search
HomeOperation and MaintenanceNginxHow to configure ssl in nginx

One-way SSL configuration example:

server{
    listen 443 ssl;
    server_name www.123.com;
    root /data/wwwroot/www.123.com/ ;
    index index.html ;
    ssl_certificate server.crt;
    ssl_certificate_key server.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ALL:!DH:!EXPORT:!RC4:+HIGH:+MEDIUM:!eNULL;
    ssl_prefer_server_ciphers on;
    location / {
    }
}

Configuration instructions:

1. 443端口为ssl监听端口。
2. ssl on表示打开ssl支持。
3. ssl_certificate指定crt文件所在路径,如果写相对路径,必须把该文件和nginx.conf文件放到一个目录下。
4. ssl_certificate_key指定key文件所在路径。
5. ssl_protocols指定SSL协议。
6. ssl_ciphers配置ssl加密算法,多个算法用:分隔,ALL表示全部算法,!表示不启用该算法,+表示将该算法排到最后面去。
7. ssl_prefer_server_ciphers 如果不指定默认为off,当为on时,在使用SSLv3和TLS协议时,服务器加密算法将优于客户端加密算法。

Note:

nginx is not enabled by default during source code installation The ssl module needs to be recompiled and installed. The installation command is as follows:

./configure --prefix=/usr/local/nginx --with-http_stub_status_module --with-http_ssl_module
make && make install

Then restart nginx

Dual-line SSL configuration example

server{
    listen 443 ssl;
    server_name www.123.com;
    root /data/wwwroot/www.123.com/ ;
    index index.html ;
    ssl_certificate server.crt;
    ssl_certificate_key server.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ALL:!DH:!EXPORT:!RC4:+HIGH:+MEDIUM:!eNULL;
    ssl_prefer_server_ciphers on;
    ssl_client_certificate ca.crt; //这里的ca.crt是根证书公钥文件    ssl_verify_client on;
    location / {
    }
}

Instructions:

There are two more lines in bold than one-way, but after two-way is configured, the server will also authenticate the client's certificate. Under normal circumstances, our one-way SSL is more commonly used.

Note:

Because our certificate is a certificate issued by a self-built CA, the browser does not trust the certificate, so when accessing, it will prompt "The certificate is not valid" Trusted”.

In this case, you only need to import the CA's root certificate into the "Trusted Root Certification Authority" in the browser and you will no longer be prompted with "The certificate is not trusted".

The method of exporting the certificate available for windows is as follows:

[root@localhost root_ca]# openssl pkcs12 -export -inkey private/ca.key -in

Copy the exported certificate to windows, double-click to install, and follow the wizard to import it to the "Trusted Root Certification Authority".

The above is the detailed content of How to configure ssl in nginx. For more information, please follow other related articles on the PHP Chinese website!

Statement
This article is reproduced at:亿速云. If there is any infringement, please contact admin@php.cn delete
等不及通用控制?现在通过 Barrier 在 Mac、PC 之间共享键盘和鼠标等不及通用控制?现在通过 Barrier 在 Mac、PC 之间共享键盘和鼠标Apr 14, 2023 pm 12:04 PM

如何使用 Barrier 在 Mac / PC 之间共享键盘和鼠标您需要确保要与其共享鼠标和键盘的计算机都在同一个网络上,并且在初始设置期间您将在不同的 Mac 之间来回切换。在此处获取最新版本的 Barrier(适用于 Mac 的 DMG,适用于 Windows 的 exe)– 将其下载到您希望能够使用键盘和鼠标的每台计算机上将 Barrier 从 DMG(或使用 exe 安装到 Windows)复制到您打算使用它的每台 Mac 上的 /Applications 文件夹,然后右键单击 Barr

Java8(291)之后禁用了TLS1.1使JDBC无法用SSL连接SqlServer2008怎么解决Java8(291)之后禁用了TLS1.1使JDBC无法用SSL连接SqlServer2008怎么解决May 16, 2023 pm 11:55 PM

Java8-291之后,禁用了TLS1.1,使JDBC无法用SSL连接SqlServer2008怎么办,以下是解决办法修改java.security文件1.找到jre的java.security文件如果是jre,在{JAVA_HOME}/jre/lib/security中,比如????C:\ProgramFiles\Java\jre1.8.0_301\lib\security如果是Eclipse绿色免安装便携版在安装文件夹搜索java.security,比如????xxx\plugins\org

MySQL: SSL 连接简介及设置步骤MySQL: SSL 连接简介及设置步骤Sep 08, 2023 pm 03:51 PM

MySQL:SSL连接简介及设置步骤摘要:MySQL提供了SSL(SecureSocketsLayer)连接来加密在客户端和服务器之间传输的数据。本文将介绍SSL连接的概念和作用,并提供在MySQL中设置SSL连接的步骤以及相关的代码示例。导语:随着网络和数据传输的不断扩大,数据安全性变得越来越重要。通过使用SSL连接,我们可以加

