Startssl免费SSL证书+Nginx搭建https

作者:Chris

看到好多小伙伴们都使用了HTTPS
所以为了更好的提高国内用户的访问体验(装13。。)在下也试试看

#必备条件

你要有个域名!!!
你要有台server!
你要有备案号!!!
你要有备案号!!!
你要有备案号!!!

以上ok!那么下面我们就开搞!!

#注册StartSSL账号

需要注意注册成功之后需要保存登陆证书并双击导入到系统;
然后登陆选择Authenticate进行登陆,需使用IE或者Microsoft Edge浏览器,由于会弹出证书允许提示,所以chrome无法加载证书

#申请免费StartSSL证书

登陆后进入 Validations Wizard,验证你要添加 ssl 支持的域名



按照提示添加OK!

进入 Certificates Wizard,并选择 Web Servers SSL/TLS Certificates


这里需要注意可以使用官方提供的StartComTool.exe生成CSR
也可以使用openssl命令生成CSR

[root@3-225 ~]# openssl req -newkey rsa:2048 -keyout linux48.key -out linux48.csr                 
Generating a 2048 bit RSA private key
......................+++
........................................................+++
writing new private key to 'linux48.key'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:ShangHai
Locality Name (eg, city) [Default City]:ShangHai
Organization Name (eg, company) [Default Company Ltd]:linux48.com
Organizational Unit Name (eg, section) []:linux48.com
Common Name (eg, your name or your server's hostname) []:*.linux48.com
Email Address []:admin@linux48.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@3-225 ~]#cat linux48.csr  ##复制粘贴到Certificate Signing Request (CSR):

点击here下载证书

#SSL证书的上传和nginx配置

把此crt文件重命名linux48.crt

还有刚才openssl命令生成的key

以上两个文件上传到web服务器;并重启nginx

需要注意的是启动nginx会提示输入PEM的密码,就是之前openssl生成的时候指定的密码

[root@iZ62phtamqlZ vhost]# /usr/local/nginx/sbin/nginx
Enter PEM pass phrase:
[root@iZ62phtamqlZ vhost]# 

以下为nginx配置

[root@iZ62phtamqlZ vhost]# cat linux48.com.conf 
log_format  linux48.com  '$remote_addr - $remote_user [$time_local] "$request" '
             '$status $body_bytes_sent "$http_referer" '
             '"$http_user_agent" $http_x_forwarded_for';


server
        {
                listen       443;
                server_name linux48.com www.linux48.com;
                index index.html index.htm index.php default.html default.htm default.php;
                root  /home/wwwroot/linux48.com/public;


    ssl                  on;
    ssl_certificate      /home/wwwroot/linux48.crt;
    ssl_certificate_key  /home/wwwroot/linux48.key;
    ssl_session_timeout  5m;
    ssl_protocols SSLv2 SSLv3 TLSv1;
    ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
    ssl_prefer_server_ciphers on;

                location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
                        {
                                expires      30d;
                        }

                location ~ .*\.(js|css)?$
                        {
                                expires      12h;
                        }

                access_log  /home/wwwlogs/access.log  linux48.com;
                error_page 404 = /404.html;

        }



server
        {
                listen       80;
                server_name linux48.com www.linux48.com;
                rewrite ^(.*) https://linux48.com$1 permanent;
        }
[root@iZ62phtamqlZ vhost]# 

请注意: 免费SSL证书仅适合于个人网站或非电子商务网站,不显示单位名称,仅起到加密传输信息的作用,并不能证明网站的真实身份。

您的评论

Build by Loppo 0.6.14