One-way SSL configuration example:
server{ listen 443 ssl; server_name www.123.com; root /data/wwwroot/www.123.com/ ; index index.html ; ssl_certificate server.crt; ssl_certificate_key server.key; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_ciphers ALL:!DH:!EXPORT:!RC4:+HIGH:+MEDIUM:!eNULL; ssl_prefer_server_ciphers on; location / { } }
Configuration instructions:
1. 443端口为ssl监听端口。 2. ssl on表示打开ssl支持。 3. ssl_certificate指定crt文件所在路径,如果写相对路径,必须把该文件和nginx.conf文件放到一个目录下。 4. ssl_certificate_key指定key文件所在路径。 5. ssl_protocols指定SSL协议。 6. ssl_ciphers配置ssl加密算法,多个算法用:分隔,ALL表示全部算法,!表示不启用该算法,+表示将该算法排到最后面去。 7. ssl_prefer_server_ciphers 如果不指定默认为off,当为on时,在使用SSLv3和TLS协议时,服务器加密算法将优于客户端加密算法。
Note:
nginx is not enabled by default during source code installation The ssl module needs to be recompiled and installed. The installation command is as follows:
./configure --prefix=/usr/local/nginx --with-http_stub_status_module --with-http_ssl_module
make && make install
Then restart nginx
Dual-line SSL configuration example
server{ listen 443 ssl; server_name www.123.com; root /data/wwwroot/www.123.com/ ; index index.html ; ssl_certificate server.crt; ssl_certificate_key server.key; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_ciphers ALL:!DH:!EXPORT:!RC4:+HIGH:+MEDIUM:!eNULL; ssl_prefer_server_ciphers on; ssl_client_certificate ca.crt; //这里的ca.crt是根证书公钥文件 ssl_verify_client on; location / { } }
Instructions:
There are two more lines in bold than one-way, but after two-way is configured, the server will also authenticate the client's certificate. Under normal circumstances, our one-way SSL is more commonly used.
Note:
Because our certificate is a certificate issued by a self-built CA, the browser does not trust the certificate, so when accessing, it will prompt "The certificate is not valid" Trusted”.
In this case, you only need to import the CA's root certificate into the "Trusted Root Certification Authority" in the browser and you will no longer be prompted with "The certificate is not trusted".
The method of exporting the certificate available for windows is as follows:
[root@localhost root_ca]# openssl pkcs12 -export -inkey private/ca.key -in
Copy the exported certificate to windows, double-click to install, and follow the wizard to import it to the "Trusted Root Certification Authority".
The above is the detailed content of How to configure ssl in nginx. For more information, please follow other related articles on the PHP Chinese website!

如何使用 Barrier 在 Mac / PC 之间共享键盘和鼠标您需要确保要与其共享鼠标和键盘的计算机都在同一个网络上,并且在初始设置期间您将在不同的 Mac 之间来回切换。在此处获取最新版本的 Barrier(适用于 Mac 的 DMG,适用于 Windows 的 exe)– 将其下载到您希望能够使用键盘和鼠标的每台计算机上将 Barrier 从 DMG(或使用 exe 安装到 Windows)复制到您打算使用它的每台 Mac 上的 /Applications 文件夹,然后右键单击 Barr

Java8-291之后,禁用了TLS1.1,使JDBC无法用SSL连接SqlServer2008怎么办,以下是解决办法修改java.security文件1.找到jre的java.security文件如果是jre,在{JAVA_HOME}/jre/lib/security中,比如????C:\ProgramFiles\Java\jre1.8.0_301\lib\security如果是Eclipse绿色免安装便携版在安装文件夹搜索java.security,比如????xxx\plugins\org

MySQL:SSL连接简介及设置步骤摘要:MySQL提供了SSL(SecureSocketsLayer)连接来加密在客户端和服务器之间传输的数据。本文将介绍SSL连接的概念和作用,并提供在MySQL中设置SSL连接的步骤以及相关的代码示例。导语:随着网络和数据传输的不断扩大,数据安全性变得越来越重要。通过使用SSL连接,我们可以加

Nginx是一个高性能的Web服务器软件,同时也是一款强大的反向代理服务器和负载均衡器。随着互联网的迅速发展,越来越多的网站开始采用SSL协议保护敏感用户数据,而Nginx也提供了强大的SSL支持,使得Web服务器的安全性能更进一步。本文将介绍如何配置Nginx以支持SSL协议,并保护Web服务器的安全性能。什么是SSL协议?SSL(SecureSocke

如何使用Nginx代理服务器实现Web服务的动态SSL证书生成?Nginx是一款高性能的开源Web服务器,可以用于代理服务器、反向代理和负载均衡等多种用途。它的灵活性使得我们可以利用其强大的功能实现动态SSL证书生成,以提供更安全、更灵活的Web服务。本文将详细介绍如何利用Nginx代理服务器实现动态SSL证书生成。首先,我们需要生成一个自签名的根证书和私钥

Nginx类型的服务器证书压缩包证书压缩文件夹内容如下(这里使用baidu.com的域名作为示例):baidu.com_bundle.crt证书文件baidu.com_bundle.pem证书文件(可忽略该文件)baidu.com.key私钥文件baidu.com.csrCSR文件拷贝证书文件和私钥文件将已获取到的baidu.com_bundle.crt证书文件和baidu.com.key私钥文件从本地目录拷贝到Nginx根目录下的conf目录修改nginx.conf配置编辑Nginx根目录下的

许多Windows用户最近开始抱怨一个问题,即他们在浏览chrome浏览器发现不安全的网页时收到错误消息并抛出错误消息YourconnectionisnotprivatewithaerrorcodeNET::ERR_CERT_WEAK_SIGNATURE_ALGORITHMonWindows11系统。现在Windows用户不确定是什么原因导致了这个问题,以及他们如何解决这个问题以便轻松浏览网页。下面提到了可能导致此错误消息的一些原因。SSL证书缓存问题损坏的浏览数据

如果有防火墙的话,记得开通443端口准备材料:1.申请ssl证书,这个如何申请可以到百度搜一下,因为域名服务商不同,这里不做过多赘述;2.服务器上已安装nginx,并可以正常访问。开始配置:1.进入到nginx目录,查看有没有http_ssl_module模块./nginx-V2.如果没有,找到源码,输入以下命令进行安装(如果有,跳转到第6步)#prefix后面的路径是你安装nginx的路径./configure--prefix=/usr/local/nginx--with-http_ssl_m


Hot AI Tools

Undresser.AI Undress
AI-powered app for creating realistic nude photos

AI Clothes Remover
Online AI tool for removing clothes from photos.

Undress AI Tool
Undress images for free

Clothoff.io
AI clothes remover

AI Hentai Generator
Generate AI Hentai for free.

Hot Article

Hot Tools

SublimeText3 Mac version
God-level code editing software (SublimeText3)

SublimeText3 Linux new version
SublimeText3 Linux latest version

SecLists
SecLists is the ultimate security tester's companion. It is a collection of various types of lists that are frequently used during security assessments, all in one place. SecLists helps make security testing more efficient and productive by conveniently providing all the lists a security tester might need. List types include usernames, passwords, URLs, fuzzing payloads, sensitive data patterns, web shells, and more. The tester can simply pull this repository onto a new test machine and he will have access to every type of list he needs.

WebStorm Mac version
Useful JavaScript development tools

SublimeText3 English version
Recommended: Win version, supports code prompts!
