成功配置SSL證書后，您將能夠通過HTTPS加密通道安全訪問Nginx服務(wù)器。

一、準備材料

SSL證書綁定的域名已完成DNS解析，即您的域名與主機IP地址相互映射。您可以通過DNS驗證證書工具，檢測域名DNS解析是否生效。具體操作：
【1】登錄數(shù)字證書管理服務(wù)控制臺。
【2】在左側(cè)導(dǎo)航欄，選擇證書工具 > DNS驗證。
【3】在DNS頁簽，選擇您域名所在的運營商和地域，并輸入您的網(wǎng)站域名，單擊立即檢測。DNS檢測結(jié)果列表中的解析結(jié)果與您在解析配置中的記錄值一致時，代表解析正常生效。

已通過數(shù)字證書管理服務(wù)控制臺簽發(fā)證書。

已在Web服務(wù)器開放443端口（HTTPS通信的標準端口）： 如果您使用的是阿里云ECS服務(wù)器，請確保已經(jīng)在安全組規(guī)則入方向添加TCP 443端口和TCP 80端口。

二、下載SSL證書

【1】登錄數(shù)字證書管理服務(wù)控制臺
【2】在左側(cè)導(dǎo)航欄，單擊SSL證書。
【3】在SSL證書頁面，定位到目標證書，在操作列，單擊下載。
【4】在服務(wù)器類型為Nginx的操作列，單擊下載。

【5】解壓縮已下載的SSL證書壓縮包：根據(jù)您在提交證書申請時選擇的CSR生成方式，解壓縮獲得的文件不同。證書文件（PEM格式）： Nginx支持安裝PEM格式的文件，PEM格式的證書文件是采用Base64編碼的文本文件，且包含完整證書鏈。解壓后，該文件以證書ID_證書綁定域名命名。私鑰文件（KEY格式）： 默認以證書綁定域名命名。

三、安裝Nginx

已安裝的可以忽略該步驟

直接在Linux服務(wù)上使用wget命令把Nginx安裝包下載到/usr/local/目錄中

wget -c http://nginx.org/download/nginx-1.24.0.tar.gz

安裝Nginx相關(guān)依賴

#安裝nginx所需要的依賴包
yum install -y gcc-c++	zlib zlib-devel	openssl openssl-devel pcre pcre-devel

安裝Nginx：解壓Nginx安裝包

#解壓安裝包
tar -zxvf nginx-1.24.0.tar.gz

進入解壓之后的Nginx目錄下：

#進入nginx目錄
cd /usr/local/nginx

執(zhí)行配置腳本，--prefix是指定安裝目錄

# 編譯，執(zhí)行配置: 考慮到后續(xù)安裝ssl證書 添加兩個模塊
./configure --with-http_stub_status_module --with-http_ssl_module

編譯安裝

#對nginx編譯和安裝
make & make install

啟動Nginx服務(wù)：安裝好的Nginx服務(wù)在/usr/local/nginx下：

[root@xxx sbin]# pwd
/usr/local/nginx/sbin# 啟動
./nginx# 重啟
./nginx -s reload# 關(guān)閉
./nginx -s stop# 或者，指定配置文件啟動
./nginx -c /usr/local/nginx/conf/nginx.conf

查看Nginx是否啟動成功

[root@xxx sbin]# ps -ef | grep nginx
root      1399  1320  0 Jan27 ?        00:00:00 nginx: master process nginx -g daemon off;
root      1574  1399  0 Jan27 ?        00:00:00 nginx: worker process
root      1575  1399  0 Jan27 ?        00:00:00 nginx: worker process
root     20336     1  0 21:21 ?        00:00:00 nginx: master process ./nginx
nobody   20337 20336  0 21:21 ?        00:00:00 nginx: worker process
root     20366 13337  0 21:21 pts/3    00:00:00 grep --color=auto nginx

設(shè)置nginx的開機啟動

vim /etc/rc.local
文本底部追加
/usr/local/nginx/sbin/nginx

編輯安裝目錄conf下的nginx.conf文件：

server {listen       80;server_name  yourdomain.com; # 修改為你自己的域名或IP地址location / {root   /path/to/your/vuepress/site; # 修改為你的VuePress站點路徑，也就是vue npm run build 打包后放置靜態(tài)文件dist的路徑index  index.html index.htm;try_files $uri $uri/ /index.html;}
}

