配置 https 之前首先要确保已经有
http 证书和私钥文件,证书是*.crt文件,私钥是*.key文件。怎么申请证书这里不再说明,很多机构都可以免费发放证书,在腾讯云,阿里云或者七牛等等随便找个机构申请一个即可。
假设域名和证书的对应关系如下:
www.maqian.io
|
1 2 |
/etc/conf/ssl/1_www.maqian.io_bundle.crt /etc/conf/ssl/2_www.maqian.io.key |
maqian.io
|
1 2 |
/etc/conf/ssl/1_maqian.io_bundle.crt /etc/conf/ssl/2_maqian.io.key |
则 nginx 中 maqian.io.conf 的配置文件为:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 |
server { listen 443; server_name www.maqian.io; ssl on; ssl_certificate /etc/ssl/1_www.maqian.io_bundle.crt; ssl_certificate_key /etc/ssl/2_www.maqian.io.key; ssl_session_timeout 5m; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; #按照这个协议配置 ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;#按照这个套件配置 ssl_prefer_server_ciphers on; location / { root html; #站点目录 index index.html index.htm; } } server { listen 443; server_name maqian.io; ssl on; ssl_certificate /etc/ssl/1_maqian.io_bundle.crt; ssl_certificate_key /etc/ssl/2_maqian.io.key; ssl_session_timeout 5m; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; #按照这个协议配置 ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;#按照这个套件配置 ssl_prefer_server_ciphers on; location / { root html; #站点目录 index index.html index.htm; } } |
如果需要全站强制开启 https,还需要在配置文件中添加以下内容:
|
1 2 3 4 5 |
server { listen 80; server_name www.maqian.io maqian.io; rewrite ^(.*)$ https://$host$1 permanent; } |