在我们网站购买的客户,请登录下载证书压缩包,在解压后,您应该能看到Nginx文件夹
里面应该有两个文件:fullchain.crt (服务器证书) private.key (私钥文件)如果为空请将生成CSR时保存的私钥内容粘贴在文件中
环境检测,检测命令如下(测试nginx是否支持SSL)nginx -V
如果有显示 –with-http_ssl_module 表示已编译openssl,支持安装ssl
如果没有安装请下载nginx源码重新编译./configure –with-http_stub_status_module –with-http_ssl_module make && make install
配置Nginxserver { listen 80; listen 443 ssl; server_name www.example.org example.org; ssl_protocols TLSv1.2 TLS1.3 TLSv1.1 TLSv1; ssl_certificate /etc/ssl/fullchain.crt; #您证书文件的路径 ssl_certificate_key /etc/ssl/private.key; ssl_prefer_server_ciphers on;
ssl_ciphers ‘ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA’; #自动跳转到HTTPS (可选) if ($server_port = 80) { rewrite ^(.*)$ https://$host$1 permanent; } location / { root /home/wwwroot; index index.php; } }
以上配置仅供参考,其他参数请根据生产环境需要添加。
安装后重启nginx使其生效service nginx restart #centos6
systemctl restart nginx #centos7
问题排查:
如果使用CDN(加速器),需要在CDN上面安装证书,国内免费加速的都不支持https
检查443端口是否启动 使用下面命令 netstat -apnt | grep 443 (如果没有启动检查配置文件或者端口是否冲突)
443端口如果已经启动,但不能访问,请检查防火墙(或者安全狗) ,允许443端口.
linux iptables使用下面命令:iptables -A INPUT -p tcp -m tcp –dport https -j ACCEPT