三、在Nginx服務(wù)器安裝證書

【1】執(zhí)行以下命令，在Nginx的conf目錄下創(chuàng)建一個cert用于存放證書的目錄。

[root@iZuf65h6i43ltlzhqolumyZ conf]# cd /usr/local/nginx/conf  --進入Nginx默認配置文件目錄。該目錄為手動編譯安裝Nginx時的默認目錄，如果您修改過默認安裝目錄或使用其他方式安裝，請根據(jù)實際配置調(diào)整。
[root@iZuf65h6i43ltlzhqolumyZ conf]# cd cert/
[root@iZuf65h6i43ltlzhqolumyZ cert]# ll
total 12
-rw-r--r-- 1 root root 1679 Feb  8 18:29 it-blog-cn.com.key
-rw-r--r-- 1 root root 4772 Feb  8 18:29 it-blog-cn.com.pem

.pem：證書文件。PEM文件的擴展名為CRT格式。
.key：證書的密鑰文件。申請證書時如果未選擇自動創(chuàng)建CRS，則下載的證書文件壓縮包中不會包含.key文件，需要您將自己手動常見的私鑰文件拷貝到cert目錄下。

【2】更改nginx.conf設(shè)置vim nginx.conf找到server塊，將HTTPS server部分注釋去掉【從需要刪除的部分開始安裝ctrl+v，然后ctrl+d刪除】并修改：

    # HTTPS server# 將 it-blog-cn.com 修改為自己的域名server {listen       443 ssl;server_name  it-blog-cn.com;ssl_certificate      /usr/local/nginx/conf/cert/it-blog-cn.com.pem;ssl_certificate_key  /usr/local/nginx/conf/cert/it-blog-cn.com.key;ssl_session_cache    shared:SSL:1m;ssl_session_timeout  5m;ssl_ciphers  HIGH:!aNULL:!MD5;ssl_prefer_server_ciphers  on;location / {root   html;index  index.html index.htm;}}

【3】通過nginx -t校驗nginx文件語法。如果提示找不到證書文件，說明文件路徑配置的不正確。

[root@iZuf65h6i43ltlzhqolumyZ conf]# ../sbin/nginx -t
nginx: [emerg] cannot load certificate "/usr/local/nginx/conf/it-blog-cn.com.pem": BIO_new_file() failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/usr/local/nginx/conf/it-blog-cn.com.pem','r') error:2006D080:BIO routines:BIO_new_file:no such file)

如果提示success，表示校驗成功

[root@iZuf65h6i43ltlzhqolumyZ conf]# ../sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful

【4】通過nginx -s reload重啟nginx
【5】檢查443端口

[root@iZuf65h6i43ltlzhqolumyZ conf]# netstat -ntlp lgrep 443
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      20336/nginx: master 

【5】查詢防火墻的狀態(tài)

[root@iZuf65h6i43ltlzhqolumyZ conf]# firewall -cmd --state
running

查詢防火墻是否放開了443端口，結(jié)果顯示只有80端口

[root@iZuf65h6i43ltlzhqolumyZ conf]# firewall -cmd --list-prots
80/tcp

打開443端口，完成后執(zhí)行reload命令

[root@iZuf65h6i43ltlzhqolumyZ conf]# firewall -cmd --zone=public --add-prot=443/toc --permanent
success
[root@iZuf65h6i43ltlzhqolumyZ conf]# firewall -cmd --reload
success
[root@iZuf65h6i43ltlzhqolumyZ conf]# firewall -cmd --list-ports
80/tcp 443/tcp

【6】執(zhí)行echo命令在服務(wù)器上模擬客戶端，將測試命令中的it-blog-cn更換為自己的域名。檢查本地443端口加載的HTTPS服務(wù)以及證書是否正常。如下出現(xiàn)SSL-Session表示HTTPS服務(wù)正常運行，服務(wù)器配置的SSL證書是可用的。如果提示connect:errno=111表示沒有服務(wù)，建議檢查Nginx是否啟動。

