Home >Operation and Maintenance >Nginx >How to configure ssl in nginx

How to configure ssl in nginx

WBOY
WBOYforward
2023-05-12 17:58:246715browse

One-way SSL configuration example:

server{
    listen 443 ssl;
    server_name www.123.com;
    root /data/wwwroot/www.123.com/ ;
    index index.html ;
    ssl_certificate server.crt;
    ssl_certificate_key server.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ALL:!DH:!EXPORT:!RC4:+HIGH:+MEDIUM:!eNULL;
    ssl_prefer_server_ciphers on;
    location / {
    }
}

Configuration instructions:

1. 443端口为ssl监听端口。
2. ssl on表示打开ssl支持。
3. ssl_certificate指定crt文件所在路径,如果写相对路径,必须把该文件和nginx.conf文件放到一个目录下。
4. ssl_certificate_key指定key文件所在路径。
5. ssl_protocols指定SSL协议。
6. ssl_ciphers配置ssl加密算法,多个算法用:分隔,ALL表示全部算法,!表示不启用该算法,+表示将该算法排到最后面去。
7. ssl_prefer_server_ciphers 如果不指定默认为off,当为on时,在使用SSLv3和TLS协议时,服务器加密算法将优于客户端加密算法。

Note:

nginx is not enabled by default during source code installation The ssl module needs to be recompiled and installed. The installation command is as follows:

./configure --prefix=/usr/local/nginx --with-http_stub_status_module --with-http_ssl_module
make && make install

Then restart nginx

Dual-line SSL configuration example

server{
    listen 443 ssl;
    server_name www.123.com;
    root /data/wwwroot/www.123.com/ ;
    index index.html ;
    ssl_certificate server.crt;
    ssl_certificate_key server.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ALL:!DH:!EXPORT:!RC4:+HIGH:+MEDIUM:!eNULL;
    ssl_prefer_server_ciphers on;
    ssl_client_certificate ca.crt; //这里的ca.crt是根证书公钥文件    ssl_verify_client on;
    location / {
    }
}

Instructions:

There are two more lines in bold than one-way, but after two-way is configured, the server will also authenticate the client's certificate. Under normal circumstances, our one-way SSL is more commonly used.

Note:

Because our certificate is a certificate issued by a self-built CA, the browser does not trust the certificate, so when accessing, it will prompt "The certificate is not valid" Trusted”.

In this case, you only need to import the CA's root certificate into the "Trusted Root Certification Authority" in the browser and you will no longer be prompted with "The certificate is not trusted".

The method of exporting the certificate available for windows is as follows:

[root@localhost root_ca]# openssl pkcs12 -export -inkey private/ca.key -in

Copy the exported certificate to windows, double-click to install, and follow the wizard to import it to the "Trusted Root Certification Authority".

The above is the detailed content of How to configure ssl in nginx. For more information, please follow other related articles on the PHP Chinese website!

Statement:
This article is reproduced at:yisu.com. If there is any infringement, please contact admin@php.cn delete