1, Nginx configuration SSL Module
The default Nginx is no SSL module, and my VPS defaults to Nginx 0.7.63, incidentally Nginx upgrade to 0.7.64 and configure the SSL module method as follows:
Download Nginx 0.7.64 version, decompression into the decompression directory:
Copy Code code as follows:
wget http://sysoev.ru/nginx/nginx-0.7.64.tar.gz
Tar zxvf nginx-0.7.64.tar.gz
CD nginx-0.7.64
If you want to change header information,
Copy Code code as follows:
VI src/core/nginx.h
#define Nginx_version "0.7.62"
#define Nginx_ver "nginx/" nginx_version
The above version number and Nginx themselves modified
Compile
[Code]
./configure--user=www--group=www--prefix=/usr/local/nginx--with-http_stub_status_module--with-http_ssl_module
Make
Make
Remember not to make install
Because it is a small site, do not need to smooth upgrade, direct Killall-hup nginx restart Nginx can be.
OK, upgrade and install the SSL module finished, here I changed the Nginx to Zoulu, thus:
What's up, you have a personality!
2. Use OpenSSL to generate certificates
Method of ① and generating RSA key
OpenSSL genrsa-out Privkey.pem 2048
Some of the certificates to 1024, so have to:
OpenSSL genrsa-out Privkey.pem 1024
②, generating a certificate request
OpenSSL Req-new-key privkey.pem-out CERT.CSR
Will be prompted to enter provinces, cities, domain name information and so on, it is important that email must be your domain name suffix, such as webmaster@zou.lu and can accept mail!
So there's a CSR file, which is the CSR file when you submit it to the SSL provider.
(Source: http://www.lsproc.com/blog/nginx_ssl_config/)
Direct Cat CERT.CSR
Get a large string of characters, such as this:
-----BEGIN Certificate REQUEST-----
Miibstccarocaqawctelmakga1uebhmcq04xczajbgnvbagtakhcmqwwcgydvqqh
Ewntsloxdzanbgnvbaotbkzhbmzvdtesmbaga1ueaxmjzzfuzm91lmrlmsiwiayj
Kozihvcnaqkbfhn3zwjtyxn0zxjazmfuzm91lmrlmigfma0gcsqgsib3dqebaqua
a4gnadcbiqkbgqc5l4pmzg6tcipduefxq5gslxn1jeqdbmus+peapehmnoxe+r4k
vkqujzlj5o3ltqgjzyrcifru8nryqsxat/5ijefws7nimsx8kpkqq71bjazsizj+
Cdldrjj1m/srjtsnrfyj4rffs1fxq7uedyreux7fyaljx70jpssgbogwrqidaqab
Oaawdqyjkozihvcnaqefbqadgyeackcbqcncq5ye3gfyn3nyxcqevnspkiv9aqi4
Fcwqyhpzwkupp3wfubhy80iwtfjlgltsynze7fzlvpcbnfklnaylyewdy7nukjny
Pcbyqpjjxdal3jcun0nlltsxtqpr+abo8va/bao5hp9h1rpsrttdsjd2fc/owrv1
Bfrujna=
-----End Certificate REQUEST-----
Submit to your SSL provider, generally half an hour to a day time will be issued to you the certificate, as shown:
Upload all the files to a specific directory, like I was uploading to/root/zoulu/.
Here, Zoulukey.pem and ZOULUCERT.CSR are generated by themselves on the VPS, and the rest are issued by the certificate issuing authority.
Under normal circumstances, directly with the certification authority issued by the CRT file can, such as ZOU_LU.CRT, but there are many certification authorities default in the Firefox Chinese version is not trusted, after careful study, finally found that the certificate issued by the agency to your CRT file also into the line.
The method is as follows:
Merging POSITIVESSLCA.CRT (CRT of certificate issuing authority) and ZOU_LU.CRT (Crt of own domain name)
Cat Zou_lu.crt >> POSITIVESSLCA.CRT
MV Positivesslca.crt ZOU_LU.CRT
Or you can open it directly with Notepad, and then copy all the contents of the POSITIVESSLCA.CRT to the bottom of the zou_lu.crt.
(Source: http://www.lsproc.com/blog/nginx_ssl_config/)
③, modifying Nginx configuration
Listen 443;
server_name zou.lu;
Index index.html index.htm index.php;
Root/home/zoulu;
Error_page 404 403 http://zou.lu;
SSL on;
SSL_CERTIFICATE/ROOT/ZOULU/ZOU_LU.CRT;
SSL_CERTIFICATE_KEY/ROOT/ZOULU/ZOULUKEY.PEM;
The other configuration information is the same as the general site and is not repeated.