[root@iZuf65h6i43ltlzhqolumyZ conf]# echo | openssl s_client -connect 127.0.0.1:443 -servername it-blog.cn 2>/dev/null
CONNECTED(00000003)
---
Certificate chain0 s:/CN=uat.bestcms.neti:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=Encryption Everywhere DV TLS CA - G11 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=Encryption Everywhere DV TLS CA - G1i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIF8TCCBNmgAwIBAgIQBIMiUQP6TMpfAZzWUm5rAzANBgkqhkiG9w0BAQsFADBu
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
d3cuZGlnaWNlcnQuY29tMS0wKwYDVQQDEyRFbmNyeXB0aW9uIEV2ZXJ5d2hlcmUg
RFYgVExTIENBIC0gRzEwHhcNMjExMTI1MDAwMDAwWhcNMjIxMTI1MjM1OTU5WjAa
MRgwFgYDVQQDEw91YXQuYmVzdGNtcy5uZXQwggEiMA0GCSqGSIb3DQEBAQUAA4IB
DwAwggEKAoIBAQC3iIwMOkLN7RfFY4BfLxqp9OYoaAh3gEiBZii9LnUquEqBVTWk
bXfMlx2z7Wi4nVMnB6h1+OQsUQRgzHL3nVzACcXPPY8MHpA0F2Zen3dAkQFuVdXF
FgSSTJMqs/6IZdr1Q0YKahy99j5iA6TfYgKxm37wWG42+aXv4M8I5a2B/BH69lLZ
KKt5fyVNyvaxmdIJySPAUCh214BuHjV6AGehGCGv3DrUY0sNRytaiMSJdI/VbRkY
YeQKNMXbBhYxlv51AT2eGo4RNmz/kMrm6a6LHF3ARYOp3A+PGJaa8ZVuOikO+I1A
whfggIcRyKe94ZXqMRD7bu054w9ftHojF/wlAgMBAAGjggLdMIIC2TAfBgNVHSME
GDAWgBRVdE+yck/1YLpQ0dfmUVyaAYca1zAdBgNVHQ4EFgQU9to7lciGa8p+OhHn
4uQGhbMuNfMwGgYDVR0RBBMwEYIPdWF0LmJlc3RjbXMubmV0MA4GA1UdDwEB/wQE
AwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwPgYDVR0gBDcwNTAz
BgZngQwBAgEwKTAnBggrBgEFBQcCARYbaHR0cDovL3d3dy5kaWdpY2VydC5jb20v
Q1BTMIGABggrBgEFBQcBAQR0MHIwJAYIKwYBBQUHMAGGGGh0dHA6Ly9vY3NwLmRp
Z2ljZXJ0LmNvbTBKBggrBgEFBQcwAoY+aHR0cDovL2NhY2VydHMuZGlnaWNlcnQu
Y29tL0VuY3J5cHRpb25FdmVyeXdoZXJlRFZUTFNDQS1HMS5jcnQwCQYDVR0TBAIw
ADCCAXwGCisGAQQB1nkCBAIEggFsBIIBaAFmAHUARqVV63X6kSAwtaKJafTzfREs
QXS+/Um4havy/HD+bUcAAAF9VSvu6AAABAMARjBEAiAc98z9JhFji8wdRV2E0I/C
pc4In9+I5tLAUagQM9TOvwIgKWBYxroCMKGz626Gw7Iv5kfnDeGWL1WowLQLG3Cf
4NIAdgBRo7D1/QF5nFZtuDd4jwykeswbJ8v3nohCmg3+1IsF5QAAAX1VK+7TAAAE
AwBHMEUCIDUPBWCGV3M8mNwrIhEN28Df0lvJnV+2HrRqfmvfvmbiAiEAhtsDnXpI
rRrMXt7DJnTIUNt8FrlJNm5KhDfN0CwKBCQAdQBByMqx3yJGShDGoToJQodeTjGL
GwPr60vHaPCQYpYG9gAAAX1VK+6ZAAAEAwBGMEQCID3zJ7IuSdi3+7VWwbQxIwhv
6N8DMR0srFyGLu0Bi3P5AiAO7CvwwF1Yjdo8G6q94FR/RcDHwZq61qk95MMiAkx5
yzANBgkqhkiG9w0BAQsFAAOCAQEAjXlHgK2lC2U9Cgl4GUU1LHtu/nDNx7ciIgWf
cMRObBSE0o4iSCG10iZG57STswAgwVLuG2yCDLD47lWwr2+/XPzKs3PsRCtm45pm
gjuawC9k0c3PsiGalob+U+c/42fU6SqU2H8GxySZIN4GR44ToYy+I+G3nnnTWnsJ
VPZz8+19B4+0QaHGD1mcj/QF9FwH04am8BEIBBDzoO7vuC7/B4kJy9F4VVU4i9hE
qS6e2pOYjvxp7t4k0EbEUovqz2VtYA51IkEpaUUvitCJXqih2QiFLKEWhZA5t+3d
g2OrNpOdvF6MShEIFDk/Nv79rElpyrrlsKpesbkx/ZFJkL9dng==
-----END CERTIFICATE-----
subject=/CN=uat.bestcms.net
issuer=/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=Encryption Everywhere DV TLS CA - G1
---
No client certificate CA names sent
Peer signing digest: SHA256
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 3416 bytes and written 434 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:Protocol  : TLSv1.2Cipher    : ECDHE-RSA-AES128-GCM-SHA256Session-ID: 79CEF4E325845ED2B21C77C85FFF4B01B68B72362EE14A05C354E65C074F166DSession-ID-ctx: Master-Key: 48EE5A3E66D294F5F9B7F2A04EE6A58A7D8CF1211C103B86F31231BAC30BA63325A1200A7915D7B556F516E215848F65Key-Arg   : NoneKrb5 Principal: NonePSK identity: NonePSK identity hint: NoneTLS session ticket lifetime hint: 300 (seconds)TLS session ticket:0000 - 8b c1 a2 a1 8e cd 5d 7b-f9 1e d0 0a d7 44 2b 89   ......]{.....D+.0010 - 09 f3 f4 4d 98 74 37 b7-57 cf ab e2 a5 ed 90 1e   ...M.t7.W.......0020 - 9d 4a 9b 2b fa 07 cd 51-d1 bd 4c 8c 41 be 8f 39   .J.+...Q..L.A..90030 - b8 4d 25 0e e7 0d 67 6a-0e a2 56 4c ea ad 38 63   .M%...gj..VL..8c0040 - 14 ed ed d0 2a 13 11 6a-81 0c e9 ae 10 3e f1 1c   ....*..j.....>..0050 - 22 08 9c 1e 7e 11 80 0f-00 61 38 85 6c da 28 b7   "...~....a8.l.(.0060 - f8 82 06 ea 80 12 cd a7-27 18 45 c1 84 97 07 13   ........'.E.....0070 - 9c 41 82 35 14 80 e4 de-8e ee cb af 55 4e 3e 59   .A.5........UN>Y0080 - 23 ad 6d cb 25 e1 fc 25-7b 3a cb f7 e7 e7 0c 48   #.m.%..%{:.....H0090 - 49 bf a8 fb 44 fc de 03-9f a4 f5 40 a7 0a ea 7e   I...D......@...~00a0 - 61 ab 50 87 1e 6a 5f 92-45 26 25 73 5c 06 0d b4   a.P..j_.E&%s\...00b0 - ed 8c cd 01 e4 86 9c 00-ab 42 22 b1 15 5e c4 ed   .........B"..^..Start Time: 1707407211Timeout   : 300 (sec)Verify return code: 10 (certificate has expired)
---

