给自己网站配置 https,http2 ,gzip压缩

https 需要购买域名ssl证书

注意事项:

1.要开启HTTP/2协议支持,需要在nginx 1.10以上版本并且需要openssl库的版本在1.0.2及以上编译。

2.http2.0只支持开启了https的网站。

 openssl version 可以查看openssl版本

 nginx -v 可以查看nginx版本

 mysql -v 可以查看mysql版本

 php -v 可以查看php版本

 以下命令可以查看linux版本

 

uname -a;

 

more /etc/issue;

 

cat /proc/version;

 

开始:

这里我的证书是使用阿里云提供的免费证书

1.下载证书

2.安装证书

文件说明:
1. 证书文件1533488566332.pem,包含两段内容,请不要删除任何一段内容。
2. 如果是证书系统创建的CSR,还包含:证书私钥文件1533488566332.key。
( 1 ) 在Nginx的安装目录下创建cert目录,并且将下载的全部文件拷贝到cert目录中。如果申请证书时是自己创建的CSR文件,请将对应的私钥文件放到cert目录下并且命名为1533488566332.key;
( 2 ) 打开 Nginx 安装目录下 conf 目录中的 nginx.conf 文件,找到:
# HTTPS server
# #server {
# listen 443;
# server_name localhost;
# ssl on;
# ssl_certificate cert.pem;
# ssl_certificate_key cert.key;
# ssl_session_timeout 5m;
# ssl_protocols SSLv2 SSLv3 TLSv1;
# ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
# ssl_prefer_server_ciphers on;
# location / {
#
#
#}
#}
( 3 ) 将其修改为 (以下属性中ssl开头的属性与证书配置有直接关系,其它属性请结合自己的实际情况复制或调整) :
server {
    listen 443;
    server_name localhost;
    ssl on;
    root html;
    index index.html index.htm;
    ssl_certificate   cert/1533488566332.pem;
    ssl_certificate_key  cert/1533488566332.key;
    ssl_session_timeout 5m;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    location / {
        root html;
        index index.html index.htm;
    }
}

保存退出。

( 4 )重启 Nginx。
( 5 ) 通过 https 方式访问您的站点,测试站点证书的安装配置。

问题:但是安装后 执行 systemctl start nginx  报错  the "ssl" parameter requires ngx_http_ssl_module in /usr/local/nginx/conf/nginx.conf

原来是nginx安装时候没有加载 ssl模块 和 http2模块

1)切换到nginx源码包

cd /usr/local/src/nginx-1.11.3
2)查看ngixn原有的模块
/usr/local/nginx/sbin/nginx -V
显示 --prefix=/usr/local/nginx 需要后面加上需要的模块--with-http_stub_status_module --with-http_ssl_module --with-http_v2_module
--with-http_v2_module 是支持http2 的模块 支持http2需要满足 
3)重新配置
./configure --prefix=/usr/local/nginx --with-http_stub_status_module --with-http_ssl_module --with-http_v2_module
4)重新编译,不需要make  install安装。否则会覆盖
make
5)备份原有已经安装好的nginx
cp /usr/local/nginx/sbin/nginx /usr/local/nginx/sbin/nginx.bak
6)将刚刚编译好的nginx覆盖掉原来的nginx(ngixn必须停止)
cp ./objs/nginx /usr/local/nginx/sbin/ 
这时,会提示是否覆盖,请输入yes,直接回车默认不覆盖
7)启动nginx,查看nginx模块,发现已经添加
/usr/local/nginx/sbin/nginx -V 
最后附上完整的ngixn配置:
user nginx nginx;
worker_processes  1;

#error_log  logs/error.log;
#error_log  logs/error.log  notice;
#error_log  logs/error.log  info;

#pid        logs/nginx.pid;


events {
    worker_connections  1024;
}


http {
    include       mime.types;
    default_type  application/octet-stream;

    #log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
    #                  '$status $body_bytes_sent "$http_referer" '
    #                  '"$http_user_agent" "$http_x_forwarded_for"';

    #access_log  logs/access.log  main;
    sendfile        on;
    tcp_nopush          on;
    tcp_nodelay         on;
    keepalive_timeout   65;
    types_hash_max_size 2048;

    gzip  on;
    gzip_min_length  1k;
    gzip_buffers     4 16k;
    gzip_http_version 1.0;
    gzip_comp_level 8;
    gzip_vary on;
    gzip_types text/plain application/x-javascript text/css text/json application/xml text/javascript application/javascript;
    gzip_disable "MSIE";

    server_tokens off;

 #   sendfile        on;
    #tcp_nopush     on;

    #keepalive_timeout  0;
#    keepalive_timeout  65;

    #gzip  on;

    server {
        listen       80;
        server_name  localhost;
	root /data;
        #charset koi8-r;

        #access_log  logs/host.access.log  main;

        location / {
            root   /data;
            index index.php index.html index.htm;
        }

        #error_page  404              /404.html;

        # redirect server error pages to the static page /50x.html
        #
        error_page   500 502 503 504  /50x.html;
        location = /50x.html {
            root  /data;
        }

        # proxy the PHP scripts to Apache listening on 127.0.0.1:80
        #
        #location ~ \.php$ {
        #    proxy_pass   http://127.0.0.1;
        #}

        # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
        #
        location ~ \.php$ {
            root           /data;
            fastcgi_pass   127.0.0.1:9000;
            fastcgi_index  index.php;
            fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
            include        fastcgi_params;
        }

        # deny access to .htaccess files, if Apache's document root
        # concurs with nginx's one
        #
        #location ~ /\.ht {
        #    deny  all;
        #}
    }

server {
    listen 80;
    server_name www.fibst.cn;
    return 301 https://$server_name$request_uri;
}

    server{
	#listen 80;
        listen 443 ssl http2;
        server_name www.fibst.cn;
        ssl on;
	ssl_certificate  cert/www.fibst.cn.pem;
	ssl_certificate_key  cert/www.fibst.cn.key;
	ssl_session_cache shared:SSL:1m;
	ssl_session_timeout  5m;
	ssl_ciphers  HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers   on;

        root /data/suxiaoying/;
        index  index.html index.htm index.php;


        location ~ ^(.*)\/\.svn\/ {
            return 404;
        }

        location / {
            try_files $uri $uri/ /index.php$is_args$args;
        }

        location ~ \.php$ {
             fastcgi_pass   127.0.0.1:9000;
             fastcgi_index  index.php;
             fastcgi_param  SCRIPT_FILENAME $document_root$fastcgi_script_name;
             include fastcgi_params;
        }
    }


}

  

 

posted @ 2018-09-19 14:42  fibst  阅读(2003)  评论(0编辑  收藏  举报