: loaded (/usr/lib/systemd/system/nginx.service; enabled; vendor preset: disabled)
Active: inactive (dead) since Fri 2022-03-25 02:37:32 CST; 1s ago
Docs: http://nginx.org/en/docs/
# The web service is not reachable either
[root@CentOS84-Nginx-IP08 ]#curl 192.168.250.8
curl: (7) Failed to connect to 192.168.250.8 port 80: Connection refused
# Start Nginx through the service unit
[root@CentOS84-Nginx-IP08 ]#systemctl start nginx
# Verify that the page is reachable and that the expected version is reported
[root@CentOS84-Nginx-IP08 ]#curl -I 192.168.250.8
HTTP/1.1 200 OK
Server: nginx/1.18.0
Date: Thu, 24 Mar 2022 18:40:37 GMT
Content-Type: text/html
Content-Length: 612
Last-Modified: Thu, 24 Mar 2022 17:52:32 GMT
Connection: keep-alive
ETag: "623cafe0-264"
Accept-Ranges: bytes
[root@CentOS84-Nginx-IP08 ]#nginx -v
nginx version: nginx/1.18.0
[root@CentOS84-Nginx-IP08 ]#nginx -V
nginx version: nginx/1.18.0
built by gcc 8.5.0 20210514 (Red Hat 8.5.0-4) (GCC)
built with OpenSSL 1.1.1k FIPS 25 Mar 2021
TLS SNI support enabled
configure arguments: --prefix=/apps/nginx --user=nginx --group=nginx --with-http_ssl_module --with-http_v2_module --with-http_realip_module --with-http_stub_status_module --with-http_gzip_static_module --with-pcre --with-stream --with-stream_ssl_module --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-mail --with-mail_ssl_module
[root@CentOS84-Nginx-IP08 ]#
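# With nginx stopped the page is no longer reachable
[root@CentOS84-Nginx-IP08 ]#systemctl stop nginx
[root@CentOS84-Nginx-IP08 ]#curl -I 192.168.250.8
curl: (7) Failed to connect to 192.168.250.8 port 80: Connection refused
# The source build and installation of Nginx is now complete
4.2 Nginx smooth upgrade
The following walks through the whole upgrade from Nginx 1.18.0 to 1.20.2
#### A smooth upgrade needs the old 1.18.0 nginx running first, so that the no-downtime upgrade can be demonstrated
# Confirm Nginx 1.18.0 is running normally; it will be upgraded without stopping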
[root@CentOS84-Nginx-IP08 ]#/apps/nginx/sbin/nginx
[root@CentOS84-Nginx-IP08 ]#ss -tln
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0 511 0.0.0.0:80 0.0.0.0:*
[root@CentOS84-Nginx-IP08 ]#curl -I 192.168.250.8
HTTP/1.1 200 OK
Server: nginx/1.18.0
Date: Thu, 24 Mar 2022 18:58:19 GMT
Content-Type: text/html
Content-Length: 612
Last-Modified: Thu, 24 Mar 2022 17:52:32 GMT
Connection: keep-alive
ETag: "623cafe0-264"
Accept-Ranges: bytes
[root@CentOS84-Nginx-IP08 ]#
# Download the nginx-1.20.2.tar.gz source package and unpack it
[root@CentOS84-Nginx-IP08 ]#cd /usr/local/src
[root@CentOS84-Nginx-IP08 ]#wget http://nginx.org/download/nginx-1.20.2.tar.gz
[root@CentOS84-Nginx-IP08 ]#tar xvf nginx-1.20.2.tar.gz
[root@CentOS84-Nginx-IP08 ]#cd nginx-1.20.2
# Show the running version and its configure arguments; the same arguments are used unchanged for the new version
[root@CentOS84-Nginx-IP08 ]#/apps/nginx/sbin/nginx -V
nginx version: nginx/1.18.0
built by gcc 8.5.0 20210514 (Red Hat 8.5.0-4) (GCC)
built with OpenSSL 1.1.1k FIPS 25 Mar 2021
TLS SNI support enabled
configure arguments: --prefix=/apps/nginx --user=nginx --group=nginx --with-http_ssl_module --with-http_v2_module --with-http_realip_module --with-http_stub_status_module --with-http_gzip_static_module --with-pcre --with-stream --with-stream_ssl_module --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-mail --with-mail_ssl_module
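# The text after "configure arguments:" is the set of options the old version was built with; build the new version with the same options
# Use the configure arguments copied from above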
[root@CentOS84-Nginx-IP08 ]#./configure --prefix=/apps/nginx --user=nginx --group=nginx --with-http_ssl_module --with-http_v2_module --with-http_realip_module --with-http_stub_status_module --with-http_gzip_static_module --with-pcre --with-stream --with-stream_ssl_module --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-mail --with-mail_ssl_module
# Run make only; do not run make install
[root@CentOS84-Nginx-IP08 ]#make -j 4
make -f objs/Makefile
........................
make[1]: Leaving directory '/usr/local/src/nginx-1.20.2'
[root@CentOS84-Nginx-IP08 ]#objs/nginx -v
nginx version: nginx/1.20.2
# Compare the old and new binaries
[root@CentOS84-Nginx-IP08 ]#ll objs/nginx /apps/nginx/sbin/nginx
-rwxr-xr-x 1 nginx nginx 8628992 Mar 25 01:52 /apps/nginx/sbin/nginx
-rwxr-xr-x 1 root root 8805216 Mar 25 02:51 objs/nginx
# Back up the old version's binary
[root@CentOS84-Nginx-IP08 ]#mv /apps/nginx/sbin/nginx /apps/nginx/sbin/nginx.old
# Copy the new 1.20.2 nginx binary into /apps/nginx/sbin/
[root@CentOS84-Nginx-IP08 ]#cp ./objs/nginx /apps/nginx/sbin/
# Check the configuration file syntax
[root@CentOS84-Nginx-IP08 ]#/apps/nginx/sbin/nginx -t
nginx: the configuration file /apps/nginx/conf/nginx.conf syntax is ok
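nginx: configuration file /apps/nginx/conf/nginx.conf test is successful
#### USR2 upgrades the executable without downtime: the file holding the old master's process ID is renamed to nginx.pid.oldbin and the new nginx is then started. Both masters are now running, but the old master is no longer listening and the new master listens on port 80. Nginx has started a new master process, which spawns new worker processes; these are the upgraded Nginx processes. The old processes do not exit on their own, but new requests are not handled by them and go to the new processes instead.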
[root@CentOS84-Nginx-IP08 ]#cat /apps/nginx/run/nginx.pid
9136
[root@CentOS84-Nginx-IP08 ]#kill -USR2 `cat /apps/nginx/run/nginx.pid`
[root@CentOS84-Nginx-IP08 ]#ps auxf|grep nginx
root 9280 0.0 0.0 12136 1156 pts/0 S+ 03:09 0:00 \_ grep --color=auto nginx
root 9136 0.0 0.0 42580 2780 ? Ss 02:56 0:00 nginx: master process /apps/nginx/sbin/nginx.old
nginx 9137 0.0 0.1 77248 5176 ? S 02:56 0:00 \_ nginx: worker process
root 9277 0.0 0.1 42580 6180 ? S 03:09 0:00 \_ nginx: master process /apps/nginx/sbin/nginx.old
nginx 9278 0.0 0.1 77248 5056 ? S 03:09 0:00 \_ nginx: worker process
[root@CentOS84-Nginx-IP08 ]#lsof -i :80
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
nginx.old 9136 root 8u IPv4 41673 0t0 TCP *:http (LISTEN)
nginx.old 9137 nginx 8u IPv4 41673 0t0 TCP *:http (LISTEN)
nginx.old 9277 root 8u IPv4 41673 0t0 TCP *:http (LISTEN)
nginx.old 9278 nginx 8u IPv4 41673 0t0 TCP *:http (LISTEN)
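#### Shut down the old nginx's worker processes first but keep the old master, so that a rollback remains easy if something goes wrong. Send the WINCH signal to the old Nginx master: it gradually shuts down its worker processes (the master itself does not exit), and all requests are then handled by the new Nginx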
[root@CentOS84-Nginx-IP08 ]#kill -WINCH `cat /apps/nginx/run/nginx.pid.oldbin`
[root@CentOS84-Nginx-IP08 ]#ps auxf|grep nginx
root 9304 0.0 0.0 12136 1068 pts/0 S+ 03:10 0:00 \_ grep --color=auto nginx
root 9136 0.0 0.0 42580 2780 ? Ss 02:56 0:00 nginx: master process /apps/nginx/sbin/nginx.old
root 9277 0.0 0.1 42580 6180 ? S 03:09 0:00 \_ nginx: master process /apps/nginx/sbin/nginx.old
nginx 9278 0.0 0.1 77248 5056 ? S 03:09 0:00 \_ nginx: worker process
[root@CentOS84-Nginx-IP08 ]#pstree -p|grep nginx
|-nginx.old(9136)---nginx.old(9277)---nginx.old(9278)
# After testing for a while and finding the new version healthy, finally quit the old master
[root@CentOS84-Nginx-IP08 ]#kill -QUIT `cat /apps/nginx/run/nginx.pid.oldbin`
[root@CentOS84-Nginx-IP08 ]#nginx -v
nginx version: nginx/1.20.2
[root@CentOS84-Nginx-IP08 ]#nginx -V
nginx version: nginx/1.20.2
built by gcc 8.5.0 20210514 (Red Hat 8.5.0-4) (GCC)
built with OpenSSL 1.1.1k FIPS 25 Mar 2021
TLS SNI support enabled
configure arguments: --prefix=/apps/nginx --user=nginx --group=nginx --with-http_ssl_module --with-http_v2_module --with-http_realip_module --with-http_stub_status_module --with-http_gzip_static_module --with-pcre --with-stream --with-stream_ssl_module --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-mail --with-mail_ssl_module
[root@CentOS84-Nginx-IP08 ]#
# Nginx has now been upgraded to version 1.20.2
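A pre-flight check and rollback helper for the upgrade above, added here as an example and not part of the original post. It confirms that the new build carries every configure flag of the running binary before USR2 is sent, and spells out the rollback the text mentions (HUP to the old master, QUIT to the new one). The `nginx -V` samples are constructed, and PID_DIR and KILL are hypothetical override variables.

```shell
#!/bin/sh
# Added example, not from the original post.
PID_DIR=${PID_DIR:-/apps/nginx/run}   # pid directory used on this page
KILL=${KILL:-kill}                    # hypothetical hook: KILL=echo gives a dry run

# Print the distinct --flags found in `nginx -V` output (stdin), one per line.
# Limitation: a flag whose value contains spaces (a quoted --with-cc-opt)
# would be split and is not handled here.
configure_args() {
    sed -n 's/^configure arguments: //p' | tr ' ' '\n' | grep '^--' | sort -u
}

# Print every flag the old binary was built with that the new build lacks.
# $1 = `nginx -V` text of the running binary, $2 = same for the new build.
missing_flags() {
    old=$(printf '%s\n' "$1" | configure_args)
    new=$(printf '%s\n' "$2" | configure_args)
    printf '%s\n' "$old" | while IFS= read -r flag; do
        [ -n "$flag" ] || continue
        printf '%s\n' "$new" | grep -qxF -e "$flag" || printf '%s\n' "$flag"
    done
}

# Roll back while nginx.pid.oldbin still exists (after USR2/WINCH, before QUIT
# to the old master): HUP makes the old master start workers again, QUIT stops
# the new master gracefully. Afterwards put the old binary back in place
# (mv nginx.old nginx) so the next restart does not pick up the new one.
rollback() {
    [ -f "$PID_DIR/nginx.pid.oldbin" ] || {
        echo "old master already gone, nothing to roll back to" >&2
        return 1
    }
    $KILL -HUP "$(cat "$PID_DIR/nginx.pid.oldbin")" &&
    $KILL -QUIT "$(cat "$PID_DIR/nginx.pid")"
}

# Constructed sample input, shortened from the shape of `nginx -V` output.
OLD_V='nginx version: nginx/1.18.0
configure arguments: --prefix=/apps/nginx --with-http_ssl_module --with-http_v2_module --with-http_ssl_module'
NEW_V='nginx version: nginx/1.20.2
configure arguments: --prefix=/apps/nginx --with-http_v2_module'

# On a real host the two arguments would be:
#   "$(/apps/nginx/sbin/nginx -V 2>&1)"  and  "$(objs/nginx -V 2>&1)"
missing_flags "$OLD_V" "$NEW_V"
```

An empty result means the new binary can load the existing configuration; any flag printed here should stop the upgrade before the binary is swapped.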
4.3 Multi-domain HTTP virtual hosts with Nginx
# Set up two HTTP virtual sites
[root@CentOS84-Nginx-IP08 ]#
[root@CentOS84-Nginx-IP08 ]#mkdir /apps/nginx/conf/conf.d
[root@CentOS84-Nginx-IP08 ]#vim /apps/nginx/conf/nginx.conf
#user nobody;
worker_processes 1;
............... # the middle section is the unchanged default configuration; add one line at the very bottom pointing to the sub-configuration files
#}
include /apps/nginx/conf/conf.d/*.conf;
}
# Check the configuration file syntax first
[root@CentOS84-Nginx-IP08 ]#nginx -t
nginx: the configuration file /apps/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /apps/nginx/conf/nginx.conf test is successful
[root@CentOS84-Nginx-IP08 ]#
# Start (or restart) Nginx
[root@CentOS84-Nginx-IP08 ]#systemctl start nginx
[root@CentOS84-Nginx-IP08 ]#ss -tln
State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0 511 0.0.0.0:80 0.0.0.0:*
# Two sites are planned: www.shone.cn for PC clients and m.shone.cn specifically for mobile clients. First prepare the sub-configuration file for the PC site www.shone.cn
[root@CentOS84-Nginx-IP08 ]#vim /apps/nginx/conf/conf.d/pc.conf
[root@CentOS84-Nginx-IP08 ]#cat /apps/nginx/conf/conf.d/pc.conf
server {
listen 80;
server_name www.shone.cn;
location / {
root /data/nginx/html/pc;
}
}
[root@CentOS84-Nginx-IP08 ]#
[root@CentOS84-Nginx-IP08 ]#mkdir -p /data/nginx/html/pc
[root@CentOS84-Nginx-IP08 ]#echo " ---- Test PC WEB ---- " > /data/nginx/html/pc/index.html
[root@CentOS84-Nginx-IP08 ]#systemctl reload nginx
[root@CentOS84-Nginx-IP08 ]#
[root@CentOS84-Nginx-IP08 ]#vim /apps/nginx/conf/conf.d/mobile.conf
server {
listen 80;
server_name m.shone.cn;
location / {
root /data/nginx/html/mobile;
}
}
On the Windows 10 machine, edit the hosts file in c:\windows\system32\drivers\etc and append the following line
192.168.250.8 www.shone.cn m.shone.cn
Enter http://www.shone.cn in a browser to see the page of the PC site
[root@CentOS84-Nginx-IP08 ]#cat /apps/nginx/conf/conf.d/mobile.conf
server {
listen 80;
server_name m.shone.cn;
location / {
root /data/nginx/html/mobile;
}
}
[root@CentOS84-Nginx-IP08 ]#mkdir -p /data/nginx/html/mobile
[root@CentOS84-Nginx-IP08 ]#echo " --- Mobile Web --- " >> /data/nginx/html/mobile/index.html
[root@CentOS84-Nginx-IP08 ]#systemctl reload nginx
[root@CentOS84-Nginx-IP08 ]#
Test http://m.shone.cn; the mobile page should load successfully
4.4 Multi-domain HTTPS virtual hosts with Nginx
4.4.1 About HTTPS
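Login pages of web sites are served over HTTPS so that the data is encrypted in transit. HTTPS encrypts information so that sensitive data cannot be obtained by third parties, which is why services with higher security requirements, such as banking sites and e-mail, use it. HTTPS consists of two parts, HTTP + SSL/TLS: a layer that handles encryption is added on top of HTTP. Everything exchanged between server and client is encrypted by TLS, so the data on the wire is always ciphertext.
1. The client initiates an HTTPS request:
The client accesses an https address on a web server, normally on port 443.
2. Server-side configuration:
A server that speaks HTTPS must have a certificate. It can be requested from a certificate authority or made by yourself; at present many sites in China make their own, and when you visit a site and are warned that the certificate is not trusted, it means the certificate is self-made. A certificate is essentially a public key and a private key, like a lock and its key: normally only your key opens your lock. You can hand the lock to someone else so that they lock a box full of money or secrets; nobody else knows what is inside and nobody else can open it, only your key can.
3. Sending the certificate:
The server passes the certificate to the client. This is in effect the public key, and it carries a lot of information, such as the issuing authority and the expiry time.
4. The client parses the certificate:
This work is done by the client. It first verifies that the public key is valid (issuing authority, expiry time and so on); if something is wrong it shows a warning that the certificate may have a problem. If the certificate is fine, the client generates a random value and encrypts it with the certificate, locking the random value away as described in step 2 so that nobody else can see it.
5. Sending the encrypted data from step 4:
The random value encrypted with the certificate is sent to the server so that the server obtains it; from then on, client and server use this random value to encrypt and decrypt their communication.
6. The server decrypts the information:
The server decrypts the value from step 5 with its private key and obtains the random value sent by the client (the private key). It then encrypts content symmetrically with that value. Symmetric encryption mixes the information and the private key together through an algorithm, so that the content cannot be recovered without knowing the private key; since both client and server know this private key, the data is secure as long as the encryption algorithm is sufficiently complex.
7. Sending the encrypted information:
The server sends the data encrypted with the private key to the client, where it can be restored to the original content.
8. The client decrypts the information:
The client decrypts the data from the server with the private key it generated earlier. Because the data is encrypted the whole time, a third party that captures it cannot learn its contents.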
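4.4.2 Implementing multi-domain HTTPS virtual hosts
Building on the multi-domain HTTP virtual hosts above, continue the configuration to serve multiple domains over HTTPS, and make http://m.shone.cn redirect automatically to https://m.shone.cn
4.4.2.1 Serving the single domain https://www.shone.cn
Configuration under which both https://www.shone.cn and http://www.shone.cn are reachable
# Self-signed CA certificate
[root@CentOS84-Nginx-IP08 ]#cd /apps/nginx/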
[root@CentOS84-Nginx-IP08 ]#mkdir certs
[root@CentOS84-Nginx-IP08 ]#cd certs/
[root@CentOS84-Nginx-IP08 ]#pwd
/apps/nginx/certs
[root@CentOS84-Nginx-IP08 ]#openssl req -newkey rsa:4096 -nodes -sha256 -keyout ca.key -x509 -days 3650 -out ca.crt
Generating a RSA private key
.................................++++
..........++++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN #country code
State or Province Name (full name) []:NANJING #province
Locality Name (eg, city) [Default City]:NANJING #city
Organization Name (eg, company) [Default Company Ltd]:SHONE #company
Organizational Unit Name (eg, section) []:IT #department
Common Name (eg, your name or your server's hostname) []:ca.shone.cn
Email Address []:1050572574@qq.com #email
[root@CentOS84-Nginx-IP08 ]#
[root@CentOS84-Nginx-IP08 ]#ll ca.crt
-rw-r--r-- 1 root root 2118 Mar 24 20:46 ca.crt
# Create the key and CSR files
[root@CentOS84-Nginx-IP08 ]#openssl req -newkey rsa:4096 -nodes -sha256 -keyout www.shone.cn.key -out www.shone.cn.csr
Generating a RSA private key
....................................++++
...................................................++++
writing new private key to 'www.shone.cn.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:NANJING
Locality Name (eg, city) [Default City]:NANJING
Organization Name (eg, company) [Default Company Ltd]:SHONE
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:www.shone.cn
Email Address []:1050572574@qq.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@CentOS84-Nginx-IP08 ]#
[root@CentOS84-Nginx-IP08 ]#ll
total 16
-rw-r--r-- 1 root root 2118 Mar 24 20:46 ca.crt
-rw------- 1 root root 3272 Mar 24 20:45 ca.key
-rw-r--r-- 1 root root 1740 Mar 24 20:48 www.shone.cn.csr
-rw------- 1 root root 3272 Mar 24 20:47 www.shone.cn.key
# Issue the certificate
[root@CentOS84-Nginx-IP08 ]#openssl x509 -req -days 3650 -in www.shone.cn.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out www.shone.cn.crt
Signature ok
subject=C = CN, ST = NANJING, L = NANJING, O = SHONE, OU = IT, CN = www.shone.cn, emailAddress = 1050572574@qq.com
Getting CA Private Key
# Inspect the certificate contents
[root@CentOS84-Nginx-IP08 ]#openssl x509 -in www.shone.cn.crt -noout -text
Certificate:
Data:
Version: 1 (0x0)
Serial Number:
5d:1f:01:56:c6:85:3b:8b:bc:da:3d:87:d5:39:50:d2:4b:83:54:46
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = CN, ST = NANJING, L = NANJING, O = SHONE, OU = IT, CN = ca.shone.cn, emailAddress = 1050572574@qq.com
Validity
Not Before: Mar 24 12:49:58 2022 GMT
Not After : Mar 21 12:49:58 2032 GMT
Subject: C = CN, ST = NANJING, L = NANJING, O = SHONE, OU = IT, CN = www.shone.cn, emailAddress = 1050572574@qq.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (4096 bit)
Modulus:
Exponent: 65537 (0x10001)
Signature Algorithm: sha256WithRSAEncryption
# Concatenate the server certificate and the CA certificate into one file; note that the server certificate comes first
[root@CentOS84-Nginx-IP08 ]#cat www.shone.cn.crt ca.crt > www.shone.cn.pem
# Starting from the multi-domain HTTP virtual hosts above, change the configuration files into multi-domain HTTPS virtual hosts
[root@CentOS84-Nginx-IP08 ]#ll /apps/nginx/conf/conf.d/
total 8
-rw-r--r-- 1 root root 91 Mar 24 20:35 mobile.conf
-rw-r--r-- 1 root root 89 Mar 24 20:27 pc.conf
[root@CentOS84-Nginx-IP08 ]#ll /apps/nginx/conf/conf.d/pc.conf
-rw-r--r-- 1 root root 89 Mar 24 20:27 /apps/nginx/conf/conf.d/pc.conf
# This is the earlier sub-configuration file of the HTTP virtual host; it needs to be changed
[root@CentOS84-Nginx-IP08 ]#cat /apps/nginx/conf/conf.d/pc.conf
server {
listen 80;
server_name www.shone.cn;
location / {
root /data/nginx/html/pc;
}
}
# Changed to the following sub-configuration file, which supports both http and https
[root@CentOS84-Nginx-IP08 ]#vim /apps/nginx/conf/conf.d/pc.conf
[root@CentOS84-Nginx-IP08 ]#cat /apps/nginx/conf/conf.d/pc.conf
server {
listen 80;
listen 443 ssl;
ssl_certificate /apps/nginx/certs/www.shone.cn.pem;
ssl_certificate_key /apps/nginx/certs/www.shone.cn.key;
ssl_session_cache shared:sslcache:20m;
ssl_session_timeout 10m;
server_name www.shone.cn;
location / {
root /data/nginx/html/pc;
}
}
[root@CentOS84-Nginx-IP08 ]#
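Verify access
4.4.2.2 Serving https://m.shone.cn
Nginx can serve multiple domains from a single IP address, and can also do so over HTTPS. This relies on Nginx's SNI (Server Name Indication) support. SNI exists so that one Nginx server can bind multiple domains and certificates to one IP: before the SSL connection is established, the client first sends the domain name (hostname) of the site it wants to reach, and the server returns the matching certificate for that name.
First set up the HTTPS certificate and configuration, then make http://m.shone.cn redirect automatically to https://m.shone.cn
# The self-signed CA certificate was already created for https://www.shone.cn; building on it, create the key and CSR files for m.shone.cn
# Create the key and CSR files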
[root@CentOS84-Nginx-IP08 ]#pwd
/apps/nginx/certs
[root@CentOS84-Nginx-IP08 ]#openssl req -newkey rsa:4096 -nodes -sha256 -keyout m.shone.cn.key -out m.shone.cn.csr
Generating a RSA private key
................................................................................................................++++
...++++
writing new private key to 'm.shone.cn.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:JIANGSU
Locality Name (eg, city) [Default City]:NANJING
Organization Name (eg, company) [Default Company Ltd]:SHONE
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []:m.shone.cn
Email Address []:1050572574@qq.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
# Sign the certificate
[root@CentOS84-Nginx-IP08 ]#openssl x509 -req -days 3650 -in m.shone.cn.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out m.shone.cn.crt
Signature ok
subject=C = CN, ST = JIANGSU, L = NANJING, O = SHONE, OU = IT, CN = m.shone.cn, emailAddress = 1050572574@qq.com
Getting CA Private Key
# Inspect the certificate contents
[root@CentOS84-Nginx-IP08 ]#openssl x509 -in m.shone.cn.crt -noout -text
Certificate:
Data:
Version: 1 (0x0)
Serial Number:
5d:1f:01:56:c6:85:3b:8b:bc:da:3d:87:d5:39:50:d2:4b:83:54:47
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = CN, ST = NANJING, L = NANJING, O = SHONE, OU = IT, CN = ca.shone.cn, emailAddress = 1050572574@qq.com
Validity
Not Before: Mar 24 13:11:01 2022 GMT
Not After : Mar 21 13:11:01 2032 GMT
Subject: C = CN, ST = JIANGSU, L = NANJING, O = SHONE, OU = IT, CN = m.shone.cn, emailAddress = 1050572574@qq.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (4096 bit)
Modulus:
Exponent: 65537 (0x10001)
Signature Algorithm: sha256WithRSAEncryption
# Concatenate the certificate files
[root@CentOS84-Nginx-IP08 ]#cat m.shone.cn.crt ca.crt > m.shone.cn.pem
[root@CentOS84-Nginx-IP08 ]#ll
total 52
-rw-r--r-- 1 root root 2118 Mar 24 20:46 ca.crt
-rw------- 1 root root 3272 Mar 24 20:45 ca.key
-rw-r--r-- 1 root root 41 Mar 24 21:11 ca.srl
-rw-r--r-- 1 root root 1996 Mar 24 21:11 m.shone.cn.crt
-rw-r--r-- 1 root root 1740 Mar 24 21:10 m.shone.cn.csr
-rw------- 1 root root 3272 Mar 24 21:09 m.shone.cn.key
-rw-r--r-- 1 root root 4114 Mar 24 21:11 m.shone.cn.pem
-rw-r--r-- 1 root root 1996 Mar 24 20:49 www.shone.cn.crt
-rw-r--r-- 1 root root 1740 Mar 24 20:48 www.shone.cn.csr
-rw------- 1 root root 3272 Mar 24 20:47 www.shone.cn.key
-rw-r--r-- 1 root root 4114 Mar 24 20:52 www.shone.cn.pem
[root@CentOS84-Nginx-IP08 ]#
## Add SSL and the automatic redirect to the existing http://m.shone.cn sub-configuration file
# The existing sub-configuration file for http://m.shone.cn
[root@CentOS84-Nginx-IP08 ]#cat /apps/nginx/conf/conf.d/mobile.conf
server {
listen 80;
server_name m.shone.cn;
location / {
root /data/nginx/html/mobile;
}
}
[root@CentOS84-Nginx-IP08 ]#
# Edit the sub-configuration file, adding SSL and the automatic redirect
[root@CentOS84-Nginx-IP08 ]#vim /apps/nginx/conf/conf.d/mobile.conf
[root@CentOS84-Nginx-IP08 ]#cat /apps/nginx/conf/conf.d/mobile.conf
server {
listen 80 default_server;
server_name m.shone.cn;
rewrite ^(.*)$ https://$server_name$1 permanent;
}
server {
listen 443 ssl;
server_name m.shone.cn;
ssl_certificate /apps/nginx/certs/m.shone.cn.pem;
ssl_certificate_key /apps/nginx/certs/m.shone.cn.key;
ssl_session_cache shared:sslcache:20m;
ssl_session_timeout 10m;
location / {
root /data/nginx/html/mobile;
}
}
[root@CentOS84-Nginx-IP08 ]#
# Reload nginx so the configuration takes effect
[root@CentOS84-Nginx-IP08 ]#systemctl reload nginx
Verify access: entering http://m.shone.cn redirects automatically to https://m.shone.cn
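Both certificates issued above print "Version: 1 (0x0)" and carry no extensions, so they have no subjectAltName, which current browsers require for hostname matching even when the CA is trusted. The following is an added example, not part of the original post: it signs the page's CSRs with a subjectAltName and checks a certificate's text output for the problem. sign_with_san, cert_problems and served_cert_text are hypothetical helper names, and the two sample texts are constructed.

```shell
#!/bin/sh
# Added example, not from the original post. File names follow the page
# (ca.crt, ca.key, <name>.csr, <name>.crt in /apps/nginx/certs).

# Sign <name>.csr with the page's CA, adding the extensions that a plain
# `openssl x509 -req` leaves out. $1 = hostname, e.g. www.shone.cn
sign_with_san() {
    name=$1
    ext=$(mktemp) || return 1
    cat > "$ext" <<EOF
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$name
EOF
    openssl x509 -req -days 3650 -sha256 -in "$name.csr" \
        -CA ca.crt -CAkey ca.key -CAcreateserial \
        -extfile "$ext" -out "$name.crt"
    rc=$?
    rm -f "$ext"
    return $rc
}

# Read `openssl x509 -noout -text` output on stdin and print one line per
# problem for hostname $1; print nothing when the name is covered.
# Only exact DNS entries are compared (wildcards are not expanded).
cert_problems() {
    awk -v host="$1" '
        /^ *Version: 1 / { v1 = 1 }
        /X509v3 Subject Alternative Name/ { getline; san = $0 }
        END {
            if (v1) print "x509 v1 certificate: no extensions"
            if (san == "") { print "no subjectAltName"; exit }
            n = split(san, names, /, */)
            for (i = 1; i <= n; i++) {
                gsub(/^ +/, "", names[i])
                if (names[i] == ("DNS:" host)) found = 1
            }
            if (!found) print "subjectAltName does not list " host
        }'
}

# Fetch the certificate nginx selects for SNI name $2 at address $1.
# Needs the running server, e.g.:
#   served_cert_text 192.168.250.8 m.shone.cn | cert_problems m.shone.cn
served_cert_text() {
    openssl s_client -connect "$1:443" -servername "$2" </dev/null 2>/dev/null |
        openssl x509 -noout -text
}

# Constructed samples: the first mirrors the shape of the page's output,
# the second is what a certificate signed by sign_with_san looks like.
V1_TEXT='Certificate:
    Data:
        Version: 1 (0x0)
        Subject: C = CN, O = SHONE, CN = www.shone.cn'
V3_TEXT='Certificate:
    Data:
        Version: 3 (0x2)
        Subject: C = CN, O = SHONE, CN = www.shone.cn
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:www.shone.cn'

printf '%s\n' "$V1_TEXT" | cert_problems www.shone.cn
```

After re-signing, rebuild the .pem bundle with the same cat command used above and reload nginx.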