nginx must be built with SSL support, i.e. the http_ssl_module module (--with-http_ssl_module).
Check whether nginx supports it:
/application/nginx/sbin/nginx -V
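A free certificate can be requested from Alibaba Cloud; here a locally generated certificate is used to configure nginx.
yum install openssl
yum install openssl-devel
cd /application/nginx/conf/cert
Create the local private key:
openssl genrsa -out ssl.silly.com.key 2048
Enter the requested information at the prompts (this produces the certificate signing request):
openssl req -new -key ssl.silly.com.key -out ssl.silly.com.csr
Create the certificate (crt):
openssl x509 -req -days 1460 -in ssl.silly.com.csr -signkey ssl.silly.com.key -out ssl.silly.com.crt
Create the pem file (it holds the Diffie-Hellman parameters for ssl_dhparam, not a certificate):
openssl dhparam -out ssl.silly.com.pem 2048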
server_name: a domain name that is not already configured; change it as needed.
Configure port 443:
server {
    listen 443 ssl;
    server_name ssl.silly.com;
    ssl_certificate /application/nginx/conf/cert/ssl.silly.com.crt;
    ssl_certificate_key /application/nginx/conf/cert/ssl.silly.com.key;
    # Optional: the DH parameters generated above
    #ssl_dhparam /application/nginx/conf/cert/ssl.silly.com.pem;
    ssl_session_timeout 5m;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
    # TLSv1 and TLSv1.1 are deprecated (RFC 8996); keep them only if legacy clients need them
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    location / {
        root html;
        index index.html index.htm;
    }
}
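Because the SSL certificate paths are fairly long, once the configuration is done you can use cat to view the file contents, which also confirms that the paths are correct:
cat /application/nginx/conf/cert/ssl.silly.com.crt;
cat /application/nginx/conf/cert/ssl.silly.com.key;
cat /application/nginx/conf/cert/ssl.silly.com.pem;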
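A check that covers the same ground as the cat commands above without echoing the private key to the terminal, as an added example rather than code from the original post: it confirms that both files exist and parse, that the certificate and key belong together, that the key is not group/world readable, and that the certificate has not expired. The function name check_pair and its return codes are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the original page.
# check_pair CRT KEY: validate an nginx certificate/key pair without
# printing the private key. Return codes (constructed for this example):
#   0 ok, 2 file missing, 3 not parseable, 4 cert/key mismatch,
#   5 key readable by group or others, 6 certificate expired
check_pair() {
    crt=$1
    key=$2
    for f in "$crt" "$key"; do
        [ -r "$f" ] || { echo "missing or unreadable: $f"; return 2; }
    done
    # Extract the public key from each file; both commands emit the same
    # "BEGIN PUBLIC KEY" PEM block when the files belong together.
    crt_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null) ||
        { echo "not a PEM certificate: $crt"; return 3; }
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) ||
        { echo "not a PEM private key: $key"; return 3; }
    [ "$crt_pub" = "$key_pub" ] ||
        { echo "certificate and key do not match"; return 4; }
    # The key file should not be readable by group or others.
    if [ -n "$(find -L "$key" -prune \( -perm -040 -o -perm -004 \) -print)" ]; then
        echo "key is group/world readable: $key"; return 5
    fi
    # -checkend 0 fails when the certificate has already expired.
    openssl x509 -in "$crt" -noout -checkend 0 >/dev/null 2>&1 ||
        { echo "certificate expired: $crt"; return 6; }
    echo "ok: $crt matches $key"
}

# Usage: sh check_pair.sh /path/to/site.crt /path/to/site.key
if [ "$#" -eq 2 ]; then
    check_pair "$1" "$2"
fi
```
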
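Redirect http to https:
server {
    listen 80;
    server_name ssl.silly.com;
    # This server-level rewrite runs first and already issues the 301 redirect
    rewrite ^(.*)$ https://$host$1 permanent;
    location / {
        # Not reached while the rewrite above is present; either form alone is enough
        return 301 https://ssl.silly.com:443$request_uri;
    }
}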
Check the configuration file:
/application/nginx/sbin/nginx -t
Reload the configuration file:
/application/nginx/sbin/nginx -s reload
Result:
server { listen 443 ; ssl on; ... }