[nginx][tls] nginx配置https与ssl/tls的sni的方法

一 https的sni配置方法(每个server单独配置证书)

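# Method 1: one server block per certificate. nginx picks the server block,
# and with it the certificate, by comparing the SNI name sent by the client
# with each server_name.
http {

    # The first server block defined for a listen socket is its default
    # server. A client that sends no SNI, or a name that matches none of the
    # server_name entries below, is handled by this block and is shown the
    # test1 certificate. Add "default_server" to the listen line of a
    # dedicated block if a different fallback is wanted.
    server {
        listen 443 ssl;
        server_name test1.www.local test1.tls.local;

        # The certificate has to cover both names listed in server_name.
        # Fixed paths like these are read when the configuration is loaded,
        # so the key file can stay readable by root only.
        ssl_certificate     /root/sni/sni_test1.cer;
        ssl_certificate_key /root/sni/sni_test1.key;

        location / {
            root /data/www;
        }
    }

    server {
        listen 443 ssl;
        server_name test2.www.local test2.tls.local;

        ssl_certificate     /root/sni/sni_test2.cer;
        ssl_certificate_key /root/sni/sni_test2.key;

        location / {
            root /data/www;
        }
    }

    server {
        listen 443 ssl;
        server_name test3.www.local test3.tls.local;

        ssl_certificate     /root/sni/sni_test3.cer;
        ssl_certificate_key /root/sni/sni_test3.key;

        location / {
            root /data/www;
        }
    }

}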

二 https的sni配置方法(使用map与变量选择证书)

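# Method 2: a single server block whose certificate path is chosen per
# handshake from the SNI name. Variables in ssl_certificate and
# ssl_certificate_key need nginx 1.15.9 or later built against OpenSSL 1.0.2
# or later.
#
# In nginx.conf a variable is written as $name. Write \$name only when this
# text is generated from a shell here-document.
http {

    # $ssl_server_name is the name the client requested through SNI. Keep
    # the map: it reduces that client-supplied value to a fixed set of
    # file-name fragments instead of placing it in the path directly.
    #map $server_name $sni_string {
    map $ssl_server_name $sni_string {
        test1.www.local test1;
        test2.www.local test2;
        test3.www.local test3;

        # With no default entry, a missing or unlisted SNI name leaves
        # $sni_string empty. The path then becomes /data/sni/sni_.cer, which
        # presumably does not exist, so the handshake fails. Enable a default
        # only if unknown names should be served a fallback certificate.
        # default xxx;
    }

    server {
        listen 443 ssl;

        # With variables in the path the files are loaded on every
        # handshake, which costs performance, and they are read by the
        # worker process. The key files must therefore be readable by the
        # worker user; keep their mode as tight as that allows.
        ssl_certificate     /data/sni/sni_${sni_string}.cer;
        ssl_certificate_key /data/sni/sni_${sni_string}.key;

        location / {
            root /data/www;
        }
    }

}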

三 tls的sni配置方法

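# Method 3: SNI-based certificate selection for a generic TLS (stream)
# listener. Variables in the stream module's ssl_certificate and
# ssl_certificate_key need nginx 1.15.10 or later built against OpenSSL 1.0.2
# or later.
#
# In nginx.conf a variable is written as $name. Write \$name only when this
# text is generated from a shell here-document.
stream {

    upstream test {
        server 127.0.0.1:50001;
    }

    # Maps the client-supplied SNI name to a fixed file-name fragment, so the
    # raw name never becomes part of a file path.
    map $ssl_server_name $sni_string {
        test1.www.local test1;
        test2.www.local test2;
        test3.www.local test3;

        # Clients that send no SNI, or an unlisted name, are served the
        # test1 certificate.
        default test1;
    }

    server {
        listen 444 ssl;

        # Loaded on every handshake by the worker process, so the key files
        # must be readable by the worker user.
        ssl_certificate     /data/sni/sni_${sni_string}.cer;
        ssl_certificate_key /data/sni/sni_${sni_string}.key;

        # TLS ends at this listener. With no "proxy_ssl on;" the connection
        # to the upstream is plain TCP, here over the loopback interface.
        proxy_pass test;
    }

}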

四 复合情况下sni的配置方法

复合情况是指:多个server使用了相同的server name,又需要配置不同的证书文件。

使用map定义多个不同的变量映射,可以支持多个server的情况。如下,分别定义了两个变量 $sni_string 与 $sni_string445,用来处理不同的server。

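# Method 4: two stream listeners that accept the same SNI names but present
# different certificates. Each listener has its own map variable and its own
# certificate directory.
#
# In nginx.conf a variable is written as $name. Write \$name only when this
# text is generated from a shell here-document.
stream {

    upstream test {
        server 127.0.0.1:50001;
    }

    # Port 444: SNI name -> file-name fragment under /data/sni.
    map $ssl_server_name $sni_string {
        test1.www.local test1;
        test2.www.local test2;
        test3.www.local test3;

        # A missing or unlisted SNI name falls back to the test1 certificate.
        default test1;
    }

    # Port 445: the same SNI names map to a separate set of fragments under
    # /data/sni445.
    map $ssl_server_name $sni_string445 {
        test1.www.local test4451;
        test2.www.local test4452;
        test3.www.local test4453;

        # A missing or unlisted SNI name falls back to the test4451
        # certificate.
        default test4451;
    }

    server {
        listen 444 ssl;

        # Loaded on every handshake by the worker process, so the key files
        # must be readable by the worker user.
        ssl_certificate     /data/sni/sni_${sni_string}.cer;
        ssl_certificate_key /data/sni/sni_${sni_string}.key;

        # TLS ends here. With no "proxy_ssl on;" the upstream connection is
        # plain TCP over the loopback interface.
        proxy_pass test;
    }

    server {
        listen 445 ssl;

        ssl_certificate     /data/sni445/sni_${sni_string445}.cer;
        ssl_certificate_key /data/sni445/sni_${sni_string445}.key;

        # Both listeners forward to the same upstream.
        proxy_pass test;
    }

}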

[author: classic_tong, date: 20190925]