This tutorial uses a free SSL certificate from StartSSL on an LNMP environment as its example.
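Step01: Apply for the SSL certificate, then download the certificate files
How do you apply for a free StartSSL certificate? Search Google or Baidu for a tutorial; it is not covered here.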
Step02: On the server, create a directory to hold the certificate files and upload them to it

    mkdir -p /usr/local/nginx/conf/ssl
    cd /usr/local/nginx/conf/ssl
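Step03: Merge the intermediate certificate into the domain certificate, and change the root certificate's file extension while you are at it

    cat sub.class1.server.ca.pem >> yourdomain.crt && rm -f sub.class1.server.ca.pem && mv ca.pem ca.crt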
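Step04: Check that the merged domain certificate is free of errors
END and BEGIN must be on separate lines, one above the other. They must not sit side by side on the same line, or the certificate will fail to load.

    -----END CERTIFICATE----------BEGIN CERTIFICATE-----

If the file looks like the line above, edit it by hand and split it into two lines:

    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----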
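
The following script is an added example, not part of the original tutorial: it detects and repairs the glued END/BEGIN boundary described in Step04, and shows an append that avoids it in the first place. The function names and the placeholder certificate bodies are constructed for illustration; the check is structural only and does not validate the certificates themselves.

```shell
#!/bin/sh
# Added example: structural checks for a PEM bundle built as in Step03.
# File names and the base64 bodies below are constructed placeholders.

# Print the number of lines where an END marker is glued to the next BEGIN marker.
glued_boundaries() {
    grep -c -e '-----END CERTIFICATE----------BEGIN CERTIFICATE-----' "$1" || true
}

# Split every glued boundary onto two lines, rewriting the file via a temp file.
fix_boundaries() {
    tmp="$1.tmp.$$"
    sed 's/-----END CERTIFICATE----------BEGIN CERTIFICATE-----/-----END CERTIFICATE-----\
-----BEGIN CERTIFICATE-----/g' "$1" > "$tmp" && mv "$tmp" "$1"
}

# Append a certificate to a bundle, adding the final newline the bundle may lack.
append_cert() {   # usage: append_cert bundle.crt intermediate.pem
    if [ -s "$1" ] && [ -n "$(tail -c 1 "$1")" ]; then
        printf '\n' >> "$1"
    fi
    cat "$2" >> "$1"
}

# Return 0 only if nothing is glued and BEGIN/END markers sit alone on lines and pair up.
check_bundle() {
    begins=$(grep -c -x -e '-----BEGIN CERTIFICATE-----' "$1" || true)
    ends=$(grep -c -x -e '-----END CERTIFICATE-----' "$1" || true)
    [ "$(glued_boundaries "$1")" -eq 0 ] && [ "$begins" -gt 0 ] && [ "$begins" -eq "$ends" ]
}

# Reproduce the Step03 merge on constructed files, then detect and repair the result.
demo() {
    dir=$(mktemp -d)
    # Constructed placeholder bodies; the leaf file deliberately has no trailing newline.
    printf '%s\n%s\n%s' '-----BEGIN CERTIFICATE-----' 'TEVBRg==' '-----END CERTIFICATE-----' > "$dir/yourdomain.crt"
    printf '%s\n%s\n%s\n' '-----BEGIN CERTIFICATE-----' 'SU5URVI=' '-----END CERTIFICATE-----' > "$dir/sub.class1.server.ca.pem"
    cat "$dir/sub.class1.server.ca.pem" >> "$dir/yourdomain.crt"   # Step03 as written
    check_bundle "$dir/yourdomain.crt" || echo "glued boundary found, repairing"
    fix_boundaries "$dir/yourdomain.crt"
    check_bundle "$dir/yourdomain.crt" && echo "bundle OK"
    rm -rf "$dir"
}

demo
```

Running check_bundle on the merged file before `nginx -t` catches the problem earlier than Nginx's own certificate load error.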
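Step05: If you set a key password when applying for the certificate at StartSSL, write out a passphrase-free copy of the key so that Nginx does not ask for the password on every restart

    openssl rsa -in yourdomain.key -out yourdomain.key.unsecure

The resulting yourdomain.key.unsecure is an unencrypted private key, so restrict its file permissions to the account that starts Nginx.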
Step06: Add the SSL parameters to the domain's nginx configuration file

    vim /usr/local/nginx/conf/vhost/yourdomain.conf
Add the SSL parameters at the bottom of server {}:

    server {
        # The listen line is not shown in the original listing; port 443 with ssl is assumed here.
        listen 443 ssl;
        server_name my.miefen.com;
        index index.html index.htm index.php;
        root /home/wwwroot/my.miefen.com;

        ssl_certificate /usr/local/nginx/conf/ssl/my.miefen.com.crt;
        ssl_certificate_key /usr/local/nginx/conf/ssl/my.miefen.com.key.unsecure;
        ssl_trusted_certificate /usr/local/nginx/conf/ssl/ca.crt;
        # SSLv3 and RC4 are both broken; on a current deployment drop SSLv3 here and RC4 from ssl_ciphers.
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2 SSLv3;
        ssl_session_cache builtin:1000 shared:SSL:10m;
        ssl_prefer_server_ciphers on;
        ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS";

        location ~ .*\.(php|php5)?$
        {
            fastcgi_pass unix:/tmp/php-cgi.sock;
            fastcgi_index index.php;
            # Tell PHP that the request arrived over HTTPS.
            fastcgi_param HTTPS on;
        }
    }

Press the "Esc" key to leave insert mode, then hold Shift and press "z" twice to save and exit.
Step07: Check that the nginx configuration is correct

    /usr/local/nginx/sbin/nginx -t

If no errors are reported, restart nginx:

    /etc/init.d/nginx restart
Done.