https 需要购买域名ssl证书
注意事项:
1.要开启HTTP/2协议支持,需要在nginx 1.10以上版本并且需要openssl库的版本在1.0.2及以上编译。
2.http2.0只支持开启了https的网站。
openssl version 可以查看openssl版本
nginx -v 可以查看nginx版本
mysql -v 可以查看mysql版本
php -v 可以查看php版本
以下命令可以查看linux版本
uname -a;
more /etc/issue;
cat /proc/version;
开始:
这里我的证书是使用阿里云提供的免费证书
1.下载证书
2.安装证书
文件说明:
1. 证书文件1533488566332.pem,包含两段内容,请不要删除任何一段内容。
2. 如果是证书系统创建的CSR,还包含:证书私钥文件1533488566332.key。
( 1 ) 在Nginx的安装目录下创建cert目录,并且将下载的全部文件拷贝到cert目录中。如果申请证书时是自己创建的CSR文件,请将对应的私钥文件放到cert目录下并且命名为1533488566332.key;
( 2 ) 打开 Nginx 安装目录下 conf 目录中的 nginx.conf 文件,找到:
# HTTPS server# #server {# listen 443;# server_name localhost;# ssl on;# ssl_certificate cert.pem;# ssl_certificate_key cert.key;# ssl_session_timeout 5m;# ssl_protocols SSLv2 SSLv3 TLSv1;# ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;# ssl_prefer_server_ciphers on;# location / {###}#}
( 3 ) 将其修改为 (以下属性中ssl开头的属性与证书配置有直接关系,其它属性请结合自己的实际情况复制或调整) :
server { listen 443; server_name localhost; ssl on; root html; index index.html index.htm; ssl_certificate cert/1533488566332.pem; ssl_certificate_key cert/1533488566332.key; ssl_session_timeout 5m; ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_prefer_server_ciphers on; location / { root html; index index.html index.htm; }}
保存退出。
( 4 )重启 Nginx。
( 5 ) 通过 https 方式访问您的站点,测试站点证书的安装配置。
问题:但是安装后 执行 systemctl start nginx 报错 the "ssl" parameter requires ngx_http_ssl_module in /usr/local/nginx/conf/nginx.conf
原来是nginx安装时候没有加载 ssl模块 和 http2模块
1)切换到nginx源码包
cd /usr/local/src/nginx-1.11.3
2)查看ngixn原有的模块
/usr/local/nginx/sbin/nginx -V
显示 --prefix=/usr/local/nginx 需要后面加上需要的模块--with-http_stub_status_module --with-http_ssl_module --with-http_v2_module
--with-http_v2_module 是支持http2 的模块 支持http2需要满足
3)重新配置
./configure --prefix=/usr/local/nginx --with-http_stub_status_module --with-http_ssl_module --with-http_v2_module
4)重新编译,不需要make install安装。否则会覆盖
make
5)备份原有已经安装好的nginx
cp /usr/local/nginx/sbin/nginx /usr/local/nginx/sbin/nginx.bak
6)将刚刚编译好的nginx覆盖掉原来的nginx(ngixn必须停止)
cp ./objs/nginx /usr/local/nginx/sbin/
这时,会提示是否覆盖,请输入yes,直接回车默认不覆盖
7)启动nginx,查看nginx模块,发现已经添加
/usr/local/nginx/sbin/nginx -V
最后附上完整的ngixn配置:
user nginx nginx;worker_processes 1;#error_log logs/error.log;#error_log logs/error.log notice;#error_log logs/error.log info;#pid logs/nginx.pid;events { worker_connections 1024;}http { include mime.types; default_type application/octet-stream; #log_format main '$remote_addr - $remote_user [$time_local] "$request" ' # '$status $body_bytes_sent "$http_referer" ' # '"$http_user_agent" "$http_x_forwarded_for"'; #access_log logs/access.log main; sendfile on; tcp_nopush on; tcp_nodelay on; keepalive_timeout 65; types_hash_max_size 2048; gzip on; gzip_min_length 1k; gzip_buffers 4 16k; gzip_http_version 1.0; gzip_comp_level 8; gzip_vary on; gzip_types text/plain application/x-javascript text/css text/json application/xml text/javascript application/javascript; gzip_disable "MSIE"; server_tokens off; # sendfile on; #tcp_nopush on; #keepalive_timeout 0;# keepalive_timeout 65; #gzip on; server { listen 80; server_name localhost; root /data; #charset koi8-r; #access_log logs/host.access.log main; location / { root /data; index index.php index.html index.htm; } #error_page 404 /404.html; # redirect server error pages to the static page /50x.html # error_page 500 502 503 504 /50x.html; location = /50x.html { root /data; } # proxy the PHP scripts to Apache listening on 127.0.0.1:80 # #location ~ \.php$ { # proxy_pass http://127.0.0.1; #} # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000 # location ~ \.php$ { root /data; fastcgi_pass 127.0.0.1:9000; fastcgi_index index.php; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; include fastcgi_params; } # deny access to .htaccess files, if Apache's document root # concurs with nginx's one # #location ~ /\.ht { # deny all; #} }server { listen 80; server_name www.fibst.cn; return 301 https://$server_name$request_uri;} server{ #listen 80; listen 443 ssl http2; server_name www.fibst.cn; ssl on; ssl_certificate cert/www.fibst.cn.pem; ssl_certificate_key cert/www.fibst.cn.key; ssl_session_cache shared:SSL:1m; ssl_session_timeout 5m; ssl_ciphers HIGH:!aNULL:!MD5; ssl_prefer_server_ciphers on; root /data/suxiaoying/; index index.html index.htm index.php; location ~ ^(.*)\/\.svn\/ { return 404; } location / { try_files $uri $uri/ /index.php$is_args$args; } location ~ \.php$ { fastcgi_pass 127.0.0.1:9000; fastcgi_index index.php; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; include fastcgi_params; } }}