
Mar 14, 2020 | Tutorial | 710 words in 5 min


Configuring SSL for an Nginx Site

This article follows on from the previous post, "Deploying hexo with Nginx + Git on CentOS".

Server side

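  1. Create a directory under the nginx folder to hold the certificate

    $ cd /etc/nginx
    $ mkdir cert
  2. Open the configuration file

    $ vim /etc/nginx/nginx.conf

    If your server block is in an included file, open that file instead, for example:

    $ vim /etc/nginx/conf.d/default.conf

    If you are not familiar with basic vim operations, see the link at the beginning of the article.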

  3. Add a new https server block to the configuration file

    server {
        # Listen on port 443 with SSL enabled; ssl here is the ssl module installed above
        listen 443 ssl;
        # Domain names; separate multiple names with spaces
        server_name hack520.com www.hack520.com;

        # SSL certificate locations
        ssl_certificate /etc/nginx/cert/ssl.pem; # path to the pem file
        ssl_certificate_key /etc/nginx/cert/ssl.key; # path to the key file

        # SSL-related settings
        ssl_session_timeout 5m; # session lifetime
        ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4; # cipher suites
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # protocols allowed for secure connections
        ssl_prefer_server_ciphers on; # prefer the server's cipher order

        # location block; if you followed the setup in the previous tutorial, this part needs no change
        location / {
            root html;
            index index.html index.htm;
        }
    }
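  4. Redirect http to https

    In the configuration file, find the http server block, comment out its existing contents, and add the following configuration

    listen 80;
    server_name localhost; # change localhost to the domain bound to your certificate, e.g. www.example.com
    rewrite ^(.*)$ https://$host$1 permanent; # redirect all http requests to https via rewrite
    location / {
        index index.html index.htm;
    }
  5. Save the file and exit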
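
A hardened variant of the two server blocks from steps 3 and 4, added here as an example and not part of the original post. The step 3 block still enables TLS 1.0 and 1.1, and its cipher string includes the broad AES and HIGH groups, which admit CBC suites and suites without forward secrecy. Assumptions: example.com is a placeholder domain, and nginx is 1.13.0 or later built against OpenSSL 1.1.1 or later (required for TLSv1.3).

```nginx
# Added example: example.com is a placeholder; certificate paths are the ones used in this article.

# Plain-HTTP listener: redirect only, serve no content.
server {
    listen 80;
    server_name example.com www.example.com;
    # return is evaluated without a regex; $request_uri keeps the path and query string.
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name example.com www.example.com;

    ssl_certificate     /etc/nginx/cert/ssl.pem;
    # Keep the key readable by root only (mode 600); the nginx master process reads it as root.
    ssl_certificate_key /etc/nginx/cert/ssl.key;

    # TLS 1.0 and 1.1 are deprecated (RFC 8996); drop them.
    ssl_protocols TLSv1.2 TLSv1.3;
    # TLS 1.2 suites limited to ECDHE key exchange (forward secrecy) with AES-GCM.
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers on;

    ssl_session_timeout 5m;
    # Share the session cache between worker processes.
    ssl_session_cache shared:SSL:10m;
    # Without ticket key rotation, session tickets weaken forward secrecy.
    ssl_session_tickets off;

    # HSTS: browsers refuse plain HTTP for this host for max-age seconds.
    # Enable only once HTTPS is confirmed working for the site.
    add_header Strict-Transport-Security "max-age=31536000" always;

    location / {
        root html;
        index index.html index.htm;
    }
}
```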

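Client side

  1. Log in to the server's console, configure the security group settings, and open port 443 on the server, which is used for https

  2. Apply for an SSL certificate for your domain. This article uses the free one-year certificate offered by Alibaba and issued by Symantec.

  3. Download the certificate files. After unpacking there are two files, with the suffixes .pem and .key

  4. Rename them to ssl.pem and ssl.key

  5. Open a terminal and upload the files to the server with the scp command

    scp syntax: scp local_file remote_username@remote_ip:remote_folder

    $ scp local_file/ssl.pem remote_username@remote_ip:/etc/nginx/cert/
    $ scp local_file/ssl.key remote_username@remote_ip:/etc/nginx/cert/
    # replace local_file with the path to the local files
    # replace remote_username with the user name on the server
    # replace remote_ip with the server's IP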

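Server side

  6. Test the configuration file for problems

    $ nginx -t

    The following output means the configuration is correct. If an error is reported, fix the configuration according to the error.

    nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
    nginx: configuration file /etc/nginx/nginx.conf test is successful
  7. Restart Nginx

    $ service nginx restart
  8. Open a browser and test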

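References
"Installing SSL and Configuring HTTPS on Nginx: A Complete, Detailed Walkthrough" (https://www.hack520.com/481.html)
"Installing a Certificate on an Nginx/Tengine Server" (https://help.aliyun.com/document_detail/98728.html?spm=5176.2020520154.0.0.425bCcGCCcGCDo)
Cover image source: kinsta.com (https://kinsta.com/knowledgebase/how-to-install-ssl-certificate/)
2020.03.14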

  • Author:

    白桦 Birch

  • Copyright:

    Attribution-NonCommercial-NoDerivatives 4.0 International(CC BY-NC-ND 4.0)

  • Updated:

    December 14, 2020
