In website development, the security of data in transit has become increasingly important. If your website still uses plain HTTP, users' account passwords, browsing data, and other information can be read or altered by a man-in-the-middle attacker sitting on the network path. HTTPS (HTTP Secure) uses SSL/TLS to encrypt data during transmission, significantly improving website security. In addition, search engines favor HTTPS websites, and modern browsers display a "Not Secure" warning for HTTP sites, which erodes user trust. Configuring HTTPS is therefore an essential skill.
## 1. Obtaining an SSL Certificate
To configure HTTPS, you first need an SSL certificate. We recommend using Let’s Encrypt, a free certificate provided by a non-profit organization with a 90-day validity period and automatic renewal support, making it suitable for personal and small websites. To obtain the certificate, use the Certbot tool with the following steps:
### 1.1 Install Certbot

On Ubuntu/Debian systems, run the following commands to install Certbot and its Nginx plugin:

```bash
sudo apt update
sudo apt install certbot python3-certbot-nginx
```
### 1.2 Obtain and Install the Certificate
Run the Certbot command, specifying your domain(s) (e.g., example.com and www.example.com):
```bash
sudo certbot --nginx -d example.com -d www.example.com
```

- `--nginx`: Certbot modifies the Nginx configuration itself, without manual intervention.
- `-d`: Specifies the domain(s) to encrypt; repeat the flag as in the example above, or pass a comma-separated list.
After execution, Certbot will automatically verify domain ownership, download the certificate, and modify Nginx configuration (including automatic redirection from HTTP to HTTPS).
## 2. Verifying Certificate Installation
After installation, Certbot will output a success message. Verify the setup with these methods:
- Check Certificate Status: Run `certbot certificates` to view the certificate path (e.g., `/etc/letsencrypt/live/example.com/`).
- Access the Website: Open a browser and visit https://example.com. The address bar will show a padlock icon. Click the icon to view certificate details and confirm the issuer is Let’s Encrypt.
## 3. Nginx Configuration Details
Certbot modifies the Nginx configuration automatically, but understanding the core parameters helps when troubleshooting. By default, two key server blocks are added to the site configuration file (typically `/etc/nginx/sites-available/yourdomain.com`):
### 3.1 Listen on Port 443 with HTTPS Enabled

```nginx
server {
    listen 443 ssl;  # Listen on HTTPS port 443
    server_name example.com www.example.com;  # Your domain(s)

    # Paths to SSL certificate and private key (auto-generated by Certbot)
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    # Optional: Encryption protocols and ciphers (Certbot optimizes these by default; ignore for beginners)
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384';
}
```
### 3.2 HTTP to HTTPS Redirection

Certbot adds a redirection rule to the port-80 server block so that plain HTTP requests are sent to HTTPS:

```nginx
server {
    listen 80;  # Listen on HTTP port 80
    server_name example.com www.example.com;

    # Redirect to HTTPS (301 permanent redirect), keeping the host and the requested path
    return 301 https://$host$request_uri;
}
```
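The two server blocks above are small enough to check mechanically. The following is an added example (not code from the original article, and not part of Certbot or Nginx) that parses flat server blocks like the ones Certbot writes and reports the mistakes a reviewer would look for: a 443 block without `ssl`, missing certificate paths, legacy TLS versions enabled, and an HTTP block that serves content instead of redirecting, uses a temporary redirect, or drops the request path. The parser is deliberately minimal and assumes no nested `location {}` blocks; `GOOD_CONFIG` and `WEAK_CONFIG` are constructed samples.

```python
"""Lint Certbot-style Nginx server blocks for common HTTPS mistakes.

Added example, not from the original article. The directive parser is
intentionally simple: it handles flat server {...} blocks (the shape Certbot
produces) and does not support nested location {} blocks.
"""
import re

# Protocol versions that should never be enabled on a modern site.
WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}


def parse_server_blocks(config_text):
    """Return one dict per top-level server block.

    Each dict maps a directive name to a list of argument lists (a directive
    such as `listen` may appear several times). Comments are stripped first.
    """
    text = re.sub(r"#.*", "", config_text)
    blocks = []
    for body in re.findall(r"server\s*\{(.*?)\}", text, flags=re.S):
        directives = {}
        for statement in body.split(";"):
            parts = statement.split()
            if parts:
                directives.setdefault(parts[0], []).append(parts[1:])
        blocks.append(directives)
    return blocks


def _listens_on(block, port):
    # `listen 443 ssl;` -> "443"; `listen [::]:443 ssl;` -> "443"
    return any(args and args[0].split(":")[-1] == port
               for args in block.get("listen", []))


def check_https_config(config_text):
    """Return a list of findings; an empty list means the config matches the
    pattern described above (TLS on 443, 301 redirect on 80)."""
    findings = []
    blocks = parse_server_blocks(config_text)
    https_blocks = [b for b in blocks if _listens_on(b, "443")]
    http_blocks = [b for b in blocks if _listens_on(b, "80")]

    if not https_blocks:
        findings.append("no server block listens on 443")
    for b in https_blocks:
        if not any("ssl" in args for args in b["listen"]):
            findings.append("443 block: listen directive lacks the 'ssl' parameter")
        for directive in ("ssl_certificate", "ssl_certificate_key"):
            if directive not in b:
                findings.append(f"443 block: missing {directive}")
        for args in b.get("ssl_protocols", []):
            weak = sorted(WEAK_PROTOCOLS & set(args))
            if weak:
                findings.append("443 block: weak protocols enabled: " + ", ".join(weak))

    if not http_blocks:
        findings.append("no server block listens on 80 (HTTP requests will not be redirected)")
    for b in http_blocks:
        returns = b.get("return", [])
        if not returns:
            findings.append("80 block: serves content over plain HTTP instead of redirecting")
            continue
        code = returns[0][0]
        target = returns[0][1] if len(returns[0]) > 1 else ""
        if code != "301":
            findings.append(f"80 block: redirect uses {code}, expected 301")
        if not target.startswith("https://"):
            findings.append("80 block: redirect target is not https://")
        if "$request_uri" not in target:
            findings.append("80 block: redirect drops the request path ($request_uri missing)")
    return findings


# Constructed sample matching the configuration shown above.
GOOD_CONFIG = """
server {
    listen 443 ssl;  # HTTPS
    server_name example.com www.example.com;
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
}
server {
    listen 80;
    server_name example.com www.example.com;
    return 301 https://$host$request_uri;
}
"""

# Constructed weak variant: legacy TLS enabled, temporary redirect that
# also loses the requested path.
WEAK_CONFIG = """
server {
    listen 443 ssl;
    server_name example.com;
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
}
server {
    listen 80;
    server_name example.com;
    return 302 https://example.com/;
}
"""

if __name__ == "__main__":
    for name, cfg in (("good", GOOD_CONFIG), ("weak", WEAK_CONFIG)):
        print(name, check_https_config(cfg) or ["ok"])
```

To check a real site configuration, read the file from `/etc/nginx/sites-available/` and pass its contents to `check_https_config()`; the function only inspects the two blocks the article describes, so additional blocks (for example a second virtual host) are reported by port rather than by file position.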
## 4. Configuration Validation and Restart
After modifying Nginx configuration, validate syntax and restart the service:
1. Check Configuration Syntax: Run `nginx -t`. If the output shows `nginx: configuration file /etc/nginx/nginx.conf test is successful`, the configuration is valid.
2. Restart Nginx: Execute `sudo systemctl restart nginx` (or `service nginx restart`).
## 5. Common Issues and Solutions
- Certificate Path Error: Run `certbot certificates` to check the certificate path and ensure it matches the path in the Nginx configuration.
- Permission Issues: The Nginx process (usually `www-data`) needs to read the certificate files. Note that `/etc/letsencrypt/live/` only holds symlinks into `/etc/letsencrypt/archive/`, and a directory must carry the execute bit to be traversed, so set ownership and permissions on both trees rather than applying a flat `chmod 640` to the `live/` directory:

  ```bash
  sudo chown -R root:www-data /etc/letsencrypt/live /etc/letsencrypt/archive
  # u=rwX,g=rX,o= yields 640 on files and 750 on directories (X adds execute only to directories)
  sudo chmod -R u=rwX,g=rX,o= /etc/letsencrypt/live /etc/letsencrypt/archive
  ```

- Firewall Blocking Port 443: For Ubuntu/Debian users, run `sudo ufw allow 'Nginx Full'` to open ports 80 and 443.
## 6. Certificate Automatic Renewal
Let’s Encrypt certificates expire every 90 days. Certbot automatically schedules renewal. Test renewal with:
```bash
sudo certbot renew --dry-run
```

If the output shows `Successfully received certificate`, automatic renewal is working.
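The padlock check from section 2 (is the issuer Let's Encrypt, does the certificate cover the hostname?) and the renewal concern from section 6 (is the certificate drifting toward expiry because the renewal timer silently failed?) can be combined into one script-based check that runs from cron or a monitoring host. This is an added example, not code from the original article or from Certbot. `fetch_peercert()` needs network access to the target host; `evaluate_peercert()` works on the dict format returned by `ssl.SSLSocket.getpeercert()`, so it can be tested offline with `SAMPLE_CERT`, a constructed dict in that shape rather than a real certificate. The 30-day threshold is Certbot's default renewal margin.

```python
"""Check a live HTTPS endpoint for issuer, hostname coverage and days to expiry.

Added example, not from the original article. fetch_peercert() performs a
verified TLS handshake (network required); evaluate_peercert() is pure and
operates on the getpeercert() dict so it can be tested offline.
"""
import socket
import ssl
from datetime import datetime, timezone

# Certbot renews once fewer than 30 days remain; a live certificate inside
# that window means the renewal timer or cron job is probably not running.
RENEWAL_MARGIN_DAYS = 30


def fetch_peercert(hostname, port=443, timeout=5.0):
    """Connect with certificate verification enabled and return the peer
    certificate dict. An untrusted issuer or hostname mismatch raises
    ssl.SSLCertVerificationError before any data is exchanged."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


def _rdn_value(name_tuple, key):
    # getpeercert() encodes names as a tuple of RDNs, each a tuple of (key, value) pairs.
    for rdn in name_tuple:
        for k, v in rdn:
            if k == key:
                return v
    return None


def evaluate_peercert(cert, hostname, now):
    """Return a dict of the checks a browser padlock click would show by hand.

    `now` must be a timezone-aware datetime so the arithmetic is unambiguous.
    """
    issuer_org = _rdn_value(cert.get("issuer", ()), "organizationName")
    san_hosts = {value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"}
    # cert_time_to_seconds() parses the "Jun  1 12:00:00 2024 GMT" format used by getpeercert().
    not_after = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc)
    days_left = (not_after - now).days
    return {
        "issuer_org": issuer_org,
        "issued_by_lets_encrypt": issuer_org == "Let's Encrypt",
        "covers_hostname": hostname in san_hosts,
        "days_left": days_left,
        "renewal_overdue": days_left < RENEWAL_MARGIN_DAYS,
    }


# Constructed sample in the shape getpeercert() returns for a Let's Encrypt
# leaf certificate; dates and subject are made up for the example.
SAMPLE_CERT = {
    "subject": ((("commonName", "example.com"),),),
    "issuer": ((("countryName", "US"),),
               (("organizationName", "Let's Encrypt"),),
               (("commonName", "R3"),)),
    "notBefore": "Mar  1 00:00:00 2024 GMT",
    "notAfter": "May 30 00:00:00 2024 GMT",
    "subjectAltName": (("DNS", "example.com"), ("DNS", "www.example.com")),
}

if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "example.com"
    result = evaluate_peercert(fetch_peercert(host), host, datetime.now(timezone.utc))
    print(result)
    # Non-zero exit lets cron or a monitoring wrapper raise an alert.
    sys.exit(0 if result["covers_hostname"] and not result["renewal_overdue"] else 1)
```

Run it as `python3 check_tls.py example.com` after deployment and again from a scheduled job: the exit status turns a quietly broken renewal into an alert well before the browser starts showing the "Not Secure" warning.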
## 7. Summary
By using Certbot to obtain a free Let's Encrypt certificate and configuring Nginx to listen on port 443 with an automatic redirect from port 80, you can enable HTTPS in a few minutes. HTTPS not only protects data in transit but also improves SEO and user experience, making it a necessary configuration for modern websites.