CentOS7-Nginx配置Let's-Encrypt-SSL证书

suncle 2020-11-09 11:30:21
CentOS 配置 nginx let centos7-nginx


Let's-Encrypt

为http站点添加https支持,需要从证书发行机构获取SSL/TLS 证书。常见的免费证书有两种:

安装

yum install epel-release -y
yum install certbot -y

配置

certbot certonly --webroot -w /www/html -d suncle.me -d www.suncle.me
  • --webroot表示以webroot模式运行,此处我们不选择standalone模式
  • -w /www/html表示站点根目录在/www/html
  • -d suncle.me -d www.suncle.me表示为@主机和www主机生成共同的证书

按照提示操作成功后,提示:

IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at
/etc/letsencrypt/live/suncle.me/fullchain.pem. Your cert will
expire on 2017-06-28. To obtain a new or tweaked version of this
certificate in the future, simply run certbot again. To
non-interactively renew *all* of your certificates, run "certbot
renew"
- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le

<!--more-->

证书自动更新

Let’s Encrypt 只有3个月的有效期,所以我们需要定时去更新证书。

可以通过运行:certbot renew --dry-run 来测试自动生成是否能够正常运行。如果正确执行,我们就可以通过以下命令更新证书:

certbot renew 

如果要达到自动更新证书,可以借助crontab或者systemd定时执行上面的更新命令。Let’s Encrypt官方建议一天更新两次最好。因为证书没有到期之前是不会更新,因此即使一天执行两次也不会有什么影响。

# 每天3:00和19:00点更新证书
0 3,19 * * * certbot renew

具体执行时间可以参考以下crontab格式进行修改:

# Example of job definition:
# .---------------- minute (0 - 59)
# | .------------- hour (0 - 23)
# | | .---------- day of month (1 - 31)
# | | | .------- month (1 - 12) OR jan,feb,mar,apr ...
# | | | | .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
# | | | | |
# * * * * * user-name command to be executed

配置Nginx SSL证书

修改/usr/local/nginx/nginx.conf文件如下(最好先备份)

# Nginx以root用户启动
user root;
# Nginx开启的进程数
worker_processes 2;
events {
# Nginx连接的最大个数
worker_connections 65535;
}
http {
# 如果路径中出现通配符,mime.types可配置多个文件
include mime.types;
# 默认文件类型
default_type application/octet-stream;
# 日志格式
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
# 记录访问日志
access_log logs/access.log main;
# 开启sendfile,提升文件传输效率
sendfile on;
# 死链判断:客户端连接保持活动的超时时间
keepalive_timeout 65;
#设置非安全连接永久跳转到安全连接
server{
listen 80;
server_name www.suncle.me suncle.net blog.suncle.net;
#告诉浏览器有效期内只准用 https 访问
add_header Strict-Transport-Security max-age=15768000;
#永久重定向到 https 站点
return 301 https://$server_name$request_uri;
}
server {
#启用 https, 使用 http/2 协议, nginx 1.9.11 启用 http/2 会有bug, 已在 1.9.12 版本中修复.
listen 443 ssl http2;
server_name www.suncle.me suncle.net blog.suncle.net;
#告诉浏览器当前页面禁止被frame
add_header X-Frame-Options DENY;
#告诉浏览器不要猜测mime类型
add_header X-Content-Type-Options nosniff;
root /www/html;
#证书路径
ssl_certificate /etc/letsencrypt/live/suncle.me/fullchain.pem;
#私钥路径
ssl_certificate_key /etc/letsencrypt/live/suncle.me/privkey.pem;
#安全链接可选的加密协议
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
#可选的加密算法,顺序很重要,越靠前的优先级越高.
ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-RC4-SHA:!ECDHE-RSA-RC4-SHA:ECDH-ECDSA-RC4-SHA:ECDH-RSA-RC4-SHA:ECDHE-RSA-AES256-SHA:HIGH:!RC4-SHA:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!CBC:!EDH:!kEDH:!PSK:!SRP:!kECDH;
#在 SSLv3 或 TLSv1 握手过程一般使用客户端的首选算法,如果启用下面的配置,则会使用服务器端的首选算法.
ssl_prefer_server_ciphers on;
#储存SSL会话的缓存类型和大小
ssl_session_cache shared:SSL:10m;
#缓存有效期
ssl_session_timeout 60m;
}
}

以上配置文件nginx.conf中需要修改的字段主要有:

  • server_name www.suncle.me suncle.net blog.suncle.net;
  • ssl_certificate /etc/letsencrypt/live/suncle.me/fullchain.pem;
  • ssl_certificate_key /etc/letsencrypt/live/suncle.me/privkey.pem;
listen 443 ssl http2;这一句中,如果Nginx编译安装的时候没有安装 ngx_http_v2_module模块,则需要先安装。或者不采用http2协议,直接 listen 443 ssl即可

保存配置,检查是否报错,重启Nginx

/usr/local/nginx/nginx -t
/usr/local/nginx/nginx -s reload

Nginx 的 SSL 证书到此配置完成。


参考

  1. CentOS 7 Nginx Let’ s Encrypt SSL 证书安装配置
  2. 开启Https之旅
  3. nginx+https+http2搭建(二)/)
  4. Linux Crontab使用总结

记得帮我点赞哦!

