How to configure nginx to use ssl module to support HTTPS access

Background:

WeChat applet is used in project development, but the server configuration URL must be https, so the ssl module of nginx needs to be configured to support https access, that is to say To make a website with a domain name of dmsdbj.com, it is required to access it through https://dmsdbj.com.

ssl is called secure socket layer in English. SSL is a digital certificate that uses the SSL protocol to establish a secure channel between the browser and the web server. Data information is securely transmitted between the client and the server.

Prerequisite:

1. To configure the SSL module, you first need a CA certificate. The CA certificate can be issued manually or applied for on Alibaba Cloud. I applied for the certificate on Alibaba Cloud. (For manual issuance, please refer to the link at the bottom of the article)

2. The ssl module is not installed by default. If you want to use this module, you need to specify the –with-http_ssl_module parameter when compiling nginx.

Alibaba Cloud purchase ca certificate

Operation steps:

1. Download the ca certificate

1. Log in to Alibaba Cloud, Select "Console" - "Products and Services", and select "ca Certificate Service (Data Security)" in the "Security (Cloud Shield)" column.

2. Click "Download" on the purchased certificate, and select "nginx/tengine" on the newly opened page. Click "Download certificate for nginx".

2. Install the certificate in the nginx configuration file

File description: 1. The certificate file "certificate name.pem'' contains two sections of content. Please do not delete any content. 2. If it is a csr created by the certificate system, it also contains: the certificate private key file "certificate name.key". (1) In Create a cert folder in the directory where the nginx configuration file is located, and copy all the downloaded files to the cert directory. If you create a csr file yourself when applying for a certificate, please put the corresponding private key file in the cert directory and name it is "certificate name.key";

(2) Open the nginx.conf file in the conf directory under the nginx installation directory, find:

# https server
# #server {
# listen 443;
# server_name localhost;
# ssl on;
# ssl_certificate cert.pem;
# ssl_certificate_key cert.key;
# ssl_session_timeout 5m;
# ssl_protocols sslv2 sslv3 tlsv1;
# ssl_ciphers all:!adh:!export56:rc4+rsa:+high:+medium:+low:+sslv2:+exp;
# ssl_prefer_server_ciphers on;
# location / {
#
#
#}
#}

(3) Modify it to (the following attributes The attributes starting with ssl are directly related to the certificate configuration. Please copy or adjust other attributes based on your actual situation):

server {
  listen 443;
  server_name localhost;
  ssl on;
  root html;
  index index.html index.htm;
  ssl_certificate  cert/证书名称.pem;
  ssl_certificate_key cert/证书名称.key;
  ssl_session_timeout 5m;
  ssl_ciphers ecdhe-rsa-aes128-gcm-sha256:ecdhe:ecdh:aes:high:!null:!anull:!md5:!adh:!rc4;
  ssl_protocols tlsv1 tlsv1.1 tlsv1.2;
  ssl_prefer_server_ciphers on;
  location / {
    root html;
    index index.html index.htm;
  }
}

Save and exit.

(4) Restart nginx.

nginx -s reload

(5) Access your site through https and test the installation and configuration of the site certificate. Enter https://dmsdbj.com in the browser, as shown in the figure below, indicating that the configuration is successful.

Problems encountered during the installation process

Error 1:

nginx: [emerg ] unknown directive "ssl" in /usr/local/nginx/conf/nginx.conf:151

Solution:

This error may be caused by two situations ：

Case one: The configuration file format is incorrect.

Solution reference link:

Case two: The ssl module is not installed

Default situation The ssl module is not installed. If you want to use this module, you need to specify the --with-http_ssl_module parameter when compiling nginx. This situation will also cause error 2.

Solution:

nginx lacks the http_ssl_module module. When compiling and installing, just bring the --with-http_ssl_module configuration. But the current situation is that my nginx has already been installed. How to add the module is actually very simple. Read on: Note: My nginx installation directory is the /usr/local/nginx directory, and my source code package is in the /usr/local/src/nginx-1.3.6 directory

(1) Switch to the source code package:

cd /root/nginx-1.13.6

(2) Configuration information:

./configure --prefix=/usr/local/nginx --with-http_stub_status_module --with-http_ssl_module

(3) After the configuration is completed, run make to compile. Do not perform make install, otherwise it will overwrite the installation.

mark

(4) Then back up the original installed nginx

cp /usr/local/nginx/sbin/nginx /usr/local/nginx/sbin/nginx.bak

(5) Stop nginx, just use the normal command nginx -s stop

nginx -s stop

If you turn it off If not, just kill the process directly. ps aux | grep process name to view the pid number occupied by the process.

ps aux|grep nginx

Just kill the detected pid. The kill -9 pid command is used to terminate the process. You must first kill the pid corresponding to root before you can proceed with the following three nobody pids.

kill -9 10922
kill -9 28276
kill -9 28277
kill -9 28278

(6) Overwrite the original nginx with the just compiled nginx

cp ./objs/nginx /usr/local/nginx/sbin/

(7) Start nginx

nginx

(8) Use the following command to check whether Already joined successfully.

nginx -v

Error two:

nginx: [emerg] the "ssl" parameter requires ngx_http_ssl_module in /usr/local/nginx/conf/nginx.conf:148

Solution:

For the solution to this situation, please refer to the solution to the second situation of error 1.

Error three:

stoping nginx... nginx: [emerg] bio_new_file("/usr/local/nginx/conf/cert/214291778530222. pem") failed (ssl: error:02001002:system library:fopen:no such file or directory:fopen('/usr/local/nginx/conf/cert/214291778530222.pem','r') error:2006d080:bio routines:bio_new_file:no such file) failed. use force-quit

Solution:

This may be because the certificate path is not stored in the correct location It is caused correctly, and as long as the absolute path is written, an error will be reported, regardless of Windows or Linux.

Put the certificate file in the directory where nginx.conf is located.

The above is the detailed content of How to configure nginx to use ssl module to support HTTPS access. For more information, please follow other related articles on the PHP Chinese website!