This article first appeared on my personal blog: https://staunchkai.com
My server is on Tencent Cloud and my domain name is registered with Alibaba Cloud. This article records the process of enabling https for my Hexo blog.
Obtain a certificate
For the SSL certificate, I chose Tencent Cloud's free DV certificate, which is valid for one year.
For the Tencent Cloud certificate application process, click here to view it.
Once domain ownership verification has been approved, you can delete the DNS record that was used for verification. Then download the certificate from the certificate management page.
After downloading and extracting the certificate archive, its structure should be as follows:
- staunchkai.com
  - Apache
  - IIS
  - Nginx
  - Tomcat
  - staunchkai.com.csr
I'm using Nginx, so I only need the two files in the Nginx directory: the .crt file and the .key file.
Upload the certificate to the server
Create a folder on the server for storing the certificate files; my path is /home/SSL.
Use Git Bash to upload the two files to /home/SSL on the server:
scp LOCAL_FILE_PATH USERNAME@SERVER:/home/SSL
USERNAME is the server user and SERVER is the server's IP address.
Certificate Installation
Edit the Nginx configuration file. Mine is /etc/nginx/nginx.conf; you can find its location with the nginx -t command. After the server block that contains listen 80, add the following:
server {
    listen 443;
    server_name staunchkai.com; # the domain name bound to the certificate
    ssl on;
    ssl_certificate /home/SSL/1_bundle.crt;
    ssl_certificate_key /home/SSL/2_key.key;
    ssl_session_timeout 5m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # configure using these protocols
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE; # configure using this cipher suite
    ssl_prefer_server_ciphers on;
    location / {
        root /home/hexo; # site directory
        index index.html index.htm;
    }
}
After editing the configuration, use the nginx -t command to check it for errors. If it is correct, restart Nginx with systemctl restart nginx.service. The site can then be accessed using the https domain name.
Note:
Configuration parameter | Explanation |
---|---|
listen 443 | The SSL access port number is 443 |
ssl on | Enable SSL |
ssl_certificate | Certificate file |
ssl_certificate_key | Private key file |
ssl_protocols | The protocols used |
ssl_ciphers | Cipher suite configuration, written in the standard OpenSSL format |
Site-wide encryption: automatically redirecting http to https
Users may not know that the site can be accessed over https, so you can have the server automatically redirect http requests to https. This can be done with JS, or the redirect can be done on the server. Nginx supports rewrite: edit the Nginx configuration file and add a statement to the server block that contains listen 80, as follows:
listen 80 default_server;
listen [::]:80 default_server;
server_name staunchkai.com;
root /home/hexo;
rewrite ^(.*) https://staunchkai.com$1 permanent; # the added statement
Restart Nginx, and requests arriving on port 80 will be redirected to https.
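The two server blocks from this article with the TLS settings tightened, covering both the certificate installation step and the http-to-https redirect. This is an added example, not the author's configuration: the domain, paths and cipher list are taken from the article, while the protocol list, the IPv6 listener on 443 and the HSTS header are assumptions added here.

```nginx
# Added example, not the author's configuration.
# Domain, paths and cipher list come from the article; the rest is assumed.

# Port 80: send every plain-http request to the https site.
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name staunchkai.com;

    # Same effect as the rewrite rule, without evaluating a regex.
    # A fixed host name is used so the redirect target never depends on
    # the Host header sent by the client.
    return 301 https://staunchkai.com$request_uri;
}

# Port 443: the TLS site.
server {
    # "ssl" on the listen line replaces "ssl on;", which was deprecated
    # in nginx 1.15.0 and removed in nginx 1.25.1.
    listen 443 ssl;
    listen [::]:443 ssl;            # assumption: IPv6 is served, as on port 80
    server_name staunchkai.com;

    ssl_certificate     /home/SSL/1_bundle.crt;
    ssl_certificate_key /home/SSL/2_key.key;   # keep readable by root only
    ssl_session_timeout 5m;

    # TLS 1.0 and 1.1 are deprecated (RFC 8996), so only 1.2 and 1.3 remain.
    # TLSv1.3 needs nginx 1.13.0+ built against OpenSSL 1.1.1+.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;
    ssl_prefer_server_ciphers on;

    # HSTS (added here): browsers that have visited once go straight to
    # https afterwards. Enable only when every page works over https.
    add_header Strict-Transport-Security "max-age=31536000" always;

    location / {
        root /home/hexo;            # site directory
        index index.html index.htm;
    }
}
```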