1、获取证书
在阿里云等网站上点击购买ssl证书,选择免费型DV SSL证书,一般有效期为一年,只能绑定一个域名。
购买完成后需要绑定域名,几分钟后就会显示“已签发” 。点击下载证书,根据需要下载tomcat或nginx等证书。
下载的证书中有2个文件: xxxx.pem 和xxxx.key
3、nginx安装
安装参考: https://blog.csdn.net/u013792404/article/details/93863306
nginx使用的版本是:nginx-1.16.1.tar.gz
先将域名解析到服务器IP , 然后在服务器上安装nginx
4、配置nginx.conf
将证书 xxxx.pem 和xxxx.key 复制到 nginx/conf/下面 (即和nginx.conf同一目录)
#user nobody;
worker_processes 1;
#error_log logs/error.log;
#error_log logs/error.log notice;
#error_log logs/error.log info;
#pid logs/nginx.pid;
events {
worker_connections 1024;
}
http {
include mime.types;
default_type application/octet-stream;
#log_format main '$remote_addr - $remote_user [$time_local] "$request" '
# '$status $body_bytes_sent "$http_referer" '
# '"$http_user_agent" "$http_x_forwarded_for"';
#access_log logs/access.log main;
sendfile on;
#tcp_nopush on;
#keepalive_timeout 0;
keepalive_timeout 65;
upstream server1 {
# 根据实际情况指到具体内网或外网IP
server 192.168.8.101:8080 ;
}
#gzip on;
# HTTPS server
server {
listen 443 ssl ;
server_name www.xxx.com;
ssl_certificate xxxx.pem;
ssl_certificate_key xxxx.key;
ssl_session_cache shared:SSL:1m;
ssl_session_timeout 5m;
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES25;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
location / {
proxy_pass http://server1;
# root html;
# index index.html index.htm;
}
}
server {
listen 80;
server_name www.xxx.com;
# 把http的域名请求转成https
rewrite ^(.*)$ https://$host$1 permanent;
#charset koi8-r;
#access_log logs/host.access.log main;
#location / {
# root html;
# index index.html index.htm;
#}
}
# another virtual host using mix of IP-, name-, and port-based configuration
#
#server {
# listen 8000;
# listen somename:8080;
# server_name somename alias another.alias;
# location / {
# root html;
# index index.html index.htm;
# }
#}
# HTTPS server
#
#server {
# listen 443 ssl;
# server_name localhost;
# ssl_certificate cert.pem;
# ssl_certificate_key cert.key;
# ssl_session_cache shared:SSL:1m;
# ssl_session_timeout 5m;
# ssl_ciphers HIGH:!aNULL:!MD5;
# ssl_prefer_server_ciphers on;
# location / {
# root html;
# index index.html index.htm;
# }
#}
}
检查nginx.conf是否有语法错误: /usr/local/nginx/sbin/nginx -t
语法错误没问题就可以启动nginx了, /usr/local/nginx/sbin/nginx (重启 /usr/local/nginx/sbin/nginx -s reload)
测试访问正常,
5、踩坑点
网上很多配置方法都是 listen 443 ; 导致访问一致有问题, 最后查看nginx.conf默认配置,后面多了一个ssl (listen 443 ssl ; ), 加上正常访问了, 可能是nginx版本影响的原因 , 因此在上面把默认配置也贴出来了
server {
listen 443 ssl ;
.....}