精心整理了计算机各个方向的从入门、进阶、实战的视频课程和电子书,按照目录合理分类,总能找到你需要的学习资料,还在等什么?快去关注下载吧!!!

resource-introduce

念念不忘,必有回响,小伙伴们帮我点个赞吧,非常感谢。

我是职场亮哥,YY高级软件工程师、四年工作经验,拒绝咸鱼争当龙头的斜杠程序员。

听我说,进步多,程序人生一把梭

如果有幸能帮到你,请帮我点个【赞】,给个关注,如果能顺带评论给个鼓励,将不胜感激。

职场亮哥文章列表:更多文章

wechat-platform-guide-attention

本人所有文章、回答都与版权保护平台有合作,著作权归职场亮哥所有,未经授权,转载必究!

版权声明
本文为[suncle]所创,转载请带上原文链接,感谢
https://segmentfault.com/a/1190000037768942

  1. [front end -- JavaScript] knowledge point (IV) -- memory leakage in the project (I)
  2. This mechanism in JS
  3. Vue 3.0 source code learning 1 --- rendering process of components
  4. Learning the realization of canvas and simple drawing
  5. gin里获取http请求过来的参数
  6. vue3的新特性
  7. Get the parameters from HTTP request in gin
  8. New features of vue3
  9. vue-cli 引入腾讯地图(最新 api,rocketmq原理面试
  10. Vue 学习笔记(3,免费Java高级工程师学习资源
  11. Vue 学习笔记(2,Java编程视频教程
  12. Vue cli introduces Tencent maps (the latest API, rocketmq)
  13. Vue learning notes (3, free Java senior engineer learning resources)
  14. Vue learning notes (2, Java programming video tutorial)
  15. 【Vue】—props属性
  16. 【Vue】—创建组件
  17. [Vue] - props attribute
  18. [Vue] - create component
  19. 浅谈vue响应式原理及发布订阅模式和观察者模式
  20. On Vue responsive principle, publish subscribe mode and observer mode
  21. 浅谈vue响应式原理及发布订阅模式和观察者模式
  22. On Vue responsive principle, publish subscribe mode and observer mode
  23. Xiaobai can understand it. It only takes 4 steps to solve the problem of Vue keep alive cache component
  24. Publish, subscribe and observer of design patterns
  25. Summary of common content added in ES6 + (II)
  26. No.8 Vue element admin learning (III) vuex learning and login method analysis
  27. Write a mini webpack project construction tool
  28. Shopping cart (front-end static page preparation)
  29. Introduction to the fluent platform
  30. Webpack5 cache
  31. The difference between drop-down box select option and datalist
  32. CSS review (III)
  33. Node.js学习笔记【七】
  34. Node.js learning notes [VII]
  35. Vue Router根据后台数据加载不同的组件(思考-&gt;实现-&gt;不止于实现)
  36. Vue router loads different components according to background data (thinking - & gt; Implementation - & gt; (more than implementation)
  37. 【JQuery框架,Java编程教程视频下载
  38. [jQuery framework, Java programming tutorial video download
  39. Vue Router根据后台数据加载不同的组件(思考-&gt;实现-&gt;不止于实现)
  40. Vue router loads different components according to background data (thinking - & gt; Implementation - & gt; (more than implementation)
  41. 【Vue,阿里P8大佬亲自教你
  42. 【Vue基础知识总结 5,字节跳动算法工程师面试经验
  43. [Vue, Ali P8 teaches you personally
  44. [Vue basic knowledge summary 5. Interview experience of byte beating Algorithm Engineer
  45. 【问题记录】- 谷歌浏览器 Html生成PDF
  46. [problem record] - PDF generated by Google browser HTML
  47. 【问题记录】- 谷歌浏览器 Html生成PDF
  48. [problem record] - PDF generated by Google browser HTML
  49. 【JavaScript】查漏补缺 —数组中reduce()方法
  50. [JavaScript] leak checking and defect filling - reduce() method in array
  51. 【重识 HTML (3),350道Java面试真题分享
  52. 【重识 HTML (2),Java并发编程必会的多线程你竟然还不会
  53. 【重识 HTML (1),二本Java小菜鸟4面字节跳动被秒成渣渣
  54. [re recognize HTML (3) and share 350 real Java interview questions
  55. [re recognize HTML (2). Multithreading is a must for Java Concurrent Programming. How dare you not
  56. [re recognize HTML (1), two Java rookies' 4-sided bytes beat and become slag in seconds
  57. 【重识 HTML ,nginx面试题阿里
  58. 【重识 HTML (4),ELK原来这么简单
  59. [re recognize HTML, nginx interview questions]
  60. [re recognize HTML (4). Elk is so simple