要将Nginx配置为使用SSL证书并启用HTTPS,请按照以下步骤操作:
.crt或.pem证书文件和.key私钥文件)nginx -v检查版本)将证书文件上传到服务器,建议放在Nginx配置目录下:
sudo mkdir -p /etc/nginx/ssl
sudo cp your_domain.crt /etc/nginx/ssl/
sudo cp your_domain.key /etc/nginx/ssl/
编辑站点配置文件(通常在/etc/nginx/sites-available/your_site):
server {
listen 443 ssl;
server_name yourdomain.com www.yourdomain.com;
ssl_certificate /etc/nginx/ssl/your_domain.crt;
ssl_certificate_key /etc/nginx/ssl/your_domain.key;
# 提高安全性配置
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
ssl_ecdh_curve secp384r1;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
ssl_stapling on;
ssl_stapling_verify on;
# 其他配置...
root /var/www/html;
index index.html index.htm;
location / {
try_files $uri $uri/ =404;
}
}
# HTTP重定向到HTTPS
server {
listen 80;
server_name yourdomain.com www.yourdomain.com;
return 301 https://$server_name$request_uri;
}
生成DH参数(需要较长时间):
sudo openssl dhparam -out /etc/nginx/ssl/dhparam.pem 2048
然后在Nginx配置中添加:
ssl_dhparam /etc/nginx/ssl/dhparam.pem;
在443端口的server块中添加:
listen 443 ssl http2;
确保已配置DNS解析,并添加:
ssl_trusted_certificate /etc/nginx/ssl/your_domain_chain.crt;
sudo nginx -t
sudo systemctl reload nginx
# 或
sudo service nginx reload
使用以下工具验证SSL配置:
- SSL Labs测试
- 命令行验证:openssl s_client -connect yourdomain.com:443 -servername yourdomain.com
如果使用Let's Encrypt证书,可以设置自动续期:
sudo certbot renew --dry-run
设置cron任务自动续期:
sudo crontab -e
添加:
0 0,12 * * * /usr/bin/certbot renew --quiet
chmod 400 your_domain.keyadd_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;按照以上步骤配置后,您的网站将通过HTTPS安全地提供服务。