Preface
The pictures in my blog are served from my own image host (Tencent Cloud + Python + my own domain name). Because it previously used http, the browser blocks the pictures as unsafe links, so I set out to switch it to https seamlessly. This article records the details of the operation.
1. Applying for the certificate
Tencent Cloud provides free 1-year certificates:
https://console.cloud.tencent.com/ssl
Above are the two certificates I applied for.
Note: because these are free one-year certificates, a separate certificate has to be applied for each secondary domain name. The first time, I only applied for the primary domain name, and found that it did not work!
2. Installing and deploying the SSL certificate on the nginx server
We applied above for an SSL certificate of the international encryption standard and are going to deploy it on an Nginx server, so refer to: https://cloud.tencent.com/document/product/400/35244
2.1. Prepare Nginx environment
My server runs Ubuntu, and its default nginx version is too old, so nginx has to be compiled and installed manually:
1) Completely uninstall the original nginx: sudo apt-get autoremove nginx
2) Download, compile, install:

    wget http://nginx.org/download/nginx-1.18.0.tar.gz
    wget http://downloads.sourceforge.net/project/pcre/pcre/8.35/pcre-8.35.tar.gz

    # Install the zlib and OpenSSL packages needed for compiling (if not already installed)
    sudo apt-get install zlib1g-dev
    sudo apt-get install openssl
    sudo apt-get install libssl-dev

    # Install PCRE
    tar zxvf pcre-8.35.tar.gz
    cd pcre-8.35
    sudo ./configure
    sudo make
    sudo make install
    cd ..

    # Install nginx (the extracted directory is nginx-1.18.0, not the .tar.gz file)
    tar zxvf nginx-1.18.0.tar.gz
    cd nginx-1.18.0
    sudo ./configure --prefix=/usr/local/nginx --with-http_stub_status_module --with-http_ssl_module
    sudo make
    sudo make install

Note:
- The old Nginx needs to be completely deleted.
- The nginx configure options must include --with-http_ssl_module, otherwise SSL cannot be used (an error is reported when running ./sbin/nginx -t).
- If configure fails with "./configure: error: SSL modules require the OpenSSL library.", libssl-dev needs to be installed (see reference [10], "Error in compiling nginx with Ubuntu solution").
3) Create the nginx symbolic link
After installation, create an nginx symbolic link in /usr/bin:

    sudo ln -s /usr/local/nginx/sbin/nginx /usr/bin/nginx

2.2. Certificate deployment
Reference: https://cloud.tencent.com/document/product/400/35244
1) In the SSL certificate management console, select the certificate you need to install and click Download.
2) Send the downloaded archive to the remote server with scp or a similar method. After decompression:

    ➜  tuchuang.beautifulzzzz.com_nginx tree
    .
    ├── tuchuang.beautifulzzzz.com_bundle.crt   Certificate file
    ├── tuchuang.beautifulzzzz.com_bundle.pem   Certificate file (this file can be ignored)
    ├── tuchuang.beautifulzzzz.com.csr          CSR file
    └── tuchuang.beautifulzzzz.com.key          Private key file

3) Copy the crt and key files to the nginx conf directory:

    cd /usr/local/nginx/conf
    mv ~/Download/tuchuang.beautifulzzzz.com_nginx/tuchuang.beautifulzzzz.com.key ./
    mv ~/Download/tuchuang.beautifulzzzz.com_nginx/tuchuang.beautifulzzzz.com_bundle.crt ./

2.3. Nginx configuration
Edit the configuration file by running vim /usr/local/nginx/conf/nginx.conf on the command line:

    server {
        # The SSL access port number is 3000
        listen 3000 ssl;
        # Fill in the domain name bound to the certificate
        server_name tuchuang.beautifulzzzz.com;
        # Certificate file name
        ssl_certificate tuchuang.beautifulzzzz.com_bundle.crt;
        # Private key file name
        ssl_certificate_key tuchuang.beautifulzzzz.com.key;
        ssl_session_timeout 5m;
        # Please configure according to the following protocols
        ssl_protocols TLSv1.2 TLSv1.3;
        # Please configure the cipher suites as follows. The syntax follows the openssl standard.
        ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;
        ssl_prefer_server_ciphers on;

        # nginx port remapping can be written as follows:
        # a request to https://tuchuang.beautifulzzzz.com:3000 is mapped to http://127.0.0.1:8000
        location / {
            proxy_pass http://127.0.0.1:8000;
        }

        #location / {   # <-- if you don't need nginx port remapping, you can write it like this
        #    # The path to the home page of the website. This path is for reference only; use your actual directory.
        #    # For example, if the running directory of your website is /etc/www, fill in /etc/www.
        #    root html;
        #    index index.html index.htm;
        #}
    }

Because the links to my earlier image-host pictures are http and I don't want to change the original links, this can be handled through nginx remapping:

    server {
        listen 3000;
        # Fill in the domain name bound to the certificate
        server_name tuchuang.beautifulzzzz.com;
        # Convert the request from http to https.
        # $host carries no port, so $server_port is appended to stay on port 3000.
        rewrite ^(.*)$ https://$host:$server_port$1 permanent;
        #return 301 https://$host:$server_port$request_uri;
    }

In this way, every browser request to http://tuchuang.beautifulzzzz.com:3000 is automatically redirected to https://tuchuang.beautifulzzzz.com:3000, which, with the help of the configuration above, is finally proxied to http://127.0.0.1:8000.
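nginx applies the ssl flag of a listen directive to the whole listening socket, so when both server blocks share port 3000 a plain-HTTP request arrives at the TLS listener and is answered with nginx's internal status 497 ("plain HTTP request was sent to HTTPS port") rather than by a rewrite in a second server block. The single-server variant below is an added example, not the author's configuration; it reuses the page's names and file paths and issues the redirect with error_page 497:

```nginx
server {
    # One TLS listener on port 3000 handles both https and stray http requests;
    # a separate "listen 3000;" server block is not needed.
    listen 3000 ssl;
    server_name tuchuang.beautifulzzzz.com;

    ssl_certificate     tuchuang.beautifulzzzz.com_bundle.crt;
    ssl_certificate_key tuchuang.beautifulzzzz.com.key;
    ssl_session_timeout 5m;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;
    ssl_prefer_server_ciphers on;

    # 497 is raised when a client speaks plain HTTP to this TLS port.
    # Answer it with a permanent redirect to the same host, port and URI over https.
    # $host contains no port, so $server_port (3000 here) is appended explicitly.
    error_page 497 =301 https://$host:$server_port$request_uri;

    # Old http:// picture links end up here after the redirect.
    location / {
        proxy_pass http://127.0.0.1:8000;
    }
}
```

To check it, run curl -I http://tuchuang.beautifulzzzz.com:3000/ and confirm the response is a 301 whose Location header starts with https://tuchuang.beautifulzzzz.com:3000/.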
Finally, you can verify whether there is a problem with the configuration file by executing the following command in the root directory of Nginx:
./sbin/nginx -t
If there is no problem, run the following command to reload nginx (if an nginx.pid error is reported, refer to reference [8]):
nginx -s reload
Note: it seems that markdown and curl cannot automatically convert http to https.
3. Finally
When publishing this blog post, if you can see the picture without warning in the browser, it means that our above operation is successful!
In fact, there is still a little work to be done - that is to update the script for uploading pictures:
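
    ➜  Pictures cat run.sh
    #!/bin/bash

    # Upload the image to the image host.
    # Assumption: the image to upload is passed as the first argument.
    ret=`curl https://tuchuang.beautifulzzzz.com:3000/api/v1/upimg -F "file=@$1" -H "token: password" -v`

    # Keep a running picture counter in tuchuang.log
    cnt=1
    if [ ! -f "tuchuang.log" ]; then
        echo $cnt > tuchuang.log
    else
        cnt=`cat tuchuang.log`
        cnt=$((cnt+1))
        echo $cnt > tuchuang.log
    fi

    echo ""
    echo "$ret" | jq .

    # Extract data.path from the JSON response and strip the quotes
    param=`echo "$ret" | jq .data.path | sed 's:\"::g'`
    echo "[p$cnt]:https://tuchuang.beautifulzzzz.com:3000/?path=$param"
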
Reference links
[1]. How to select SSL certificate installation deployment type?
[2]. Nginx server SSL certificate installation and deployment (RSA)
[3]. How does the server open port 443? -> Add security group rule
[4]. Is an SSL certificate a domain name certificate?
[5]. The upper part of centos7 deploys Nginx to implement https and http redirection
[6]. ubuntu18.04 installing nginx1.18.0 - installation records
[7]. nginx: [emerg] the "ssl" parameter requires ngx_http_ssl_module
[8]. Solve Nginx: [error] open() "/usr/local/nginx/logs/nginx.pid" failed (2: No such file or directory)
[9]. Let your website support HTTPS and Nginx smooth upgrade for free
[10]. Error in compiling nginx with Ubuntu solution
[11]. Self built drawing bed server