Reposted from: cloud.tencent.com/document/pr…
Operating scenarios
This document describes how to install an SSL certificate on the Nginx server.
Description:
- This document uses the certificate name cloud.tencent.com as an example.
- Nginx version nginx/1.18.0 is used as an example.
- The current server runs the CentOS 7 operating system. Detailed operations may vary depending on the operating system version.
- Before installing the SSL certificate, enable port 443 on the Nginx server. Otherwise, HTTPS cannot be enabled after the certificate is installed. For details, see How Do I Enable Port 443?
- For details about how to upload the SSL certificate file to the server, see How to Copy a Local File to the Cloud Server.
Prerequisites
- You have obtained remote file copy software, such as WinSCP. You are advised to obtain the latest version from the official website.
- You have a remote login tool, such as PuTTY or Xshell. You are advised to obtain the latest version from the official website.
- The Nginx service has been installed and configured on the current server.
- Before installing an SSL certificate, obtain the following data (name: description):
  - Server IP address: the IP address of the server, which is used to connect the PC to the server.
  - User name: the user name for logging in to the server.
  - Password: the password for logging in to the server.
Description:
You can log in to the cloud server console to obtain the IP address, user name, and password of the cloud server purchased on the official website of Tencent Cloud.
Procedure
Certificate installation
- You have downloaded the cloud.tencent.com certificate package from the SSL certificate management console and decompressed it to a local directory. After decompression, you can obtain the certificate files of the relevant types, including the Nginx folder and the CSR file:
  - Folder name: Nginx
  - Folder contents:
    - 1_cloud.tencent.com_bundle.crt: the certificate file
    - 2_cloud.tencent.com.key: the private key file
  - CSR file: cloud.tencent.com.csr
  Description:
  The CSR file is uploaded by you or generated online by the system when you apply for a certificate, and is provided to the CA. You can ignore this file during installation.
- Use WinSCP to log in to the Nginx server.
- Copy the 1_cloud.tencent.com_bundle.crt certificate file and the 2_cloud.tencent.com.key private key file from the local directory to the /usr/local/nginx/conf directory on the Nginx server (this is the default installation directory of Nginx; adjust it to your actual setup).
- Remotely log in to the Nginx server. For example, use PuTTY to log in.
- Edit the conf/nginx.conf file in the root directory of Nginx. Modify it as follows:
  Description:
  - You can edit the file by running vim /usr/local/nginx/conf/nginx.conf on the command line.
  - Configuration files may be written differently depending on the version. For example, for Nginx version nginx/1.15.0, use listen 443 ssl instead of listen 443 and ssl on.

      server {
          # SSL access port 443
          listen 443 ssl;
          # Enter the domain name
          server_name cloud.tencent.com;
          # Certificate file name
          ssl_certificate 1_cloud.tencent.com_bundle.crt;
          # Private key file name
          ssl_certificate_key 2_cloud.tencent.com.key;
          ssl_session_timeout 5m;
          # TLSv1 and TLSv1.1 are deprecated (RFC 8996); list them only if legacy clients still need them.
          ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
          # Configure the cipher suite as follows, written in accordance with the OpenSSL standard.
          ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;
          ssl_prefer_server_ciphers on;
          location / {
              # Site home page path. This directory is for reference only; use your actual directory.
              root html;
              index index.html index.htm;
          }
      }
- In the Nginx root directory, run the following command to check the configuration file for problems.

      ./sbin/nginx -t

  - If it reports a problem, reconfigure or correct the configuration as prompted.
  - If not, go to Step 7.
- Restart Nginx. You can then access the site at https://cloud.tencent.com.
(Optional) Security configuration for automatic HTTP-to-HTTPS redirection
If you need to redirect HTTP requests to HTTPS automatically, you can perform the following operations:
- Select one of the following configuration methods as required:
  - Add a JS script to the page.
  - Add a redirect in the back-end program.
  - Use the web server to perform the redirect.
  - Nginx supports the rewrite function. If you did not remove pcre at compile time, you can add return 301 https://$host$request_uri; to the HTTP server block to redirect requests for the default port 80 to HTTPS. Modify the following contents:
    Description:
    - For configuration statements without comments, configure them as shown below.
    - Configuration files may be written differently depending on the version. For example, for Nginx version nginx/1.15.0, use listen 443 ssl instead of listen 443 and ssl on.

      server {
          listen 443 ssl;
          # Enter the domain name
          server_name cloud.tencent.com;
          # Certificate file name
          ssl_certificate 1_cloud.tencent.com_bundle.crt;
          # Private key file name
          ssl_certificate_key 2_cloud.tencent.com.key;
          ssl_session_timeout 5m;
          ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
          ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
          ssl_prefer_server_ciphers on;
          location / {
              # Site home page path. This directory is for reference only; use your actual directory.
              root html;
              index index.html index.htm;
          }
      }
      server {
          listen 80;
          # Enter the domain name
          server_name cloud.tencent.com;
          # Convert HTTP requests to HTTPS
          return 301 https://$host$request_uri;
      }

- After the modification is complete, restart Nginx. You can then access the site using http://cloud.tencent.com.
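
The following Python script is an added example, not part of the original document. It audits an nginx.conf for the settings configured in the installation and redirect steps above: the ssl_protocols list, the legacy ssl on form versus listen 443 ssl, and the port-80 redirect. The function names, the wording of the findings and the condensed PAGE_CONF sample are assumptions made for this example; treating TLSv1 and TLSv1.1 as findings follows RFC 8996, which the page itself does not cite.

```python
import re

# TLS 1.0 and 1.1 are deprecated by RFC 8996; SSLv2/SSLv3 are older still.
DEPRECATED = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
# The page's HTTP-to-HTTPS configuration, condensed to the directives audited here.
PAGE_CONF = """
server {
    listen 443 ssl;
    server_name cloud.tencent.com;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    location / { root html; index index.html index.htm; }  # site root
}
server {
    listen 80;
    server_name cloud.tencent.com;
    return 301 https://$host$request_uri;
}
"""

def server_blocks(conf):
    """Yield each `server {}` body as {directive: [args, ...]}, skipping nested blocks."""
    conf = re.sub(r"#[^\n]*", "", conf)          # drop comments
    for m in re.finditer(r"\bserver\s*\{", conf):
        depth, i = 1, m.end()
        while i < len(conf) and depth:           # find the matching closing brace
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        # Peel one level of nested blocks such as `location / { ... }`.
        body = re.sub(r"[^;{}]*\{[^{}]*\}", "", conf[m.end():i - 1])
        d = {}
        for stmt in filter(None, (s.split() for s in body.split(";"))):
            d.setdefault(stmt[0], []).append(stmt[1:])
        yield d

def audit(conf):
    """Return (server_name, finding) pairs for the TLS and redirect settings."""
    findings = []
    for d in server_blocks(conf):
        name = " ".join(d.get("server_name", [["_"]])[0])
        listen = [a for args in d.get("listen", []) for a in args]
        legacy = ["on"] in d.get("ssl", [])
        if legacy:
            findings.append((name, "legacy `ssl on`; use `listen 443 ssl`"))
        if "ssl" in listen or legacy:
            protos = {p for args in d.get("ssl_protocols", []) for p in args}
            findings += [(name, f"deprecated protocol {p} enabled")
                         for p in sorted(protos & DEPRECATED)]
        elif not any(x.startswith("https://") for a in d.get("return", []) for x in a):
            findings.append((name, "plain HTTP without redirect to HTTPS"))
    return findings
```

Calling audit(PAGE_CONF) reports the two deprecated protocol versions in the page's HTTPS block and nothing for the port-80 block, because its return 301 redirect is present.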