证书为阿里云免费证书,下载时选择 Nginx 版本(得到 .pem 证书文件和 .key 私钥文件)。
1.编译 nginx,以支持 SSL
下载稳定版包(本文以 1.12.2 为例;实际部署时请使用 nginx.org 上当前的稳定版,以包含后续的安全修复):
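# wget https://nginx.org/download/nginx-1.12.2.tar.gz   # HTTPS, so the tarball cannot be altered in transit
# wget https://nginx.org/download/nginx-1.12.2.tar.gz.asc   # detached PGP signature published next to the tarball
# gpg --verify nginx-1.12.2.tar.gz.asc nginx-1.12.2.tar.gz   # needs the nginx signing key in the keyring; extract only if the signature is good
解压包:
# tar -zxvf nginx-1.12.2.tar.gz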
还需要环境:
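# yum install -y gcc-c++   # compiler toolchain; -y added so this step matches the other installs
# yum install -y pcre pcre-devel   # regex support (rewrite / location matching)
# yum install -y zlib zlib-devel   # gzip support
# yum install -y openssl openssl-devel   # TLS library and headers for --with-http_ssl_module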
编译安装:
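# cd nginx-1.12.2   # the directory created by extracting nginx-1.12.2.tar.gz
# ./configure --prefix=/usr/local/nginx --with-http_ssl_module   # enable the HTTP SSL module ("//" is not a shell comment and would be passed to configure as an argument)
# make
# make install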
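2.gunicorn 原配置文件不变(可以不配置 gunicorn 的两个证书参数,因为 TLS 在 nginx 处终止,nginx 到 gunicorn 之间是本机 127.0.0.1:8000 上的明文 HTTP;因此 gunicorn 应只监听 127.0.0.1,不要直接对外暴露),只需要更改 nginx 配置文件 /usr/local/nginx/conf/nginx.conf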
nginx 配置文件主要是两个 server 配置
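# Plain-HTTP listener: its only job is to send every request to HTTPS.
server {
    listen 80;
    server_name www.zhblog.net;

    # Redirect to the configured server name instead of $host. $host is taken
    # from the client-supplied Host header, and if this is the only server on
    # port 80 it also answers requests carrying any other Host value.
    return 301 https://$server_name$request_uri;
}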
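# HTTPS listener: terminates TLS and proxies to gunicorn on the loopback interface.
server {
    # "listen ... ssl" replaces the separate "ssl on;" directive, which is
    # deprecated in later nginx releases.
    listen 443 ssl;
    server_name www.zhblog.net;

    # Relative paths as in the original setup. Keep the .key file readable by
    # root only; it is the site's private key.
    ssl_certificate ../cert/215057378170740.pem;
    ssl_certificate_key ../cert/215057378170740.key;
    ssl_session_timeout 5m;

    # TLS 1.0 and 1.1 are deprecated (RFC 8996), so only TLS 1.2 is offered.
    # Add TLSv1.3 here once the nginx and OpenSSL versions in use support it.
    ssl_protocols TLSv1.2;
    # Same cipher string as before with 3DES excluded as well: on older
    # OpenSSL builds the ECDH/HIGH aliases still include 3DES suites.
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4:!3DES;
    ssl_prefer_server_ciphers on;

    # NOTE(review): once HTTPS is confirmed working, consider sending a
    # Strict-Transport-Security header so browsers stop trying plain HTTP.

    location / {
        proxy_set_header Host $host;
        # $remote_addr is the address nginx itself saw, so the backend can rely on it.
        proxy_set_header X-Real-IP $remote_addr;
        # $proxy_add_x_forwarded_for appends to whatever X-Forwarded-For the
        # client sent; the backend should trust only the last entry.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Host $host:443;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-Port 443;
        proxy_set_header X-Forwarded-Proto https;
        proxy_read_timeout 300s;
        # Plain HTTP to gunicorn on loopback only; TLS ends at nginx.
        proxy_pass http://127.0.0.1:8000;
    }
}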
重启 nginx
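/usr/local/nginx/sbin/nginx -t -c conf/nginx.conf # check the new configuration first; continue only if the test is successful
/usr/local/nginx/sbin/nginx -s stop
/usr/local/nginx/sbin/nginx -c conf/nginx.conf # start nginx with the nginx.conf edited above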
3.开放端口
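firewall-cmd --zone=public --add-port=80/tcp --permanent
firewall-cmd --zone=public --add-port=443/tcp --permanent
firewall-cmd --zone=public --remove-port=5000/tcp --permanent # close the port that was opened for testing
firewall-cmd --reload # --permanent only changes the saved configuration; reload applies it to the running firewall
firewall-cmd --zone=public --list-ports # confirm that 80 and 443 are open and 5000 is gone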