Nginx server https configuration method example

Linux: Linux version 3.10.0-123.9.3.el7.x86_64

Nginx: nginx/1.6.3

openssl: 1.0.1e

Apply for a certificate

Many organizations on the Internet now issue free personal SSL certificates, with validity periods ranging from a few months to a few years. Taking StartSSL (https://www.startssl.com) as an example, a certificate is valid for 3 years after a successful application and can be renewed free of charge after it expires.

The application process itself is straightforward.

After registering and logging in, select Certificates Wizard >> DV SSL Certificate to apply for a free SSL certificate.

After verifying ownership of the domain name by email, generate the private key and the certificate signing request (CSR) on your own server. Remember the passphrase you enter; you will need it later:

openssl req -newkey rsa:2048 -keyout weizhimiao.cn.key -out weizhimiao.cn.csr

Move the generated key and CSR into a directory of your choice, such as /data/secret/. Print the contents of the CSR file weizhimiao.cn.csr, paste them into the Certificate Signing Request (CSR) field on the page, and submit.

Download the issued certificate, choosing the bundle for the corresponding web server (for Nginx, 1_weizhimiao.cn_bundle.crt). We now have both the certificate (which carries the public key) and the private key:

  • 1_weizhimiao.cn_bundle.crt (certificate, public key)
  • weizhimiao.cn.key (private key)

Nginx configuration (enable HTTPS for the domain)

Current nginx.conf:

...
http {
 ...
 include /etc/nginx/conf.d/*.conf;

 server {
  ...
 }
}

Add the following to ./conf.d/weizhimiao.cn.conf:

server {
 listen 443 ssl;
 server_name weizhimiao.cn;

 ssl_certificate /data/secret/1_weizhimiao.cn_bundle.crt;
 ssl_certificate_key /data/secret/weizhimiao.cn.key;
 ssl_prefer_server_ciphers on;
 ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

 ssl_ciphers 'kEECDH+ECDSA+AES128 kEECDH+ECDSA+AES256 kEECDH+AES128 kEECDH+AES256 kEDH+AES128 kEDH+AES256 DES-CBC3-SHA +SHA !aNULL !eNULL !LOW !MD5 !EXP !DSS !PSK !SRP !kECDH !CAMELLIA !RC4 !SEED';

 add_header Strict-Transport-Security 'max-age=31536000; preload';
 add_header X-Frame-Options DENY;
 ssl_session_cache shared:SSL:10m;
 ssl_session_timeout 10m;
 keepalive_timeout 70;
 ssl_dhparam /data/secret/dhparam.pem;

 add_header X-Content-Type-Options nosniff;

 add_header X-Xss-Protection 1;

 root /data/www/weizhimiao.cn;
 index index.html;

 location / {

 }
}

Note:

The configuration references /data/secret/dhparam.pem, a PEM file containing the Diffie-Hellman parameters that the DHE cipher suites use during the TLS handshake; supplying your own parameters strengthens the key exchange. Generate the file as follows:

cd /data/secret/
openssl dhparam -out dhparam.pem 2048

Redirect plain HTTP requests on port 80 to HTTPS. Add the following to ./conf.d/weizhimiao.cn.conf:

server {
 listen 80;
 server_name weizhimiao.cn;
 return 301 https://weizhimiao.cn$request_uri;
}
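As an added example, not from the original article: a small shell lint for the two server blocks above. It writes a constructed copy of the article's configuration to a temporary file and prints the findings a reviewer would raise today: TLS 1.0/1.1 in ssl_protocols (deprecated by RFC 8996), a Strict-Transport-Security header that says preload without includeSubDomains (the preload list requires both), a missing port-80 redirect, a missing ssl_dhparam, and add_header directives inside a location block, which stop the server-level add_header lines from being inherited there. The function names and the sample file are this example's own.

```shell
#!/bin/sh
# Added example (not part of the original article): lint for the TLS server
# blocks. write_sample_conf() writes a constructed copy of the article's
# configuration; lint_tls_conf() prints one finding per line for a config file.
# Function names and file paths are this example's own.

# Write a constructed sample (mirroring the article's two server blocks) to $1.
write_sample_conf() {
  cat > "$1" <<'EOF'
server {
 listen 443 ssl;
 server_name weizhimiao.cn;
 ssl_certificate /data/secret/1_weizhimiao.cn_bundle.crt;
 ssl_certificate_key /data/secret/weizhimiao.cn.key;
 ssl_prefer_server_ciphers on;
 ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
 add_header Strict-Transport-Security 'max-age=31536000; preload';
 ssl_dhparam /data/secret/dhparam.pem;
 location / {
 }
}
server {
 listen 80;
 server_name weizhimiao.cn;
 return 301 https://weizhimiao.cn$request_uri;
}
EOF
}

# Print one finding per line for the nginx config in $1 (prints nothing if clean).
lint_tls_conf() {
  # Drop comments first so a commented-out directive cannot trigger a finding.
  conf=$(sed 's/#.*$//' "$1")

  # 1. Protocol versions: TLS 1.0 and 1.1 are deprecated (RFC 8996).
  if printf '%s\n' "$conf" | grep -E 'ssl_protocols[^;]*[[:space:]]TLSv1(\.1)?[[:space:];]' >/dev/null; then
    echo "ssl_protocols: TLSv1/TLSv1.1 enabled; restrict to TLSv1.2 (and TLSv1.3 where the build supports it)"
  fi

  # 2. HSTS must be present; 'preload' without 'includeSubDomains' is rejected
  #    by the preload list, so the directive is misleading on its own.
  hsts=$(printf '%s\n' "$conf" | grep -E 'add_header[[:space:]]+Strict-Transport-Security' || true)
  if [ -z "$hsts" ]; then
    echo "HSTS: no Strict-Transport-Security header"
  else
    case "$hsts" in
      *preload*) case "$hsts" in
        *includeSubDomains*) ;;
        *) echo "HSTS: 'preload' set without 'includeSubDomains'; add it or drop 'preload'" ;;
      esac ;;
    esac
  fi

  # 3. Plain HTTP must be redirected permanently to HTTPS.
  if ! printf '%s\n' "$conf" | grep -E 'return[[:space:]]+301[[:space:]]+https://' >/dev/null; then
    echo "redirect: no 'return 301 https://...' server block for port 80"
  fi

  # 4. Custom DH parameters for the DHE suites listed in ssl_ciphers.
  if ! printf '%s\n' "$conf" | grep -E '^[[:space:]]*ssl_dhparam[[:space:]]' >/dev/null; then
    echo "ssl_dhparam: missing; DHE suites fall back to nginx's version-dependent default"
  fi

  # 5. add_header inside a location block switches off inheritance of the
  #    server-level add_header directives for that location.
  if printf '%s\n' "$conf" | awk '
      /^[ \t]*location[ \t]/ { depth = 1; next }
      depth && /\{/ { depth++ }
      depth && /\}/ { depth--; next }
      depth && /add_header/ { found = 1 }
      END { exit !found }'; then
    echo "add_header: a location block sets its own headers, so server-level headers are not inherited there"
  fi
}

# Usage: sh lint.sh /etc/nginx/conf.d/weizhimiao.cn.conf
if [ $# -eq 1 ]; then
  lint_tls_conf "$1"
fi
```

Run against the article's configuration the lint reports two findings (the protocol list and the HSTS header); after restricting ssl_protocols to TLSv1.2 and adding includeSubDomains it reports none.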

Test

Check the configuration file for syntax errors. Because the private key is encrypted, you must enter the passphrase chosen when the key was generated:

nginx -t
Enter PEM pass phrase:
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

Restart Nginx (note that reload does not work here; stop and start it instead):

nginx -s stop
Enter PEM pass phrase:
nginx
Enter PEM pass phrase:

Open https://weizhimiao.cn in a browser to confirm the change has taken effect.

Also note that once Nginx is configured with an encrypted private key, every reload, stop or start of Nginx prompts for the passphrase.

To avoid this, you can generate a decrypted copy of the key and use it in place of the original:

cd /data/secret/
openssl rsa -in weizhimiao.cn.key -out weizhimiao.cn.key.unsecure

Then point weizhimiao.cn.conf at the new file instead of weizhimiao.cn.key:

server {
 ...
 ssl_certificate /data/secret/1_weizhimiao.cn_bundle.crt;
 ssl_certificate_key /data/secret/weizhimiao.cn.key.unsecure;
 ...
}

After that, you no longer need to enter the passphrase on every reload.
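As an added example, not from the original article: the key and CSR steps from the certificate application section and the openssl rsa step above, run unattended in a scratch directory, followed by the checks worth doing before installing the files: that the private key really matches the CSR (the same fingerprint routine also works on the downloaded certificate bundle), and that the decrypted copy stays mode 0600, since a key without a passphrase is protected by nothing but its file permissions. The directory, passphrase and function names are constructed for this example; the domain follows the article.

```shell
#!/bin/sh
# Added example (not from the original article): the key/CSR steps run
# unattended, plus the checks worth doing before installing the files.
# Directory, passphrase and function names are constructed for this example.

# Create an encrypted RSA key and a CSR for domain $1 in directory $2, using
# passphrase $3. Same as the article's interactive command, with -subj and
# -passout supplied so it runs without prompts; umask 077 makes both files 0600.
make_key_and_csr() {
  domain=$1; dir=$2; pass=$3
  mkdir -p "$dir"
  (umask 077 && openssl req -newkey rsa:2048 \
      -keyout "$dir/$domain.key" -out "$dir/$domain.csr" \
      -subj "/CN=$domain" -passout "pass:$pass" 2>/dev/null)
}

# SHA-256 fingerprint of the public key held in a key, CSR or certificate.
# $1 is one of key|req|x509, $2 the file, $3 the key passphrase (may be empty).
# All three commands emit the same PEM public key for the same key pair, so
# identical fingerprints mean the files belong together. Fails if openssl fails.
pubkey_fingerprint() {
  kind=$1; file=$2; pass=${3:-}
  pub=$(case "$kind" in
    key)  openssl pkey -in "$file" -passin "pass:$pass" -pubout ;;
    req)  openssl req -in "$file" -noout -pubkey ;;
    x509) openssl x509 -in "$file" -noout -pubkey ;;
  esac 2>/dev/null) || return 1
  [ -n "$pub" ] || return 1
  printf '%s\n' "$pub" | openssl dgst -sha256 | sed 's/^.*= //'
}

# The article's "openssl rsa" step: write an unencrypted copy next to the key
# so nginx can start without a prompt. Keep it 0600: nothing but file
# permissions protects a key without a passphrase.
decrypt_key() {
  key=$1; pass=$2
  (umask 077 && openssl rsa -in "$key" -passin "pass:$pass" -out "$key.unsecure" 2>/dev/null)
}

# Return 0 if key $1 (passphrase $2, may be empty) matches CSR $3.
key_matches_csr() {
  k=$(pubkey_fingerprint key "$1" "$2") || return 1
  c=$(pubkey_fingerprint req "$3") || return 1
  [ "$k" = "$c" ]
}

# Return 0 if key $1 (passphrase $2) matches certificate $3, e.g. the bundle
# downloaded from the CA.
key_matches_cert() {
  k=$(pubkey_fingerprint key "$1" "$2") || return 1
  c=$(pubkey_fingerprint x509 "$3") || return 1
  [ "$k" = "$c" ]
}

# Return 0 if file $1 is mode 0600 (GNU stat, with a BSD/macOS fallback).
is_private_mode() {
  mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
  [ "$mode" = "600" ]
}

# Usage: sh keycheck.sh <domain> <dir> <passphrase>
if [ $# -eq 3 ]; then
  make_key_and_csr "$1" "$2" "$3"
  openssl req -in "$2/$1.csr" -noout -subject
  key_matches_csr "$2/$1.key" "$3" "$2/$1.csr" && echo "key matches CSR"
  decrypt_key "$2/$1.key" "$3"
  is_private_mode "$2/$1.key.unsecure" && echo "decrypted key is mode 0600"
fi
```

Once the CA has issued the bundle, run key_matches_cert against it before editing weizhimiao.cn.conf; a mismatch at that point means the wrong CSR was pasted into the form, and nginx would refuse to start with a key that does not match the certificate.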

Finally, test the deployment with SSL Labs.

Result: SSL Labs test report (screenshot not reproduced here)

The above is the full content of this article. I hope it will be helpful for everyone’s study. I also hope that everyone will support 123WORDPRESS.COM.
