Nginx: configuring an SSL certificate and upgrading to HTTPS, process details (the ssl directive is deprecated / cannot load certificate)

Preface

  • In daily development, projects reachable over the public internet are normally accessed over a secure connection, that is, URLs starting with https:// (plain http:// is rare).

  • When we set up the domain name and server ourselves, Nginx does forward plain http. That is because no certificate has been configured.

  • The browser notices that the transmission is not encrypted as the standard requires and marks the connection as not secure, although the site remains usable.

  • In fact, for a domain we own there is a matching free SSL certificate we can apply for; we just had not applied for it.

Prerequisites

  • The domain was purchased from Alibaba Cloud (which handles the DNS resolution); the server is a Tencent Cloud lightweight cloud server.

  • Both the server and the domain have completed registration and can be reached normally. The server runs a Windows image.

  • Apply for the domain's SSL certificate at Alibaba Cloud. A certificate corresponds one-to-one with a domain name (second-level domains need their own application).

  • Make sure port 443 (https) is open on the server; it is usually open by default.

Implementation process

1. Open Alibaba Cloud, log in with the account that purchased the domain, open the console and search for Digital Certificate Management Service.

2. Click Free Certificate. The first time, you need to click to create a virtual certificate (there are 20 free ones).

3. Click Create Certificate again and a row appears below. Click Certificate Application on the right, fill in the requested information and submit for review. Review usually passes in about 10 minutes, and you are notified by SMS and email.

4. After the review passes, a download button appears on the right. Download the certificate in Nginx format and read the usage documentation.

5. On the server, go to the nginx html directory and create an ssl folder to hold the certificate.

6. Modify the configuration file nginx/conf/nginx.conf:

worker_processes  1;
events {
    worker_connections  1024;
}

http {
    include       mime.types;
    default_type  application/octet-stream;
    sendfile        on;
    keepalive_timeout  65;

    # This server block redirects plain HTTP to HTTPS. Once the certificate is configured,
    # both http and https work, but http remains the default unless it is redirected here
    # (the official documentation describes this way of forcing HTTPS).
    server {
        listen 80;
        # The domain name the certificate is bound to
        server_name 你的域名;
        # Redirect every HTTP request to HTTPS with the rewrite directive
        # (nginx answers with a 302; `return 301 https://$host$request_uri;` is the equivalent permanent form)
        rewrite ^(.*)$ https://$host$1;
        location / {
            index index.html index.htm;
        }
    }

    server {
        #listen       80;
        # The domain name the certificate is bound to
        server_name  你的域名;
        # Enabling SSL with `ssl on;` is obsolete and reports an error; use `listen 443 ssl;` instead
        #ssl on;
        # HTTPS port with TLS enabled (default 443)
        listen 443 ssl;
        # Certificate and private key; ./ paths are relative to the nginx prefix directory
        ssl_certificate         ./html/SSL/FW/你的域名.pem;
        ssl_certificate_key     ./html/SSL/FW/你的域名.key;
        # TLS session settings - optional
        ssl_session_cache shared:SSL:1m;
        ssl_session_timeout 5m;
        ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
        # TLSv1.1 is deprecated (RFC 8996); listing only TLSv1.2 TLSv1.3 is the safer choice
        ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;
        # Prefer the server's cipher suite order (the nginx default is off)
        ssl_prefer_server_ciphers on;

        location / {
            root   html/fw/dist;
            index  index.html index.htm;
            try_files $uri $uri/ /index.html; # fixes the 404 on page refresh for single-page apps
        }

        error_page   500 502 503 504  /50x.html;
        location = /50x.html {
            root   html;
        }
    }
}

7. Reload the configuration with the nginx reload command:

nginx -s reload

8. The site is now entered over https (secure connection) by default and no error is reported, which means the configuration succeeded.

Details

  • After downloading the SSL certificate and placing it on the server, avoid renaming the files (whether the name includes www. or not makes no difference).

  • When referencing the certificate, use a ./ relative path and double-check the path to avoid errors.

Collected errors

1. Enabling SSL with the ssl directive reports an error: the ssl directive is deprecated

Solution: change the directive

# Enabling SSL with `ssl on;` is obsolete and reports an error
# ssl on;
# HTTPS port (default 443); use the form below instead
listen 443 ssl;

2. Referencing the SSL certificate path reports an error: cannot load certificate

Solution

Check the path; a ./ relative path is recommended.

3. The SSL certificate is configured, no error is reported and nginx starts successfully, but access is still over http. This is because the port-80 server block that redirects to https was not configured; take note.
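The three errors collected above can be caught before reloading nginx. The following checker is an added example written for this post (not code from the post or from nginx): it scans server blocks for `ssl on` / `listen 443` without `ssl`, certificate paths that do not resolve under the nginx prefix directory, deprecated TLS versions, and a missing port-80 redirect. The configuration text and `example.test` domain are constructed.

```python
import re
from pathlib import Path

# Constructed sample (not the post's real config) with the errors the post collects: `ssl on`, relative cert paths, TLSv1.1.
BROKEN_CONF = """
server { listen 80; server_name example.test; rewrite ^(.*)$ https://$host$1; }
server {
    server_name example.test;
    ssl on;
    listen 443;
    ssl_certificate     ./html/SSL/FW/example.test.pem;
    ssl_certificate_key ./html/SSL/FW/example.test.key;
    ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;
}
"""
SERVER = re.compile(r"\bserver\s*\{")

def server_blocks(conf: str) -> list:
    """Body of every `server { ... }` block, found by brace counting."""
    blocks, pos = [], 0
    while m := SERVER.search(conf, pos):
        depth, j = 1, m.end()
        while depth:                                   # walk to the matching closing brace
            depth += {"{": 1, "}": -1}.get(conf[j], 0)
            j += 1
        blocks.append(conf[m.end():j - 1])
        pos = j
    return blocks

def directive(block: str, name: str):
    m = re.search(rf"^\s*{name}\s+([^;]+);", block, re.M)  # line-anchored, so commented-out lines are skipped
    return m.group(1).split() if m else None

def audit(conf: str, prefix: str) -> list:
    """Return findings; `prefix` is the nginx prefix directory that ./ paths resolve against."""
    findings, redirects = [], False
    for block in server_blocks(conf):
        listen = directive(block, "listen") or []
        if directive(block, "ssl") == ["on"] or ("443" in listen and "ssl" not in listen):
            findings.append("use 'listen 443 ssl': 'ssl on' is deprecated and plain 'listen 443' serves http")
        for name in ("ssl_certificate", "ssl_certificate_key"):
            val = directive(block, name)
            if val and not (Path(prefix) / val[0]).is_file():
                findings.append(f"{name} {val[0]} not found under {prefix} (cannot load certificate)")
        if weak := [p for p in directive(block, "ssl_protocols") or [] if p in ("SSLv3", "TLSv1", "TLSv1.1")]:
            findings.append(f"ssl_protocols enables deprecated versions: {' '.join(weak)}")
        redirects |= "80" in listen and bool(re.search(r"(rewrite|return)\s[^;]*https://", block))
    if not redirects:
        findings.append("no port-80 server redirects to https; the site still answers over plain http")
    return findings
```

Run `audit(open("conf/nginx.conf").read(), "/path/to/nginx")` from the nginx prefix to list the problems before `nginx -s reload`; an empty list means none of the post's three errors (or a deprecated TLS version) is present.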


Summary:

After going through this process, I believe you will also have an initial deep impression of the details of configuring an SSL certificate in Nginx and upgrading to https (the ssl directive is deprecated / cannot load certificate), but in actual development the situations we encounter are bound to be different, so we have to understand its principles and never stray from its origins. Keep it up, fellow workers!

Please point out any shortcomings, thank you - Feng Guo Wuhen

Origin blog.csdn.net/weixin_53579656/article/details/132938985