Configuring SSL support in NGINX
This article was last updated on the morning of July 24, 2024
Preface
In the article "Tencent Cloud applies for a free SSL certificate", we applied for an SSL certificate. So now, let’s configure site-wide SSL! 💪💪💪
This time the work is mainly NGINX configuration, but there will also be some configuration of my blog itself.
Configuration changes to the blog itself include: (I won’t go into detail in this article)
- All links in the web pages are changed from http to https (in practice, configure SITEURL and the tool generates them automatically), and the site is republished. (In particular, if on-site CSS, JS, etc. are not served over HTTPS, they will be blocked by the various browsers with an “insecure scripts” prompt.)
- For third-party tools in use (such as availability probing), change the address of the website to one that starts with https.
NGINX configuration
First, create the specified directory and upload the prepared certificate files (CRT and key files) to it:
Then carry out the SSL configuration in nginx.conf. This time it mainly involves changes to the server block, as follows (see the description below for the specific role of each directive):
📓 Description:
I will first introduce some of the above directives briefly; there will be detailed articles later.
- return 301 https://$host$request_uri;
  All HTTP requests are permanently redirected to the corresponding https URL.
- /usr/share/nginx/html
  Where the static blog is stored.
- ssl_session_timeout 1d;
  The SSL session timeout period is 1 day.
- ssl_session_tickets off;
  The SSL session ticket mechanism. Some versions have bugs, so enable it according to your situation.
- ssl_prefer_server_ciphers on;
  Prefer the server-side ciphers.
- HSTS function: adds an HTTP header that tells the browser to go directly to https. ❗ This function is risky, choose carefully. (For example, if your certificate expires and you forget to renew it, users cannot switch to HTTP even if they want to.)
- ssl_stapling on;
  Enables SSL OCSP stapling: the server actively queries the OCSP result itself, which improves the efficiency of the TLS handshake.
- /etc/nginx/default.d/*.conf;
  The location configuration of my blog.
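The directives described above, assembled into one pair of server blocks as an added example (this is not the author's original nginx.conf, which is not reproduced on this page). The server name, certificate paths, resolver address and HSTS max-age are assumptions.

```nginx
# Added example, not the author's original configuration.
# www.example.com, the /etc/nginx/ssl/ paths and the resolver address are placeholders.

server {
    listen 80;
    server_name www.example.com;
    # Permanently redirect every HTTP request to the matching https URL
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name www.example.com;
    root /usr/share/nginx/html;                      # where the static blog is stored

    # The certificate file should hold the site certificate followed by the
    # intermediates, so that clients and OCSP stapling can build the chain.
    ssl_certificate     /etc/nginx/ssl/example.crt;  # placeholder path
    ssl_certificate_key /etc/nginx/ssl/example.key;  # placeholder path, keep readable by root only

    ssl_session_timeout 1d;
    ssl_session_tickets off;
    ssl_prefer_server_ciphers on;

    # HSTS: a short max-age (assumed value: 1 day) limits the lock-out window
    # if the certificate expires; raise it once renewal is dependable.
    # add_header is inherited by a location only when that location sets no
    # add_header of its own, so repeat this line in any location under
    # default.d/*.conf that adds its own headers.
    add_header Strict-Transport-Security "max-age=86400" always;

    # OCSP stapling needs the issuer certificate (in the file above) and a
    # resolver so nginx can look up the OCSP responder's hostname.
    ssl_stapling on;
    resolver 192.0.2.53;                             # placeholder DNS resolver

    include /etc/nginx/default.d/*.conf;             # per-site location configuration
}
```

Running nginx -t before the restart checks the syntax and confirms that the certificate and key files load.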
📓 Tips:
The foundation behind Firefox has open-sourced a very useful tool: ssl-config-generator
With it, you can generate the recommended SSL configuration automatically with a single click.
Note that, as shown in the image above, the second column must be selected carefully based on the browser or client versions your customers use.
For example, if Windows XP, IE6 or Java 6 is still in use, then you can only choose Old.
Next, nginx must be restarted for the changes to take effect.
After restarting, testing showed that the CSS and JS did not take effect. 😱😱😱
This was because I had just configured caching in nginx earlier. At the time my brain was not working, and I did not realize right away that it might be a problem with the browser cache. I just stopped nginx and started it again. As a result, the availability of my website dropped from 100% to 99.81%.
Later, I finally realized that it might be a problem with the browser cache, cleared the cache, and then started again. Finally the page displayed normally, and the icon changed from “unsafe” to a small lock.
When testing access to http://www.e-whisper.com, it is also forcibly redirected to https://www.e-whisper.com. Perfect!
My SSL rating
Let me introduce a good tool: SSL Labs. It can give your website an SSL security rating.
Click on the link, enter the website address, and the result comes out: A+. Hahahahaha!!!
Finally, my full report is attached.