Short version: if you already have the certificate, you can skip straight to modifying the nginx configuration.
Background
I set up a private Docker image registry on my own server using Nexus, and to support the default behaviour of K8s I had to upgrade it to https. It is also possible to allow pulling images over plain http by setting the insecure-registries field in /etc/docker/daemon.json, but unfortunately that configuration did not work under k8s v1.23.6. After wasting nearly two days of precious time, I decided to solve the problem by spending money, and I successfully resolved it after spending 8 dollars (mainly because I bought a domain name). Although upgrading the server to https is not complicated, it was my first time doing it, so I feel it is worth documenting.
Preparing SSL Certificates
Since I bought my server from Alibaba Cloud, I obtained the domain name and certificate directly through Alibaba Cloud. You can see the steps to apply for a free certificate here. Of course, for a company project you still need to spend money on a reliable certificate (over 2k per year, it's too expensive!). It is important to note that before obtaining an SSL certificate you need to prepare a domain name for your server, because the certificate you apply for must be bound to a domain name. SSL certificates that are bound to an IP address do exist, but they are not common (at least not on Alibaba Cloud). After applying for a domain name, the more troublesome part is setting up DNS resolution for it (even DNS resolution services are sold at different tiers... building a website is really expensive! Although there are free options too, QAQ).
Uploading the Certificate to the Server
After obtaining the certificate, you need to upload it to the target server, which can be done using the scp command:
scp fileName user@targetIp:destinationFilePath
After connecting to the remote server, you will be prompted for the password of that user, and the file is then copied to the target server.
Configuring nginx
Modify the server section in /etc/nginx/nginx.conf:
server {
    listen       443 ssl http2 default_server;
    listen       [::]:443 ssl http2 default_server;
    server_name  _;
    root         /usr/share/nginx/html;

    # ssl_certificate takes the certificate (chain) file, ssl_certificate_key the private key.
    ssl_certificate "modify to the path of the certificate file";
    ssl_certificate_key "modify to the path of the private key file";
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 10m;
    # PROFILE=SYSTEM follows the OS crypto policy (RHEL/CentOS); other distributions need an explicit cipher list here.
    ssl_ciphers PROFILE=SYSTEM;
    ssl_prefer_server_ciphers on;

    # Load configuration files for the default server block.
    include /etc/nginx/default.d/*.conf;

    location / {
    }

    error_page 404 /404.html;
    location = /40x.html {
    }

    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
    }
}
The above configuration also enables http2 on the server, which can be considered a small optimization.
After configuring, restart nginx for the change to take effect. You can then verify access with curl -I hostName or test it in a browser. However, if there is a problem with the certificate, you will only see a 502 error in the browser, which is not enough information to locate the specific problem.
Although the content is a bit long, I really enjoy writing this kind of article! Especially one that can be written in less than half an hour; it is really enjoyable.