Let's Encrypt
To add HTTPS to an HTTP site you need an SSL/TLS certificate from a certificate authority (CA). Two common free options:
- Let's Encrypt, a free automated CA, which is what this article uses (highly recommended).
- Caddy, a web server with native HTTP/2 support that obtains and renews Let's Encrypt certificates automatically; very easy to use.
Install
On CentOS 7, certbot is packaged in the EPEL repository:
yum install epel-release -y
yum install certbot -y
Configure
certbot certonly --webroot -w /www/html -d suncle.me -d www.suncle.me
- --webroot: use the webroot plugin. certbot writes the validation file under the site's existing document root and the running web server serves it, so the site stays up. Standalone mode instead starts its own temporary web server on port 80, which must therefore be free.
- -w /www/html: the document root of the site. The validation file is written to /www/html/.well-known/acme-challenge/<token>, so that path must be reachable over HTTP on every name passed with -d.
- -d suncle.me -d www.suncle.me: issue one certificate covering both the apex domain (@) and the www host, as subject alternative names.
Follow the prompts (contact e-mail, terms of service). On success certbot prints:
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at
/etc/letsencrypt/live/suncle.me/fullchain.pem. Your cert will
expire on 2017-06-28. To obtain a new or tweaked version of this
certificate in the future, simply run certbot again. To
non-interactively renew *all* of your certificates, run "certbot
renew"
- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
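Before running the certbot command in this section, it pays to check that a file dropped into <webroot>/.well-known/acme-challenge/ is really served over plain HTTP on every name you will pass with -d, because that is exactly what Let's Encrypt's HTTP-01 validator requests, and failed validations count against the CA's rate limits. The script below is an added example, not part of the original post; it assumes the webroot /www/html and the domains used in this article, needs curl, and the file names it writes are constructed on the fly.

```shell
#!/bin/sh
# Added example (not from the original post): pre-flight for certbot's webroot
# mode. Drops a random probe file where certbot will drop the real challenge
# token, then fetches it over HTTP on each host, the same way the CA will.
# Assumes: WEBROOT=/www/html and the hosts from this article; curl installed.

WEBROOT=${WEBROOT:-/www/html}
CHALLENGE_DIR=.well-known/acme-challenge

# Write a probe file with random content; print "<token> <content>".
place_probe() {
    dir="$1/$CHALLENGE_DIR"
    mkdir -p "$dir" || return 1
    token="probe-$(od -An -N8 -tx1 /dev/urandom | tr -d ' \n')"
    content="$(od -An -N16 -tx1 /dev/urandom | tr -d ' \n')"
    printf '%s' "$content" > "$dir/$token" || return 1
    echo "$token $content"
}

# Read the probe back from disk (checks the path layout under the webroot).
probe_on_disk() {
    cat "$1/$CHALLENGE_DIR/$2"
}

remove_probe() {
    rm -f "$1/$CHALLENGE_DIR/$2"
}

# Succeeds only if http://<host>/.well-known/acme-challenge/<token> returns the
# expected body. -L follows redirects, as the validator does; the short timeout
# surfaces a firewalled port 80 quickly.
probe_served() {
    host=$1; tok=$2; expected=$3
    got=$(curl -4 -sS -L --max-time 10 "http://$host/$CHALLENGE_DIR/$tok") || return 1
    [ "$got" = "$expected" ]
}

preflight() {
    probe=$(place_probe "$WEBROOT") || { echo "cannot write to $WEBROOT/$CHALLENGE_DIR" >&2; return 1; }
    tok=${probe%% *}; body=${probe#* }
    rc=0
    for host in "$@"; do
        if probe_served "$host" "$tok" "$body"; then
            echo "ok      $host"
        else
            echo "FAILED  $host (check DNS, port 80 and the -w path)"; rc=1
        fi
    done
    remove_probe "$WEBROOT" "$tok"
    return $rc
}

# Usage: ./acme-preflight.sh suncle.me www.suncle.me
if [ $# -gt 0 ]; then preflight "$@"; fi
```

Run it with the same list of hosts you are about to pass to certbot; a FAILED line almost always means a wrong -w path, a DNS record pointing elsewhere, or port 80 not reachable from the Internet, all of which are cheaper to fix before the CA has counted a failed validation.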
Certificate auto renewal
Let's Encrypt certificates are valid for only 90 days, so they must be renewed regularly.
First run:
certbot renew --dry-run
to test that renewal works (the dry run uses the staging environment and issues no real certificate). If that succeeds, the real renewal is:
certbot renew
To renew automatically, run that command from crontab or a systemd timer. Let's Encrypt recommends running it twice a day: certbot renew only renews certificates that are within 30 days of expiry and is a no-op otherwise, so running it often costs nothing and catches a failing renewal early. Two things the bare command does not take care of: cron runs with a minimal PATH, so give the full path to certbot, and nginx keeps serving the old certificate from memory until it is reloaded, so a renewal must be followed by a reload (certbot's --deploy-hook runs a command only when a certificate was actually renewed).
# Renew at 03:00 and 19:00 every day; reload nginx when a certificate was renewed
0 3,19 * * * /usr/bin/certbot renew --quiet --deploy-hook "/usr/local/nginx/nginx -s reload"
The schedule can be adjusted using the standard crontab field layout. The line above is for root's own crontab (crontab -e); /etc/crontab additionally takes a user-name field before the command, as shown here:
# Example of job definition:
# .---------------- minute (0 - 59)
# | .------------- hour (0 - 23)
# | | .---------- day of month (1 - 31)
# | | | .------- month (1 - 12) OR jan,feb,mar,apr ...
# | | | | .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
# | | | | |
# * * * * * user-name command to be executed
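A renewal that fails quietly twice a day for two months ends with an expired certificate, so the cron job is worth pairing with a hook that reloads nginx safely and a check that reports remaining validity. The script below is an added example, not part of the original post: "deploy" is meant to be run as certbot's --deploy-hook, "check" is meant for a separate cron line. It assumes GNU date (for date -d), openssl, the nginx binary path used in this article, and the fullchain.pem path from certbot's output above; the install path /usr/local/bin/le-renew.sh in the usage note is likewise assumed.

```shell
#!/bin/sh
# Added example (not from the original post): renewal helper for the cron job.
#   deploy  run by certbot as --deploy-hook: reload nginx only if the config
#           still passes nginx -t, so a broken edit is not made live
#   check   report days left on the live certificate; warn when renewal is late
# Assumes GNU date, openssl, and the paths used on this page.

NGINX=${NGINX:-/usr/local/nginx/nginx}
LIVE_CERT=${LIVE_CERT:-/etc/letsencrypt/live/suncle.me/fullchain.pem}

# Whole days from "now" (seconds since the epoch) until a "notAfter=..." line
# as printed by "openssl x509 -enddate". Negative once the certificate expired.
days_until_expiry() {
    notafter=${1#notAfter=}
    now=$2
    exp=$(date -u -d "$notafter" +%s) || return 2
    echo $(( (exp - now) / 86400 ))
}

# Days left on a PEM certificate file.
cert_days_left() {
    enddate=$(openssl x509 -in "$1" -noout -enddate) || return 2
    days_until_expiry "$enddate" "$(date -u +%s)"
}

# certbot renew starts renewing 30 days before expiry. With the job running
# twice a day, fewer than 25 days left means renewals are failing.
renewal_overdue() {
    [ "$1" -lt 25 ]
}

# Deploy hook. certbot exports RENEWED_LINEAGE to hooks; it is only logged here.
deploy_hook() {
    echo "renewed: ${RENEWED_LINEAGE:-unknown lineage}"
    if ! "$NGINX" -t; then
        echo "nginx config test failed; not reloading" >&2
        return 1
    fi
    "$NGINX" -s reload
}

check() {
    left=$(cert_days_left "$LIVE_CERT") || return 2
    if renewal_overdue "$left"; then
        echo "WARNING: $LIVE_CERT expires in $left days; check 'certbot renew'" >&2
        return 1
    fi
    echo "$LIVE_CERT: $left days left"
}

# Usage: le-renew.sh deploy | check
case "${1:-}" in
    deploy) deploy_hook ;;
    check)  check ;;
esac
```

Installed as /usr/local/bin/le-renew.sh (assumed path), the two cron lines become `0 3,19 * * * /usr/bin/certbot renew --quiet --deploy-hook "/usr/local/bin/le-renew.sh deploy"` and `0 9 * * * /usr/local/bin/le-renew.sh check`; cron mails the WARNING line to root when the check fails, which is the signal to look at /var/log/letsencrypt before the certificate actually lapses.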
Configure the Nginx SSL certificate
Edit /usr/local/nginx/nginx.conf as follows (back it up first):
# User the worker processes run as. The master process still starts as root so it
# can bind ports 80/443 and read the private key under /etc/letsencrypt; the workers,
# which parse untrusted requests, must not. Do not use "user root;".
# (nobody is nginx's compiled-in default; a dedicated nginx user is also fine.)
user nobody;
# Number of worker processes
worker_processes 2;
events {
    # Maximum number of simultaneous connections per worker
    worker_connections 65535;
}
http {
    # MIME type map (the include path may contain wildcards to pull in several files)
    include mime.types;
    # Default MIME type for files not in the map
    default_type application/octet-stream;
    # Access log format
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';
    # Access log
    access_log logs/access.log main;
    # Use sendfile() for static files
    sendfile on;
    # Keep-alive timeout: how long an idle client connection is kept open
    keepalive_timeout 65;
    # Plain-HTTP server: permanently redirect every request to the HTTPS site
    server {
        listen 80;
        server_name www.suncle.me suncle.net blog.suncle.net;
        # $host is the name the client asked for. $server_name would always expand to
        # the first name in the directive above, sending suncle.net visitors to www.suncle.me.
        return 301 https://$host$request_uri;
    }
    server {
        # HTTPS with HTTP/2 (HTTP/2 in nginx 1.9.11 had a bug that was fixed in 1.9.12)
        listen 443 ssl http2;
        server_name www.suncle.me suncle.net blog.suncle.net;
        # HSTS: tell the browser to use only HTTPS for this host for the next six months.
        # It belongs here, not in the port-80 block: browsers ignore the header on plain-HTTP responses.
        add_header Strict-Transport-Security max-age=15768000;
        # Do not allow this site to be framed (clickjacking)
        add_header X-Frame-Options DENY;
        # Do not let the browser sniff MIME types
        add_header X-Content-Type-Options nosniff;
        root /www/html;
        # Certificate plus intermediate chain
        ssl_certificate /etc/letsencrypt/live/suncle.me/fullchain.pem;
        # Private key
        ssl_certificate_key /etc/letsencrypt/live/suncle.me/privkey.pem;
        # Protocol versions. TLS 1.0 and 1.1 are retired (RFC 8996); add TLSv1.3 once the
        # nginx and OpenSSL builds in use support it.
        ssl_protocols TLSv1.2;
        # Cipher suites, in order of preference. RC4 is broken (RFC 7465) and must not appear
        # in the list; !RC4 removes every RC4 suite, whereas !RC4-SHA would remove only that one
        # suite name. Check what the string actually enables with: openssl ciphers -v '<list>'
        ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:HIGH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!CBC:!EDH:!kEDH:!PSK:!SRP:!kECDH;
        # By default the client's cipher preference decides the handshake; with this on,
        # the server's order above is used instead.
        ssl_prefer_server_ciphers on;
        # TLS session cache shared between workers (type and size)
        ssl_session_cache shared:SSL:10m;
        # Lifetime of cached sessions
        ssl_session_timeout 60m;
    }
}
The fields in nginx.conf that must be changed for your own site are:
- server_name www.suncle.me suncle.net blog.suncle.net;
- ssl_certificate /etc/letsencrypt/live/suncle.me/fullchain.pem;
- ssl_certificate_key /etc/letsencrypt/live/suncle.me/privkey.pem;
Every host in server_name must also be a name on the certificate. The certbot command above issued a certificate for suncle.me and www.suncle.me only, so with this configuration a browser visiting suncle.net or blog.suncle.net gets a name-mismatch error: either pass a -d for each host when issuing, or list only the covered hosts. Renewal keeps working even though the port-80 block redirects everything: Let's Encrypt's HTTP-01 validator follows the redirect to HTTPS, and the HTTPS block serves /www/html, where certbot writes /.well-known/acme-challenge/.
For listen 443 ssl http2; the nginx binary must have been built with ngx_http_v2_module (--with-http_v2_module). If it was not, either rebuild with that module or drop HTTP/2 and use listen 443 ssl; instead.
Save the file, check it for errors, and reload Nginx:
/usr/local/nginx/nginx -t
/usr/local/nginx/nginx -s reload
That completes the Nginx SSL configuration.
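nginx -t only validates syntax: it will happily accept a server_name the certificate does not cover, or an ssl_protocols line that still lists TLS 1.0. The script below is an added example, not part of the original post, that checks both against the live files. It assumes the nginx.conf and fullchain.pem paths used in this article and an openssl binary; the server_name and ssl_protocols inputs in the usage note are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): two checks nginx -t does not do.
#   1. every host in server_name is a DNS name on the certificate
#   2. ssl_protocols lists no retired TLS versions
# Assumes the paths used on this page and an openssl binary.

NGINX_CONF=${NGINX_CONF:-/usr/local/nginx/nginx.conf}
CERT=${CERT:-/etc/letsencrypt/live/suncle.me/fullchain.pem}

# DNS names from the certificate's subjectAltName, one per line. Parses -text
# output rather than using "-ext subjectAltName" so it also works on OpenSSL 1.0.x.
cert_sans() {
    openssl x509 -in "$1" -noout -text |
        awk '/X509v3 Subject Alternative Name/ { getline; print }' |
        tr ',' '\n' | sed -n 's/^[[:space:]]*DNS://p'
}

# All hosts from server_name directives in an nginx config, one per line.
conf_server_names() {
    sed -n 's/^[[:space:]]*server_name[[:space:]]\{1,\}\(.*\);.*$/\1/p' "$1" |
        tr ' ' '\n' | sed '/^$/d' | sort -u
}

# Value of the ssl_protocols directive(s) in an nginx config.
conf_ssl_protocols() {
    sed -n 's/^[[:space:]]*ssl_protocols[[:space:]]\{1,\}\(.*\);.*$/\1/p' "$1"
}

# $1: certificate names (whitespace separated); remaining args: hosts to check.
# Prints every host the certificate does not cover.
names_not_covered() {
    sans=$1; shift
    set -f   # "$sans" may contain "*.": keep the shell from expanding it as a glob
    for host in "$@"; do
        covered=0
        for san in $sans; do
            if [ "$san" = "$host" ]; then
                covered=1
            else
                case $san in
                    \*.*)
                        parent=${san#\*.}
                        # a wildcard covers exactly one label: blog.suncle.me matches
                        # *.suncle.me, suncle.me and a.b.suncle.me do not
                        if [ "${host#*.}" = "$parent" ] && [ "${host#*.}" != "$host" ]; then
                            covered=1
                        fi ;;
                esac
            fi
        done
        [ "$covered" -eq 1 ] || echo "$host"
    done
    set +f
}

# Prints the versions in an ssl_protocols value that are retired
# (SSLv3 by RFC 7568, TLS 1.0 and 1.1 by RFC 8996).
legacy_protocols() {
    for p in $1; do
        case $p in
            SSLv2|SSLv3|TLSv1|TLSv1.1) echo "$p" ;;
        esac
    done
}

# Run both checks against the live files; non-zero exit if either fails.
audit() {
    rc=0
    missing=$(names_not_covered "$(cert_sans "$CERT")" $(conf_server_names "$NGINX_CONF"))
    if [ -n "$missing" ]; then
        echo "server_name hosts not covered by $CERT:"; echo "$missing"; rc=1
    fi
    legacy=$(legacy_protocols "$(conf_ssl_protocols "$NGINX_CONF")")
    if [ -n "$legacy" ]; then
        echo "retired versions in ssl_protocols: $(echo $legacy)"; rc=1
    fi
    return $rc
}

# Usage: ./nginx-tls-audit.sh audit
if [ "${1:-}" = "audit" ]; then audit; fi
```

Run against the configuration shown in this article and the certificate issued by the certbot command above, the audit reports suncle.net and blog.suncle.net as not covered, which is the name-mismatch error browsers would show; it is worth running after every certbot or nginx.conf change, before the reload.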