Before setting up HTTPS access, open port 443 in the security group. Otherwise, HTTPS access will not be available.

There are two ways to configure HTTPS; choose the one that fits your situation:

Configuration Method 1: Using your own certificate

If you have already applied for a certificate (make sure the certificate is available), use the following configuration:

  1. Suppose your application can be accessed at http://domain
  2. Upload the certificate to the certificate directory /data/cert (if there is no cert directory, you can create it yourself)
  3. Copy the HTTPS template below into /etc/nginx/conf.d/default, and make sure the template is inserted between the —SSL Start— and —SSL End— markers

     ```nginx
     server {
         listen 80;
         server_name www.yourdomain.com;

         location / {
             proxy_pass http://127.0.0.1:8088;
             proxy_connect_timeout 300s;
             proxy_send_timeout 900;
             proxy_read_timeout 900;
             proxy_buffer_size 32k;
             proxy_buffers 4 32k;
             proxy_busy_buffers_size 64k;
             proxy_redirect off;
             proxy_hide_header Vary;
             proxy_set_header Accept-Encoding '';
             proxy_set_header Host $http_host;
             proxy_set_header Referer $http_referer;
             proxy_set_header Cookie $http_cookie;
             proxy_set_header X-Real-IP $remote_addr;
             proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
             proxy_set_header X-Forwarded-Proto $scheme;
         }

         # —SSL Start—
         listen 443 ssl;
         ssl_certificate /data/cert/xxx.crt;
         ssl_certificate_key /data/cert/xxx.key;
         ssl_session_timeout 5m;
         # TLSv1 and TLSv1.1 are deprecated (RFC 8996); drop them unless legacy clients need them
         ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
         ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;
         ssl_prefer_server_ciphers on;

         # 301 redirect http => https
         #if ($scheme != "https") { return 301 https://$host$request_uri; }
         # —SSL End—
     }
     ```

  4. Modify some parameters according to your actual situation
     - Replace www.yourdomain.com with your real domain
     - Make sure ssl_certificate /data/cert/xxx.crt points to the real path of your certificate
     - Make sure ssl_certificate_key /data/cert/xxx.key points to the real path of your certificate key
  5. If you want HTTP redirected to HTTPS, remove the # from the redirect at the end of the HTTPS template so that it reads as below

     ```nginx
     if ($scheme != "https") { return 301 https://$host$request_uri; }
     ```

  6. Save it, then restart Nginx

     ```shell
     systemctl restart nginx
     ```

Configuration Method 2: Using Let’s Encrypt

You can use free SSL/TLS certificates from Let’s Encrypt in this image. Let’s Encrypt is a free, automated, and open Certificate Authority.

Before using a Let’s Encrypt certificate for your site, make sure that the site is already bound to its domain name, which means that the ServerName parameter in the HTTP profile template contains the correct domain.

  1. Starting the Let’s Encrypt configuration takes just one command

     ```shell
     certbot
     ```

  2. If certbot is not included in your image, install it first

     ```shell
     apt install python3-certbot-nginx
     ```

  3. Enter the corresponding content according to the prompts

     You can select multiple domains by entering 1,2 at the step “Which names would you like to activate HTTPS for?”

  4. After the above steps are completed, certbot automatically places the certificate in the directory /etc/letsencrypt/live/

  5. Visit the site over HTTPS to confirm that the configuration succeeded

  6. Let’s Encrypt certificates must be renewed every three months, so you can set up automatic renewal with a crontab job

     ```shell
     # Entries in /etc/crontab need a user field (root) before the command
     echo "0 0,12 * * * root python3 -c 'import random; import time; time.sleep(random.random() * 3600)' && certbot renew" >> /etc/crontab
     ```

FAQ

Note on the application of the certificate

  • *.domain.com is a wildcard domain name and cannot be used to apply for a free certificate
  • When applying for a certificate, resolve the domain name first. Some certificates are bound to the IP address that the domain name resolves to, which means the IP address cannot be changed once the certificate has been applied for; otherwise the certificate will no longer be usable

Why does the browser show “the connection established with this site is not completely secure” even though the setup was successful?

If the site can be visited over HTTPS, your HTTPS settings are working. The browser warns that the website is not completely secure because the site contains static files loaded over HTTP, external links, and so on.