https nginx configuration is required CA that issued the certificate, in order to facilitate testing, we can use a self-signed certificate
1. How to generate a self-signed certificate 1.1: We need to prepare for the private and public services and client:
//生成服务器端私钥
openssl genrsa -out server.key 1024 //生成服务器端公钥 openssl rsa -in server.key -pubout -out server.pem 1.2: Generating CA Certificate
// 生成 CA 私钥
openssl genrsa -out ca.key 1024 openssl req -new -key ca.key -out ca.csr Note: The implementation of the above command will need to fill out the following items, you can skip directly enter, but the Common Name that a proposal to fill in your domain name, if it is local, you can write localhost
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]: Locality Name (eg, city) []: Organization Name (eg, company) [Internet Widgits Pty Ltd]: Organizational Unit Name (eg, section) []: Common Name (e.g. server FQDN or YOUR name) []:这个是你的域名 Email Address []: Generated CA certificate
openssl x509 -req -in ca.csr -signkey ca.key -out ca.crt
1.3: Generate a Server Certificate
//服务器端需要向 CA 机构申请签名证书,在申请签名证书之前依然是创建自己的 CSR 文件
openssl req -new -key server.key -out server.csr //向自己的 CA 机构申请证书,签名过程需要 CA 的证书和私钥参与,最终颁发一个带有 CA 签名的证书 openssl x509 -req -CA ca.crt -CAkey ca.key -CAcreateserial -in server.csr -out server.crt 1.4: Generating cer file
//使用openssl 进行转换
openssl x509 -in server.crt -out server.cer -outform der 2. Configure nginx after we get the CA-signed certificate, the certificate required in nginx configuration. First, we will server.crt and server.key copy of the configuration file to the directory where the nginx Next, add the following configuration nginx configuration:
server {
listen 443 ssl;
server_name 你的域名;
charset utf-8; ssl on; ssl_certificate server.crt; ssl_certificate_key server.key; location / { root html; index index.html index.htm; } } Currently we just did a test page https welcome, so use the default location. The need to expand their own small partners can modify the configuration. Finally, restart nginx, visit https: // your domain name , you can appear welcome page.
Note: In many cases, access to a Web site when not bother to add https at the beginning, but direct access to enter the domain name, but this is the default browser http requests, how to allow users to directly enter the domain name is https request access to it? Method 1: http redirect the request to all https
server {
charset utf-8;
listen 80;
server_name 你的域名;
rewrite ^(.*) https://$host$1 permanent;
}
Method 2: When the site only allows access to https, http status code 497 will be reported accessed by using error_page way redirected to https
server {
listen 443 ssl;
listen 80;
server_name localhost;
charset utf-8;
ssl on;
ssl_certificate server.crt;
ssl_certificate_key server.key;
location / {
root html;
index index.html index.htm;
}
error_page 497 https://$host$uri?$args;
}
Method 3: Using the browser First, build a html text, named https.html
<html>
<meta http-equiv="refresh" content="0;url=https://你的域名/"> </html> Secondly, and then configure the monitor server 80 port access to the html:
server {
charset utf-8;
listen 80;
server_name 你的域名;
location / {
root html;
index https.html;
}
error_page 404 https://你的域名/;
}
More effective pro-test mode, the junior partner may be used in accordance with the actual situation.