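1. Deploying an SSL certificate on nginx
The e-mail contains two (or three) blocks of certificate text, each starting with -----BEGIN CERTIFICATE----- and ending with -----END CERTIFICATE-----. (See the attachment.)
Copy them, in order, into a single file. The file name is arbitrary, for example server.crt.
Note: the saved file should look like this (if you have to choose an encoding when saving, choose ANSI):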
-----BEGIN CERTIFICATE-----
xxxxx
xxxx
xxxxx
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
xxxx
xxx
xxx
-----END CERTIFICATE-----
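Together with your existing private key file (the key file, named something like key.txt, whose content begins with -----BEGIN RSA PRIVATE KEY-----), you can now configure nginx.
2. In the conf configuration
Add or modify a server block (virtual host) like this: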
server {
    listen 443;
    server_name www.abc.com; # your domain name, e.g. www.abc.com
    ssl on; # deprecated since nginx 1.15.0; newer versions use "listen 443 ssl;" instead
    ssl_certificate /xxx/xxx/server.crt;
    ssl_certificate_key /xxx/xxx/key.txt;
    ssl_session_timeout 5m;
    # TLSv1 and TLSv1.1 are deprecated (RFC 8996); drop them unless legacy clients need them
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    #ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
    ssl_session_cache shared:SSL:10m;
    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
    add_header X-Frame-Options DENY;
    add_header X-Content-Type-Options nosniff;
    #ssl_session_tickets off; # Requires nginx >= 1.5.9
    ssl_stapling on; # Requires nginx >= 1.3.7
    #ssl_stapling_verify on; # Requires nginx >= 1.3.7
    #resolver $DNS-IP-1 $DNS-IP-2 valid=300s;
    resolver_timeout 5s;
    location / {
        root html;
        index index.html index.htm;
    }
}
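The configuration parameters are explained below:
listen 443
The SSL access port is 443
ssl on
Enables SSL
ssl_certificate
The certificate file, server.crt
ssl_certificate_key
The private key file, key.txt
After completing the steps above, restart nginx.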
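
A check to run on server.crt before restarting nginx (an added example, not part of the original instructions): it flags a UTF-8 byte-order mark left by the editor, a private key pasted into the certificate file, and certificates saved out of order. It assumes the usual layout of server certificate first, each certificate followed by the one that issued it; `check_bundle` and `fake_cert` are hypothetical names, and the sample certificates are constructed DER skeletons, not real certificates.

```python
import base64, re

PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)

def _elements(buf):
    """Yield (tag, raw, value) for each DER element laid end to end in buf."""
    pos = 0
    while pos < len(buf):
        tag, length, start = buf[pos], buf[pos + 1], pos + 2
        if length & 0x80:               # long-form length: low 7 bits = byte count
            n = length & 0x7F
            length, start = int.from_bytes(buf[start:start + n], "big"), start + n
        yield tag, buf[pos:start + length], buf[start:start + length]
        pos = start + length

def issuer_subject(der):
    """Return the raw DER issuer and subject Names of an X.509 certificate."""
    _, _, cert = next(_elements(der))   # Certificate SEQUENCE
    _, _, tbs = next(_elements(cert))   # tbsCertificate SEQUENCE
    fields = [raw for tag, raw, _ in _elements(tbs) if tag != 0xA0]  # drop [0] version
    return fields[2], fields[4]         # serial, sigAlg, issuer, validity, subject

def check_bundle(data: bytes):
    """Return a list of problems found in a server.crt-style PEM bundle."""
    problems = []
    if data.startswith(b"\xef\xbb\xbf"):
        problems.append("UTF-8 BOM before the first BEGIN line")
    blocks = PEM_RE.findall(data.decode("ascii", "replace"))
    if any("PRIVATE KEY" in label for label, _ in blocks):
        problems.append("private key pasted into the certificate file")
    try:
        names = [issuer_subject(base64.b64decode(body)) for label, body in blocks
                 if label == "CERTIFICATE"]
    except (ValueError, IndexError, StopIteration):
        return problems + ["a CERTIFICATE block is not valid base64/DER"]
    if not names:
        problems.append("no CERTIFICATE block found")
    for i in range(len(names) - 1):     # assumed order: server cert first, then issuers
        if names[i][0] != names[i + 1][1]:
            problems.append(f"certificate {i + 1} is not issued by certificate {i + 2}")
    return problems

def fake_cert(subject, issuer):
    """Constructed sample: a DER skeleton holding only the fields read above."""
    der = lambda tag, *parts: bytes([tag, len(b"".join(parts))]) + b"".join(parts)
    name = lambda cn: der(0x30, der(0x0C, cn.encode()))
    tbs = der(0x30, der(0xA0, der(2, b"\x02")), der(2, b"\x01"), der(0x30),
              name(issuer), der(0x30), name(subject))
    b64 = base64.encodebytes(der(0x30, tbs)).decode()
    return f"-----BEGIN CERTIFICATE-----\n{b64}-----END CERTIFICATE-----\n".encode()
```

On a real file, call `check_bundle(open("server.crt", "rb").read())`; an empty list means none of these problems were found. It does not verify signatures or that key.txt matches the certificate.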