How to configure HTTPS on an Nginx server

10-08-2023

Apply for a certificate

At present many organizations on the Internet issue free SSL certificates for personal use, valid for anywhere from a few months to several years. Take StartSSL (https://www.startssl.com) as an example: a certificate issued there is valid for 3 years and can be renewed free of charge when it expires.

The application process itself is simple.

After registering and logging in, select Certificates Wizard > DV SSL Certificate to apply for a free SSL certificate.

After verifying the domain name by email, generate the CSR for the SSL certificate on your own server. Remember the passphrase you enter when the key is generated; it is needed later. Run:

openssl req -newkey rsa:2048 -keyout weizhimiao.cn.key -out weizhimiao.cn.csr

Put the generated files into the directory set aside for certificate material, such as /data/secret/. View the contents of weizhimiao.cn.csr, copy them into the Certificate Signing Request (CSR) field of the page, and submit.

Download the issued certificate, choosing the bundle for the web server in use (for nginx: 1_weizhimiao.cn_bundle.crt). We now have both the private key and the certificate:

1_weizhimiao.cn_bundle.crt (certificate, i.e. the public key)

weizhimiao.cn.key (private key)

Nginx configuration (adding HTTPS for the specified domain name)

Current nginx.conf:

...
http {
    ...
    include /etc/nginx/conf.d/*.conf;
    server {
        ...
    }
}

Add to ./conf.d/weizhimiao.cn.conf:

server {
    listen 443 ssl;
    server_name weizhimiao.cn;
    ssl_certificate /data/secret/1_weizhimiao.cn_bundle.crt;
    ssl_certificate_key /data/secret/weizhimiao.cn.key;
    ssl_prefer_server_ciphers on;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'kEECDH+ECDSA+AES128 kEECDH+ECDSA+AES256 kEECDH+AES128 kEECDH+AES256 kEDH+AES128 kEDH+AES256 DES-CBC3-SHA +SHA !aNULL !eNULL !LOW !MD5 !EXP !DSS !PSK !SRP !kECDH !CAMELLIA !RC4 !SEED';
    add_header Strict-Transport-Security 'max-age=31536000; preload';
    add_header X-Frame-Options DENY;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
    keepalive_timeout 70;
    ssl_dhparam /data/secret/dhparam.pem;
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection 1;
    root /data/www/weizhimiao.cn;
    index index.html;
    location / {
    }
}

Note:

The configuration references /data/secret/dhparam.pem, a PEM-format Diffie-Hellman parameter file used for key exchange in TLS sessions; it strengthens the DHE cipher suites. Generate it with:

cd /data/secret/
openssl dhparam -out dhparam.pem 2048

Redirect plain-HTTP requests on port 80 to HTTPS. Add to ./conf.d/weizhimiao.cn.conf:

server {
    listen 80;
    server_name weizhimiao.cn;
    return 301 https://weizhimiao.cn$request_uri;
}
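As an added example (not part of the original post), the following POSIX shell script generates the two server blocks above from a domain name and secret directory, but with the protocol list restricted to TLS 1.2 and 1.3, and includes a small lint that flags a config still listing TLSv1 or TLSv1.1 as the block above does. It assumes nginx 1.13 or later built against OpenSSL 1.1.1 or later (required for TLSv1.3); the cipher list, the includeSubDomains HSTS flag and the `always` parameter on add_header are my choices, not the post's.

```shell
#!/bin/sh
# Added example, not from the original post. Emits a TLS vhost for DOMAIN
# using the certificate files under SECRET_DIR (same file names as the post),
# and lints ssl_protocols so legacy protocol versions do not slip through.
# Assumes nginx >= 1.13 with OpenSSL >= 1.1.1 (needed for TLSv1.3).

# write_tls_vhost DOMAIN SECRET_DIR: print the 443 block and the 80->443 redirect.
write_tls_vhost() {
    domain=$1
    secret_dir=$2
    cat <<EOF
server {
    listen 443 ssl;
    server_name ${domain};

    ssl_certificate     ${secret_dir}/1_${domain}_bundle.crt;
    ssl_certificate_key ${secret_dir}/${domain}.key;
    ssl_dhparam         ${secret_dir}/dhparam.pem;

    # Only TLS 1.2 and 1.3: TLS 1.0 and 1.1 are deprecated (RFC 8996).
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;
    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305';

    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;

    # "always" sends the headers on error responses too.
    add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload' always;
    add_header X-Frame-Options DENY always;
    add_header X-Content-Type-Options nosniff always;

    root /data/www/${domain};
    index index.html;
}

server {
    listen 80;
    server_name ${domain};
    return 301 https://${domain}\$request_uri;
}
EOF
}

# lint_ssl_protocols: read an nginx config on stdin; return 0 only if every
# ssl_protocols directive lists nothing but TLSv1.2 and/or TLSv1.3.
lint_ssl_protocols() {
    # Keep the protocol tokens of each ssl_protocols line, drop name and ';'.
    protos=$(grep -E '^[[:space:]]*ssl_protocols[[:space:]]' \
        | sed -e 's/^[[:space:]]*ssl_protocols//' -e 's/;.*$//')
    # No directive at all: the nginx default depends on the version, so flag it.
    [ -n "$protos" ] || return 1
    for p in $protos; do
        case "$p" in
            TLSv1.2|TLSv1.3) ;;
            *) return 1 ;;
        esac
    done
    return 0
}
```

Typical use is `write_tls_vhost weizhimiao.cn /data/secret > /etc/nginx/conf.d/weizhimiao.cn.conf` followed by `lint_ssl_protocols < /etc/nginx/conf.d/weizhimiao.cn.conf && nginx -t`; the lint is deliberately strict and also rejects configs with no ssl_protocols line, because the default set differs between nginx releases.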

Test

To check the configuration file for syntax errors, run nginx -t. You will be asked for the passphrase you entered when generating the private key.

nginx -t
Enter PEM pass phrase:
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

Restart nginx (remember, reload doesn't work here)

nginx -s stop
Enter PEM pass phrase:
nginx
Enter PEM pass phrase:

Now visit weizhimiao.cn in a browser to confirm that HTTPS is in effect.

In addition, once nginx is configured with this certificate, it prompts for the passphrase on every reload, stop and similar operation.

You can avoid this by generating a decrypted copy of the key file and pointing nginx at it instead of the original.

cd /data/secret/
openssl rsa -in weizhimiao.cn.key -out weizhimiao.cn.key.unsecure

In weizhimiao.cn.conf, replace weizhimiao.cn.key with the decrypted file:

server {
    ...
    ssl_certificate /data/secret/1_weizhimiao.cn_bundle.crt;
    ssl_certificate_key /data/secret/weizhimiao.cn.key.unsecure;
    ...
}

After that, reloads no longer prompt for a passphrase.
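The decrypted key is now the only thing standing between an attacker who can read /data/secret/ and the site's TLS identity, so it must be readable by root alone. As an added example (not from the original post), the following POSIX shell functions cover the whole key-and-certificate workflow from the certificate section above through the decrypted-key step: generating the key and CSR, decrypting the key with restrictive permissions, and the pre-restart checks a practitioner would want (certificate matches key, bundle starts with the leaf certificate, certificate is not about to expire, key is not group- or world-readable), ending with nginx -t. The file names follow the post; the check functions, thresholds and the check_deploy wrapper are my own.

```shell
#!/bin/sh
# Added example, not from the original post. Helpers for the certificate
# workflow described above; file names follow the post, functions are mine.

# gen_key_and_csr DOMAIN DIR: same as the post's "openssl req" command, with
# the subject given on the command line. The key is encrypted with a
# passphrase that openssl prompts for, exactly as in the post.
gen_key_and_csr() {
    openssl req -new -newkey rsa:2048 -subj "/CN=$1" \
        -keyout "$2/$1.key" -out "$2/$1.csr"
}

# decrypt_key IN OUT: write the decrypted copy with mode 0600 from the start
# (umask in a subshell so the caller's umask is untouched), never world-readable.
decrypt_key() {
    (umask 077 && openssl rsa -in "$1" -out "$2") && chmod 600 "$2"
}

# bundle_cert_count BUNDLE: number of PEM certificates in the bundle file
# (leaf plus intermediates); pure shell, no openssl needed.
bundle_cert_count() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# bundle_leaf_first BUNDLE DOMAIN: nginx expects the server certificate first;
# "openssl x509" only reads the first certificate in the file, so check that
# its subject names DOMAIN.
bundle_leaf_first() {
    openssl x509 -in "$1" -noout -subject | grep -q -- "$2"
}

# cert_matches_key CRT KEY: compare the SHA-256 of the certificate's public key
# with the public key derived from the private key.
cert_matches_key() {
    crt_pub=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$2" -pubout | openssl sha256)
    [ -n "$crt_pub" ] && [ "$crt_pub" = "$key_pub" ]
}

# key_is_private_only FILE: true when the group and other permission bits
# are all cleared (mode 0600 or 0400). Portable across GNU and BSD ls.
key_is_private_only() {
    mode=$(ls -ld -- "$1" | cut -c5-10)
    [ "$mode" = "------" ]
}

# check_deploy DOMAIN DIR: run every check against the files the post places
# under DIR, then let nginx validate the configuration.
check_deploy() {
    domain=$1
    dir=$2
    crt="$dir/1_${domain}_bundle.crt"
    key="$dir/${domain}.key.unsecure"
    cert_matches_key "$crt" "$key"     || { echo "certificate and key do not match" >&2; return 1; }
    bundle_leaf_first "$crt" "$domain" || { echo "bundle must start with the leaf certificate" >&2; return 1; }
    # -checkend N fails if the certificate expires within N seconds (30 days).
    openssl x509 -in "$crt" -noout -checkend 2592000 >/dev/null \
        || { echo "certificate expires within 30 days" >&2; return 1; }
    key_is_private_only "$key"         || { echo "decrypted key is group/world readable" >&2; return 1; }
    echo "bundle contains $(bundle_cert_count "$crt") certificate(s)"
    nginx -t
}
```

Source the file and run `decrypt_key /data/secret/weizhimiao.cn.key /data/secret/weizhimiao.cn.key.unsecure` followed by `check_deploy weizhimiao.cn /data/secret` before restarting nginx; a failing check names the problem on stderr and returns non-zero, so it can gate a deployment script.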

Finally, test the deployment with SSL Labs.

Result
