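Deploying an SSL certificate on nginx on Tencent Cloud

To keep browsers from warning visitors that the link they are opening is not secure, an SSL certificate has to be deployed.
The free SSL certificate is valid for only one year; once it expires you have to apply again and redeploy it by hand.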

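Apply for a free certificate

Cloud Products => SSL Certificates => Apply for Free Certificate

Download the SSL certificate for nginx deployment

The download is a zip archive, which needs to be copied to the cloud server.

Copy the certificate to the cloud server

Linux

Assume the SSL certificate was downloaded to the ~/Downloads/ directory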

cd ~/Downloads/
scp xxx.zip IP:~/

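This puts xxx.zip in the HOME directory on the cloud server.

Windows

Log in to the cloud server directly with MobaXterm

Drag the SSL certificate to the spot the arrow points at and it is copied to the cloud server

Deploy the SSL certificate

Reference: Nginx server SSL certificate installation and deployment

This assumes nginx is already installed and that port 443 and the firewall are not a problem

Unzip the SSL certificate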

cd ~/
unzip xxx.zip

Create the configuration file

sudo vim /etc/nginx/conf.d/my_blog.conf

Fill in the following content:

##
# You should look at the following URL's in order to grasp a solid understanding
# of Nginx configuration files in order to fully unleash the power of Nginx.
# https://www.nginx.com/resources/wiki/start/
# https://www.nginx.com/resources/wiki/start/topics/tutorials/config_pitfalls/
# https://wiki.debian.org/Nginx/DirectoryStructure
#
# In most cases, administrators will remove this file from sites-enabled/ and
# leave it as reference inside of sites-available where it will continue to be
# updated by the nginx packaging team.
#
# This file will automatically load configuration files provided by other
# applications, such as Drupal or Wordpress. These applications will be made
# available underneath a path with that package name, such as /drupal8.
#
# Please see /usr/share/doc/nginx-doc/examples/ for more detailed examples.
##

# Default server configuration
#
#

server {
	listen 80;
	#listen [::]:80 default_server;

	# SSL configuration
	#
	# listen 443 ssl default_server;
	# listen [::]:443 ssl default_server;
	#
	# Note: You should disable gzip for SSL traffic.
	# See: https://bugs.debian.org/773332
	#
	# Read up on ssl_ciphers to ensure a secure configuration.
	# See: https://bugs.debian.org/765782
	#
	# Self signed certs generated by the ssl-cert package
	# Don't use them in a production server!
	#
	# include snippets/snakeoil.conf;

	root /home/xxx/my_blog/public;

	# Add index.php to the list if you are using PHP
	index index.html index.htm index.nginx-debian.html;

	server_name skfwe.cn;
	#rewrite ^(.*)$ https://$host$1 permanent;

	# location / {
	# 	# First attempt to serve request as file, then
	# 	# as directory, then fall back to displaying a 404.
	# 	try_files $uri $uri/ =404;
	# }
	return 301 https://$host$request_uri;

}


server {
    # Listen on port 443
    listen 443 ssl;     # nginx version > 1.15.0
    #listen 443 default;
    #ssl on;
    # Your domain name
    server_name skfwe.cn;
    # Path to the SSL certificate's pem file
    ssl_certificate  /home/xxx/skfwe.cn_nginx/skfwe.cn_bundle.crt;
    # Path to the SSL certificate's key file
    ssl_certificate_key /home/xxx/skfwe.cn_nginx/skfwe.cn.key;
    ssl_session_timeout 5m;
    # Configure the protocols as follows
    ssl_protocols TLSv1.2 TLSv1.3;
    # Configure the cipher suites as follows; the syntax follows the openssl standard.
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;
    ssl_prefer_server_ciphers on;
    location / {
	root /home/xxx/my_blog/public;
	# Add index.php to the list if you are using PHP
	index index.html index.htm index.nginx-debian.html;
    }
}


# Virtual Host configuration for example.com
#
# You can move that to a different file under sites-available/ and symlink that
# to sites-enabled/ to enable it.
#
#server {
#	listen 80;
#	listen [::]:80;
#
#	server_name example.com;
#
#	root /var/www/example.com;
#	index index.html;
#
#	location / {
#		try_files $uri $uri/ =404;
#	}
#}
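  • root: the blog's data directory
  • server_name: the domain name; generally it is the part of the SSL certificate archive's name that comes before _nginx.zip
  • ssl_certificate: the path of the pem file obtained by unzipping the SSL certificate
  • ssl_certificate_key: the path of the key file obtained by unzipping the SSL certificate
  • If the nginx version is > 1.15.0

    use

        listen 443 ssl;     # nginx version > 1.15.0

    instead of

        listen 443 default;
        ssl on;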

Check the configuration file

sudo nginx -t

Reload nginx

sudo nginx -s reload
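
A pre-reload check for the configuration above, as an added example that is not part of the original post: it verifies that the file named by ssl_certificate_key is not accessible to group or others, that ssl_protocols lists nothing older than TLSv1.2, and that the certificate matches the key and is not about to expire (the free certificate lasts only one year). The function names and the 30-day threshold are assumptions of this example.

```shell
#!/bin/sh
# Added example: checks to run on a conf such as my_blog.conf before reloading.

# Print the first value of a directive, ignoring commented-out lines.
conf_value() {  # $1 = directive name, $2 = conf file
    awk -v d="$1" '$1 == d { v = $2; sub(/;$/, "", v); print v; exit }' "$2"
}

# True only if the key exists and group/others have no access (0600 or 0400).
key_perms_ok() {  # $1 = private key file
    [ -f "$1" ] || return 1
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# True only if ssl_protocols is set and lists nothing older than TLSv1.2.
protocols_ok() {  # $1 = conf file
    line=$(awk '$1 == "ssl_protocols" { print; exit }' "$1")
    [ -n "$line" ] || return 1
    for p in $line; do
        case "${p%;}" in
            SSLv2|SSLv3|TLSv1|TLSv1.1) return 1 ;;
        esac
    done
    return 0
}

# True only if certificate and key share a public key and the certificate is
# still valid $3 days from now (uses the openssl CLI).
cert_ok() {  # $1 = certificate, $2 = key, $3 = days
    pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    [ "$pub" = "$(openssl pkey -in "$2" -pubout 2>/dev/null)" ] || return 1
    openssl x509 -in "$1" -noout -checkend $(( $3 * 86400 )) >/dev/null
}

# Run every check on one conf file; print each problem, return non-zero if any.
check_conf() {  # $1 = conf file, $2 = minimum days of validity left (default 30)
    rc=0; days=${2:-30}
    crt=$(conf_value ssl_certificate "$1")
    key=$(conf_value ssl_certificate_key "$1")
    key_perms_ok "$key" || { echo "key missing or open to group/others: $key"; rc=1; }
    protocols_ok "$1" || { echo "ssl_protocols missing or allows a legacy protocol"; rc=1; }
    cert_ok "$crt" "$key" "$days" ||
        { echo "cert/key mismatch, or cert expires within $days days: $crt"; rc=1; }
    return $rc
}

# Usage: check_conf /etc/nginx/conf.d/my_blog.conf 30 && sudo nginx -t
```

Run it as a user that can read the key file, for example through sudo; otherwise the certificate/key comparison is reported as a mismatch.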
Licensed under CC BY-NC-SA 4.0