server {
        listen 80;
        return 301 https://$host$request_uri;
}

server {
        listen 443 ssl;

        ssl_certificate /path/to/cert.cert;
        ssl_certificate_key /path/to/cert_key.key;

        ssl_prefer_server_ciphers on;

        ssl_session_cache   shared:SSL:10m;
        ssl_session_timeout 10m;
        keepalive_timeout   70;

        # and then the `location /` serving static files
}



Quoted from: What exactly does “every SSL certificate requires a dedicated IP” mean?

When securing some connection with TLS, you usually use the certificate to authenticate the server (and sometimes the client). There’s one server per IP/Port, so usually there’s no problem for the server to choose what certificate to use. HTTPS is the exception — several different domain names can refer to one IP and the client (usually a browser) connects to the same server for different domain names. The domain name is passed to the server in the request, which goes after TLS handshake. Here’s where the problem arises – the web server doesn’t know which certificate to present. To address this a new extension has been added to TLS, named SNI (Server Name Indication). However, not all clients support it. So in general it’s a good idea to have a dedicated server per IP/Port per domain. In other words, each domain, to which the client can connect using HTTPS, should have its own IP address (or different port, but that’s not usual).


Please credit the original when reposting: Nginx serves another site's SSL certificate - 代码日志