Nginx HTTPS SSL Settings trusted certificate [original]

Source: Internet
Author: User
Tags: openssl, x509, ssl, certificate

1. Build Nginx with the SSL module

http://nginx.org/en/docs/configure.html

    yum -y install openssl openssl-devel   # http_ssl_module depends on the OpenSSL library and headers
    ./configure \
        --sbin-path=/usr/local/nginx/nginx \
        --conf-path=/usr/local/nginx/nginx.conf \
        --pid-path=/usr/local/nginx/nginx.pid \
        --with-http_ssl_module \
        --with-pcre=../pcre-8.38 \
        --with-zlib=../zlib-1.2.8

2. Configure Nginx

http://nginx.org/en/docs/http/configuring_https_servers.html

    server {
        listen              443 ssl;
        server_name         www.example.com;
        ssl_certificate     www.example.com.crt;
        ssl_certificate_key www.example.com.key;
        ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers         HIGH:!aNULL:!MD5;
        ...
    }

3. Generate a local certificate

    #!/bin/sh

    # create a self-signed server certificate:

    read -p "Enter your domain [www.example.com]: " DOMAIN

    echo "Create server key..."

    # 1024-bit RSA as in the original; 2048 bits is the minimum expected today
    openssl genrsa -des3 -out "$DOMAIN.key" 1024

    echo "Create server certificate signing request..."

    SUBJECT="/C=US/ST=Mars/L=iTranswarp/O=iTranswarp/OU=iTranswarp/CN=$DOMAIN"

    openssl req -new -subj "$SUBJECT" -key "$DOMAIN.key" -out "$DOMAIN.csr"

    echo "Remove password..."

    # keep the passphrase-protected key as .origin.key and write an unprotected
    # copy so nginx can start without prompting for the passphrase
    mv "$DOMAIN.key" "$DOMAIN.origin.key"
    openssl rsa -in "$DOMAIN.origin.key" -out "$DOMAIN.key"

    echo "Sign SSL certificate..."

    openssl x509 -req -days 3650 -in "$DOMAIN.csr" -signkey "$DOMAIN.key" -out "$DOMAIN.crt"

    echo "TODO:"
    echo "Copy $DOMAIN.crt to /etc/nginx/ssl/$DOMAIN.crt"
    echo "Copy $DOMAIN.key to /etc/nginx/ssl/$DOMAIN.key"
    echo "Add configuration in nginx:"
    echo "server {"
    echo "    ..."
    echo "    listen 443 ssl;"
    echo "    ssl_certificate /etc/nginx/ssl/$DOMAIN.crt;"
    echo "    ssl_certificate_key /etc/nginx/ssl/$DOMAIN.key;"
    echo "}"

Four files are created in the current directory:

    • www.test.com.crt: self-signed certificate
    • www.test.com.csr: certificate signing request
    • www.test.com.key: key without a password
    • www.test.com.origin.key: key with a password

The web server presents www.test.com.crt to the browser to prove its identity, and then uses www.test.com.key to decrypt the data the browser sends; the remaining two files do not need to be uploaded to the web server.

For nginx, add the following inside the server { ... } block:

    server {
        ...
        ssl on;
        ssl_certificate     /etc/nginx/ssl/www.test.com.crt;
        ssl_certificate_key /etc/nginx/ssl/www.test.com.key;
    }
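The step 3 script above leaves a 1024-bit key and a certificate whose hostname appears only in the CN, which current browsers no longer accept (they require the host in a subjectAltName). As an added example that is not the page's own script, the shell below generates the pair with current defaults and checks it before it goes into /etc/nginx/ssl; the function names are assumptions and the openssl CLI must be installed.

```shell
#!/bin/sh
# Added example, not from the original page: generate the self-signed pair as
# current browsers expect it (2048-bit RSA, subjectAltName, no passphrase) and
# check it before it is copied into /etc/nginx/ssl. Needs the openssl CLI.
set -eu

# make_selfsigned DOMAIN OUTDIR [DAYS]: writes OUTDIR/DOMAIN.key and OUTDIR/DOMAIN.crt
make_selfsigned() {
    domain=$1; outdir=$2; days=${3:-3650}
    mkdir -p "$outdir"
    # browsers ignore the CN and need the host in subjectAltName; a small req
    # config carries the extension and works on old openssl releases as well
    cat > "$outdir/$domain.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions    = v3
prompt             = no
[dn]
CN = $domain
[v3]
subjectAltName = DNS:$domain
EOF
    # -nodes: no passphrase, so nginx starts unattended (the page strips it with openssl rsa)
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$days" \
        -config "$outdir/$domain.cnf" \
        -keyout "$outdir/$domain.key" -out "$outdir/$domain.crt" 2>/dev/null
    chmod 600 "$outdir/$domain.key"   # only nginx's master process needs to read it
}

# cert_matches_key CRT KEY: 0 when the certificate carries this key's public half
cert_matches_key() {
    [ "$(openssl x509 -noout -modulus -in "$1")" = "$(openssl rsa -noout -modulus -in "$2")" ]
}

# cert_covers_host CRT HOST: 0 when HOST is listed in the certificate's subjectAltName
cert_covers_host() {
    openssl x509 -noout -text -in "$1" | grep -qE "DNS:$2(,|$)"
}

# key_is_private KEYFILE: 0 when the key is readable by its owner only (mode 0600)
key_is_private() {
    [ "$(ls -l "$1" | cut -c1-10)" = "-rw-------" ]
}

# check_cert DOMAIN DIR: 0 only when pairing, hostname and key permissions all pass
check_cert() {
    cert_matches_key "$2/$1.crt" "$2/$1.key" && cert_covers_host "$2/$1.crt" "$1" \
        && key_is_private "$2/$1.key"
}
```

Run `make_selfsigned www.test.com ./out` followed by `check_cert www.test.com ./out`; a non-zero exit from the check means the files should not be copied to the server.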

If all goes well, open the browser and you can access the website via HTTPS. A warning appears on the first visit because the browser does not trust our self-signed certificate; import the certificate into the system through the browser (on Windows import it with IE, on Mac with Safari) and mark it "trusted", after which the computer can connect to the web server securely when visiting the site:

    server {
        listen 443;
        server_name www.xxx.com;
        index index.html index.htm index.php default.html default.htm default.php;
        root /var/www;
        include yb.conf;
        #error_page 404 /404.html;
        location ~ [^/]\.php(/|$) {
            #comment try_files $uri =404; to enable pathinfo
            try_files $uri =404;
            fastcgi_pass unix:/tmp/php-cgi.sock;
            fastcgi_index index.php;
            include fastcgi.conf;
            #include pathinfo.conf;
        }
        location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$ {
            expires 30d;
        }
        location ~ .*\.(js|css)?$ {
            expires 12h;
        }
        access_log /var/wwwlogs/www.xxx.com.log access;
        ssl on;
        ssl_certificate /var/www/conf/xxx_com.crt;
        ssl_certificate_key /var/www/conf/server.key;
    }
    server {
        listen 80;
        server_name xxx.com www.xxx.com;
        rewrite ^(.*) https://$server_name$1 permanent;
    }

4. Making the certificate trusted permanently: the first way is to buy a commercial certificate, which costs a few hundred dollars a year; the second is a free one, which is valid only for a short time

Go to https://www.startssl.com/ to register an account, then validate the domain name for which you want to issue the certificate.

Click Next, and when you are finished, download the certificate locally.

After unpacking, the .crt file is the official certificate; configure it in your nginx (or whichever server you use) and you are done.

If the whole site must be served over HTTPS, redirect all port 80 requests to port 443.