Iv. access to test results
In the English version of Firefox/chrome/opera/safari/ie 6, 7, 8 are no problem, https://zou.lu/in the Firefox 3.5.7 Chinese version of the problem, the children's shoes, check your system time, if you do not trust, I am not very clear, I am sorry, limited ability.
V. How to obtain a free certificate
Https://zou.lu/'s certificate was issued by POSITIVESSL, a Comodo reseller, which can now be obtained through the following means:
Go to namecheap.com Register, transfer a domain name or buy a space to be able to obtain, and be free for a year of Oh!
It should be noted that the certificate issued after the registration of NAMECHEAP does not have the certification authority POSITIVESSLCA.CRT, here I put one, in order to facilitate the installation:
-----BEGIN Certificate-----
Miifazcca+ugawibagiqtm1kmltfeygmz5aviytrctanbgkqhkig9w0baqufadcb
Lzelmakga1uebhmcvvmxczajbgnvbagtalvumrcwfqydvqqhew5tywx0iexha2ug
Q2l0eteembwga1uechmvvghlifvtrvjuulvtvcbozxr3b3jrmsewhwydvqqlexho
Dhrwoi8vd3d3lnvzzxj0cnvzdc5jb20xhzadbgnvbamtflvuti1vu0vsrmlyc3qt
Sgfyzhdhcmuwhhcnmdywote4mdawmdawwhcnmjawntmwmta0odm4wjbxmqswcqyd
Vqqgewjhqjebmbkga1uecbmsr3jlyxrlcibnyw5jagvzdgvymrawdgydvqqhewdt
ywxmb3jkmrowgaydvqqkexfdb21vzg8gq0egtgltaxrlzdexmbuga1ueaxmoug9z
Axrpdmvtu0wgq0ewggeima0gcsqgsib3dqebaquaa4ibdwawggekaoibaqc9t3ly
Ippjkd5seqavwkkgitctvr4q57h/4oyqpoxe6esswjzudfmxukgefzfv78luacay
Rymm3ydmpbohezekivx5g3mrjbvcvvc0lzih2tib6ha1y7ewwvp5peba8c4kugke
Jotek1qwoopq6yj7kcpnmpxit4o2h65pxci12f2+p9gnncysew3aacezcpopabuw
pbdf6wkahd9u7/zjlbthxrhm9/lx9uljah4sdt6nfqdkoj32cuh5jayifverip9w
xgkxwfqcbwi0kyhimpfqhaysexjbnmbhqhslewln8qntul2piddi2l8dm53x5gv+
Wmpsqo0hgoqodvmdagmbaagjggfumiibajafbgnvhsmegdawgbshcl8mgyiyq5vd
bzfvhzads9ldrtadbgnvhq4efgquumor6qyxedvdlmbogsq8uzuwmaqwdgydvr0p
Aqh/baqdagegmbiga1udeweb/wqimaybaf8caqewewydvr0fbhqwcja4odagniyy
ahr0cdovl2nybc5jb21vzg9jys5jb20vvvrolvvtrvjgaxjzdc1iyxjkd2fyzs5j
Cmwwnqa0odkgmgh0dha6ly9jcmwuy29tb2rvlm5ldc9vve4tvvnfukzpcnn0luhh
cmr3yxjllmnybdcbhgyikwybbquhaqeeejb4mdsgccsgaqufbzachi9odhrwoi8v
Y3j0lmnvbw9kb2nhlmnvbs9vve5bzgrucnvzdfnlcnzlcknblmnydda5bggrbgef
Bqcwaoytahr0cdovl2nydc5jb21vzg8ubmv0l1vutkfkzfrydxn0u2vydmvyq0eu
Y3j0ma0gcsqgsib3dqebbquaa4ibaqadtof5gehd7fpawx3jt++gfclse0kwdtgm
Mvzn2odkjq8sfqralziaoz4hzaoxw5v+qbz9fgkggm2smexq8raeisy9wygn6oj5
Qz2qpmuz8ozfifmvbrflqnkfp05jfdbdx4/oil9lbeauttf37r0qhujop2ot2muz
Jgfibfzkhwadtjjnn0ijf9dfqwp2bnstuy9u3mi+6vhyntjzf/tqkvcl/w8nijyu
Zg5g8t6p2jt9hpos/pqykw+rar+lqi/jjjkfxbkqdlnioeesdjblu30fko5wpa8y
Z0nf1r7cqjgrteedguwurmlvygpui3tbmfymyb95hlcptqnjuhvi
-----End Certificate-----
You can also try Startssl certificate, the disadvantage is that in the old computer, there is no update, IE 6 is absolutely not trust him, see: http://blog.s135.com/startssl/
Finally, it is stated that a trusted SSL certificate must have a separate IP, or that an IP can only correspond to a domain name certificate, a favorite friend can play a game.
