Deploy the SSL Certificate in BCC Nginx
Configure the SSL certificate for the Web service in the Nginx environment built by following the Centos-7.2 Deployment LNMP Environment Tutorial. Prepare the domain name in advance. The steps below cover the entire process of configuring and deploying the certificate.
Download and Decompress a Certificate
Go to "Baidu AI Cloud Console" -- "Security and Management" -- "SSL Certificate Service" -- "Purchased Certificate List", and then click "View Information" for the certificate that was applied for the domain name bound to this BCC.
Click "Download Certificate", select the PEM_Nginx format, and then set the 4-digit decompression password.
After the archive has been downloaded to your local machine, double click "Open" to see the crt and key files. Select "Decompress to", set the path, and then enter the 4-digit password you just set on the console.
Upload Certificate Files to BCC
Upload the crt and key files decompressed in the previous step to the BCC's Nginx configuration directory /etc/nginx/ through FTP or other tools.
Modify the Configuration File
vim /etc/nginx/nginx.conf
Add the following virtual host configuration, or uncomment the HTTPS host.
server {
    listen 443 ssl; #The ssl parameter enables SSL for this server. It replaces the separate "ssl on;" line, which was deprecated in Nginx 1.15.0 and removed in 1.25.1.
    server_name ********.com; #Replace with the bound domain name; it must be the domain name the certificate was applied for
    ssl_certificate /etc/nginx/********.com.crt; #Path to the crt file from the downloaded Nginx certificate. An absolute path or a relative path can be used.
    ssl_certificate_key /etc/nginx/*********.com.key; #Path to the key file; the same rule as for the crt file applies
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 5m;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    location / {
        root html;
        index index.html index.htm;
    }
}
After saving the configuration, restart the Nginx service.
systemctl restart nginx
At this point, the command netstat -anplt shows that port 443 is listening, and you can access the site normally through the domain name at https://.
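Before restarting, it helps to confirm that the uploaded key belongs to the certificate, that the key file is not accessible to other users, and that Nginx accepts the edited configuration. The script below is an added example, not part of the original tutorial; the function names and the example.com paths are assumptions.

```shell
#!/bin/sh
# Added example: checks to run before "systemctl restart nginx".
# Function names and the example.com paths are illustrative assumptions.

# Succeeds when the certificate and private key carry the same public key
# (works for RSA and EC keys). Returns 2 if either file cannot be parsed.
cert_matches_key() {
    crt_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ -n "$crt_pub" ] && [ "$crt_pub" = "$key_pub" ]
}

# Succeeds when group and others have no permissions on the key file.
# Uses GNU stat, as shipped with CentOS.
key_mode_is_private() {
    mode=$(stat -c '%a' "$1") || return 2
    case "$mode" in
        0|*00) return 0 ;;
        *)     return 1 ;;
    esac
}

# Runs every check and restarts Nginx only if all of them pass.
safe_restart() {
    crt=$1
    key=$2
    if ! cert_matches_key "$crt" "$key"; then
        echo "certificate and key do not match: $crt $key" >&2
        return 1
    fi
    if ! key_mode_is_private "$key"; then
        echo "key is accessible to other users; run: chmod 600 $key" >&2
        return 1
    fi
    if ! openssl x509 -in "$crt" -noout -checkend 0 >/dev/null; then
        echo "certificate has expired: $crt" >&2
        return 1
    fi
    nginx -t || return 1          # syntax-check nginx.conf before restarting
    systemctl restart nginx
}

# Usage (paths are placeholders):
#   safe_restart /etc/nginx/example.com.crt /etc/nginx/example.com.key
```

Running nginx -t first means a typo in nginx.conf is reported while the old configuration is still serving traffic, instead of taking the site down on restart.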
Force HTTP to HTTPS
vim /etc/nginx/nginx.conf
In the server block that listens on port 80, change localhost after server_name to the certificate's domain name, and then add the following statement below it:
rewrite ^(.*)$ https://${server_name}$1 permanent;
After saving the file, restart Nginx:
systemctl restart nginx
At this point, any request made directly to the domain name is redirected to HTTPS with a 301.