Centos7 nginx configure let's encrypt SSL certificate

suncle 2020-11-09 11:30:21

To add HTTPS support to an HTTP site, you need an SSL/TLS certificate from a certificate authority. Two common free options:

  • Let's Encrypt, which this article covers.
  • caddy, a web server with native HTTP/2 support that obtains Let's Encrypt certificates automatically; very easy to use.

Install

yum install epel-release -y
yum install certbot -y

Configure

certbot certonly --webroot -w /www/html -d suncle.me -d www.suncle.me
  • --webroot: use webroot mode rather than standalone mode (the challenge file is placed under the site's document root, so the running web server keeps serving it)
  • -w /www/html: the site's document root is /www/html
  • -d suncle.me -d www.suncle.me: issue a single certificate covering both the apex (@) host and the www host

Follow the prompts; on success certbot prints:

IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at
/etc/letsencrypt/live/suncle.me/fullchain.pem. Your cert will
expire on 2017-06-28. To obtain a new or tweaked version of this
certificate in the future, simply run certbot again. To
non-interactively renew *all* of your certificates, run "certbot
renew"
- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le


Certificate auto-renewal

Let's Encrypt certificates are valid for only 3 months, so the certificate must be renewed regularly.

Run certbot renew --dry-run to test that automatic renewal works. If it completes correctly, renew the certificate with:

certbot renew

To renew automatically, run the command above on a schedule with crontab or a systemd timer. Let's Encrypt recommends running it twice a day; certbot only replaces a certificate that is close to expiry, so running it twice daily costs nothing extra.

# Renew the certificate every day at 3:00 and 19:00
0 3,19 * * * certbot renew

For other schedules, adjust the time fields according to the crontab format:

# Example of job definition:
# .---------------- minute (0 - 59)
# | .------------- hour (0 - 23)
# | | .---------- day of month (1 - 31)
# | | | .------- month (1 - 12) OR jan,feb,mar,apr ...
# | | | | .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
# | | | | |
# * * * * * user-name command to be executed
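The cron job above only runs certbot; nothing on the page checks how much validity is actually left on the certificate nginx is serving. The following script is an added example, not part of the original post, that reports the days until a certificate's notAfter date and whether it is inside the 30-day window certbot uses for renewal. It assumes openssl and GNU date are installed; the certificates it tests against are constructed locally with a hypothetical CN, so it runs offline.

```shell
#!/bin/bash
# Added example (not from the original post): report how many days remain on a
# certificate and whether it is inside the renewal window. Uses openssl and
# GNU date; the test certificates are constructed locally, nothing is fetched.

# days_until_expiry CERT_FILE
# Prints the whole number of days until the certificate's notAfter date.
days_until_expiry() {
    local cert="$1" not_after end_epoch now_epoch
    # openssl prints e.g. "notAfter=Jun 28 12:00:00 2017 GMT"; keep the date part
    not_after=$(openssl x509 -in "$cert" -noout -enddate | cut -d= -f2)
    end_epoch=$(date -d "$not_after" +%s)
    now_epoch=$(date +%s)
    echo $(( (end_epoch - now_epoch) / 86400 ))
}

# needs_renewal CERT_FILE [THRESHOLD_DAYS]
# Succeeds (exit 0) when the certificate expires within THRESHOLD_DAYS
# (default 30, which is certbot's own renewal window).
needs_renewal() {
    local days threshold="${2:-30}"
    days=$(days_until_expiry "$1")
    [ "$days" -le "$threshold" ]
}

# make_test_cert OUT_FILE DAYS
# Constructed self-signed certificate (hypothetical CN) for local testing only.
make_test_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1" \
        -days "$2" -subj "/CN=example.test" >/dev/null 2>&1
}

# Usage: bash check_cert_expiry.sh /etc/letsencrypt/live/suncle.me/fullchain.pem [threshold]
if [ -n "${1:-}" ]; then
    remaining=$(days_until_expiry "$1")
    echo "$1 expires in $remaining days"
    if needs_renewal "$1" "${2:-30}"; then
        echo "within the renewal window: run 'certbot renew'"
    fi
fi
```

Running it against /etc/letsencrypt/live/suncle.me/fullchain.pem from the same cron job gives an early warning if renewal silently stops working. Note that certbot renew writes the new files but nginx keeps serving the old certificate until it is reloaded; certbot's --deploy-hook option (for example --deploy-hook "/usr/local/nginx/nginx -s reload", using the binary path from this post) runs the reload only when a certificate was actually renewed.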

Configure the SSL certificate in Nginx

Modify /usr/local/nginx/nginx.conf as follows (back it up first):

# Run the Nginx workers as root (note: a dedicated unprivileged user such as
# nginx is the usual choice; root workers widen the impact of any bug)
user root;
# Number of worker processes
worker_processes 2;
events {
    # Maximum number of simultaneous connections per worker process
    worker_connections 65535;
}
http {
    # If the path contains wildcards, mime.types can match several files
    include mime.types;
    # Default file type
    default_type application/octet-stream;
    # Log format
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';
    # Access log
    access_log logs/access.log main;
    # Enable sendfile to improve file transfer efficiency
    sendfile on;
    # Keep-alive timeout for idle client connections
    keepalive_timeout 65;
    # Permanently redirect plain-HTTP connections to HTTPS
    server {
        listen 80;
        server_name www.suncle.me suncle.net blog.suncle.net;
        # Tell the browser to use only HTTPS for max-age seconds.
        # Note: browsers ignore an HSTS header received over plain HTTP (RFC 6797),
        # so this header only takes effect when sent from the HTTPS server block.
        add_header Strict-Transport-Security max-age=15768000;
        # Permanent redirect to the HTTPS site.
        # Note: $server_name expands to the first name listed above (www.suncle.me),
        # so every host is redirected there; $host would keep the requested hostname.
        return 301 https://$server_name$request_uri;
    }
    server {
        # Enable HTTPS with HTTP/2. Nginx 1.9.11 had a bug with HTTP/2 enabled; it was fixed in 1.9.12.
        listen 443 ssl http2;
        server_name www.suncle.me suncle.net blog.suncle.net;
        # Tell the browser not to render this site inside a frame
        add_header X-Frame-Options DENY;
        # Tell the browser not to sniff the MIME type
        add_header X-Content-Type-Options nosniff;
        root /www/html;
        # Certificate path
        ssl_certificate /etc/letsencrypt/live/suncle.me/fullchain.pem;
        # Private key path
        ssl_certificate_key /etc/letsencrypt/live/suncle.me/privkey.pem;
        # Protocols offered for secure connections.
        # Note: TLSv1 and TLSv1.1 are deprecated (RFC 8996); keep only TLSv1.2 unless legacy clients require them.
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        # Cipher suites; order matters, earlier entries have higher priority.
        # Note: ECDHE-ECDSA-RC4-SHA, ECDH-ECDSA-RC4-SHA and ECDH-RSA-RC4-SHA are listed positively;
        # !RC4-SHA excludes only that single suite, so RC4 stays enabled unless the OpenSSL build has it disabled.
        ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-RC4-SHA:!ECDHE-RSA-RC4-SHA:ECDH-ECDSA-RC4-SHA:ECDH-RSA-RC4-SHA:ECDHE-RSA-AES256-SHA:HIGH:!RC4-SHA:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!CBC:!EDH:!kEDH:!PSK:!SRP:!kECDH;
        # In the SSLv3/TLSv1 handshake the client's preferred suite normally wins;
        # with this directive enabled the server's order is used instead.
        ssl_prefer_server_ciphers on;
        # Type and size of the SSL session cache
        ssl_session_cache shared:SSL:10m;
        # Session cache lifetime
        ssl_session_timeout 60m;
    }
}

The fields in nginx.conf above that mainly need to be changed are:

  • server_name www.suncle.me suncle.net blog.suncle.net;
  • ssl_certificate /etc/letsencrypt/live/suncle.me/fullchain.pem;
  • ssl_certificate_key /etc/letsencrypt/live/suncle.me/privkey.pem;

The line listen 443 ssl http2; requires Nginx to have been built with the ngx_http_v2_module module; if it was not included when compiling and installing, rebuild with it. Alternatively, skip HTTP/2 and use listen 443 ssl; instead.

Save the configuration, check it for errors, and reload Nginx:

/usr/local/nginx/nginx -t
/usr/local/nginx/nginx -s reload

This completes the Nginx SSL certificate configuration.
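The server block above still enables TLS 1.0/1.1 and lists several RC4 suites positively, and it runs the workers as root. The script below is an added example, not part of the original post, that audits an nginx configuration file for exactly those legacy settings. Both sample configurations it writes are constructed: the first reuses the values from this post's nginx.conf, the second shows the same block with those settings tightened. It assumes only grep, sed and tr; it reads a single file and does not follow include directives.

```shell
#!/bin/bash
# Added example (not from the original post): audit an nginx configuration for
# legacy TLS settings (TLS 1.0/1.1, positively listed RC4 suites, workers
# running as root). Both sample configs below are constructed.

# list_legacy_protocols CONFIG_FILE
# Prints each protocol older than TLS 1.2 that ssl_protocols enables.
list_legacy_protocols() {
    grep -E '^[[:space:]]*ssl_protocols' "$1" \
        | tr ' ;' '\n\n' \
        | grep -E '^(SSLv2|SSLv3|TLSv1|TLSv1\.1)$'
}

# list_enabled_rc4 CONFIG_FILE
# Prints cipher-list entries that enable RC4. Entries prefixed with '!' are
# exclusions and are skipped; note that '!RC4-SHA' removes only that one suite.
list_enabled_rc4() {
    grep -E '^[[:space:]]*ssl_ciphers' "$1" \
        | sed -E 's/^[[:space:]]*ssl_ciphers[[:space:]]+//; s/;.*$//' \
        | tr ':' '\n' \
        | grep -v '^!' \
        | grep 'RC4'
}

# count_findings CONFIG_FILE
# Prints the total number of legacy findings (protocols + RC4 suites + root user).
count_findings() {
    local n
    n=$(list_legacy_protocols "$1" | wc -l | tr -d ' ')
    n=$(( n + $(list_enabled_rc4 "$1" | wc -l | tr -d ' ') ))
    if grep -qE '^[[:space:]]*user[[:space:]]+root[[:space:]]*;' "$1"; then
        n=$(( n + 1 ))
    fi
    echo "$n"
}

# write_sample_config OUT_FILE: constructed from the values used in the post
write_sample_config() {
    cat > "$1" <<'EOF'
user root;
http {
    server {
        listen 443 ssl http2;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-RC4-SHA:!ECDHE-RSA-RC4-SHA:ECDH-RSA-RC4-SHA:HIGH:!RC4-SHA:!aNULL;
        ssl_prefer_server_ciphers on;
    }
}
EOF
}

# write_hardened_config OUT_FILE: the same block with the legacy settings removed
write_hardened_config() {
    cat > "$1" <<'EOF'
user nginx;
http {
    server {
        listen 443 ssl http2;
        ssl_protocols TLSv1.2;
        ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:!aNULL:!eNULL:!MD5:!RC4;
        ssl_prefer_server_ciphers on;
    }
}
EOF
}

# Usage: bash audit_nginx_tls.sh /usr/local/nginx/nginx.conf
if [ -n "${1:-}" ]; then
    echo "legacy protocols: $(list_legacy_protocols "$1" | tr '\n' ' ')"
    echo "RC4 suites enabled: $(list_enabled_rc4 "$1" | tr '\n' ' ')"
    echo "total findings: $(count_findings "$1")"
fi
```

Run it against the live nginx.conf after every change and before /usr/local/nginx/nginx -s reload; on the post's configuration it reports TLSv1 and TLSv1.1, the two positively listed RC4 suites from the sample, and the root user. The check is line-based, so a directive split across lines or pulled in through include is not seen.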



Copyright notice: this article was written by [suncle]; please include a link to the original when reposting. Thank you.