若未安装Nginx,通过以下命令安装:
sudo apt update
sudo apt install nginx
安装完成后,Nginx会自动启动,可通过systemctl status nginx验证状态。
Let’s Encrypt提供免费SSL证书,通过Certbot可简化申请与自动续期流程:
sudo apt install certbot python3-certbot-nginx
yourdomain.com和www.yourdomain.com为你的实际域名:sudo certbot --nginx -d yourdomain.com -d www.yourdomain.com
Certbot通常会自动修改Nginx配置文件(位于/etc/nginx/sites-available/yourdomain.com),核心配置如下:
fullchain.pem为证书链,privkey.pem为私钥)。若选择手动配置,需完成以下步骤:
.crt)、私钥(.key)及中间证书(若有)上传至服务器,建议存放于/etc/ssl/certs/(证书)和/etc/ssl/private/(私钥)目录;/etc/nginx/sites-available/yourdomain.com,添加以下内容:server {
listen 80;
server_name yourdomain.com www.yourdomain.com;
return 301 https://$host$request_uri; # 强制HTTP跳转HTTPS
}
server {
listen 443 ssl;
server_name yourdomain.com www.yourdomain.com;
# 证书路径
ssl_certificate /etc/ssl/certs/yourdomain.com.crt;
ssl_certificate_key /etc/ssl/private/yourdomain.com.key;
# 加密配置(推荐)
ssl_protocols TLSv1.2 TLSv1.3; # 仅启用TLS 1.2及以上版本
ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384'; # 高强度加密套件
ssl_prefer_server_ciphers on; # 优先使用服务器端加密套件
# 可选安全增强
ssl_trusted_certificate /etc/ssl/certs/chain.pem; # 中间证书(若有)
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"; # 启用HSTS
# 网站根目录
root /var/www/yourdomain.com;
index index.html index.htm;
}
sites-enabled目录:sudo ln -s /etc/nginx/sites-available/yourdomain.com /etc/nginx/sites-enabled/
sudo nginx -t
Syntax OK,则继续下一步;若有错误,根据提示修改配置文件。sudo systemctl restart nginx
sudo systemctl reload nginx
https://yourdomain.com,确认地址栏显示锁图标(表示HTTPS连接成功);curl命令检查SSL握手:curl -I https://yourdomain.com
HTTP/2 200,则表示SSL配置生效。Let’s Encrypt证书有效期为90天,Certbot会自动创建cron任务续期,但需验证续期流程:
sudo certbot renew --dry-run
Congratulations, all renewals succeeded,则表示续期正常;--post-hook "systemctl reload nginx"),无需手动操作。通过以上步骤,即可在Debian系统上为Nginx成功配置SSL证书,实现HTTPS安全访问。