Nginx certificate deployment
Get a certificate
Obtain the SSL certificate file 1_www.domain.com_bundle.crt and the private key file 2_www.domain.com.key in the Nginx folder.
The 1_www.domain.com_bundle.crt file includes two pieces of certificate code between "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" markers.
The 2_www.domain.com.key file includes a private key code between "-----BEGIN RSA PRIVATE KEY-----" and "-----END RSA PRIVATE KEY-----" markers.
Certificate installation
Save the certificate file 1_www.domain.com_bundle.crt and the private key file 2_www.domain.com.key of the domain name www.domain.com to the same directory, for example, /usr/local/nginx/conf.
Update the conf/nginx.conf file in the Nginx root directory as follows:
server {
    listen 443;
    server_name www.domain.com; # fill in the domain name bound to the certificate
    ssl on;
    ssl_certificate 1_www.domain.com_bundle.crt;
    ssl_certificate_key 2_www.domain.com.key;
    ssl_session_timeout 5m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # configure according to this protocol
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE; # configure according to this cipher suite
    ssl_prefer_server_ciphers on;
    location / {
        root html; # site directory
        index index.html index.htm;
    }
}
After the configuration is completed, first use bin/nginx -t to test whether the configuration is correct. If it is correct, restart nginx. The site can then be accessed at https://www.domain.com.
Note:
Configuration file parameter description
listen 443 | SSL access port number is 443 |
ssl on | Enable SSL function |
ssl_certificate | certificate file |
ssl_certificate_key | private key file |
ssl_protocols | protocol used |
ssl_ciphers | Configure the cipher suite, written in accordance with the openssl standard |
Use full-site encryption: automatically redirect http to https (optional)
If the user does not know that the website can be accessed by https, let the server automatically redirect the http request to https.
The redirect can be implemented in several ways: you can add a js script to the page, you can write the redirection in the back-end program, and of course you can also have the web server perform the jump. Nginx supports rewrite (as long as pcre is not removed when compiling); adding the following line to the server block that handles http redirects requests arriving on port 80 to https:
rewrite ^(.*) https://$host$1 permanent;
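The two server blocks below combine this page's port-80 redirect and its HTTPS server into one configuration, with the TLS settings tightened. This is an added example, not part of the original page. Using return 301 instead of rewrite, listen 443 ssl instead of ssl on, and dropping TLSv1/TLSv1.1 are this example's choices and assume a current nginx build.

```nginx
# Added example: plain-HTTP listener that only redirects.
server {
    listen 80;
    server_name www.domain.com;

    # Same outcome as the page's "rewrite ^(.*) https://$host$1 permanent;"
    # without a regex match. $request_uri carries the original path and
    # query string. The hostname is fixed rather than taken from $host so
    # the redirect target never reflects a client-supplied Host header.
    return 301 https://www.domain.com$request_uri;
}

# Added example: the page's HTTPS server with hardened TLS settings.
server {
    # "listen 443 ssl;" replaces "listen 443;" + "ssl on;".
    # The "ssl" directive was made obsolete in nginx 1.15.0 and
    # removed in 1.25.1, so "ssl on;" fails "nginx -t" on newer builds.
    listen 443 ssl;
    server_name www.domain.com;

    # Bundle = server certificate followed by the intermediate certificate.
    ssl_certificate     1_www.domain.com_bundle.crt;
    ssl_certificate_key 2_www.domain.com.key;
    ssl_session_timeout 5m;

    # TLSv1 and TLSv1.1 are deprecated (RFC 8996) and omitted here.
    # TLSv1.3 needs nginx 1.13.0+ built against OpenSSL 1.1.1+;
    # remove it from this line on older builds.
    ssl_protocols TLSv1.2 TLSv1.3;

    # Cipher string kept from the page; it applies to TLSv1.2 and below.
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;
    ssl_prefer_server_ciphers on;

    location / {
        root html;                      # site directory
        index index.html index.htm;
    }
}
```

Run bin/nginx -t after editing, as described above, before restarting nginx.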