How to add an SSL certificate to an Nginx server

Log in to the Nginx server.
For example, you can use remote login tools (such as PuTTY, Xshell) to log in to the server.
Execute the following command to create a directory (named cert) for storing certificates under the Nginx installation directory (/usr/local/nginx/conf).
cd /usr/local/nginx/conf #Enter the default installation directory of Nginx. If you have modified the default installation directory, please adjust it according to the actual configuration.
mkdir cert #Create a certificate directory and name it cert.
Use the local file upload function attached to the remote login tool (such as PuTTY, Xshell) to upload the local certificate file and key file to the certificate directory of the Nginx server (/usr/local/nginx/conf/cert in the example).
Note that if you set the CSR generation method to be filled in manually when applying for a certificate, please upload the certificate key file you created manually to the /usr/local/nginx/conf/cert directory.
Edit the Nginx configuration file (nginx.conf) to modify the configuration content related to the certificate.
Execute the following command to open the configuration file.
Before using the example commands, please note: nginx.conf is saved in the /usr/local/nginx/conf directory by default. If you have modified the location of nginx.conf, please replace /usr/local/nginx/conf/nginx.conf with the modified location.
vim /usr/local/nginx/conf/nginx.conf
Press i to enter the editing mode.
Locate the HTTP protocol code snippet (http{}) in the configuration file, and add the following server configuration in the HTTP protocol code (if the server configuration already exists, modify the corresponding configuration according to the following comments).
Before using the sample code, please replace the following:
yourdomain.com: Replace with the domain name bound to the certificate.
If you purchased a single domain name certificate, you need to modify it to a single domain name (for example, www.aliyun.com); if you purchased a wildcard domain name certificate, you need to modify it to a wildcard domain name (for example, *.aliyun.com).

cert-file-name.pem: Replace with the name of the certificate file you uploaded in step 3.
cert-file-name.key: Replace with the name of the certificate key file you uploaded in step 3.
#In the following attributes, those starting with ssl are related to the certificate configuration.

server {
    listen 443 ssl;
    #Configure the default access port of HTTPS to 443.
    #If the default access port of HTTPS is not configured here, it may cause Nginx to fail to start.
    #If you use Nginx 1.15.0 and above, please use listen 443 ssl instead of listen 443 and ssl on.
    server_name yourdomain.com; #You need to replace yourdomain.com with the domain name bound to the certificate.
    root html;
    index index.html index.htm;
    ssl_certificate cert/cert-file-name.pem; #You need to replace cert-file-name.pem with the name of the uploaded certificate file.
    ssl_certificate_key cert/cert-file-name.key; #You need to replace cert-file-name.key with the name of the uploaded certificate key file.
    ssl_session_timeout 5m;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4; #Indicates the type of cipher suite used.
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2; #Indicates the type of TLS protocol used. TLSv1 and TLSv1.1 are deprecated by RFC 8996; remove them unless legacy clients require them.
    ssl_prefer_server_ciphers on;
    location / {
        root html; #Site directory.
        index index.html index.htm;
    }
}

Optional: Set the HTTP request to automatically redirect to HTTPS.
If you want all HTTP visits to automatically redirect to HTTPS pages, you can add the following rewrite statement under the HTTP site that needs to be redirected.
Before using the sample code, please pay attention to replace yourdomain.com with the domain name bound to the certificate.

server {
    listen 80;
    server_name yourdomain.com; #You need to replace yourdomain.com with the domain name bound to the certificate.
    rewrite ^(.*)$ https://$host$1 permanent; #Redirect all HTTP requests to HTTPS through the rewrite command.
    location / {
        index index.html index.htm;
    }
}

Warning: If you are using an Alibaba Cloud ECS server, you must open ports 80 and 443 on the security group page of the ECS management console; otherwise the website may not work correctly. For how to configure a security group, see Adding Security Group Rules.
After the modification is completed, press the Esc key, type :wq! and press Enter to save the modified configuration file and exit the editing mode.
Execute the following command to restart the Nginx service.

cd /usr/local/nginx/sbin #Enter the executable directory of the Nginx service.

./nginx -s reload #Reload the configuration file.
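
A check to run before the reload, added here as an example and not part of the original post: it lists the ssl_protocols entries that RFC 8996 deprecates (the sample above enables TLSv1 and TLSv1.1) and confirms that the uploaded key file is not accessible to group or other. The function names are assumptions; relative key paths are resolved against the directory holding nginx.conf, and paths are assumed to contain no spaces.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are assumptions.

# Print every ssl_protocols entry that is deprecated (RFC 8996) or older.
deprecated_protocols() {
    sed 's/#.*//' "$1" | awk '
        $1 == "ssl_protocols" {
            for (i = 2; i <= NF; i++) {
                p = $i; sub(/;$/, "", p)
                if (p == "SSLv2" || p == "SSLv3" || p == "TLSv1" || p == "TLSv1.1")
                    print p
            }
        }'
}

# Print each ssl_certificate_key path; relative paths are resolved against
# the directory that holds the configuration file (assumed to be the prefix).
key_paths() {
    sed 's/#.*//' "$1" | awk -v d="$(dirname "$1")" '
        $1 == "ssl_certificate_key" {
            p = $2; sub(/;$/, "", p)
            if (p !~ /^\//) p = d "/" p
            print p
        }'
}

# Succeed only for a regular file with no group/other permission bits.
key_is_private() {
    [ -f "$1" ] || return 1
    case "$(ls -ld -- "$1")" in
        -???------*) return 0 ;;
        *) return 1 ;;
    esac
}

# Report findings for one config file; returns non-zero if any were found.
preflight() {
    rc=0
    for p in $(deprecated_protocols "$1"); do
        echo "WEAK: ssl_protocols enables $p"; rc=1
    done
    for k in $(key_paths "$1"); do
        key_is_private "$k" || { echo "WEAK: $k is missing or readable by group/other"; rc=1; }
    done
    return "$rc"
}
```

After sourcing the functions, run preflight /usr/local/nginx/conf/nginx.conf, then ./nginx -t to let Nginx validate the syntax, and only then ./nginx -s reload.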


Origin blog.51cto.com/hzcto/2576179