若未安装Nginx,通过以下命令安装:
sudo apt update sudo apt install nginx 安装完成后,Nginx会自动启动,可通过systemctl status nginx验证状态。
Let’s Encrypt提供免费SSL证书,通过Certbot可简化申请与自动续期流程:
sudo apt install certbot python3-certbot-nginx yourdomain.com和www.yourdomain.com为你的实际域名:sudo certbot --nginx -d yourdomain.com -d www.yourdomain.com Certbot通常会自动修改Nginx配置文件(位于/etc/nginx/sites-available/yourdomain.com),核心配置如下:
fullchain.pem为证书链,privkey.pem为私钥)。若选择手动配置,需完成以下步骤:
.crt)、私钥(.key)及中间证书(若有)上传至服务器,建议存放于/etc/ssl/certs/(证书)和/etc/ssl/private/(私钥)目录;/etc/nginx/sites-available/yourdomain.com,添加以下内容:server { listen 80; server_name yourdomain.com www.yourdomain.com; return 301 https://$host$request_uri; # 强制HTTP跳转HTTPS } server { listen 443 ssl; server_name yourdomain.com www.yourdomain.com; # 证书路径 ssl_certificate /etc/ssl/certs/yourdomain.com.crt; ssl_certificate_key /etc/ssl/private/yourdomain.com.key; # 加密配置(推荐) ssl_protocols TLSv1.2 TLSv1.3; # 仅启用TLS 1.2及以上版本 ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384'; # 高强度加密套件 ssl_prefer_server_ciphers on; # 优先使用服务器端加密套件 # 可选安全增强 ssl_trusted_certificate /etc/ssl/certs/chain.pem; # 中间证书(若有) add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"; # 启用HSTS # 网站根目录 root /var/www/yourdomain.com; index index.html index.htm; } sites-enabled目录:sudo ln -s /etc/nginx/sites-available/yourdomain.com /etc/nginx/sites-enabled/ sudo nginx -t Syntax OK,则继续下一步;若有错误,根据提示修改配置文件。sudo systemctl restart nginx sudo systemctl reload nginx https://yourdomain.com,确认地址栏显示锁图标(表示HTTPS连接成功);curl命令检查SSL握手:curl -I https://yourdomain.com HTTP/2 200,则表示SSL配置生效。Let’s Encrypt证书有效期为90天,Certbot会自动创建cron任务续期,但需验证续期流程:
sudo certbot renew --dry-run Congratulations, all renewals succeeded,则表示续期正常;--post-hook "systemctl reload nginx"),无需手动操作。通过以上步骤,即可在Debian系统上为Nginx成功配置SSL证书,实现HTTPS安全访问。
