Configuring SSL certificates in Nginx for a top-level domain and its subdomains


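Configuring the SSL certificate

Requesting a certificate

I use Tencent Cloud, so only the Tencent Cloud certificate request steps are described here.

  1. Go to the Tencent Cloud certificate request page: https://console.cloud.tencent.com/ssl

  2. Click "Request certificate" (the domain must already have completed ICP filing)

  3. Select the free option on the left and click OK

  4. Fill in the details

  5. Click Next

  6. After confirming the request, just wait for the notification e-mail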


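Upload the certificate to the conf folder under the nginx directory on the server

Note: you can create another folder inside the conf folder and write that folder's path directly in the nginx.conf configuration file; see the configuration file below for details.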


Modify the Nginx configuration file

vim /usr/local/src/nginx/conf/nginx.conf

Add the following to nginx.conf

# Redirect HTTP to HTTPS
server {
    listen 80;
    index index.php index.htm index.html;
    server_name hxxzt.com www.hxxzt.com;
    return 301 https://www.hxxzt.com$request_uri;
}

# SSL certificate configuration for the main site
server {
    # "ssl on;" is deprecated; TLS is enabled on the listen directive instead
    listen 443 ssl;
    server_name www.hxxzt.com;
    ssl_certificate /usr/local/src/nginx/conf/indexssl/1_www.hxxzt.com_bundle.crt;
    ssl_certificate_key /usr/local/src/nginx/conf/indexssl/2_www.hxxzt.com.key;
    ssl_session_timeout 5m;
    # TLSv1 and TLSv1.1 are deprecated (RFC 8996), so only TLSv1.2 is enabled
    ssl_protocols TLSv1.2;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;
    ssl_prefer_server_ciphers on;

    location / {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_set_header X-NginX-Proxy true;
        proxy_pass http://127.0.0.1:8080/;
        proxy_redirect off;
    }
}

# Certificate configuration for music.hxxzt.com
server {
    listen 443 ssl;
    server_name music.hxxzt.com;
    ssl_certificate /usr/local/src/nginx/conf/musicssl/1_music.hxxzt.com_bundle.crt;
    ssl_certificate_key /usr/local/src/nginx/conf/musicssl/2_music.hxxzt.com.key;
    ssl_session_timeout 5m;
    ssl_protocols TLSv1.2;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;
    ssl_prefer_server_ciphers on;

    location / {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_set_header X-NginX-Proxy true;
        proxy_pass http://127.0.0.1:8090/;
        proxy_redirect off;
    }
}

# Redirect HTTP to HTTPS automatically
server {
    listen 80;
    index index.php index.htm index.html;
    server_name music.hxxzt.com;
    return 301 https://music.hxxzt.com$request_uri;
}

# Certificate configuration for pay.hxxzt.com
server {
    listen 443 ssl;
    server_name pay.hxxzt.com;
    ssl_certificate /usr/local/src/nginx/conf/payssl/1_pay.hxxzt.com_bundle.crt;
    ssl_certificate_key /usr/local/src/nginx/conf/payssl/2_pay.hxxzt.com.key;
    ssl_session_timeout 5m;
    ssl_protocols TLSv1.2;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;
    ssl_prefer_server_ciphers on;

    location / {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_set_header X-NginX-Proxy true;
        proxy_pass http://127.0.0.1:8091;
        proxy_redirect off;
    }
}

# Redirect HTTP to HTTPS
server {
    listen 80;
    index index.php index.htm index.html;
    server_name pay.hxxzt.com;
    return 301 https://pay.hxxzt.com$request_uri;
}

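The above is the nginx SSL certificate configuration for my own site. Because these are free certificates rather than wildcard certificates, several certificates have to be requested; Tencent Cloud allows 20 free certificates per domain.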
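Added example (not from the original post): the subdomain blocks above are near copies of each other, and nginx accepts a block whose certificate belongs to another hostname, so this small Python audit flags the slips that copying invites: a certificate path left pointing at another host, `listen 443` without `ssl`, TLSv1/TLSv1.1 still enabled, or a missing port-80 redirect. The function names, the example.com sample and the host-in-filename heuristic (based on the 1_<host>_bundle.crt / 2_<host>.key naming used here) are assumptions.

```python
import re

# Constructed sample in the same layout as the post; example.com is a placeholder.
SAMPLE = """
server { listen 80; server_name www.example.com; return 301 https://www.example.com$request_uri; }
server { listen 443 ssl; server_name www.example.com;
         ssl_certificate     conf/indexssl/1_www.example.com_bundle.crt;
         ssl_certificate_key conf/indexssl/2_www.example.com.key;
         ssl_protocols TLSv1.2; location / { proxy_pass http://127.0.0.1:8080/; } }
server { listen 443; server_name music.example.com; ssl on;  # block copied from www
         ssl_certificate     conf/indexssl/1_www.example.com_bundle.crt;
         ssl_certificate_key conf/indexssl/2_www.example.com.key;
         ssl_protocols TLSv1 TLSv1.1 TLSv1.2; }
"""

def server_blocks(conf):
    """Yield the brace-matched body of every server { ... } block."""
    conf = re.sub(r"#.*", "", conf)  # drop comments first
    for m in re.finditer(r"\bserver\s*\{", conf):
        depth, i = 1, m.end()
        while depth and i < len(conf):
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        yield conf[m.end():i - 1]

def args(body, name):
    """Argument lists of every `name ...;` directive in a block body."""
    return [m.group(1).split() for m in re.finditer(r"(?<![\w$])%s\s+([^;{}]+);" % re.escape(name), body)]

def audit(conf):
    """Return sorted (host, finding) pairs; the path check is a naming heuristic."""
    out, redirected, tls_hosts = set(), set(), set()
    for body in server_blocks(conf):
        hosts = [h for a in args(body, "server_name") for h in a]
        listens = args(body, "listen")
        if ["80"] in listens and any(a[-1].startswith("https://") for a in args(body, "return")):
            redirected.update(hosts)
        tls = [a for a in listens if a[0].split(":")[-1] == "443"]
        protos = {p for a in args(body, "ssl_protocols") for p in a}
        for h in (hosts if tls else []):
            tls_hosts.add(h)
            if not any("ssl" in a[1:] for a in tls):
                out.add((h, "listen 443 lacks 'ssl' parameter"))
            if protos & {"TLSv1", "TLSv1.1"}:
                out.add((h, "legacy TLS protocol enabled"))
            for d in ("ssl_certificate", "ssl_certificate_key"):
                if not any(h in a[0] for a in args(body, d)):
                    out.add((h, d + " path does not name host"))
    out.update((h, "no HTTP redirect") for h in tls_hosts - redirected)
    return sorted(out)
```

Run `audit(open("/usr/local/src/nginx/conf/nginx.conf").read())` before `./nginx -t`; an empty list means none of these four slips were found.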


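Check that the nginx configuration file is correct

Go to the /usr/local/src/nginx/sbin directory and run ./nginx -t to check it

If the error shown in the figure appears, handle it as follows

In the directory where the nginx source was unpacked, run

./configure --prefix=/usr/local/src/nginx --with-http_ssl_module

Note: --prefix is added here to specify the installation directory, because a directory was specified when Nginx was installed earlier. If you used the default and did not specify an installation directory, you can remove this option before running the command.

If you get the error ./configure: error: SSL modules require the OpenSSL library. then run the following in order

yum -y install openssl openssl-devel
./configure --prefix=/usr/local/src/nginx
./configure --prefix=/usr/local/src/nginx --with-http_ssl_module

Run make (be sure not to run make install, which would overwrite the installation directory)

Back up the original nginx binary

cp /usr/local/src/nginx/sbin/nginx /usr/local/src/nginx/sbin/nginx.bak

Overwrite the binary in the old installation directory with the new nginx

cp objs/nginx /usr/local/src/nginx/sbin/nginx

The overwrite needs to be confirmed

Test whether nginx is correct

In the /usr/local/src/nginx/sbin directory, run ./nginx -t to check whether the conf file is correct; if it is, the command reports ok and successful

Final result

Site running: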