When it comes to the nginx server, I personally think that its biggest features are its light weight and high performance. After testing on several different servers, it was found that its concurrency capability is particularly strong and that, relatively speaking, it eats much less memory. It is now the preferred HTTP and reverse proxy server for most webmasters. The webmaster's own website, including the enterprise server operation and maintenance service, uses Nginx, and Apache can of course be used as well.
1. Nginx SSL module installation
Check whether nginx installs the http_ssl_module module.
$ /usr/local/nginx/sbin/nginx -V
If configure arguments: --with-http_ssl_module appears, the module is already installed (you can skip the following steps and go straight to the nginx.conf configuration).
Download the Nginx installation package from the official Nginx website.
Download the installation package to the src directory
$ cd /usr/local/src
$ wget http://nginx.org/download/nginx-1.15.9.tar.gz
Unzip the installation package.
$ tar -zxvf nginx-1.15.9.tar.gz
Configure the SSL module.
$ cd nginx-1.15.9
$ ./configure --prefix=/usr/local/nginx --with-http_ssl_module
Compile with the make command (do not use make install, which would reinstall nginx); an objs folder will appear in the current directory.
Overwrite the current nginx binary with the newly built one.
$ cp ./objs/nginx /usr/local/nginx/sbin/
Check the installed modules again (configure arguments: --with-http_ssl_module indicates that the SSL module is installed).
$ /usr/local/nginx/sbin/nginx -V
nginx version: nginx/1.15.9
...
configure arguments: --with-http_ssl_module
2. SSL certificate deployment
The free certificate of Alibaba Cloud is used here. The term is 1 year. The application address is here.
Download the compressed archive of the issued SSL certificate to your local machine and decompress it (the pem and key files are used here; the file names can be changed).
Create a new cert folder in the nginx directory to store the certificate files.
$ cd /usr/local/nginx
$ mkdir cert
Upload these two files to the cert directory of the server.
Here the files are uploaded with the scp command from a Mac terminal (open a new local terminal for this; do not use the window that is connected to the server):
$ scp /Users/yourname/Downloads/ssl.pem <server login name>@<server IP address>:/usr/local/nginx/cert/
$ scp /Users/yourname/Downloads/ssl.key <server login name>@<server IP address>:/usr/local/nginx/cert/
scp [local file path, you can drag the file directly into the terminal] [<server login name>@<server IP address>:<path on the server>]
3. nginx.conf configuration
Edit the /usr/local/nginx/conf/nginx.conf configuration file:
Configure https server. Comment out the previous http server configuration and add https server:
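server {
    # The server listens on port 443 with ssl enabled; ssl here is the SSL module installed above
    listen 443 ssl;
    # Domain names; separate multiple names with spaces
    server_name hack520.com www.hack520.com;
    # SSL certificate location
    ssl_certificate /usr/local/nginx/cert/ssl.pem; # path to the pem file
    ssl_certificate_key /usr/local/nginx/cert/ssl.key; # path to the key file
    # SSL verification-related configuration
    ssl_session_timeout 5m; # session cache validity period
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4; # encryption algorithms
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # protocols available for secure connections
    ssl_prefer_server_ciphers on; # use the server's preferred algorithms
    location / {
        root html;
        index index.html index.htm;
    }
}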
Redirect http to https.
server {
listen 80;
server_name hack520.com www.hack520.com;
return 301 https://$server_name$request_uri;
}
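The ssl_protocols line above still enables TLSv1 and TLSv1.1, which RFC 8996 deprecates, and the broad ECDHE:ECDH:AES:HIGH cipher string also admits static-RSA and CBC suites. The following is an added example, not part of the original post, showing the same https server block with tightened TLS settings. It assumes nginx is built against OpenSSL 1.1.1 or later (needed for TLSv1.3); the session cache size and the HSTS max-age are values chosen here for illustration.

```nginx
server {
    listen 443 ssl;
    server_name hack520.com www.hack520.com;

    ssl_certificate     /usr/local/nginx/cert/ssl.pem;
    ssl_certificate_key /usr/local/nginx/cert/ssl.key;

    # Page value: TLSv1 TLSv1.1 TLSv1.2.
    # TLS 1.0 and 1.1 are deprecated (RFC 8996), so only 1.2 and 1.3 remain.
    ssl_protocols TLSv1.2 TLSv1.3;

    # Page value: ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:...
    # The bare "AES" and "HIGH" keywords also match suites without forward
    # secrecy and CBC-mode suites. List only ECDHE + AEAD suites for TLS 1.2;
    # TLS 1.3 suites are not controlled by this directive and are all AEAD.
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers on;

    # ssl_session_timeout only applies to session tickets unless a cache is
    # configured, because the default ssl_session_cache is "none".
    ssl_session_timeout 5m;
    ssl_session_cache   shared:SSL:10m;   # size is an assumption
    ssl_session_tickets off;              # avoid long-lived ticket keys

    # Tell browsers to use HTTPS only (max-age is an assumption: 1 year).
    # Enable this only after HTTPS works for every name in server_name.
    add_header Strict-Transport-Security "max-age=31536000" always;

    location / {
        root  html;
        index index.html index.htm;
    }
}
```

Run /usr/local/nginx/sbin/nginx -t to validate the file before restarting, and keep ssl.key readable only by the user that starts nginx.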
4. Restart nginx
$ /usr/local/nginx/sbin/nginx -c /usr/local/nginx/conf/nginx.conf
If port 80 is occupied, use kill [id] to end the process:
# Check port usage
$ netstat -lntp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 21307/nginx: master
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 3072/sshd
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 21307/nginx: master
# End the process occupying port 80
$ kill 21307
Restart nginx again:
$ /usr/local/nginx/sbin/nginx -c /usr/local/nginx/conf/nginx.conf
or:
$ service nginx restart