1. Certificate application

  1. After applying for an SSL certificate, there are two files to download (make sure to download the Nginx version). Aliyun offers a free SSL certificate application.
    • xxx.key
    • xxx.pem
  2. The Nginx version used here is 1.16.1

2. Configure SSL

2.1 Certificate Upload

  1. Create a cert directory in the nginx installation directory (any other name is fine)
  2. Upload the downloaded SSL certificate files to the cert directory

2.2 Server configuration

  1. Go to the nginx conf folder and open the nginx.conf file
  2. Uncomment the HTTPS server
# HTTPS server
server {
    listen       443 ssl;
    server_name  localhost;

    ssl_certificate      cert.pem;
    ssl_certificate_key  cert.key;

    ssl_session_cache    shared:SSL:1m;
    ssl_session_timeout  5m;

    ssl_ciphers  HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers  on;

    location / {
        root   html;
        index  index.html index.htm;
    }
}
  1. The following directives need to be configured
# HTTPS server
server {
    # Do not delete ssl
    listen       443 ssl;
    # Replace localhost with the domain name bound to the SSL certificate, such as www.codecoord.com
    # server_name localhost;
    server_name  www.codecoord.com;

    # Add the default root directory and index page, depending on your own path
    root /opt/nginx/html;
    index index.html;

    # Replace cert.pem and cert.key with the paths of the uploaded files (preferably the full paths)
    # ssl_certificate cert.pem;
    # ssl_certificate_key cert.key;
    ssl_certificate      /opt/nginx/cert/cert.pem;
    ssl_certificate_key  /opt/nginx/cert/cert.key;

    # Leave the settings below unchanged
    ssl_session_cache    shared:SSL:1m;
    ssl_session_timeout  5m;

    ssl_ciphers  HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers  on;

    location / {
        root   html;
        index  index.html index.htm;
    }
}
  1. Note that port 443 must be open for external access (for example, on an Aliyun server this is configured in the security group in the console, but it is open by default)

2.2.3 Configuring forwarding

  1. This step is to configure the external access port and force HTTP requests to HTTPS
  2. Delete unnecessary configurations and leave only the following configurations
server {
    # Listening port
    listen       80;
    # Change to your own domain name
    server_name  www.codecoord.com;
    # Force HTTP requests to HTTPS
    # rewrite: rewrite directive; $host: requested host name; $1: the request URI captured by ^(.*)$; permanent: permanent (301) redirect
    rewrite ^(.*)$ https://$host$1 permanent;
}
  1. After the preceding two steps are complete, check whether the configuration is correct. Run the test command in the sbin directory
    • ./nginx -t
# Output when the configuration is valid
[root@TianXin sbin]# ./nginx -t
nginx: the configuration file /opt/Nginx/conf/nginx.conf syntax is ok
nginx: configuration file /opt/Nginx/conf/nginx.conf test is successful
  1. If the test is successful, reload nginx for the configuration to take effect
[root@TianXin sbin]# ./nginx -s reload
  1. For the complete configuration, see section 4
  2. When you visit the domain name, the browser shows the HTTPS information

3. Configuration problems

3.1 ngx_http_ssl_module

  1. Note: if the Nginx version is earlier than 1.16.1, the configuration is different. For details, see the instructions for other versions
  2. If the following error occurs when running ./nginx -t, nginx does not have the SSL module installed
[root@tianxin conf]# nginx -t
nginx: [emerg] the "ssl" parameter requires ngx_http_ssl_module in /opt/nginx/conf/nginx.conf:112
nginx: configuration file /opt/nginx/conf/nginx.conf test failed
  1. The solution is to reconfigure and recompile nginx with --with-http_stub_status_module --with-http_ssl_module
  2. You can either reinstall Nginx (recommended, which avoids many problems) or keep the current installation. Without reinstalling, simply execute the following two commands
# Clean the previous build output
make clean
# Configure
./configure --prefix=/opt/nginx --with-http_stub_status_module --with-http_ssl_module
# Compile
make
  1. Do not run make install, or you will overwrite the original files
  2. Stop nginx
    • nginx -s stop
  3. Copy objs/nginx to replace the previous nginx executable
    • cp objs/nginx /opt/nginx/sbin/
  4. Finally, start nginx

3.2 ERR_SSL_PROTOCOL_ERROR

  1. In this version, this error occurs when the ssl parameter after 443 is removed from the listen directive
server {
    # Do not remove ssl (compared with configurations for earlier versions)
    listen       443 ssl;
    ...
}
  1. The solution is not to omit ssl after 443. Note the space between them

4. Configuration example

4.1 Complete SSL Configuration

#user nobody;
worker_processes  1;

#error_log logs/error.log;
#error_log logs/error.log notice;
#error_log logs/error.log info;

#pid logs/nginx.pid;

events {
    worker_connections  1024;
}

http {
    include       mime.types;
    default_type  application/octet-stream;
    sendfile        on;
    keepalive_timeout  65;
    
    server {
        listen       80;
        server_name  www.codecoord.com codecoord.com;
        rewrite ^(.*)$ https://$host$1 permanent;
    }
    
    # https
    server {
        # Do not remove ssl
        listen       443 ssl;
        # Replace with the domain name bound to the SSL certificate, such as www.codecoord.com
        server_name  www.codecoord.com;
        # Add the default root directory and index page, depending on your own path
        root /opt/nginx/html;
        index index.html;

        # Replace cert.pem and cert.key with the paths of the uploaded files
        ssl_certificate      /opt/nginx/cert/www.codecoord.com.pem;
        ssl_certificate_key  /opt/nginx/cert/www.codecoord.com.key;

        # Leave the settings below unchanged
        ssl_session_cache    shared:SSL:1m;
        ssl_session_timeout  5m;

        ssl_ciphers  HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers  on;

        location / {
            root   html;
            index  index.html index.htm;
            try_files $uri $uri/ /index.html;   # Fix vue page refresh 404 issue
        }
    }
}
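
The configuration in section 4.1 leaves the TLS protocol versions at the nginx 1.16 defaults and redirects any Host header it receives on port 80. The following is an added example, not part of the original article: a hardened variant of the same server blocks (they go inside the http block). The domain and file paths are the ones used above; the catch-all server, ssl_protocols, HSTS header and return-based redirect are additions and assume nginx is built against OpenSSL 1.1.1 or later for TLSv1.3.

```nginx
# Added example: hardened variant of the server blocks from section 4.1.
# Domain and paths come from this page; all other settings are assumptions.

# Catch-all for port 80: a request whose Host header matches no server_name
# is closed without a response instead of being redirected to that host.
server {
    listen       80 default_server;
    server_name  _;
    return       444;
}

server {
    listen       80;
    server_name  www.codecoord.com codecoord.com;
    # return needs no regex; $request_uri keeps the path and the query string
    return       301 https://$host$request_uri;
}

server {
    # The ssl parameter is required, see section 3.2
    listen       443 ssl;
    server_name  www.codecoord.com;
    root         /opt/nginx/html;
    index        index.html;

    ssl_certificate      /opt/nginx/cert/www.codecoord.com.pem;
    ssl_certificate_key  /opt/nginx/cert/www.codecoord.com.key;

    # nginx 1.16 enables TLSv1 and TLSv1.1 by default; allow only current versions.
    # TLSv1.3 takes effect only with OpenSSL 1.1.1 or later.
    ssl_protocols        TLSv1.2 TLSv1.3;
    ssl_ciphers          HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers  on;

    ssl_session_cache    shared:SSL:1m;
    ssl_session_timeout  5m;

    # HSTS: browsers that have seen this header go straight to HTTPS for one year
    add_header Strict-Transport-Security "max-age=31536000" always;

    location / {
        try_files $uri $uri/ /index.html;
    }
}
```

Run ./nginx -t and ./nginx -s reload as in section 2 after making the change.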