# Nginx Deployment

**I. Acquiring PEM-formatted certificate public and private keys**

First, log in to the SSL console: <https://console.scloudsg.com/ussl/ussl>, then download the certificate.

Certificate format: pem for nginx (after downloading the certificate, open the Nginx folder).

After decompression you will have two files: the file with the .pem suffix contains the certificate's public key plus the CA certificate (e.g., public.pem), and the file with the .key suffix is the private key (e.g., private.key).

**II. Deploy the certificate in Nginx and optimize the SSL configuration**

Go to the conf directory of nginx, find the nginx.conf file, and modify or configure it as follows:

    server {
        listen       443;  # for nginx 1.15 and above, change to: listen 443 ssl;
        server_name  www.trustasia.com;  # your domain, such as www.abc.com
        ssl                  on;  # deprecated since nginx 1.15; remove when using "listen 443 ssl;"
        ssl_certificate      /xxx/xxx/server.pem;  # Configure according to actual path and filename
        ssl_certificate_key  /xxx/xxx/server.key;  # Configure according to actual path and filename
        ssl_session_timeout  5m;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;  # Configure according to this protocol
        ssl_ciphers  ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;  # Configure according to this suite
        ssl_prefer_server_ciphers   on;
        location / {
            root   html;  # Site directory
            index  index.html index.htm;
        }
    }

Below are the explanations for the configuration file parameters:

listen 443

The port number for SSL access is 443

-----

ssl on

Enables the SSL function

-----

ssl\_certificate

Certificate file (server.pem)

-----

ssl\_certificate\_key

Private key file (server.key)

-----

ssl\_protocols

Protocols in use

-----

ssl\_ciphers

Configures the cipher suites; the syntax follows the openssl standard

After configuring, run bin/nginx -t to test the configuration for errors. If there are no errors, it is recommended to restart nginx.

**III. Using full-site encryption and auto-redirecting http to https (optional)** 

Users either do not know about https, or know about it but do not bother to type it. Hence the requirement to redirect http requests to https automatically at the server level.

On the server side, a JS script can be added to the webpage, the redirect can be coded into the backend, or the web server itself can perform the redirect. Nginx supports rewrite (as long as pcre was not removed during compilation).

In the http server, add:

    rewrite ^(.*) https://$host$1 permanent;

This allows requests coming in at port 80 to be redirected to https.
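The two server blocks below combine sections II and III into one configuration, as an added example that is not part of the original page. The domain www.example.com and the /xxx/xxx/ paths are placeholders, and the `ssl_protocols` line departs from the listing in section II: it drops TLSv1 and TLSv1.1 (deprecated by RFC 8996) and adds TLSv1.3, which assumes nginx 1.13.0 or later built against OpenSSL 1.1.1 or later.

```nginx
# Added example; both blocks go inside the http { } context of nginx.conf.
# Domain and file paths are placeholders, adjust them to your site.

# Port 80: plain HTTP, redirect every request to HTTPS (section III).
server {
    listen       80;
    server_name  www.example.com;               # placeholder domain

    # Same directive as in section III; "permanent" returns a 301.
    rewrite ^(.*) https://$host$1 permanent;
}

# Port 443: TLS endpoint (section II), written in the nginx 1.15+ form.
server {
    listen       443 ssl;                       # replaces "listen 443;" plus "ssl on;"
    server_name  www.example.com;               # placeholder domain

    ssl_certificate      /xxx/xxx/server.pem;   # certificate + CA certificate
    ssl_certificate_key  /xxx/xxx/server.key;   # private key
    ssl_session_timeout  5m;

    # Assumption of this example: TLS 1.0 and 1.1 removed, TLS 1.3 added.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers   ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;
    ssl_prefer_server_ciphers on;

    location / {
        root   html;                            # site directory
        index  index.html index.htm;
    }
}
```

As in section II, run bin/nginx -t after editing and restart nginx only if the test reports no errors.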
