Home > Operation and Maintenance > Nginx > How to configure ssl in nginx

How to configure ssl in nginx

WBOY
Release: 2023-05-12 17:58:24
forward
6716 people have browsed it

One-way SSL configuration example:

server{
    listen 443 ssl;
    server_name www.123.com;
    root /data/wwwroot/www.123.com/ ;
    index index.html ;
    ssl_certificate server.crt;
    ssl_certificate_key server.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ALL:!DH:!EXPORT:!RC4:+HIGH:+MEDIUM:!eNULL;
    ssl_prefer_server_ciphers on;
    location / {
    }
}
Copy after login

Configuration instructions:

1. 443端口为ssl监听端口。
2. ssl on表示打开ssl支持。
3. ssl_certificate指定crt文件所在路径,如果写相对路径,必须把该文件和nginx.conf文件放到一个目录下。
4. ssl_certificate_key指定key文件所在路径。
5. ssl_protocols指定SSL协议。
6. ssl_ciphers配置ssl加密算法,多个算法用:分隔,ALL表示全部算法,!表示不启用该算法,+表示将该算法排到最后面去。
7. ssl_prefer_server_ciphers 如果不指定默认为off,当为on时,在使用SSLv3和TLS协议时,服务器加密算法将优于客户端加密算法。
Copy after login

Note:

nginx is not enabled by default during source code installation The ssl module needs to be recompiled and installed. The installation command is as follows:

./configure --prefix=/usr/local/nginx --with-http_stub_status_module --with-http_ssl_module
Copy after login
make && make install
Copy after login

Then restart nginx

Dual-line SSL configuration example

server{
    listen 443 ssl;
    server_name www.123.com;
    root /data/wwwroot/www.123.com/ ;
    index index.html ;
    ssl_certificate server.crt;
    ssl_certificate_key server.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ALL:!DH:!EXPORT:!RC4:+HIGH:+MEDIUM:!eNULL;
    ssl_prefer_server_ciphers on;
    ssl_client_certificate ca.crt; //这里的ca.crt是根证书公钥文件    ssl_verify_client on;
    location / {
    }
}
Copy after login

Instructions:

There are two more lines in bold than one-way, but after two-way is configured, the server will also authenticate the client's certificate. Under normal circumstances, our one-way SSL is more commonly used.

Note:

Because our certificate is a certificate issued by a self-built CA, the browser does not trust the certificate, so when accessing, it will prompt "The certificate is not valid" Trusted”.

In this case, you only need to import the CA's root certificate into the "Trusted Root Certification Authority" in the browser and you will no longer be prompted with "The certificate is not trusted".

The method of exporting the certificate available for windows is as follows:

[root@localhost root_ca]# openssl pkcs12 -export -inkey private/ca.key -in
Copy after login

Copy the exported certificate to windows, double-click to install, and follow the wizard to import it to the "Trusted Root Certification Authority".

The above is the detailed content of How to configure ssl in nginx. For more information, please follow other related articles on the PHP Chinese website!

Related labels:
source:yisu.com
Statement of this Website
The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn
Popular Tutorials
More>
Latest Downloads
More>
Web Effects
Website Source Code
Website Materials
Front End Template