Install and configure Nginx on Ubuntu 18.04
1. Install Nginx
- Nginx packages are available in the default Ubuntu software repositories. Installation is simple; just run the following commands:
# Update the package index
sudo apt update
# Install Nginx
sudo apt install -y nginx
- After the installation is complete, please check the Nginx service version:
sudo nginx -v
- Nginx installed
Preventing garbled characters in Nginx
server {
...
listen 8088 default_server;
listen [::]:8088 default_server;
charset utf-8; # set the character set to utf-8
}
Configuring HTTPS in Nginx
- A brief introduction to HTTPS
According to Wikipedia's explanation:
HTTPS (Hypertext Transfer Protocol Secure) is used to provide encrypted communication and authentication of the identity of the network server
Start configuration
1. Upgrade OpenSSL
# Update the package sources
sudo apt-get update
# Install the OpenSSL library
sudo apt-get install openssl
# Check the installed OpenSSL version
openssl version
2. Go to the registrar where the domain name was purchased, or to Tencent Cloud, Alibaba Cloud, etc., and apply for an SSL certificate (free certificates are available; big spenders can do as they please)
3. Find a directory to store the nginx certificate files (usually two)
# Create an ssl directory inside the nginx configuration directory
sudo mkdir -p /etc/nginx/ssl
sudo mkdir -p -m 700 /etc/nginx/ssl/private # holds the two SSL certificate files; readable by root only
sudo mkdir -p /etc/nginx/ssl/certs # holds the dhparam.pem generated by openssl
4. Modify the Nginx configuration file
- Of course, you can also download the file to a Windows machine and edit it there to avoid mistakes
# For Nginx installed with apt, the configuration file is usually here
sudo vi /etc/nginx/sites-enabled/default
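server {
    # "listen ... ssl" already enables TLS; the separate "ssl on;" directive is obsolete since nginx 1.15.0
    listen 443 ssl;
    listen [::]:443 ssl ipv6only=on;
    # Enter the domain names bound to your certificate here: the www record and the @ (apex) record, separated by a space
    # www.yuweb.cf
    # yuweb.cf
    server_name www.yuweb.cf yuweb.cf;
    # Enter the path where your certificate is stored (the directory created in step 3)
    ssl_certificate /etc/nginx/ssl/private/example_com.pem;
    ssl_certificate_key /etc/nginx/ssl/private/example_com.key;
}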
5. Increase security (optional)
- The configuration above is not secure enough: the default uses SHA-1, which mainstream deployments should now avoid. To ensure stronger security, we can adopt Diffie-Hellman key exchange
- First, enter the /etc/nginx/ssl/certs directory
cd /etc/nginx/ssl/certs
- Generate dhparam.pem
sudo openssl dhparam -out dhparam.pem 2048
- Choose the number of bits according to the performance of the machine. The higher the number, the more secure the result and the longer generation takes. The options are:
  - 1024
  - 2048
  - 4096
- After the generation is complete, add the following directives after the SSL configuration in the Nginx server block
server {
    # "listen ... ssl" already enables TLS; the separate "ssl on;" directive is obsolete since nginx 1.15.0
    listen 443 ssl;
    listen [::]:443 ssl ipv6only=on;
    # Enter the domain names bound to your certificate here: the www record and the @ (apex) record, separated by a space
    # www.yuweb.cf
    # yuweb.cf
    server_name www.yuweb.cf yuweb.cf;
    # Enter the path where your certificate is stored (the directory created in step 3)
    ssl_certificate /etc/nginx/ssl/private/example_com.pem;
    ssl_certificate_key /etc/nginx/ssl/private/example_com.key;
    ssl_prefer_server_ciphers on;
    # Location of your dhparam.pem file (generated above in /etc/nginx/ssl/certs)
    ssl_dhparam /etc/nginx/ssl/certs/dhparam.pem;
    # TLS 1.0 and 1.1 are deprecated (RFC 8996), so only TLS 1.2 is enabled
    ssl_protocols TLSv1.2;
    # The RC4 entry was dropped from this list: "!RC4" excluded it anyway
    ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH EDH+aRSA !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4";
    keepalive_timeout 70;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 8.8.4.4 8.8.8.8 valid=300s;
    resolver_timeout 10s;
    add_header Strict-Transport-Security max-age=63072000;
    add_header X-Frame-Options DENY;
    add_header X-Content-Type-Options nosniff;
}
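The script below is an added example, not part of the original post: it lints a server block for the TLS directives set in this step, flagging legacy protocol versions (TLS 1.0 and 1.1 are deprecated by RFC 8996), a missing or unreadable ssl_dhparam file, absent HSTS and the obsolete "ssl on;" directive. The function names and finding labels are hypothetical, and the sample configuration is constructed.

```shell
#!/bin/sh
# Added example: lint an Nginx config for the TLS directives used in step 5.
# audit_nginx_tls, directive_args and the finding labels are hypothetical names.

# Print the arguments of the first occurrence of a directive, comments stripped.
directive_args() {  # usage: directive_args FILE NAME
    sed -e 's/#.*//' "$1" | awk -v d="$2" '
        $1 == d { sub(/^[ \t]*[^ \t]+[ \t]+/, ""); sub(/;[ \t]*$/, ""); print; exit }'
}

# Print one finding per line; no output means none of the checks fired.
audit_nginx_tls() {  # usage: audit_nginx_tls FILE
    conf=$1
    protos=$(directive_args "$conf" ssl_protocols)
    [ -n "$protos" ] || echo "NO_SSL_PROTOCOLS"
    for p in $protos; do
        case $p in
            SSLv2|SSLv3|TLSv1|TLSv1.1) echo "WEAK_PROTOCOL $p" ;;
        esac
    done
    dh=$(directive_args "$conf" ssl_dhparam)
    if [ -z "$dh" ]; then
        echo "NO_DHPARAM"
    elif [ ! -r "$dh" ]; then
        echo "DHPARAM_UNREADABLE $dh"   # e.g. generated in a different directory
    fi
    [ "$(directive_args "$conf" ssl_prefer_server_ciphers)" = on ] ||
        echo "NO_SERVER_CIPHER_PREFERENCE"
    grep -Eq '^[[:space:]]*add_header[[:space:]]+Strict-Transport-Security' "$conf" ||
        echo "NO_HSTS"
    [ "$(directive_args "$conf" ssl)" != on ] || echo "DEPRECATED_SSL_ON"
}

# Constructed sample input (not a real server's config).
sample=$(mktemp)
cat > "$sample" <<'EOF'
server {
    listen 443 ssl;
    ssl on;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;  # legacy versions still enabled
    ssl_prefer_server_ciphers on;
    ssl_dhparam /nonexistent/dhparam.pem;
}
EOF
audit_nginx_tls "$sample"
rm -f "$sample"
```

Run it against /etc/nginx/sites-enabled/default before reloading; it complements nginx -t, which only checks syntax and file access.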
6. Redirect requests on port 80 to port 443
- Add a server block
server {
    listen 80;
    listen [::]:80;
    # Host name: enter your domain name
    server_name yufire.cf www.yufire.cf;
    # Redirect to your HTTPS port; enter your domain name
    return 301 https://www.yufire.cf$request_uri;
}
After the configuration is complete
- Check whether the configuration file is correct
sudo nginx -t
- If the following warning appears
nginx: [warn] conflicting server name "localhost" on 0.0.0.0:80, ignored
- It probably means that the server name is bound more than once, but this warning will not affect the operation of the server
- Solution: check whether two server blocks with the same host name are configured on the same listening port
- Once there are no problems, reload the Nginx configuration file
sudo nginx -s reload
- Check whether the site can be accessed successfully in the browser
Nginx common commands
command | effect |
---|---|
service nginx start | Start the Nginx service |
service nginx stop | Stop Nginx service |
service nginx restart | Restart Nginx service |
nginx -s reload | Reload the Nginx configuration file |
nginx -v | View the version number of Nginx |
nginx -s stop | Stop nginx (fast shutdown) |
nginx -s quit | Exit nginx (graceful shutdown) |
nginx -t | Check if the configuration file is correct |