Configuring an SSL certificate with Nginx on an Ubuntu cloud server and redirecting HTTP to HTTPS

1. Apply for a free SSL certificate for cloud services

2. Download the SSL certificate from the cloud service, decompress it locally, and upload it to the server

3. Configure the nginx.conf file under Nginx

4. Open security groups, internal and external

5. Test whether the configuration and the redirect are successful

1. Apply for a free SSL certificate for cloud services

   1.1. Log in to the cloud platform and find the SSL certificate

        Note: The blogger uses Tencent Cloud here; other clouds are similar.

  1.2. Apply for SSL certificate

 Note: Fill in your real domain name and email here; they need to be verified. The remaining options do not need to be filled in, so just skip them.

 Note: The blogger is only showing how to get a free SSL certificate. You should enter your real information. Just click Finish here and wait for the SSL certificate to be issued.

2. Download the SSL certificate from the cloud service, decompress it locally, and upload it to the server

   2.1. After the certificate is issued, you can download it. Select Nginx here.

   2.2. The download is a compressed package. Decompress it locally to get four files, two of which are uploaded to the server.

   2.3. Upload two files to the server

   2.4. Create a directory named cert under /etc/nginx on the server

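# Nginx is installed under /etc by default
# Enter the directory
cd /etc/nginx

# Create the directory
mkdir cert

# Upload
# 1. Use the command below; go to the directory and upload directly
rz

# 2. Use the WinSCP software
# Upload the files to the server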

 

Note: You can upload all the files as the blogger did, or upload only the marked files; it makes no difference.

3. Configure the nginx.conf file under Nginx

# Edit nginx.conf
# If you are in the nginx directory
vim nginx.conf

# If you are not in the nginx directory
vim /etc/nginx/nginx.conf

 3.1. Configure the following and copy it directly:

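# Redirect the HTTP protocol to HTTPS using the rewrite directive
server {
       listen 80;
       # Domain name; without it $server_name is empty and the redirect has no host
       server_name aaaaa.top;
       rewrite ^(.*) https://$server_name$1 permanent; # rewrite directive
      }

server {
      # Listen on port 443
       listen 443 ssl;
      # Domain name
       server_name aaaaa.top; # Fill in your domain name
       #listen ssl on;
      # Path to the SSL certificate crt file
       ssl_certificate /etc/nginx/cert/www.aaaaaa.top_bundle.crt;
      # Path to the SSL certificate key file
       ssl_certificate_key /etc/nginx/cert/www.aaaaaa.top.key;
       ssl_session_timeout 5m;
      # Configure the following protocols
       ssl_protocols TLSv1.2 TLSv1.3;
      # Configure the following cipher suites; the syntax follows the OpenSSL standard
       ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;
       ssl_prefer_server_ciphers on;
       location / {
         # Directory where the web pages are placed, usually under /var/www for the nginx service
         root /var/www/tools;
         index  index.html index.htm;
        }
      }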

 3.2. Save the configuration and test whether the nginx configuration is correct.

       If it is incorrect, check again to see if there is any mismatch. If successful, restart the nginx service.

# Command to test the nginx configuration
nginx -t

# Command to restart nginx
service nginx restart

# Reload the configuration file
service nginx reload

    3.2.1. The test is successful if the output is the same as the blogger's. If not, check the configuration again.

             There will be error messages; please check them patiently.

   3.2.2. Reload nginx configuration

   3.2.3. Restart nginx

   Note: After re-editing the configuration file, you need to reload it. Reloading the configuration file requires nginx to be running; reload first and then restart.

4. Open security groups, internal and external

   4.1. Open internal security group (firewall)

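# Check whether the port is already open; if it is, nothing more is needed
ufw status

# Open port 443
ufw allow 443

# After opening the port, the firewall needs to be reloaded
ufw reload

# Then check the status again
ufw status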

 4.2. Open external security group (firewall)

 Note: If it is already open, there is no need to add it. If not, you need to add it.

  5. Test whether the configuration and the redirect are successful

     Enter your domain name in the browser and see whether the redirect succeeds. If it does, there is no problem: requests are redirected to the HTTPS protocol by default. If there are other problems, check the configuration again.
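
As an added example (not from the original post), the following shell functions check two things this setup depends on: that the uploaded private key is not accessible to group or other users, and that the port-80 response is a 301 whose Location carries the real host, which it will not if the port-80 server block has no server_name and $server_name expands to an empty string. The function names are hypothetical, and the domain and key path in the usage comment are the post's placeholders.

```shell
#!/bin/sh
# Added example: post-deployment checks for the Nginx HTTPS setup above.
# key_perms_ok and redirect_ok are hypothetical helper names.

# Return 0 if the private key exists and group/other have no access to it.
key_perms_ok() {
    key=$1
    [ -f "$key" ] || { echo "missing key: $key" >&2; return 1; }
    # In the `ls -l` mode string, characters 5-10 are the group and other bits.
    mode=$(ls -ld "$key" | cut -c5-10)
    [ "$mode" = "------" ] || {
        echo "key is accessible to group/other: $key" >&2
        return 1
    }
}

# Read HTTP response headers on stdin (for example from `curl -sI`).
# Return 0 only for a 301 whose Location points at https://<domain>/...
redirect_ok() {
    domain=$1
    headers=$(tr -d '\r')
    status=$(printf '%s\n' "$headers" | awk 'NR==1 {print $2}')
    location=$(printf '%s\n' "$headers" |
        awk 'tolower($1)=="location:" {print $2; exit}')
    [ "$status" = "301" ] || { echo "expected 301, got: $status" >&2; return 1; }
    case $location in
        "https://$domain"|"https://$domain/"*) return 0 ;;
        *) echo "bad Location: $location" >&2; return 1 ;;
    esac
}

# When invoked as: script <domain> <key-path>, run both checks on the server,
# e.g. with the post's placeholders:
#   sh check.sh aaaaa.top /etc/nginx/cert/www.aaaaaa.top.key
if [ $# -eq 2 ]; then
    key_perms_ok "$2" && curl -sI "http://$1/" | redirect_ok "$1"
fi
```

If the key check fails, `chmod 600` on the key file removes group and other access.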

 6. That completes the setup. You can now do a basic deployment. Keep up the good work!


Origin blog.csdn.net/m0_58724783/article/details/132360325