1. Install Nginx with SSL module support
http://nginx.org/en/docs/configure.html

    # http_ssl_module depends on the OpenSSL library
    yum -y install openssl openssl-devel

    ./configure \
        --sbin-path=/usr/local/nginx/nginx \
        --conf-path=/usr/local/nginx/nginx.conf \
        --pid-path=/usr/local/nginx/nginx.pid \
        --with-http_ssl_module \
        --with-pcre=./pcre-8.38 \
        --with-zlib=./zlib-1.2.8

2. Configure Nginx
http://nginx.org/en/docs/http/configuring_https_servers.html

    server {
        listen              443 ssl;
        server_name         www.example.com;
        ssl_certificate     www.example.com.crt;
        ssl_certificate_key www.example.com.key;
        # TLSv1 and TLSv1.1 are deprecated (RFC 8996); keep them only for old clients
        ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers         HIGH:!aNULL:!MD5;
        ...
    }

3. Generate a local certificate

    #!/bin/sh

    # Create a self-signed server certificate.

    # read -p is not POSIX, so the prompt is printed separately
    printf "Enter your domain [www.example.com]: "
    read DOMAIN
    DOMAIN=${DOMAIN:-www.example.com}

    echo "Create server key..."
    # 2048 bits: 1024-bit RSA is no longer considered secure
    openssl genrsa -des3 -out "$DOMAIN.key" 2048

    echo "Create server certificate signing request..."
    SUBJECT="/C=US/ST=Mars/L=iTranswarp/O=iTranswarp/OU=iTranswarp/CN=$DOMAIN"
    openssl req -new -subj "$SUBJECT" -key "$DOMAIN.key" -out "$DOMAIN.csr"

    echo "Remove password..."
    mv "$DOMAIN.key" "$DOMAIN.origin.key"
    openssl rsa -in "$DOMAIN.origin.key" -out "$DOMAIN.key"

    echo "Sign SSL certificate..."
    openssl x509 -req -days 3650 -in "$DOMAIN.csr" -signkey "$DOMAIN.key" -out "$DOMAIN.crt"

    echo "TODO:"
    echo "Copy $DOMAIN.crt to /etc/nginx/ssl/$DOMAIN.crt"
    echo "Copy $DOMAIN.key to /etc/nginx/ssl/$DOMAIN.key"
    echo "Add configuration in nginx:"
    echo "server {"
    echo "    ..."
    echo "    listen 443 ssl;"
    echo "    ssl_certificate     /etc/nginx/ssl/$DOMAIN.crt;"
    echo "    ssl_certificate_key /etc/nginx/ssl/$DOMAIN.key;"
    echo "}"

4 files are created in the current directory:
- www.test.com.crt: Self-signed certificate
- www.test.com.csr: Certificate signing request
- www.test.com.key: Key without a password
- www.test.com.origin.key: Key with a password
The web server sends www.test.com.crt to the browser for verification and then uses www.test.com.key to decrypt the data the browser sends. The remaining two files do not need to be uploaded to the web server.
For nginx, add the following to the server {...} block:

    server {
        ...
        # the ssl parameter of listen replaces the deprecated "ssl on;"
        listen 443 ssl;
        ssl_certificate     /etc/nginx/ssl/www.test.com.crt;
        ssl_certificate_key /etc/nginx/ssl/www.test.com.key;
    }

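Before reloading nginx, it helps to confirm that the uploaded certificate and key are the right pair. The script below is an added example, not part of the original article; the function names and the 2048-bit and 30-day thresholds are assumptions, and it uses only the openssl command already used above.

```shell
#!/bin/sh
# Added example (not from the original article): pre-deployment checks for the
# certificate and key that nginx will load. Thresholds are assumed policy values.
# Usage: sh check_pair.sh www.test.com.crt www.test.com.key
MIN_BITS=2048          # assumed minimum RSA key size
MIN_SECONDS=2592000    # assumed minimum remaining validity (30 days)

# True if the key file is passphrase-protected, like the *.origin.key file.
key_is_encrypted() {
    grep -Eq '^(-----BEGIN ENCRYPTED|Proc-Type: 4,ENCRYPTED)' "$1"
}

# True if the certificate carries the public half of the private key.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout -passin pass: 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Print the public key size in bits as recorded in the certificate.
cert_key_bits() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit.*/\1/p'
}

# Run all checks, print one line per finding, return the number of failures.
check_pair() {
    cert=$1; key=$2; failures=0
    if key_is_encrypted "$key"; then
        echo "FAIL: $key has a passphrase; nginx needs the key without one"
        failures=$((failures + 1))
    elif ! cert_matches_key "$cert" "$key"; then
        echo "FAIL: $cert does not belong to $key"
        failures=$((failures + 1))
    fi
    bits=$(cert_key_bits "$cert")
    if [ "${bits:-0}" -lt "$MIN_BITS" ]; then
        echo "FAIL: key size is ${bits:-unknown} bits, below $MIN_BITS"
        failures=$((failures + 1))
    fi
    if ! openssl x509 -in "$cert" -noout -checkend "$MIN_SECONDS" >/dev/null 2>&1; then
        echo "FAIL: $cert expires within 30 days or cannot be read"
        failures=$((failures + 1))
    fi
    [ "$failures" -eq 0 ] && echo "OK: $cert and $key are ready to deploy"
    return "$failures"
}

if [ "$#" -eq 2 ]; then check_pair "$1" "$2"; fi
```

Run against www.test.com.origin.key instead of www.test.com.key, it reports the passphrase failure, which is the usual symptom of uploading the wrong key file.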
If all goes well, open the browser and you can access the website via HTTPS. A warning appears on the first visit, because our self-signed certificate is not trusted by the browser. Import the certificate into the system through the browser (IE on Windows, Safari on Mac) and mark it as "trusted"; after that, the computer can connect to the web server securely when visiting the website.
A complete configuration for an HTTPS site, with a second server block that redirects port 80 to HTTPS:

    server {
        # the ssl parameter of listen replaces the deprecated "ssl on;"
        listen 443 ssl;
        server_name www.xxx.com;
        index index.html index.htm index.php default.html default.htm default.php;
        root /var/www;
        include yb.conf;
        #error_page 404 /404.html;

        location ~ [^/]\.php(/|$) {
            # comment out "try_files $uri =404;" to enable pathinfo
            try_files $uri =404;
            fastcgi_pass unix:/tmp/php-cgi.sock;
            fastcgi_index index.php;
            include fastcgi.conf;
            #include pathinfo.conf;
        }

        location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$ {
            expires 30d;
        }

        location ~ .*\.(js|css)?$ {
            expires 12h;
        }

        access_log /var/wwwlogs/www.xxx.com.log access;

        # These files sit under the document root (/var/www); keep the private
        # key outside the root or deny web access to /conf/.
        ssl_certificate /var/www/conf/xxx_com.crt;
        ssl_certificate_key /var/www/conf/server.key;
    }

    server {
        listen 80;
        server_name xxx.com www.xxx.com;
        rewrite ^(.*) https://$server_name$1 permanent;
    }

4. How to make the certificate permanently valid: the first option is to buy a commercial certificate, which costs hundreds of dollars a year; the second is a free certificate, which is valid for a short time.
Go to https://www.startssl.com/, register an account, and then verify the domain name you want to generate a certificate for.
Click Next, and when you are finished, download the certificate to your local machine.
After decompression, the .crt file is the official certificate; configure it in nginx (or whichever server you are using).
If HTTPS is required for the entire site, you will need to redirect all requests on port 80 to port 443.