In short: once you have the certificate, it is just a matter of editing the nginx configuration.
Background
I have set up a private Docker image registry with Nexus on my own server. Kubernetes expects a registry to be served over HTTPS by default, so I had to upgrade it to HTTPS. It is also possible to allow image pulls over plain HTTP by setting the "insecure-registries" field in /etc/docker/daemon.json; unfortunately, that setting does not work under k8s v1.23.6. After wasting nearly two days on it, I decided to solve the problem by spending money, following the principle of not stubbornly persisting with problems that money can solve. For 8 dollars (mostly the domain name) the issue was resolved. Upgrading the server to HTTPS is not complicated, but as it was my first time doing it, I felt it was worth documenting.
Preparing SSL Certificates
Since I purchased my server from Alibaba Cloud, I obtained the domain name and certificate directly from Alibaba Cloud. You can refer to this link for the steps to apply for a free certificate. For a company project, however, it is still necessary to pay for a reliable certificate (over 2,000 dollars a year, which is too expensive!). Note that before obtaining an SSL certificate you need to prepare a domain name for your server, because the certificate is bound to a domain name. SSL certificates bound to an IP address do exist, but they are not common (at least not on Alibaba Cloud). After registering a domain name, the more troublesome part is setting up DNS resolution for it (even DNS resolution services are sold at different prices... building a website is really expensive! Although there are also free options, QAQ).
Uploading the Certificate to the Server
After obtaining the certificate, you need to upload it to the target server. You can use the "scp" command:
scp fileName user@targetIp:destinationFilePath
scp connects to the remote server and prompts for the remote user's password; after it is verified, the file is copied to the target path on the server.
Configuring nginx
Modify the "server" section in /etc/nginx/nginx.conf:
server {
    listen 443 ssl http2 default_server;
    listen [::]:443 ssl http2 default_server;
    server_name _;
    root /usr/share/nginx/html;
    ssl_certificate "<path to the certificate file>";       # the certificate (PEM, with its chain), not the key
    ssl_certificate_key "<path to the private key file>";   # the private key that belongs to that certificate
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 10m;
    ssl_ciphers PROFILE=SYSTEM;
    ssl_prefer_server_ciphers on;
    # Load configuration files for the default server block.
    include /etc/nginx/default.d/*.conf;
    location / {
    }
    error_page 404 /404.html;
    location = /404.html {    # must match the error_page path above
    }
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
    }
}
In the above configuration I also enabled HTTP/2 on the server, which counts as a small optimization.
After editing the configuration, restart nginx for the change to take effect. Then verify access with "curl -I hostName". You can also test it in a browser, but if there is a problem with the certificate the browser only shows a 502 error, without enough information to locate the specific problem.
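The upload, configuration and restart steps above, wrapped into pre-flight checks as an added example (this is not code from the original post). The idea is to catch a wrong certificate path, a key readable by everyone, or a key that does not belong to the certificate before nginx is reloaded, rather than seeing only an unhelpful error in the browser afterwards. It assumes POSIX sh with awk, grep and find; upload_cert and tls_smoke_test additionally need scp/ssh, openssl, nginx and curl on the relevant machines, and the remote directory /etc/nginx/ssl is an assumed location, not one from the post.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumptions: POSIX sh with
# awk/grep/find; upload_cert and tls_smoke_test need scp/ssh, openssl, nginx and
# curl and are not run automatically. /etc/nginx/ssl is a hypothetical remote path.

# Step 1 (the scp step from the post): copy certificate and key to the server and
# make the key readable by root only.
upload_cert() {
    cert="$1"; key="$2"; target="$3"          # target: user@targetIp
    scp "$cert" "$key" "$target:/etc/nginx/ssl/" || return 1
    ssh "$target" "chmod 600 /etc/nginx/ssl/$(basename "$key")"
}

# Value of the first occurrence of a directive in an nginx config, quotes and ';' stripped.
nginx_directive() {
    awk -v d="$2" '$1 == d { v = $2; gsub(/[";]/, "", v); print v; exit }' "$1"
}

# Step 2: static checks on the edited config. Non-zero return with the reason on stderr.
check_tls_config() {
    conf="$1"
    grep -Eq '^[[:space:]]*listen[[:space:]].*[[:space:]]ssl([[:space:]]|;)' "$conf" \
        || { echo "$conf: no 'listen ... ssl' directive" >&2; return 1; }
    cert=$(nginx_directive "$conf" ssl_certificate)
    key=$(nginx_directive "$conf" ssl_certificate_key)
    [ -n "$cert" ] || { echo "$conf: ssl_certificate not set" >&2; return 1; }
    [ -n "$key" ]  || { echo "$conf: ssl_certificate_key not set" >&2; return 1; }
    [ -r "$cert" ] || { echo "certificate file missing or unreadable: $cert" >&2; return 1; }
    [ -r "$key" ]  || { echo "private key missing or unreadable: $key" >&2; return 1; }
    # The private key must not be group- or world-readable (POSIX find, no GNU-only flags).
    if find "$key" \( -perm -040 -o -perm -004 \) -print | grep -q .; then
        echo "private key is group/world readable, run: chmod 600 $key" >&2
        return 1
    fi
    return 0
}

# Step 3: live checks, reload, then verify from outside as the post does with curl -I.
# conf must be the full nginx.conf, since nginx -t needs the surrounding http block.
tls_smoke_test() {
    conf="$1"; host="$2"
    check_tls_config "$conf" || return 1
    cert=$(nginx_directive "$conf" ssl_certificate)
    key=$(nginx_directive "$conf" ssl_certificate_key)
    # Same public key on both sides means the key really belongs to this certificate.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$key" -pubout | openssl sha256)
    [ "$cert_pub" = "$key_pub" ] || { echo "certificate and private key do not match" >&2; return 1; }
    nginx -t -c "$conf" || return 1       # parse and open all files before touching the running server
    nginx -s reload || return 1
    # curl validates the chain against the system CA store and checks the name against
    # $host, so an untrusted certificate or one issued for another name fails here with
    # a readable message instead of a bare status code.
    curl -sSI "https://$host/" >/dev/null
}
```

Typical use on the server is `tls_smoke_test /etc/nginx/nginx.conf registry.example.com` (hypothetical host name); the static part, `check_tls_config`, can be run on any copy of the config and needs nothing beyond the standard POSIX tools.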
Although the content is a bit trivial, I am really happy to write this kind of trivial article! Especially one that can be written in less than half an hour; it is really enjoyable.