Https is also an ssl certificate. We generally think that https is secure, but the credit chain system of the SSL certificate is not secure. In particular, man-in-the-middle attacks are equally feasible in some countries where you can control CA root certificates. In addition, when the client is implanted with countless backdoors and Trojans, HTTPS connections have very limited functions.
Why I don't use it
The price for https and domain name replacement is the same.
Upyun does not support custom domain name https
Now, we can start configuring ssl. Generally, I recommend the namecheap ssl certificate because it is cheaper. After all, for most personal blogs, I just want to upgrade the green lock ~
Use OpenSSL to generate a certificate
Cd/usr/local/nginx/conf/
/Usr/local/nginx/conf # openssl genrsa-out yourdomain. pem 2048
Generating RSA private key, 2048 bit long modulus
... ++
........................................ ........................................ ................................ ++
E is 65537 (0x10001)
Generate certificate
Openssl req-new-key yourdomain. pem-out yourdomain. csr
The following prompt appears:
You are about to be asked to enter information that will be ininitialized
Into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Enter the required information as prompted.
Country Name (2 letter code) [XX]: CN
State or Province Name (full name) []: Beijing
Locality Name (eg, city) [Default City]: Beijing
Organization Name (eg, company) [Default Company Ltd]: Bigfa
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []: yourdomain.com
Email Address []: admin@yourdomain.com
Please enter the following 'Extra 'attributes
To be sent with your certificate request
A challenge password []:
An optional company name []:
Run cat yourdomain. csr
----- Begin certificate request -----
MIICxDCCAawCAQAwfzELMAkGA1UEBhMCQ04xEDAOBgNVBAgMB0JlaWppbmcxEDAO
Bytes
Bytes
MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC9fsxThwLzCd54s2GMUcjlleCj
LTf9bYGQyIjn + 6z7kjbdbcrkbzxmysfrnfla6u5ok7s9p0000ghk/gZeHfSLXbD/GL
Wi171tZpnQHjfLjMbHEUEUCFQD7ueek/v3/Tr + T0 + em1gQt/93K2dqv7Cx + bupwc
ZNkQmqNgqslC4sdKQZjLUIHYLr/j8lQQLOOn9/PiuNOGCTaK5g9TA20oVCjpJZuf
1en7jyuotvy4ighq4bknjhhm32cxh9mzogmhohq + pbmi0PP8E2OFTzpyZ6OcFtW
Bytes
Bytes
Yqwepkelnimu1zszdg3jytkwzvcnyhm5jwz16cdkwyeqeqkgy1xsbkkwpy24ice +
IX1sczvBY/gUq + xNArL5La7/Tow3KrJZJuFc1iVESBG0wU8zu9ZcnwbuRj0Dn8qj
FMqwwct + 0Xz2zXxiqtVCPNQXqa/YRANGnFnBBPErBnaL/j439s4TBasSiIyb7TE +
Ku9LrfecL5w8 + 05NFPcG1ArpbQJDuJIIAk1itTMLEMGqUYWD6MYcksH4FcTr70Vw
F8Ag9 + csyf5aqxqvgndcgc3zwht1_bpbldx8 + HiCiDXjaK4qAXKBRQ =
----- End certificate request -----
-
Generate a digital certificate using NameCheap
Because no domain name is available for the new certificate, make up the screenshot later.
Go to the Namecheap management page and click "Activate Now" to Activate the SSL product.
Then, a page appears that submits the certificate generated by OpenSSL to the CA (digital certificate authority). Paste the copied content into the page and select nginx.
Next, select the domain name administrator mailbox, which must be able to receive emails. Check whether the information entered during certificate generation is correct. By default, the very long one will be sent to your namecheap registration mailbox.
Then, submit the order.
After a period of time, you will receive a verification email. Click the verification address in the email and enter the verification code.
After a while, the mailbox will receive the certificate and download the compressed package of the attachment to decompress it. It seems that there are four files in it. Select yourdomain. pem. Upload the certificate to your server. Pay attention to the path. You need to load the certificate later.
Set SSL for Nginx virtual host
Ssl is the port 443. Pay attention to the certificate path.
Server
{
Listen 443;
Server_name fatesinger.com;
Ssl on;
Ssl_certificate/usr/local/nginx/conf/fatesinger_com.crt;
Ssl_certificate_key/usr/local/nginx/conf/bigfa. pem;
Index index.html index.htm index. php default.html default.htm default. php;
Root/home/wwwroot/fatesinger.com;
Access_log/home/wwwlogs/fatesinger.com. log access;
}
Full-site https redirect
If ($ server_port = 80 ){
Return 301 https: // $ server_name $ request_uri;
}
If ($ scheme = http ){
Return 301 https: // $ server_name $ request_uri;
}
Error_page 497 https: // $ server_name $ request_uri;
In the end, the ssl certificate itself does not have much money and is free of charge. If I am a new station, I will not hesitate to configure the ssl certificate, but now it is quite costly for me to configure ssl for the whole site. So I only enable https for some URLs. How can I use https only for some URLs?
In nginx configuration, you must configure two ports at the same time, one is 80 and the other is 443.
Server {
Root/var/www/
Location /{
}
Location/user {
Rewrite ^ https: // $ http_host $ request_uri? Permanent;
}
}
The url with/user will automatically jump to https
Configure port 443 in reverse mode.
Then, in your 443 server, you do the opposite.
Server {
Listen 443;
Root/var/www/
Location /{
Rewrite ^ http: // $ http_host $ request_uri? Permanent;
}
Location/user {
}
}
. Https is definitely a trend. If it is a new site that is not less than a few dozen dollars, configure one.