How to apply for and install a free StartSSL SSL certificate

2025-02-24 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/01 Report--

This article explains how to apply for and install a free StartSSL SSL certificate. It is offered as a reference for interested readers; the editor walks through the steps below.

First visit StartSSL.com and click Sign-up to register.

Apply for a certificate

Enter one domain name per line.

You can enter at most five entries (five domain names).

So how do you generate the CSR? Here we demonstrate StartCom's small tool. First, click StartComTool.exe on this page to download it locally, then run the program:

After that, we click Submit to submit the application.

If nothing goes wrong, our certificate file is generated immediately:

download

After sorting things out, the folder contains the following files:

app.williamyao.com.csr (certificate signing request)

app.williamyao.com.key (key file)

app.williamyao.com.zip (downloaded certificate file package)

INTRO (text file that records the generation date of the three files above, the expiration date of the certificate, and so on)

Nginx side

Before configuring, assume that Nginx stores its configuration per virtual host, that is, each virtual host has its own .conf file. This is much better than putting everything into nginx.conf, and modern versions of Nginx are set up with per-virtual-host files by default.

This assumption is stated up front to deal with a problem that is easy to run into below; we will explain it in detail when we reach that step.

Upload files

We need to upload two sets of files to the server. Each set contains two files, a CRT certificate file and a KEY key file, and the two sets enable SSL support for the virtual hosts www.williamyao.com and app.williamyao.com respectively.

Here, name the two files in each set as follows:

www.williamyao.com.crt

www.williamyao.com.key

app.williamyao.com.crt

app.williamyao.com.key

Then upload them to the server.

Configure Nginx

Don't worry. The usual way to enable SSL is for the main server block of the virtual host to listen on port 443 directly instead of port 80. After the main server block is configured, a second server block is added that listens on port 80 for the same server_name and 301-redirects requests to HTTPS.

The advantage is that it does not matter whether the visitor specifies the HTTPS protocol (most people only type the domain name and do not write the protocol first): as soon as the domain name is entered, Nginx redirects the request to the SSL host on port 443.

Here is what to do, using my setup as an example:

SSH to the server and edit the conf configuration files of the two virtual hosts. Let's start with the first one:

    sudo nano /usr/local/nginx/conf/vhost/www.williamyao.com.conf

Add configuration information to the configuration file, and the configured www.williamyao.com.conf file looks like this:

    server {
        # TLS is enabled by the ssl parameter on the listen lines
        # (this replaces the older, deprecated "ssl on;" directive)
        listen 443 ssl;
        # the following line is used to enable IPv6 support
        listen [::]:443 ssl ipv6only=on;
        server_name www.williamyao.com;

        # SSL support configuration as follows:
        ssl_certificate /etc/ssl/private/www.williamyao.com.crt;
        ssl_certificate_key /etc/ssl/private/www.williamyao.com.key;

        # ... (other configurations)
    }

    server {
        listen 80;
        listen [::]:80 ipv6only=on;
        server_name www.williamyao.com;
        # send every plain-HTTP request to the HTTPS host
        return 301 https://www.williamyao.com$request_uri;
    }

Then edit the configuration file of the other virtual host, app.williamyao.com.conf, like this:

    server {
        # TLS is enabled by the ssl parameter on the listen lines
        # (this replaces the older, deprecated "ssl on;" directive)
        listen 443 ssl;
        # the following line is used to enable IPv6 support
        listen [::]:443 ssl;
        server_name app.williamyao.com;

        # SSL support configuration as follows:
        ssl_certificate /etc/ssl/private/app.williamyao.com.crt;
        ssl_certificate_key /etc/ssl/private/app.williamyao.com.key;

        # ... (other configurations)
    }

    server {
        listen 80;
        listen [::]:80;
        server_name app.williamyao.com;
        # send every plain-HTTP request to the HTTPS host
        return 301 https://app.williamyao.com$request_uri;
    }

After all the configuration is complete, restart or reload Nginx. If nothing goes wrong, go back to the browser and enter the domain name (without https://, which also tests the 301 redirect). Is everything all right?

Congratulations, your server has been marked as "secure"!

1. Use your own company's information to generate your own CSR file and key file in one of the following ways.

First: generate them online: https://www.trustasia.com/tools/csr-generator.htm

Second: generate them on the Linux command line:

    openssl req -new -nodes -keyout yourname.key -out yourname.csr

Third: download this tool and use it to generate them: https://download.startpki.com/startcom/startcomtool.exe

2. Use your own CSR and key files to register your domain name on startssl.com and generate your own certificate (crt).

[https://startssl.com/Certificates/ApplySSLCert](https://startssl.com/Certificates/ApplySSLCert)

3. Configure and use your own certificate (crt) on nginx

    server {
        # TLS is enabled by the ssl parameter of listen
        # (this replaces the older, deprecated "ssl on;" directive)
        listen 443 ssl;
        server_name xxx.clcw.com.cn;
        root html;

        ssl_certificate /home/songaimin/job/nginx-conf/ssl/xxx.clcw.com.cn_bundle.crt;
        ssl_certificate_key /home/songaimin/job/nginx-conf/ssl/xxx.clcw.com.cn.key;
        ssl_session_timeout 5m;
        # SSLv2, SSLv3 and TLSv1 are obsolete and insecure; allow only TLS 1.2 and 1.3
        ssl_protocols TLSv1.2 TLSv1.3;
        # nginx's default cipher list
        ssl_ciphers HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers on;

        location / {
        }
    }

Restart the nginx server and check that port 443 comes up normally. Visit https://xxx.clcw.com.cn and look at the address bar: it shows a small green lock. Congratulations on your success!
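Added example (not part of the original article): the second method from step 1 as a non-interactive script that creates the key and CSR on your own machine, so the private key is never handed to a third-party site, plus a check that a CSR or issued certificate really belongs to a key before the pair is installed in Nginx. The function names and the .key/.csr/.crt suffix convention are assumptions taken from the article's file naming.

```shell
#!/bin/sh
# Added example: local key + CSR generation and key-pair checks.

# new_csr DOMAIN DIR: create DIR/DOMAIN.key (mode 600) and DIR/DOMAIN.csr
new_csr() {
    domain=$1 dir=$2
    (
        umask 077   # key file is never group/world readable, even briefly
        openssl req -new -newkey rsa:2048 -nodes \
            -subj "/CN=$domain" \
            -keyout "$dir/$domain.key" -out "$dir/$domain.csr" 2>/dev/null
    ) || return 1
    chmod 600 "$dir/$domain.key"
}

# pubkey_of FILE: print the public key carried by a .key, .csr or .crt file
pubkey_of() {
    case $1 in
        *.key) openssl pkey -in "$1" -pubout ;;
        *.csr) openssl req  -in "$1" -noout -pubkey ;;
        *.crt) openssl x509 -in "$1" -noout -pubkey ;;
        *) return 2 ;;
    esac 2>/dev/null
}

# same_keypair A B: succeed only if both files carry the same public key
same_keypair() {
    a=$(pubkey_of "$1") || return 1
    b=$(pubkey_of "$2") || return 1
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# key_is_private FILE: succeed only if the mode is exactly rw-------
key_is_private() {
    [ "$(ls -l "$1" | cut -c1-10)" = "-rw-------" ]
}
```

Run same_keypair on each .crt/.key set before reloading Nginx; a mismatch there is what makes the reload fail with a key mismatch error.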

5. HTTPS encryption only for registration and login

Since HTTPS can guarantee security, why are most websites around the world still using HTTP? Using the HTTPS protocol is a considerable load overhead for the server. In terms of performance, we cannot encrypt every request from every user (except, of course, giants like Google). For an ordinary website, what we want is security only when handling transactions, password logins and the like. You can do this with rewrite rules in the Nginx configuration.

Add the following configuration under the https server:

    if ($uri !~* "/logging.php$") {
        rewrite ^/(.*)$ http://$host/$1 redirect;
    }

Add the following configuration under the http server:

    if ($uri ~* "/logging.php$") {
        rewrite ^/(.*)$ https://$host/$1 redirect;
    }

In this way, users will access logging.php, and only logging.php, through https.
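Added example (not from the original article): a pre-reload check for vhost files like the ones configured in this article. It flags protocol versions older than TLS 1.2 in ssl_protocols, the deprecated "ssl on" form, redirects that send visitors from the vhost back to http:// (where the request, and any cookie not marked Secure, travels unencrypted), and a missing port-80 redirect; the function names are assumptions and the parser is a simple line-based one.

```shell
#!/bin/sh
# Added example: static checks for an nginx vhost file, run before reload.

# directives FILE: one directive per line, comments and padding removed.
directives() {
    sed 's/#.*//' "$1" | tr ';{}' '\n\n\n' |
        sed 's/^[[:space:]]*//; s/[[:space:]]*$//'
}

# audit_vhost FILE: print one finding per line; status 0 only if none.
audit_vhost() {
    [ -r "$1" ] || return 2
    d=$(directives "$1")
    out=$(
        has() { printf '%s\n' "$d" | grep -Eq "$1"; }

        # Protocol versions older than TLS 1.2 (SSLv2, SSLv3, TLSv1, TLSv1.1).
        has '^ssl_protocols[[:space:]].*(SSLv[23]|TLSv1(\.1)?)([[:space:]]|$)' &&
            echo "ssl_protocols enables a protocol older than TLSv1.2"

        # "ssl on;" is deprecated; TLS belongs on the listen line.
        if has '^ssl[[:space:]]+on$'; then
            echo "deprecated 'ssl on': use 'listen 443 ssl' instead"
        elif printf '%s\n' "$d" |
             grep -E '^listen[[:space:]]+([^[:space:]]*:)?443([[:space:]]|$)' |
             grep -Evq '[[:space:]]ssl([[:space:]]|$)'; then
            echo "listen 443 without ssl: the port would speak plain HTTP"
        fi

        # A redirect from this vhost to http:// returns clients to plaintext.
        has '^(rewrite|return)[[:space:]].*[[:space:]]http://' &&
            echo "redirect target uses http://"

        # Port 80 should only bounce to HTTPS, as in the article's vhosts.
        has '^return[[:space:]]+301[[:space:]]+https://' ||
            echo "no 'return 301 https://...' redirect found"
    )
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}
```

Run audit_vhost on each vhost file and follow a clean result with nginx -t before reloading.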
