Install Nginx on Linux and configure an HTTPS environment (Ubuntu, apt)

Install and configure Nginx on Ubuntu 18.04

1. Install Nginx

  • Nginx packages are available in the default Ubuntu software repositories, so the installation is a single apt command:
# refresh the package index
sudo apt update
# install Nginx
sudo apt install -y nginx
  • After the installation completes, check the installed Nginx version:
sudo nginx -v
  • Nginx is now installed.

Nginx: preventing garbled characters (charset)

Add a charset directive to the server block so that responses declare UTF-8 in the Content-Type header. This only labels the encoding; it does not convert files that are stored in another encoding.

 server {
     ...
     listen 8088 default_server;
     listen [::]:8088 default_server;
     charset utf-8;  # set the response character set to UTF-8
 }

Nginx: configuring the HTTPS environment

  • A brief introduction to HTTPS

According to Wikipedia:

HTTPS (Hypertext Transfer Protocol Secure) is used to provide encrypted communication and to authenticate the identity of the web server.

Start configuration

1. Upgrade OpenSSL

# refresh the package index
sudo apt-get update

# install OpenSSL, or upgrade it to the latest packaged version
sudo apt-get install openssl

# check the installed OpenSSL version
openssl version

Note that nginx uses the shared libssl library rather than the openssl command-line binary, so the TLS versions nginx can offer depend on the libssl package and the nginx build; TLS 1.3 needs OpenSSL 1.1.1 or newer. A normal apt-get upgrade keeps both current.

2. Apply for an SSL certificate from the registrar where the domain name was bought, or from a cloud provider such as Tencent Cloud (腾讯云) or Alibaba Cloud (阿里云). Free certificates are available; a paid one is optional if you have the budget.

3. Create a directory to store the nginx certificate files (usually two: the certificate chain and the private key)

# create an ssl directory inside the nginx configuration directory
mkdir /etc/nginx/ssl
mkdir /etc/nginx/ssl/private  # holds the certificate and the private key
mkdir /etc/nginx/ssl/certs    # holds the dhparam.pem generated with openssl

Because the private key lives in the private directory, keep that directory and the key file readable by root only (mode 700 for the directory, 600 for the key).

4. Modify the Nginx configuration file

  • You can also download the file to a Windows machine, edit it there, and upload it back, to avoid typing errors.
# the Nginx configuration installed by apt is normally here
vi /etc/nginx/sites-enabled/default
server {
    listen 443 ssl;
    listen [::]:443 ssl ipv6only=on;
    # enter the domain names bound to your certificate: the www record and the @ (apex) record, separated by a space
    # www.yuweb.cf
    # yuweb.cf
    server_name www.yuweb.cf yuweb.cf;

    # `ssl on;` is not needed here and is deprecated since nginx 1.15.0; the ssl parameter of listen enables TLS
    # enter the paths of the certificate (the full chain) and the private key stored in step 3
    ssl_certificate /etc/nginx/ssl/private/example_com.pem;
    ssl_certificate_key /etc/nginx/ssl/private/example_com.key;
}

5. Increase security (optional)

  • The block above relies on nginx's defaults for protocol versions, cipher suites and Diffie-Hellman parameters. The nginx 1.14 default for ssl_protocols still allows TLS 1.0 and 1.1, and without ssl_dhparam the DHE cipher suites are either not used at all (nginx 1.11.0 and later) or, in older builds, use weak built-in 1024-bit parameters. To harden it, generate your own Diffie-Hellman parameters and pin an explicit protocol and cipher list.
  • First, enter the /etc/nginx/ssl/certs directory and generate dhparam.pem:
cd /etc/nginx/ssl/certs
openssl dhparam -out dhparam.pem 2048
  • The bit length is a trade-off against the machine's performance: a larger size is stronger, but generation takes much longer. Common choices:

  • 1024 (too weak; 1024-bit DH groups are considered breakable by well-resourced attackers since the Logjam research, so do not use this)

  • 2048 (the minimum to use today)

  • 4096 (stronger, but generation can take many minutes)

  • After generation completes, extend the server block from step 4 with the TLS settings below.

server {
    listen 443 ssl;
    listen [::]:443 ssl ipv6only=on;
    # enter the domain names bound to your certificate: the www record and the @ (apex) record, separated by a space
    # www.yuweb.cf
    # yuweb.cf
    server_name www.yuweb.cf yuweb.cf;

    # paths of the certificate chain and the private key stored in step 3
    ssl_certificate /etc/nginx/ssl/private/example_com.pem;
    ssl_certificate_key /etc/nginx/ssl/private/example_com.key;

    # location of the dhparam.pem generated above
    ssl_dhparam /etc/nginx/ssl/certs/dhparam.pem;
    # TLS 1.2 and 1.3 only: TLS 1.0 and 1.1 are deprecated (RFC 8996); TLS 1.3 needs OpenSSL 1.1.1 or newer
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    # forward-secret AEAD suites only; RC4, 3DES and MD5 are excluded simply by not being listed
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    keepalive_timeout 70;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;

    # OCSP stapling; ssl_stapling_verify needs the issuer chain, so either the certificate
    # file must contain the full chain or ssl_trusted_certificate must point to it
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 8.8.4.4 8.8.8.8 valid=300s;
    resolver_timeout 10s;

    # HSTS for two years; `always` also sends the headers with error responses.
    # add_header directives inside a location block replace these, so repeat them there if needed.
    add_header Strict-Transport-Security "max-age=63072000" always;
    add_header X-Frame-Options DENY always;
    add_header X-Content-Type-Options nosniff always;
}
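To see concretely what the step-four block leaves open, and that the hardened block closes it, here is an added example; it is not part of the original post and not an nginx tool. It is a small Python audit that tokenizes a server block, checks the TLS directives against the points made in this section, and asks the local OpenSSL (through Python's ssl module) which cipher suites an ssl_ciphers value really enables. The two embedded configs are constructed inputs that mirror the step-four and step-five blocks; the tokenizer is a hypothetical helper that only understands the flat server blocks shown here, not the full nginx grammar; the finding tags (ssl-on, protocols, ciphers, dhparam, hsts, stapling) are labels invented for this script; and the resolved suite names depend on the OpenSSL your Python is linked against.

```python
"""Audit the TLS directives of an nginx server block (added example, not from the post)."""
import re
import ssl

NGINX_DEFAULT_CIPHERS = "HIGH:!aNULL:!MD5"  # nginx's documented default for ssl_ciphers
WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

# Constructed input: the server block as step four leaves it.
STEP4_CONFIG = """
server {
    listen 443 ssl;
    ssl on;
    ssl_certificate /etc/nginx/ssl/private/example_com.pem;
    ssl_certificate_key /etc/nginx/ssl/private/example_com.key;
}
"""

# Constructed input: the same block after the step-five hardening.
HARDENED_CONFIG = """
server {
    listen 443 ssl;
    ssl_certificate /etc/nginx/ssl/private/example_com.pem;
    ssl_certificate_key /etc/nginx/ssl/private/example_com.key;
    ssl_dhparam /etc/nginx/ssl/certs/dhparam.pem;  # from: openssl dhparam -out dhparam.pem 2048
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    ssl_stapling on;
    resolver 8.8.4.4 8.8.8.8 valid=300s;
    add_header Strict-Transport-Security "max-age=63072000" always;
}
"""

def tokenize(text):
    """Words plus the punctuation ; { } of nginx config text, honouring quotes and # comments."""
    tokens, buf, quote, i = [], "", None, 0
    while i < len(text):
        c = text[i]
        if quote and c != quote:           # inside "..." or '...': spaces and ';' are literal
            buf += c
        elif quote or c in "\"'":          # closing or opening quote
            quote = None if quote else c
        elif c == "#":                     # a comment runs to the end of the line
            while i < len(text) and text[i] != "\n":
                i += 1
        elif c in ";{}" or c.isspace():    # end of the current word (empty words are dropped below)
            tokens.extend([buf, c] if c in ";{}" else [buf])
            buf = ""
        else:
            buf += c
        i += 1
    return [t for t in tokens + [buf] if t]

def resolve_ciphers(cipher_string):
    """Ask the local OpenSSL which suites an ssl_ciphers value really enables."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:                   # nothing matched: nginx would fail every handshake
        return []
    return [c["name"] for c in ctx.get_ciphers()]

def audit(config):
    """Return 'tag: message' findings; an empty list means nothing left to fix."""
    seen, stmt = {}, []                    # directive name -> list of argument lists, nesting flattened
    for tok in tokenize(config):
        if tok in (";", "{"):              # ';' ends a directive, '{' ends a block header such as `server`
            if stmt:
                seen.setdefault(stmt[0], []).append(stmt[1:])
            stmt = []
        elif tok != "}":
            stmt.append(tok)
    found = []
    if ["on"] in seen.get("ssl", []):
        found.append("ssl-on: `ssl on;` is deprecated since nginx 1.15.0; `listen 443 ssl` is enough")
    protocols = {p for args in seen.get("ssl_protocols", []) for p in args}
    if not protocols:
        found.append("protocols: ssl_protocols unset; the nginx default still allows TLSv1 and TLSv1.1")
    elif protocols & WEAK_PROTOCOLS:
        found.append("protocols: weak versions enabled: " + " ".join(sorted(protocols & WEAK_PROTOCOLS)))
    if "ssl_ciphers" not in seen:
        found.append("ciphers: ssl_ciphers unset; nginx falls back to " + NGINX_DEFAULT_CIPHERS)
    suites = resolve_ciphers(seen.get("ssl_ciphers", [[NGINX_DEFAULT_CIPHERS]])[-1][0])
    bad = [s for s in suites if any(w in s for w in ("RC4", "DES", "MD5", "NULL"))
           or not s.startswith(("ECDHE-", "DHE-", "TLS_"))]  # weak primitive or no forward secrecy
    if not suites or bad:
        found.append("ciphers: no usable suite, or weak / non-forward-secret suites: " + " ".join(bad))
    if any(s.startswith("DHE-") for s in suites) and "ssl_dhparam" not in seen:
        found.append("dhparam: DHE suites without ssl_dhparam; nginx >= 1.11.0 drops them, older builds used 1024-bit params")
    hsts = [a for a in seen.get("add_header", []) if a and a[0].lower() == "strict-transport-security"]
    age = re.search(r"max-age=(\d+)", " ".join(hsts[-1])) if hsts else None
    if not age or int(age.group(1)) < 31536000:   # one year is the usual minimum
        found.append("hsts: Strict-Transport-Security missing or max-age shorter than one year")
    if ["on"] in seen.get("ssl_stapling", []) and "resolver" not in seen:
        found.append("stapling: ssl_stapling on without a resolver; nginx cannot fetch OCSP responses")
    return found
```

audit(STEP4_CONFIG) reports the deprecated `ssl on`, protocols and ciphers left at their defaults, DHE suites with no dhparam, and the missing HSTS header; audit(HARDENED_CONFIG) returns an empty list. To repeat the check on a real server, pass it the text of your sites-enabled file after `nginx -t` has accepted it; the script only reads the directives and never touches the key or certificate files.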

6. Redirect port 80 to port 443

  • Add a separate server block for plain HTTP that answers every request with a permanent redirect to the HTTPS site:
server {
        listen 80;
        listen [::]:80;
        # host names: enter your domain
        server_name yuweb.cf www.yuweb.cf;
        # redirect to your HTTPS site; enter your domain (a fixed host name also canonicalises
        # the apex name to www; use https://$host$request_uri to keep whichever name was requested)
        return 301 https://www.yuweb.cf$request_uri;
}

After the configuration is complete

  • Check that the configuration file is syntactically correct:
nginx -t
  • If the following warning appears:
nginx: [warn] conflicting server name "localhost" on 0.0.0.0:80, ignored
    it means the same server name is bound more than once on the same listening port; nginx ignores the duplicate, and the warning does not stop the server from running.
  • Solution: check whether two server blocks listen on the same port with the same server_name (for example the stock default server block and the one you added).
  • Once nginx -t reports no problems, reload the configuration:
nginx -s reload
  • Open the site in a browser to confirm that HTTPS access succeeds.

Nginx common commands

Command                  Effect
service nginx start      Start the Nginx service
service nginx stop       Stop the Nginx service
service nginx restart    Restart the Nginx service
nginx -s reload          Reload the Nginx configuration file
nginx -v                 Show the Nginx version number
nginx -s stop            Stop nginx immediately (fast shutdown)
nginx -s quit            Stop nginx gracefully (finish serving in-flight requests first)
nginx -t                 Check whether the configuration file is correct

Ubuntu 18.04 uses systemd, so the equivalent systemctl start, stop, restart and reload commands for the nginx unit also work.

Origin blog.csdn.net/weixin_43420255/article/details/105912406