Detailed explanation of Nginx configuration SSL (HTTPS)

As Internet security becomes increasingly important, the HTTPS protocol has gradually become the standard for encrypted communication on websites. As a high-performance HTTP and reverse proxy server, Nginx naturally supports SSL/TLS encrypted communication. This article will detail how to configure SSL in Nginx to achieve HTTPS access.

1. Prepare SSL Certificate

First, we need to prepare an SSL certificate. You can choose to purchase a commercial certificate from a certificate authority (CA) or generate a self-signed certificate yourself. Although self-signed certificates are free, they will not be trusted by browsers and are only suitable for testing environments.

If you choose to purchase a commercial certificate, you will usually receive the following documents:

  • Certificate file (for example: example.com.crt)
  • Private key file (for example: example.com.key)
  • Intermediate certificate files (if any)

2. Install SSL module

Nginx supports the SSL module by default, so usually no additional installation is required. To confirm that SSL is available, check whether --with-http_ssl_module appears in Nginx's compilation parameters (printed by nginx -V).

3. Configure Nginx SSL

(1) Open the Nginx configuration file, usually located at /etc/nginx/nginx.conf or /etc/nginx/conf.d/default.conf.

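(2) In the http block, configure the SSL-related parameters. The following is an example:

 http {
     # ...
     server {
         listen 443 ssl;
         server_name example.com;

         ssl_certificate     /path/to/example.com.crt;   # certificate file path
         ssl_certificate_key /path/to/example.com.key;   # private key file path

         # If there is an intermediate certificate, append it to the ssl_certificate
         # file (server certificate first) so that it is sent to clients.
         # ssl_trusted_certificate is not sent to clients; nginx uses it to verify
         # OCSP responses and client certificates.
         ssl_trusted_certificate /path/to/intermediate.crt;

         # Other SSL configuration parameters
         ssl_protocols TLSv1.2 TLSv1.3;   # supported protocol versions
         ssl_ciphers HIGH:!aNULL:!MD5;    # cipher suites
         ssl_prefer_server_ciphers on;    # prefer the server's cipher suites

         # Other server configuration ...
     }
     # ...
 }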

(3) Save and close the configuration file.

(4) Check whether the syntax of the Nginx configuration file is correct:

 nginx -t

(5) If the syntax is correct, reload or restart Nginx to make the configuration take effect:

 nginx -s reload           # reload the configuration
 # or
 systemctl restart nginx   # restart the Nginx service

4. Test HTTPS access

Now, your Nginx server has been configured with SSL and can be accessed through the HTTPS protocol. Enter https://example.com in your browser and check whether it can be successfully accessed and the secure connection logo (such as a green lock) is displayed.

Additionally, you can use command-line tools such as openssl or curl to test the validity of the HTTPS connection and certificate.

5. Optimization and security considerations

  • Enable HSTS (HTTP Strict Transport Security): Force browsers to access websites only via HTTPS by adding the Strict-Transport-Security field in the response header.
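  • Enable OCSP Stapling: The server fetches the certificate's status through the Online Certificate Status Protocol (OCSP) and sends it during the TLS handshake, so clients do not have to query the CA themselves, which improves the efficiency of certificate verification.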
  • Use stronger encryption algorithms and protocols: According to security requirements, you can adjust parameters such as ssl_ciphers and ssl_protocols to use stronger encryption algorithms and protocol versions.
  • Regularly update and replace certificates: Commercial certificates usually have a limited validity period and need to be updated regularly. At the same time, in order to enhance security, certificates can also be replaced regularly.
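
The HSTS and OCSP stapling items above, written out as Nginx directives. This is an added example, not configuration from the original article; the file paths, the max-age value and the resolver address are assumptions to replace with your own.

```nginx
# Added example: assumed paths, max-age and resolver address.

# Plain HTTP only redirects; browsers ignore HSTS headers received over HTTP.
server {
    listen 80;
    server_name example.com;
    # Redirect to the fixed host name rather than echoing the Host header
    return 301 https://example.com$request_uri;
}

server {
    listen 443 ssl;
    server_name example.com;

    # One file: server certificate first, then the intermediate certificate(s)
    ssl_certificate     /path/to/example.com.fullchain.crt;
    ssl_certificate_key /path/to/example.com.key;

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;

    # HSTS. "always" also sets the header on error responses.
    # Use a short max-age while testing; 31536000 seconds is one year.
    # An add_header inside a location block replaces this one for that location.
    add_header Strict-Transport-Security "max-age=31536000" always;

    # OCSP stapling: nginx fetches the OCSP response and sends it in the handshake
    ssl_stapling on;
    ssl_stapling_verify on;
    # CA certificates used to verify the stapled response (not sent to clients)
    ssl_trusted_certificate /path/to/intermediate.crt;
    # DNS resolver nginx uses to look up the OCSP responder (assumed address)
    resolver 192.0.2.53 valid=300s;
    resolver_timeout 5s;
}
```

After reloading, `curl -sI https://example.com` should show the Strict-Transport-Security header, and `openssl s_client -connect example.com:443 -status` should print an OCSP response once nginx has fetched one.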

Through the above steps, you can successfully configure SSL in Nginx and implement HTTPS access. Remember to pay attention to security considerations during the configuration process and make corresponding optimizations according to actual needs.