四、更新ECS安全組

放行TCP協(xié)議443端口的入方向請求，并在瀏覽器端通過HTTPS訪問域名成功。

五、HTTP 強制跳轉(zhuǎn) HTTPS

修改nginx.conf

[root@iZuf65h6i43ltlzhqolumyZ conf]# vim nginx.conf

在80端口下方添加rewrite ^(.*)$ https://$host$1;，并通過nginx -t校驗語法，并通過nginx -s reload重新啟動nginx

server {listen       80;server_name  localhost;rewrite ^(.*)$ https://$host$1;

六、Nginx 配置文件

nginx.conf配置全文

#user  nobody;worker_processes  1;#error_log  logs/error.log;
#error_log  logs/error.log  notice;
#error_log  logs/error.log  info;pid        logs/nginx.pid;events {worker_connections  1024;
}http {include       mime.types;default_type  application/octet-stream;#log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '#                  '$status $body_bytes_sent "$http_referer" '#                  '"$http_user_agent" "$http_x_forwarded_for"';#access_log  logs/access.log  main;sendfile        on;#tcp_nopush     on;#keepalive_timeout  0;keepalive_timeout  65;#gzip  on;server {listen       80;server_name  it-blog-cn.com;rewrite ^(.*)$ https://$host$1;#charset koi8-r;#access_log  logs/host.access.log  main;location / {proxy_pass http://127.0.0.1:8080/; #代理的地址和端口client_max_body_size 100M;proxy_set_header Host $host;proxy_set_header X-Real-IP $remote_addr;proxy_set_header X-Real-PORT $remote_port;proxy_set_header X-Forwarded-For $host;}#error_page  404              /404.html;# redirect server error pages to the static page /50x.html#error_page   500 502 503 504  /50x.html;location = /50x.html {root   html;}# proxy the PHP scripts to Apache listening on 127.0.0.1:80##location ~ \.php$ {#    proxy_pass   http://127.0.0.1;#}# pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000##location ~ \.php$ {#    root           html;#    fastcgi_pass   127.0.0.1:9000;#    fastcgi_index  index.php;#    fastcgi_param  SCRIPT_FILENAME  /scripts$fastcgi_script_name;#    include        fastcgi_params;#}# deny access to .htaccess files, if Apache's document root# concurs with nginx's one##location ~ /\.ht {#    deny  all;#}}# another virtual host using mix of IP-, name-, and port-based configuration##server {#    listen       8000;#    listen       somename:8080;#    server_name  somename  alias  another.alias;#    location / {#        root   html;#        index  index.html index.htm;#    }#}# HTTPS server#server {listen       443 ssl;server_name  it-blog-cn.com;ssl_certificate     /usr/local/nginx/conf/cert/it-blog-cn.com.pem;ssl_certificate_key  /usr/local/nginx/conf/cert/it-blog-cn.com.key;ssl_session_cache    shared:SSL:1m;ssl_session_timeout  5m;ssl_ciphers  HIGH:!aNULL:!MD5;ssl_prefer_server_ciphers  on;location / {root   html;index  index.html index.htm;}}
}