
How to configure ssl in nginx

2023-02-05 11:39:07

This article explains in detail, step by step, how to configure SSL in nginx.

One-way SSL configuration example:

server {
    listen 443 ssl;
    server_name www.123.com;
    root /data/wwwroot/www.123.com/;
    index index.html;
    ssl_certificate server.crt;
    ssl_certificate_key server.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ALL:!DH:!EXPORT:!RC4:+HIGH:+MEDIUM:!eNULL;
    ssl_prefer_server_ciphers on;
    location / {
    }
}

Configuration instructions:

1. Port 443 is the SSL listening port.
2. The ssl parameter on the listen directive enables SSL support (older configurations used a separate "ssl on;" directive for this).
3. ssl_certificate specifies the path where the crt file is located. If you write a relative path, you must put the file and the nginx.conf file in the same directory.
4. ssl_certificate_key specifies the path where the key file is located.
5. ssl_protocols specifies the SSL/TLS protocol versions to enable.
6. ssl_ciphers configures the SSL encryption algorithms. Multiple algorithms are separated by ":". ALL means all algorithms, "!" means that the algorithm is not enabled, and "+" means that the algorithm is ranked last.
7. If ssl_prefer_server_ciphers is not specified, it is off by default. When it is on, the server's cipher order is preferred over the client's when using the SSLv3 and TLS protocols.

Note:

When nginx is installed from source, the ssl module is not enabled by default, so nginx needs to be recompiled and reinstalled. The installation commands are as follows:

./configure --prefix=/usr/local/nginx --with-http_stub_status_module --with-http_ssl_module

make && make install

Then restart nginx.

Two-way SSL configuration example:

server {
    listen 443 ssl;
    server_name www.123.com;
    root /data/wwwroot/www.123.com/;
    index index.html;
    ssl_certificate server.crt;
    ssl_certificate_key server.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ALL:!DH:!EXPORT:!RC4:+HIGH:+MEDIUM:!eNULL;
    ssl_prefer_server_ciphers on;
    # Here ca.crt is the root certificate public key file
    ssl_client_certificate ca.crt;
    ssl_verify_client on;
    location / {
    }
}

Explanation:

This has two more lines than the one-way configuration: ssl_client_certificate and ssl_verify_client. Once two-way SSL is configured, the server also authenticates the client's certificate. Generally, one-way SSL is more commonly used.
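A hardened variant of the two-way block above, added here as an example and not part of the original article; the article's own protocol and cipher lines are kept as comments for comparison. The host and file names come from the article, while the protocol versions, cipher allow-list and verify depth are assumptions about what your clients support. Removing the two client-certificate directives gives the one-way form.

```nginx
# Added example (not from the original article): hardened two-way SSL block.
server {
    listen 443 ssl;
    server_name www.123.com;
    root /data/wwwroot/www.123.com/;
    index index.html;

    ssl_certificate     server.crt;
    ssl_certificate_key server.key;

    # Article: ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    # TLS 1.0 and 1.1 are deprecated (RFC 8996), so offer only 1.2 and 1.3.
    # TLSv1.3 needs nginx 1.13.0+ built against OpenSSL 1.1.1+.
    ssl_protocols TLSv1.2 TLSv1.3;

    # Article: ssl_ciphers ALL:!DH:!EXPORT:!RC4:+HIGH:+MEDIUM:!eNULL;
    # An allow-list names exactly what may be negotiated, instead of starting
    # from ALL and subtracting. These are ECDHE key exchange with AEAD ciphers
    # (assumed client support). This directive governs TLS 1.2 and earlier;
    # TLS 1.3 suites come from the OpenSSL defaults.
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;

    # Kept from the article: the server's order wins over the client's.
    ssl_prefer_server_ciphers on;

    # Two-way SSL: the client must present a certificate that chains to ca.crt.
    ssl_client_certificate ca.crt;
    ssl_verify_client on;
    # 1 is the nginx default: accept only certificates issued directly by
    # ca.crt. Raise it only if you use intermediate CAs (assumption: you do not).
    ssl_verify_depth 1;

    location / {
    }
}
```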

Note:

Because our certificate is issued by a self-built CA, the browser does not trust it and will warn that the certificate is not trusted when the site is accessed.

In this case, you only need to import the CA's root certificate into the browser's Trusted Root Certification Authorities, and you will no longer be prompted that the certificate is not trusted.

To export a certificate that can be used on Windows:

[root@localhost root_ca]# openssl pkcs12 -export -inkey private/ca.key -in

Copy the exported certificate to windows, double-click to install it, and follow the wizard to import it to the trusted root certification authority.

That concludes this introduction to configuring SSL in nginx. To master the points covered in this article, you need to practice them yourself. For more related articles, follow the Yisu Cloud industry information channel.