Nginx与SSL:配置HTTPS保护Web服务器Nginx与SSL:配置HTTPS保护Web服务器Jun 09, 2023 pm 09:24 PM

Nginx是一个高性能的Web服务器软件,同时也是一款强大的反向代理服务器和负载均衡器。随着互联网的迅速发展,越来越多的网站开始采用SSL协议保护敏感用户数据,而Nginx也提供了强大的SSL支持,使得Web服务器的安全性能更进一步。本文将介绍如何配置Nginx以支持SSL协议,并保护Web服务器的安全性能。什么是SSL协议?SSL(SecureSocke

如何使用Nginx代理服务器实现Web服务的动态SSL证书生成?如何使用Nginx代理服务器实现Web服务的动态SSL证书生成?Sep 05, 2023 pm 02:24 PM

如何使用Nginx代理服务器实现Web服务的动态SSL证书生成?Nginx是一款高性能的开源Web服务器,可以用于代理服务器、反向代理和负载均衡等多种用途。它的灵活性使得我们可以利用其强大的功能实现动态SSL证书生成,以提供更安全、更灵活的Web服务。本文将详细介绍如何利用Nginx代理服务器实现动态SSL证书生成。首先,我们需要生成一个自签名的根证书和私钥

Windows环境下Nginx服务器SSL证书怎么安装部署Windows环境下Nginx服务器SSL证书怎么安装部署May 15, 2023 am 09:37 AM

Nginx类型的服务器证书压缩包证书压缩文件夹内容如下(这里使用baidu.com的域名作为示例):baidu.com_bundle.crt证书文件baidu.com_bundle.pem证书文件(可忽略该文件)baidu.com.key私钥文件baidu.com.csrCSR文件拷贝证书文件和私钥文件将已获取到的baidu.com_bundle.crt证书文件和baidu.com.key私钥文件从本地目录拷贝到Nginx根目录下的conf目录修改nginx.conf配置编辑Nginx根目录下的

修复:Windows PC 上 Chrome 中的 ERR_CERT_WEAK_SIGNATURE_ALGORITHM 错误修复:Windows PC 上 Chrome 中的 ERR_CERT_WEAK_SIGNATURE_ALGORITHM 错误Apr 18, 2023 am 09:41 AM

许多Windows用户最近开始抱怨一个问题,即他们在浏览chrome浏览器发现不安全的网页时收到错误消息并抛出错误消息YourconnectionisnotprivatewithaerrorcodeNET::ERR_CERT_WEAK_SIGNATURE_ALGORITHMonWindows11系统。现在Windows用户不确定是什么原因导致了这个问题,以及他们如何解决这个问题以便轻松浏览网页。下面提到了可能导致此错误消息的一些原因。SSL证书缓存问题损坏的浏览数据

Nginx如何配置ssl证书Nginx如何配置ssl证书May 16, 2023 pm 04:25 PM

如果有防火墙的话,记得开通443端口准备材料:1.申请ssl证书,这个如何申请可以到百度搜一下,因为域名服务商不同,这里不做过多赘述;2.服务器上已安装nginx,并可以正常访问。开始配置:1.进入到nginx目录,查看有没有http_ssl_module模块./nginx-V2.如果没有,找到源码,输入以下命令进行安装(如果有,跳转到第6步)#prefix后面的路径是你安装nginx的路径./configure--prefix=/usr/local/nginx--with-http_ssl_m

See all articles

Hot AI Tools

Undresser.AI Undress

Undresser.AI Undress

AI-powered app for creating realistic nude photos

AI Clothes Remover

AI Clothes Remover

Online AI tool for removing clothes from photos.

Undress AI Tool

Undress AI Tool

Undress images for free

Clothoff.io

Clothoff.io

AI clothes remover

AI Hentai Generator

AI Hentai Generator

Generate AI Hentai for free.

Hot Article

R.E.P.O. Energy Crystals Explained and What They Do (Yellow Crystal)
2 weeks agoBy尊渡假赌尊渡假赌尊渡假赌
Repo: How To Revive Teammates
4 weeks agoBy尊渡假赌尊渡假赌尊渡假赌
Hello Kitty Island Adventure: How To Get Giant Seeds
3 weeks agoBy尊渡假赌尊渡假赌尊渡假赌

Hot Tools

SublimeText3 Mac version

SublimeText3 Mac version

God-level code editing software (SublimeText3)

SublimeText3 Linux new version

SublimeText3 Linux new version

SublimeText3 Linux latest version

SecLists

SecLists

SecLists is the ultimate security tester's companion. It is a collection of various types of lists that are frequently used during security assessments, all in one place. SecLists helps make security testing more efficient and productive by conveniently providing all the lists a security tester might need. List types include usernames, passwords, URLs, fuzzing payloads, sensitive data patterns, web shells, and more. The tester can simply pull this repository onto a new test machine and he will have access to every type of list he needs.

WebStorm Mac version

WebStorm Mac version

Useful JavaScript development tools

SublimeText3 English version

SublimeText3 English version

Recommended: Win version, supports code prompts!