Requesting a free 1-year SSL certificate
1- First apply for it on Tencent Cloud.
2- Then add the DNS record for the domain to pass verification.
3- Download the two files, .key and .crt.
Configuring SSL
Method 1: following Tencent Cloud's instructions has one problem. With root set to html, the site directory defaults to /usr/local/nginx/html; pointing it at a different directory gives a 403.
server {
    listen 443;
    server_name www.domain.com; # the domain the certificate is bound to
    ssl on;
    ssl_certificate 1_www.domain.com_bundle.crt;
    ssl_certificate_key 2_www.domain.com.key;
    ssl_session_timeout 5m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # protocols as Tencent Cloud recommends (TLSv1 and TLSv1.1 are deprecated; on a current nginx prefer TLSv1.2 TLSv1.3)
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE; # cipher suites as Tencent Cloud recommends
    ssl_prefer_server_ciphers on;
    location / {
        root html; # site directory
        index index.html index.htm;
    }
}
Method 2: use the LNMP installation directly. After installation only the .crt and .key paths need to be edited, because by default they point at the directory only. For convenience later, the whole config is pasted here.
server
{
    listen 80;
    #listen [::]:80;
    server_name json.video;
    index index.html index.htm index.php default.html default.htm default.php;
    root /home/wwwroot/json.video;
    include other.conf;
    #error_page 404 /404.html;
    # Deny access to PHP files in specific directory
    #location ~ /(wp-content|uploads|wp-includes|images)/.*\.php$ { deny all; }
    include enable-php.conf;
    location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
    {
        expires 30d;
    }
    location ~ .*\.(js|css)?$
    {
        expires 12h;
    }
    location ~ /.well-known {
        allow all;
    }
    location ~ /\.
    {
        deny all;
    }
    access_log /home/wwwlogs/json.video.log;
}
server
{
    listen 443 ssl http2;
    #listen [::]:443 ssl http2;
    server_name json.video;
    index index.html index.htm index.php default.html default.htm default.php;
    root /home/wwwroot/json.video;
    ssl on; # redundant with "listen 443 ssl" and deprecated since nginx 1.15.0; drop it on a current nginx
    ssl_certificate /home/sslkey/1_json.video_bundle.crt;
    ssl_certificate_key /home/sslkey/2_json.video.key;
    ssl_session_timeout 5m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # TLSv1 and TLSv1.1 are deprecated; prefer TLSv1.2 TLSv1.3 on a current nginx
    ssl_prefer_server_ciphers on;
    # the 3DES suites at the end only serve very old clients; drop them if none are needed
    ssl_ciphers "EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5";
    ssl_session_cache builtin:1000 shared:SSL:10m;
    # openssl dhparam -out /usr/local/nginx/conf/ssl/dhparam.pem 2048
    ssl_dhparam /usr/local/nginx/conf/ssl/dhparam.pem;
    include other.conf;
    #error_page 404 /404.html;
    # Deny access to PHP files in specific directory
    #location ~ /(wp-content|uploads|wp-includes|images)/.*\.php$ { deny all; }
    include enable-php.conf;
    location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
    {
        expires 30d;
    }
    location ~ .*\.(js|css)?$
    {
        expires 12h;
    }
    location ~ /.well-known {
        allow all;
    }
    location ~ /\.
    {
        deny all;
    }
    access_log /home/wwwlogs/json.video.log;
}
Redirecting to https:
Add the following inside the http server block:
rewrite ^(.*) https://$host$1 permanent;
A 500 error is shown
Add the following two lines to index.php and restart the LNMP environment:
error_reporting(E_ALL);
ini_set('display_errors', 'On'); // for debugging only: remove both lines once the cause is found, since display_errors on a live site shows file paths and error details to every visitor
If it reports an open_basedir() problem, change the bottom of the file /usr/local/nginx/conf/fastcgi.conf to the following
(the LNMP default is kept commented out above the new line; note that the value must open and close with the same double quote, and that the tmp entry is the absolute path /tmp/):
# fastcgi_param PHP_ADMIN_VALUE "open_basedir=$document_root/:/tmp/:/proc/";
fastcgi_param PHP_ADMIN_VALUE "open_basedir=$document_root/:/tmp/:/proc/:/home/wwwroot/default/basic/";
After configuring SSL, nginx cannot be restarted and the https config does not take effect
Restarting nginx prints the following:
Stoping nginx... nginx: [emerg] PEM_read_bio_X509_AUX("/home/sslkey") failed (SSL: error:0906D06C:PEM routines:PEM_read_bio:no start line:Expecting: TRUSTED CERTIFICATE)
failed. Use force-quit
There are two possible causes.
1- The LNMP default only fills in the path; the filename has not been appended.
ssl_certificate /home/key_dir/1_json.video_bundle.crt;
ssl_certificate_key /home/key_dir/2_json.video.key;
2- The .crt may have been generated without line breaks inside it.
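Both causes above (a directory instead of a file, and PEM markers not on their own lines) surface only as the bare "no start line" error from nginx. The following Python script is an added example, not part of the original notes or of LNMP: it checks a certificate/key pair the same way nginx does before you reload, using only the standard library; the file names it is meant to be pointed at are the ones from the config above, but any path can be passed.

```python
"""Pre-flight check for an nginx ssl_certificate / ssl_certificate_key pair.

Mirrors what nginx does at startup: open both paths, expect PEM blocks whose
BEGIN/END markers sit on their own lines, then let OpenSSL load chain and key
together. Run it before `nginx -s reload` to get a readable cause instead of
"PEM_read_bio_X509_AUX(...) failed ... no start line".
"""
import os
import re
import ssl

# One PEM block: BEGIN line, base64 body, END line, each on its own line.
PEM_BLOCK = re.compile(
    r"^-----BEGIN ([A-Z ]+)-----\r?\n(.+?)\r?\n^-----END \1-----", re.S | re.M)


def pem_problems(label, path):
    """Structural problems with one file, as nginx would hit them; [] means it looks fine."""
    if os.path.isdir(path):
        # The LNMP template carries only the directory; the filename must be appended.
        return [f"{label}: {path} is a directory, not a certificate/key file"]
    if not os.path.isfile(path):
        return [f"{label}: {path} does not exist"]
    with open(path, "rb") as fh:
        data = fh.read().decode("ascii", "replace")
    blocks = PEM_BLOCK.findall(data)
    if not blocks:
        if "-----BEGIN" in data:
            # Markers exist but are glued to the body: the .crt was saved without line breaks.
            return [f"{label}: BEGIN/END markers are not on their own lines (missing newlines)"]
        return [f"{label}: no PEM block found (OpenSSL reports this as 'no start line')"]
    kinds = [kind for kind, _ in blocks]
    if label == "ssl_certificate" and "CERTIFICATE" not in kinds:
        return [f"{label}: file contains {kinds}, not a CERTIFICATE"]
    if label == "ssl_certificate_key" and not any(k.endswith("PRIVATE KEY") for k in kinds):
        return [f"{label}: file contains {kinds}, not a PRIVATE KEY"]
    return []


def check_pair(cert_path, key_path):
    """All problems nginx would hit for this pair; an empty list means it will load."""
    problems = pem_problems("ssl_certificate", cert_path) + pem_problems("ssl_certificate_key", key_path)
    if problems:
        return problems
    try:  # same OpenSSL path nginx takes: parse the chain and check the key matches the leaf
        ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER).load_cert_chain(cert_path, key_path)
    except OSError as exc:  # ssl.SSLError is a subclass of OSError
        problems.append(f"OpenSSL rejected the pair: {exc}")
    return problems
```

Call check_pair('/home/sslkey/1_json.video_bundle.crt', '/home/sslkey/2_json.video.key') from a Python shell on the server; an empty list means nginx will accept the pair, otherwise each entry names the failing directive and why.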