Nginx配置HTTPS证书
注意:本文介绍如何生成 Let's Encrypt 免费 HTTPS 证书。证书有效期为 3 个月,到期前需要重新签发;申请前需要拥有域名的所有权,并有一台线上服务器。
生成HTTPS证书
创建帐号
在服务器中建一个目录
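# Work in a dedicated directory that only the current user can enter. It will
# hold private keys, so it must not sit under any path that nginx serves.
mkdir my_ssl
chmod 700 my_ssl
cd my_ssl
# Let's Encrypt account key. The umask in the subshell creates the file with
# mode 600 from the start instead of the usual world-readable 644.
(umask 077; openssl genrsa 4096 > account.key)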
创建 CSR 文件
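# Private key for the site certificate. The umask in the subshell creates the
# file with mode 600, so other local users cannot read it.
(umask 077; openssl genrsa 4096 > domain.key)
# Certificate signing request, signed with domain.key using SHA-256.
# openssl prompts interactively for the subject fields.
openssl req -new -sha256 -key domain.key -out domain.csr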
执行该命令后会交互式地提示输入域名等信息,其中 Common Name 一项需填写要申请证书的域名。
配置 Nginx 验证服务
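server {
    server_name example.com;

    # Serves ACME challenge files only. This must be the directory passed to
    # acme_tiny.py as --acme-dir, and it must contain nothing else: aliasing
    # the directory that holds account.key / domain.key would publish the
    # private keys over plain HTTP.
    location ^~ /.well-known/acme-challenge/ {
        alias /home/xxx/www/challenges/;
        try_files $uri =404;
    }

    # Every other request is permanently redirected to the HTTPS site.
    # NOTE(review): yoursite.com is a placeholder; it should match server_name.
    location / {
        rewrite ^/(.*)$ https://yoursite.com/$1 permanent;
    }
}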
获取网站证书
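# NOTE(review): this fetches the tip of the master branch with no integrity
# check, and the script is then given the account private key. Read the script
# before running it and prefer a reviewed, pinned revision over master.
wget https://raw.githubusercontent.com/diafygi/acme-tiny/master/acme_tiny.py
# --acme-dir must be the directory nginx serves at /.well-known/acme-challenge/
# and must not be the directory that holds the keys.
# The certificate is written to a temporary file first, so a failed run does
# not leave an empty or truncated signed.crt behind.
python acme_tiny.py --account-key ./account.key --csr ./domain.csr --acme-dir ~/www/challenges/ > ./signed.crt.tmp && mv ./signed.crt.tmp ./signed.crt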
结合中间证书和网站证书
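# Download the intermediate certificate with TLS verification enabled.
# --no-check-certificate was dropped: fetching trust material over an
# unverified connection lets anyone on the network path substitute the file.
# If verification fails, fix the local CA bundle instead of disabling the check.
# NOTE(review): the X3 cross-signed intermediate may no longer be the one that
# signs new certificates; confirm the current intermediate on letsencrypt.org.
wget -O intermediate.pem https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem
# Leaf certificate first, then the intermediate: the order nginx expects in the
# file given to ssl_certificate.
cat signed.crt intermediate.pem > chained.pem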
结合根证书和中间证书
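# Download the ISRG root certificate with TLS verification enabled.
# --no-check-certificate was dropped: a root certificate fetched over an
# unverified connection cannot be trusted as an anchor.
wget -O root.pem https://letsencrypt.org/certs/isrgrootx1.pem
# Intermediate followed by root.
# NOTE(review): full_chained.pem is not referenced by the nginx configuration
# on this page; presumably it is meant for ssl_trusted_certificate. Confirm.
cat intermediate.pem root.pem > full_chained.pem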
配置Nginx
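server {
    listen 443 ssl;
    server_name example.com;

    # nginx does not expand "~", so the paths are absolute (/home/xxx is the
    # page's placeholder home directory). Keep this directory outside every
    # location that nginx serves, and keep domain.key at mode 600.
    ssl_certificate     /home/xxx/www/my-ssl/chained.pem;
    ssl_certificate_key /home/xxx/www/my-ssl/domain.key;

    # NOTE(review): requests are forwarded in plaintext to whatever example.com
    # resolves to. If the backend runs on this host, a loopback address avoids
    # sending decrypted traffic over the network.
    location / {
        # Was "http:/example.com" (single slash), which is not a valid URL.
        proxy_pass http://example.com;
    }
}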
# Start nginx with an explicit configuration file.
# The same binary with "-t -c <file>" checks the configuration without starting.
/xxx/nginx/sbin/nginx -c /xxx/nginx/conf/nginx.conf
# Send the stop signal to the running nginx (fast shutdown).
/xxx/nginx/sbin/nginx -s stop
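# No "user root;" directive: the master process still starts as root to bind
# ports 80/443 and load the private key, while worker processes run under the
# build's default unprivileged account. The challenge directory and the web
# root must be readable by that account.
worker_processes 1;

events {
    worker_connections 1024;
}

http {
    include mime.types;
    default_type application/octet-stream;
    sendfile on;
    keepalive_timeout 65;

    # Plain-HTTP site: proxies to the local backend and serves ACME challenges.
    # NOTE(review): the application is also reachable over plain HTTP here;
    # redirect "/" to HTTPS if that is not intended.
    server {
        listen 80;
        server_name example.com www.example.com;

        location / {
            proxy_pass http://127.0.0.1:8080;
        }

        # Challenge files only. The directory name is a placeholder; it must
        # match the --acme-dir given to acme_tiny.py and must NOT be the ssl/
        # directory, or domain.key and account.key become downloadable over
        # HTTP. nginx does not expand "~", so paths are absolute.
        location ^~ /.well-known/acme-challenge/ {
            alias /home/xxx/example.com/challenges/;
            try_files $uri =404;
        }
    }

    # Static site on port 6001.
    # NOTE(review): "listen 6001;" binds every interface even though
    # server_name is localhost; restrict the listen address if this is meant
    # to be local only.
    server {
        listen 6001;
        server_name localhost;

        location / {
            root /home/xxx/example.com/web/;
            index index.html;
        }
    }

    # HTTPS site.
    server {
        listen 443 ssl;
        server_name example.com;

        # Key material lives in a directory that no location serves.
        ssl_certificate     /home/xxx/example.com/ssl/chained.pem;
        ssl_certificate_key /home/xxx/example.com/ssl/domain.key;

        # Proxy straight to the backend that the port-80 server also uses,
        # instead of looping through http://example.com in plaintext.
        location / {
            proxy_pass http://127.0.0.1:8080;
        }
    }
}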