Shulou(Shulou.com)06/01 Report--

This article mainly introduces "Nginx how to open SSL". In daily operation, I believe many people have doubts about how to open SSL in Nginx. The editor consulted all kinds of materials and sorted out simple and easy-to-use operation methods. I hope it will be helpful to answer the doubts about "Nginx how to open SSL". Next, please follow the editor to study!

Purchase SSL certificate

Since you want to encrypt to improve the security level of the website, it is inevitable to choose a cost-effective SSL. There are many ways to buy SSL certificates, and some of them are free. I have tried some free SSL certificates but feel troublesome, unstable and insecure. Domestic CA institutions CFCA China Financial Certification Center SSL product research and development director also said: website managers and CA institutions should be cautious about free certificates. Because the fee is not very expensive, I chose the more commonly used Comodo PositiveSSL, which is much cheaper than the official website in gogetssl.

We take the Comodo PositiveSSL certificate of gogetssl home as an example to record the process of Nginx configuration and installation of ssl certificate, not to mention the specific principle.

Prepare the certificate

First of all, you need to buy a certificate, Comodo PositiveSSL, which costs only $9.65 for three years.

After the purchase is completed, the email will get several emails, including key code, certificate package and other attachments, and 4 files will be obtained when unzipped. AddTrustExternalCARoot.crt, COMODORSAAddTrustCA.crt, COMODORSADomainValidationSecureServerCA.crt, www_91zll_net.crt, this is the certificate we are going to use.

Tandem certificate

Execute the merge command to generate a new file ssl-bundle.crt

Cat www_91zll_net.crt COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt AddTrustExternalCARoot.crt > ssl-bundle.crt generates the private key

Copy and save the key code in the email just sent by gogetssl, that is, the code between-- BEGIN PRIVATE KEY-- and-- END PRIVATE KEY-- (including these two lines) as a 91zll_net.key file. Use the KEY private key format conversion tool to convert from PKCS8 Key to RSA Key.

Create a certificate storage path

Mkdir-p / etc/ssl/private/

Upload the previously generated 91zll_net.key and ssl-bundle.crt to the server, usually under the / etc/ssl/private/ directory.

Modify Nginx configuration

The following is the configuration of my nginx about ssl, because I want to use https globally, so redirect port 80 to https.

Server {listen 80; server_name 91zll.ne www.91zll.net location / {rewrite (. *) https://www.91zll.net$1 permanent;}} server {listen 443 ssl; server_name 91zll.net www.91zll.net; ssl on; ssl_certificate / etc/ssl/private/ssl-bundle.crt; ssl_certificate_key / etc/ssl/private/91zll_net.key; ssl_stapling on; ssl_stapling_verify on Resolver 8.8.8.8 8.4.4 valid=300s; resolver_timeout 5s; ssl_session_cache shared:SSL:10m; ssl_session_timeout 5m; ssl_protocols TLSv1 TLSv1.1 TLSv1.2 Ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH -RSAcopyright Merseyside SHA384AES128After GCMMY SHA384AES128Met SHA256MA256MA256MA256MA256MA126MA126MA128MAA256VIEA256US256, SHAMUMA128MUS128MUS128After SHAVOV AES256MACERC3, the HIGHLLUR HIGHpuraNULLMUR EXPORTRAN DESMOR MD5MOPSKMOR RC4 " Ssl_prefer_server_ciphers on;}

There is no more to say about the meaning of the specific parameters, please google yourself. Test it before using it.

Nginx-t

After the test is clear, restart nginx

Service nginx restart at this point, the "Nginx how to open SSL" study is over, I hope to be able to solve your doubts. The collocation of theory and practice can better help you learn, go and try it! If you want to continue to learn more related knowledge, please continue to follow the website, the editor will continue to work hard to bring you more practical articles!

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.