
Nginx HTTPS Configuration Tutorial: Protecting Website Data in Transit


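With the rapid growth of the internet, website security is receiving more and more attention. Using the HTTPS protocol is a very important measure for protecting website data in transit. This article explains how to configure HTTPS with Nginx so that the site's data transfers are secure.

1. Installing the SSL certificate

Before configuring HTTPS, we need to obtain an SSL certificate, which establishes the identity of the website and secures data in transit. You can buy a certificate from a third-party certificate authority (CA) or use a free, open-source certificate tool such as Let's Encrypt.

The steps for installing the certificate are as follows:

Download the certificate: download the certificate files (including the public key, private key and certificate chain) to the server. Certificate files usually have the extensions .crt and .key.

Create the SSL storage file: use the openssl commands below to merge the .crt and .key files into a single file in .pem format: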

openssl rsa -in privateKey.key -text > privateKey.pem

openssl x509 -inform PEM -in certificate.crt > certificate.pem

cat privateKey.pem certificate.pem > ssl.crt

2. Configuring HTTPS in Nginx

Open the Nginx configuration file: it is usually located at /etc/nginx/nginx.conf or /usr/local/nginx/conf/nginx.conf.

Add the HTTPS server block: inside the http block, add the following configuration:

server {
    listen 443 ssl;
    server_name yourdomain.com;
    ssl_certificate /path/to/ssl.crt;
    ssl_certificate_key /path/to/privateKey.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ......
}

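listen 443 ssl: listens on port 443, the default port for HTTPS, and enables SSL.

server_name: replace with your own domain name.

ssl_certificate: the path to the SSL certificate.

ssl_certificate_key: the path to the SSL private key.

ssl_protocols: the SSL/TLS protocol versions to support.

ssl_ciphers: the cipher suites to support.

Configure the HTTP-to-HTTPS redirect: inside the http block, add the following configuration: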

server {
    listen 80;
    server_name yourdomain.com;
    return 301 https://$server_name$request_uri;
}

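When a user visits an HTTP URL, Nginx automatically redirects the request to the HTTPS URL.

Save and reload the configuration: save the configuration file and run the following command to restart the Nginx service: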

sudo service nginx restart

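At this point, you have successfully configured the Nginx HTTPS service.

3. Optimizing the HTTPS configuration

To further improve the security and performance of the site, you can apply the following optimizations:

Enable HTTP/2: use Nginx's HTTP/2 module to upgrade the HTTPS service to HTTP/2, which improves the site's load speed and performance.

Add to the server block: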

listen 443 ssl http2;

Enable OCSP Stapling: OCSP Stapling is a technique that improves the speed and security of SSL certificate validation. Add to the server block:

ssl_stapling on;

ssl_stapling_verify on;

resolver 8.8.8.8 8.8.4.4 valid=300s;

resolver_timeout 5s;

Configure HTTP Strict Transport Security (HSTS): HSTS forces all HTTP requests to the site onto HTTPS and protects against man-in-the-middle attacks.

Add to the server block:

add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";

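4. Common problems and solutions when configuring HTTPS

You may run into some common problems when configuring HTTPS. Here are a few of them with their solutions:

Configuration file errors: check that the Nginx configuration file is correct, in particular that the paths given for ssl_certificate and ssl_certificate_key are correct.

Certificate errors: make sure your SSL certificate is valid and matches the domain name. You can verify the certificate's validity in a browser.

Firewall problems: if you use a firewall, make sure port 443 (HTTPS) is open.

SSL/TLS protocol problems: some clients may not support older versions of the SSL/TLS protocol. Keeping only TLSv1.2 in ssl_protocols resolves this.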
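
The settings covered in sections 2 to 4 can be checked mechanically before Nginx is restarted. The Python script below is an added example, not part of the original tutorial: `server_blocks` and `audit` are hypothetical helper names, the sample configuration is constructed from the tutorial's two server blocks, and the parser assumes flat server blocks with one directive per line.

```python
import re

# Constructed sample: the tutorial's two server blocks (certificate directives omitted).
SAMPLE = '''
server {
    listen 80;
    server_name yourdomain.com;
    return 301 https://$server_name$request_uri;
}
server {
    listen 443 ssl http2;
    server_name yourdomain.com;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_stapling on;
    add_header Strict-Transport-Security “max-age=31536000; includeSubDomains; preload”;
}
'''

def server_blocks(conf):
    """Yield {directive: [args]} per server block (assumes flat blocks, one directive per line)."""
    for body in re.findall(r'\bserver\s*\{([^{}]*)\}', conf):
        block = {}
        for line in body.splitlines():
            parts = line.split('#')[0].strip().rstrip(';').split(None, 1)
            if parts:
                block.setdefault(parts[0], []).append(parts[1] if len(parts) > 1 else '')
        yield block

def audit(conf):
    """Return findings for the settings this tutorial covers (hypothetical helper)."""
    findings, redirect = [], False
    for b in server_blocks(conf):
        if 'ssl' not in ' '.join(b.get('listen', [])).split():
            # Plain-HTTP block: note whether it redirects to HTTPS.
            redirect |= any(a.startswith('301 https://') for a in b.get('return', []))
            continue
        protos = ' '.join(b.get('ssl_protocols', [])).split()
        old = [p for p in protos if p in ('SSLv2', 'SSLv3', 'TLSv1', 'TLSv1.1')]
        if old:
            findings.append('ssl_protocols enables ' + ', '.join(old))
        if 'on' in b.get('ssl_stapling', []) and 'resolver' not in b:
            findings.append('ssl_stapling on without a resolver in the block')
        hsts = [a for a in b.get('add_header', []) if a.startswith('Strict-Transport-Security')]
        if not hsts:
            findings.append('no Strict-Transport-Security header')
        elif '“' in hsts[0] or '”' in hsts[0]:
            findings.append('HSTS value uses typographic quotes')
    if not redirect:
        findings.append('no port-80 redirect to https')
    return findings
```

Calling `audit(SAMPLE)` returns three findings: the legacy protocol versions, stapling without a resolver, and an HSTS value wrapped in typographic quotes, which Nginx does not treat as quoting.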

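Conclusion

By configuring HTTPS in Nginx, we can give a website a more secure channel for data in transit. This article covered how to install an SSL certificate and configure the Nginx HTTPS service, and provided some optimization settings and solutions to common problems. We hope it helps you make your website's data transfers more secure and reliable.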

ÒÔÉϾÍÊÇNginx HTTPSÉèÖý̳Ì £¬±£»¤ÍøÕ¾Êý¾Ý´«ÊäÇå¾²µÄÏêϸÄÚÈÝ £¬¸ü¶àÇë¹Ø×¢±¾ÍøÄÚÆäËüÏà¹ØÎÄÕ£¡

ÃâÔð˵Ã÷£ºÒÔÉÏչʾÄÚÈÝȪԴÓÚÏàÖúýÌå¡¢ÆóÒµ»ú¹¹¡¢ÍøÓÑÌṩ»òÍøÂçÍøÂçÕûÀí £¬°æȨÕùÒéÓë±¾Õ¾ÎÞ¹Ø £¬ÎÄÕÂÉæ¼°¿´·¨Óë¿´·¨²»´ú±í×ðÁú¿­Ê±¹ÙÍøµÇ¼ÂËÓÍ»úÍø¹Ù·½Ì¬¶È £¬Çë¶ÁÕß½ö×ö²Î¿¼¡£±¾ÎĽӴýתÔØ £¬×ªÔØÇë˵Ã÷À´ÓÉ¡£ÈôÄúÒÔΪ±¾ÎÄÇÖÕ¼ÁËÄúµÄ°æȨÐÅÏ¢ £¬»òÄú·¢Ã÷¸ÃÄÚÈÝÓÐÈκÎÉæ¼°ÓÐÎ¥¹«µÂ¡¢Ã°·¸Ö´·¨µÈÎ¥·¨ÐÅÏ¢ £¬ÇëÄúÁ¬Ã¦ÁªÏµ×ðÁú¿­Ê±¹ÙÍøµÇ¼ʵʱÐÞÕý»òɾ³ý¡£

Ïà¹ØÐÂÎÅ

ÁªÏµ×ðÁú¿­Ê±¹ÙÍøµÇ¼

18523999891

¿É΢ÐÅÔÚÏß×Éѯ

ÊÂÇéʱ¼ä£ºÖÜÒ»ÖÁÖÜÎå £¬9:30-18:30 £¬½ÚãåÈÕÐÝÏ¢

QR code
ÍøÕ¾µØͼ