要在Nginx上配置SSL实现HTTPS访问,您需要完成以下步骤:
推荐使用Let's Encrypt免费证书:
sudo apt install certbot python3-certbot-nginx
sudo certbot --nginx -d yourdomain.com -d www.yourdomain.com
或者手动获取证书后,确保有以下文件: - 证书文件(通常为.crt或.pem) - 私钥文件(通常为.key)
编辑Nginx配置文件(通常在/etc/nginx/sites-available/yourdomain.com):
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name yourdomain.com www.yourdomain.com;
# SSL证书配置
ssl_certificate /path/to/your/certificate.crt;
ssl_certificate_key /path/to/your/private.key;
# SSL优化配置
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
# 现代加密套件
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
ssl_prefer_server_ciphers on;
# HSTS (可选但推荐)
add_header Strict-Transport-Security "max-age=63072000" always;
# 其他配置...
root /var/www/yourdomain.com/html;
index index.html index.htm index.nginx-debian.html;
location / {
try_files $uri $uri/ =404;
}
}
添加以下server块来重定向所有HTTP请求到HTTPS:
server {
listen 80;
listen [::]:80;
server_name yourdomain.com www.yourdomain.com;
return 301 https://$host$request_uri;
}
sudo nginx -t # 测试配置是否正确
sudo systemctl reload nginx # 重新加载配置
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /path/to/chain.crt;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
sudo openssl dhparam -out /etc/nginx/dhparam.pem 4096
然后在Nginx配置中添加:
ssl_dhparam /etc/nginx/dhparam.pem;
设置cron任务自动续期:
sudo crontab -e
添加以下行(每周尝试续期):
0 0 * * 0 /usr/bin/certbot renew --quiet --post-hook "systemctl reload nginx"
使用以下工具验证您的SSL配置:
- SSL Labs Test
- curl -vI https://yourdomain.com
通过以上步骤,您的网站现在应该可以通过HTTPS安全访问了。