Using a self-signed certificate with nginx to serve HTTPS

1. Generate a self-signed ssl certificate

mkdir /ssl
# create a folder to hold the SSL certificate
cd /ssl
# run the following commands in this folder, because the nginx configuration below reads the files from /ssl
openssl genrsa -des3 -out ylc520.key 1024
# generate the RSA key (you are asked to set a passphrase during this step; remember it)
openssl rsa -in ylc520.key -out ylc520_nopass.key
# write a copy of the key file that does not require a passphrase
openssl req -new -key ylc520.key -out ylc520.csr
# generate a certificate signing request (CSR)
Here you are prompted for the country, region, organization, e-mail and other information. The most important field is the "Common Name", which must be the same as your domain.

Enter pass phrase for ylc520.key: # the passphrase set earlier

Country Name (2 letter code) [XX]: CN # country
State or Province Name (full name) []: Jilin # region or province
Locality Name (eg, city) [Default City]: Changchun # city
Organization Name (eg, company) [Default Company Ltd]: Python # organization name
Organizational Unit Name (eg, section) []: Python # organizational unit name
Common Name (eg, your name or your server's hostname) []: ylc520.f3322.net # domain name
Email Address []: [email protected] # e-mail
A challenge password []: # challenge password, you can just press Enter
An optional company name []: # optional company name, you can just press Enter
After you enter these values, the complete request file ylc520.csr is generated. This CSR is the file you would submit to an SSL certificate provider. This tutorial does not use a certificate provider; we issue the certificate ourselves.

openssl x509 -req -days 365 -in ylc520.csr -signkey ylc520.key -out ylc520.crt
# use the key and the CSR from above to sign the certificate
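
The commands above never check what they produced, and the resulting certificate has a 1024-bit key and no subjectAltName. As an added example (not part of the original post), the script below goes one step further than the procedure: it creates the pair in a single command and checks it before nginx loads it. The function names and the 2048-bit default are assumptions, and `-addext` needs OpenSSL 1.1.1 or later.

```shell
#!/bin/sh
# Added example, not from the original post; function names are assumptions.

# Create key + self-signed certificate in one step, with a subjectAltName.
# Usage: make_selfsigned HOST DIR [BITS]
make_selfsigned() {
    openssl req -x509 -newkey "rsa:${3:-2048}" -nodes -sha256 -days 365 \
        -subj "/CN=$1" -addext "subjectAltName=DNS:$1" \
        -keyout "$2/$1.key" -out "$2/$1.crt" 2>/dev/null
}

# Check a certificate/key pair before nginx loads it.
# Usage: check_pair CERT KEY HOST, for example
#   check_pair /ssl/ylc520.crt /ssl/ylc520_nopass.key ylc520.f3322.net
# Prints one line per failed check; returns 0 only if every check passed.
check_pair() {
    cert=$1 key=$2 host=$3 rc=0
    text=$(openssl x509 -in "$cert" -noout -text) || return 2

    # 1. The certificate must carry the public half of this private key,
    #    otherwise nginx fails to start with a key mismatch error.
    #    "-passin pass:" makes an encrypted key fail instead of prompting.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey)
    key_pub=$(openssl pkey -in "$key" -passin pass: -pubout 2>/dev/null) || key_pub=
    [ -n "$key_pub" ] && [ "$cert_pub" = "$key_pub" ] || { echo "FAIL key-mismatch"; rc=1; }

    # 2. Host name check by OpenSSL (falls back to the Common Name if no SAN).
    openssl x509 -in "$cert" -noout -checkhost "$host" | grep -q "does match" \
        || { echo "FAIL hostname"; rc=1; }

    # 3. Current browsers ignore the Common Name and require a subjectAltName.
    printf '%s\n' "$text" | grep -qF "DNS:$host" || { echo "FAIL san"; rc=1; }

    # 4. RSA keys under 2048 bits are rejected by current browsers and by
    #    OpenSSL at security level 2.
    bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p')
    [ "${bits:-0}" -ge 2048 ] || { echo "FAIL weak-key ${bits:-?}"; rc=1; }

    # 5. The certificate must not be expired.
    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null || { echo "FAIL expired"; rc=1; }
    return $rc
}
```

Run against the files from the procedure above, `check_pair` reports the `san` and `weak-key` failures, since that certificate only has a Common Name and a 1024-bit key.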

2. Modify the nginx configuration

server {
    listen 80;
    listen 443 ssl;
    # add a listening port that uses SSL
    server_name ylc520.f3322.net;
    # your domain name
    root /usr/share/nginx/html;

    include /etc/nginx/default.d/*.conf;

    ssl_certificate      /ssl/ylc520.crt;
    ssl_certificate_key  /ssl/ylc520_nopass.key;

    ssl_session_timeout 5m;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    # protocol tuning (optional; tunes the HTTPS settings to improve security)
    # TLSv1 and TLSv1.1 are deprecated by RFC 8996 and can be dropped from ssl_protocols
    if ($server_port = 80) {
        rewrite ^(.*)$ https://$host$1 permanent;
    }
    # URL rewrite: requests that arrive on port 80 are redirected to HTTPS
}

3. Access

Enter the domain name in the browser; the request is automatically redirected to HTTPS.


Origin blog.51cto.com/13620944/2442166