[Repost] Enabling https on a Hexo blog (SSL certificate)

 

This article first appeared on my personal blog: https://staunchkai.com

My server is on Tencent Cloud and my domain name is with Alibaba Cloud. This article records the process of enabling https for a Hexo blog.

Obtain a certificate

For the SSL certificate I chose Tencent Cloud's free DV certificate, which is valid for one year.
For the Tencent Cloud certificate application process, click here to view it.

Once domain ownership has been verified and the certificate approved, you can delete the DNS record that was added for verification. Download the certificate from the certificate management page.
After downloading and extracting the certificate archive, the directory structure should be as follows:

I'm using Nginx, so I only need the two files in the Nginx directory: the .crt file and the .key file.

Upload the certificate to the server

Create a folder on the server for storing the certificate file, my path is: /home/SSL.

Use git bash to upload the two files to /home/SSL on the server.

scp local-file-path USERNAME@SERVER:/home/SSL

USERNAME is the server user. SERVER is the server's IP address.

Certificate Installation

Edit the Nginx configuration file. Mine is /etc/nginx/nginx.conf; the nginx -t command shows which file is in use. After the server block that listens on port 80, add the following:

server {
    listen 443;
    server_name staunchkai.com;     # the domain name bound to the certificate
    ssl on;
    ssl_certificate /home/SSL/1_bundle.crt;
    ssl_certificate_key /home/SSL/2_key.key;
    ssl_session_timeout 5m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;    # configure using these protocols
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;     # configure using this cipher suite
    ssl_prefer_server_ciphers on;
    location / {
        root /home/hexo;    # site directory
        index  index.html index.htm;
    }
}

After editing the configuration, use the nginx -t command to check it for errors. If it is correct, restart Nginx with systemctl restart nginx.service. The site can then be accessed at the domain name over https.
Note:

Configuration parameter    Explanation
listen 443                 The SSL access port number is 443
ssl on                     Enable SSL
ssl_certificate            Certificate file
ssl_certificate_key        Private key file
ssl_protocols              The protocols used
ssl_ciphers                Cipher suite configuration, written in the standard OpenSSL format

Site-wide encryption: automatically redirect http to https

For users who do not know that the site can be accessed over https, you can have the server automatically redirect http requests to https. This can be done with js, and the redirect can also be done on the server. Nginx supports rewrite: edit the Nginx configuration file and add a statement to the server block that listens on port 80, as follows:

listen       80 default_server;
listen       [::]:80 default_server;
server_name  staunchkai.com;
root         /home/hexo;

rewrite ^(.*) https://staunchkai.com$1 permanent;   # the added statement

Restart Nginx, and requests arriving on port 80 will be redirected to https.
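
The two server blocks above written in the form current Nginx releases expect, as an added example that is not part of the original post. The domain, paths and cipher string are the article's; the ssl listen parameter, the TLS 1.2/1.3 protocol list, the session cache and the return 301 redirect are changes made here, since ssl on has been deprecated since Nginx 1.15.0 and TLS 1.0 and 1.1 are deprecated by RFC 8996.

```nginx
# Added example: the article's two server blocks, hardened.
# Lines marked "Before" show the setting used in the article.

# Port 80 serves no content; every request is redirected to https.
server {
    listen      80 default_server;
    listen      [::]:80 default_server;
    server_name staunchkai.com;

    # Before: rewrite ^(.*) https://staunchkai.com$1 permanent;
    # return needs no regex; $request_uri carries the original path and query string.
    return 301 https://staunchkai.com$request_uri;
}

server {
    # Before: listen 443;  ssl on;
    # The ssl parameter of listen replaces the deprecated "ssl on" directive.
    listen      443 ssl;
    listen      [::]:443 ssl;
    server_name staunchkai.com;

    ssl_certificate     /home/SSL/1_bundle.crt;
    # Private key: keep it readable by root only (for example chmod 600).
    # The Nginx master process, started as root, reads it at startup.
    ssl_certificate_key /home/SSL/2_key.key;

    # Before: ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    # TLSv1.3 requires Nginx 1.13.0+ built against OpenSSL 1.1.1+.
    ssl_protocols TLSv1.2 TLSv1.3;

    # Cipher string unchanged from the article.
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;
    ssl_prefer_server_ciphers on;

    ssl_session_timeout 5m;
    # Assumption: a 10 MB shared cache so session resumption works across workers.
    ssl_session_cache   shared:SSL:10m;

    location / {
        root  /home/hexo;
        index index.html index.htm;
    }
}
```

As in the article, run nginx -t before restarting so a syntax error does not take the site down.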


Origin blog.csdn.net/u011331731/article/details/105021255