这里以阿里云 Symantec 证书为例，申请通配符域名证书。
在 xxx.cn 对应的 server 块中配置 location 如下，完整配置参考：
server {
    listen 443 ssl;
    server_name xxx.cn;

    # TLS session reuse and cipher settings used while the certificate is
    # still being validated.
    ssl_session_timeout 5m;
    ssl_session_cache shared:SSL:1m;
    ssl_prefer_server_ciphers on;
    ssl_ciphers HIGH:!aNULL:!MD5;
    # NOTE(review): no ssl_certificate / ssl_certificate_key appear in this
    # block; presumably they are inherited from the enclosing http context or
    # an earlier certificate is already installed — confirm, otherwise the
    # ssl listener cannot complete a TLS handshake.

    # Device detection: flip $mobile_rewrite to "perform" for mobile agents.
    # The match runs on a client-supplied header, so the result is only a
    # content-selection hint, never an access-control decision.
    set $mobile_rewrite do_not_perform;
    if ($http_user_agent ~* "(android|bb\d+|meego).+mobile|avantgo|bada\/|blackberry|blazer|compal|elaine|fennec|hiptop|iemobile|ip(hone|od)|iris|kindle|lge |maemo|midp|mmp|mobile.+firefox|netfront|opera m(ob|in)i|palm( os)?|phone|p(ixi|re)\/|plucker|pocket|psp|series(4|6)0|symbian|treo|up\.(browser|link)|vodafone|wap|windows ce|xda|xiino") {
        set $mobile_rewrite perform;
    }

    # The CA's domain-validation file is served from the main document root
    # (longest-prefix match, so this wins over "location /" regardless of
    # order).
    location /.well-known/pki-validation/fileauth.txt {
        root /usr/local/nginx/html;
    }

    # Everything else: choose the document root per device class. The two
    # branches are mutually exclusive, so their order is irrelevant.
    location / {
        if ($mobile_rewrite = do_not_perform) {
            root html;
        }
        if ($mobile_rewrite = perform) {
            root /usr/local/nginx/m/mobile;
        }
    }
}
把验证文件 fileauth.txt 上传到服务器上一步配置的目录中，本例的具体目录是：
/usr/local/nginx/html/.well-known/pki-validation
E:\wy>scp fileauth.txt root@ip:/usr/local/nginx/html/.well-known/pki-validation
root@ip's password:
fileauth.txt 100% 64 1.7KB/s 00:00
E:\wy>
查看文件:
[root@izwz96u1ukkfo2k pki-validation]# ll
total 4
-rw-r--r-- 1 root root 64 Feb 18 11:00 fileauth.txt
[root@izwz96u1ukkfo2k pki-validation]# pwd
/usr/local/nginx/html/.well-known/pki-validation
[root@izwz96u1ukkfo2k pki-validation]#
完成后检查配置并重载 nginx：
[root@izwz96u1ukkfo2k conf]# ../sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@izwz96u1ukkfo2k conf]# ../sbin/nginx -s reload
然后进行验证，通过后提交，等待审核。
下载并部署证书：审核通过后，下载证书，并选择 nginx 版本。
上传证书和私钥到服务器：
E:\wy\ssl\3472164__xxx.cn_nginx>scp 3472164__xxx.cn.* root@ip:/usr/local/nginx/conf/ssl/www.xxx.cn
root@ip's password:
3472164__xxx.cn.key 100% 1679 39.0KB/s 00:00
3472164__xxx.cn.pem 100% 3671 61.1KB/s 00:00
E:\wy\ssl\3472164__xxx.cn_nginx>
修改 nginx 配置文件如下：
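server {
    listen 80;
    server_name www.xxx.cn xxx.cn;

    # Keep the CA's domain-validation file reachable over plain HTTP. With a
    # server-level "return 301" (as in the original) the redirect runs in the
    # server rewrite phase, before any location is matched, so this location
    # and everything below it were unreachable and every request was
    # redirected.
    location /.well-known/pki-validation/fileauth.txt {
        root /usr/local/nginx/html;
    }

    # Everything else is sent to HTTPS. $server_name (the first name listed
    # above, i.e. www.xxx.cn) is used deliberately instead of $host: $host
    # echoes the client-supplied Host header and would turn this into an
    # open redirect.
    location / {
        return 301 https://$server_name$request_uri;
    }

    # The mobile/desktop root selection is intentionally not repeated here:
    # this server never serves content, only redirects, so that configuration
    # was dead. It belongs in the 443 server block.
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root html;
    }
}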
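server {
    listen 443 ssl;
    server_name www.xxx.cn;

    # Certificate chain (.pem) and private key, relative to the nginx conf
    # directory. Keep the .key readable only by the user that starts nginx
    # (e.g. owner root, mode 600) and outside any document root.
    ssl_certificate ./ssl/www.xxx.cn/3472164__xxx.cn.pem;
    ssl_certificate_key ./ssl/www.xxx.cn/3472164__xxx.cn.key;

    # TLS 1.2 only. TLS 1.0 and 1.1 (enabled in the original) are deprecated
    # by RFC 8996 and fail current compliance and browser checks. Add
    # "TLSv1.3" here once nginx >= 1.13 is built against OpenSSL >= 1.1.1.
    ssl_protocols TLSv1.2;
    # Forward-secret AEAD suites only. The original list admitted static-RSA
    # and CBC suites through "ECDH:AES:HIGH"; with TLS 1.2 as the floor every
    # supported client can negotiate ECDHE + AES-GCM or ChaCha20. Names the
    # local OpenSSL build does not know (e.g. the CHACHA20 suites on older
    # builds) are ignored by the cipher-list parser.
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 5m;

    # Optional, once HTTPS is confirmed working for every host name:
    #   add_header Strict-Transport-Security "max-age=31536000" always;
    # Browsers remember HSTS, so enable it only after verification.

    # Device detection: flip $mobile_rewrite to "perform" for mobile agents.
    # The match runs on a client-supplied header, so the result is only a
    # content-selection hint, never an access-control decision.
    set $mobile_rewrite do_not_perform;
    if ($http_user_agent ~* "(android|bb\d+|meego).+mobile|avantgo|bada\/|blackberry|blazer|compal|elaine|fennec|hiptop|iemobile|ip(hone|od)|iris|kindle|lge |maemo|midp|mmp|mobile.+firefox|netfront|opera m(ob|in)i|palm( os)?|phone|p(ixi|re)\/|plucker|pocket|psp|series(4|6)0|symbian|treo|up\.(browser|link)|vodafone|wap|windows ce|xda|xiino") {
        set $mobile_rewrite perform;
    }

    # Choose the document root per device class.
    location / {
        if ($mobile_rewrite = perform) {
            root /usr/local/nginx/m/mobile;
        }
        if ($mobile_rewrite = do_not_perform) {
            root html;
        }
    }
}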
部署完成后进行验证：
部署前:
部署后