Nginx HTTPS configuration (Let's Encrypt)
2018-09-06
萝卜日志
Motivation
Since iOS is aggressively blocking plain HTTP requests, I took some time to add HTTPS support to the web service I had just deployed.
Using Let's Encrypt: free 90-day certificates with unlimited renewals
Let's Encrypt is a CA with a conscience: the prices of ordinary commercial CAs are hard for an individual to accept, whereas it issues 90-day certificates free of charge.
Obtaining a certificate is also simple, because the whole process is automated:
## webroot directory where the ACME challenge files are placed
sudo mkdir -p /var/www/letsencrypt
sudo apt-get install certbot
sudo certbot certonly --webroot --agree-tos --no-eff-email --email yourname@163.com -w /var/www/letsencrypt -d app.airoubo.com
The certificate request went through.
Configuring Nginx
Create the challenge directory:
sudo mkdir -p /var/www/letsencrypt/.well-known/acme-challenge
Create /etc/nginx/snippets/letsencrypt.conf and add:
location ^~ /.well-known/acme-challenge/ {
    default_type "text/plain";
    root /var/www/letsencrypt;
}
Create /etc/nginx/snippets/ssl.conf and add:
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
ssl_protocols TLSv1.2;
ssl_ciphers EECDH+AESGCM:EECDH+AES;
ssl_ecdh_curve secp384r1;
ssl_prefer_server_ciphers on;
ssl_stapling on;
ssl_stapling_verify on;
add_header Strict-Transport-Security "max-age=15768000; includeSubdomains; preload";
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
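As an added example (not part of the original post), a small Python checker that parses one-line directives such as the ssl.conf above and flags the settings a reviewer looks at first: legacy protocols, session tickets left on, missing OCSP stapling, a missing HSTS header, and an HSTS preload max-age below the one-year minimum the hstspreload.org list requires. The weak snippet is constructed for comparison; the 31536000 threshold is the preload list's published requirement.

```python
import re

# Constructed input: the ssl.conf snippet from this post.
PAGE_SSL_CONF = """
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
ssl_protocols TLSv1.2;
ssl_ciphers EECDH+AESGCM:EECDH+AES;
ssl_ecdh_curve secp384r1;
ssl_prefer_server_ciphers on;
ssl_stapling on;
ssl_stapling_verify on;
add_header Strict-Transport-Security "max-age=15768000; includeSubdomains; preload";
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
"""
# Constructed weak variant: legacy protocols, tickets left on, no stapling, no HSTS.
WEAK_SSL_CONF = """
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_session_tickets on;
"""

def parse_directives(conf):
    """Map each one-line nginx directive name to the list of its argument lists."""
    found = {}
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip().rstrip(";")  # drop comments and ';'
        if line:
            name, *args = line.split()
            found.setdefault(name, []).append(args)
    return found

def audit(conf):
    """Return findings for an nginx TLS snippet; an empty list means nothing flagged."""
    d, findings = parse_directives(conf), []
    protos = {a for args in d.get("ssl_protocols", []) for a in args}
    if not protos:
        findings.append("ssl_protocols not set; older nginx defaults include TLSv1 and TLSv1.1")
    elif protos & {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}:
        findings.append("legacy protocols enabled: " + " ".join(sorted(protos)))
    if d.get("ssl_session_tickets", [["on"]])[0] != ["off"]:  # nginx default is on
        findings.append("ssl_session_tickets on: forward secrecy depends on rotating the ticket key")
    if d.get("ssl_stapling", [["off"]])[0] != ["on"]:
        findings.append("ssl_stapling off; OCSP stapling not enabled")
    hsts = [a for a in d.get("add_header", []) if a[0] == "Strict-Transport-Security"]
    if not hsts:
        findings.append("no Strict-Transport-Security header")
    else:
        age = int(m.group(1)) if (m := re.search(r"max-age=(\d+)", " ".join(hsts[0]))) else 0
        if "preload" in " ".join(hsts[0]) and age < 31536000:
            findings.append(f"preload list requires max-age >= 31536000, found {age}")
    return findings
```

Run against the post's snippet it reports only the preload max-age: 15768000 is six months, so either drop `preload` or raise max-age to 31536000 before submitting the domain to the preload list.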
Edit the main configuration file:
# the upstream component nginx needs to connect to
upstream django {
    server unix:///data/django/rouboApi/rouboapi.scok; # for a file socket
    #server 127.0.0.1:8001; # for a web port socket (we'll use this first)
}
# configuration of the server
server {
    # the port your site will be served on
    listen 80;
    # the domain name it will serve for
    server_name app.airoubo.com; # substitute your machine's IP address or FQDN
    include /etc/nginx/snippets/letsencrypt.conf;
    charset utf-8;
    # max upload size
    client_max_body_size 75M; # adjust to taste
    # Django media
    #location /media {
    #    alias /path/to/your/mysite/media; # your Django project's media files - amend as required
    #}
    location /static {
        alias /data/django/rouboApi/static; # your Django project's static files - amend as required
    }
    # Finally, send all non-media requests to the Django server.
    location /roubo {
        uwsgi_pass django;
        include /etc/nginx/uwsgi_params; # the uwsgi_params file you installed
    }
}
## https
server {
    # the port your site will be served on
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    # the domain name it will serve for
    server_name app.airoubo.com; # substitute your machine's IP address or FQDN
    include /etc/nginx/snippets/letsencrypt.conf;
    charset utf-8;
    ssl_certificate /etc/letsencrypt/live/app.airoubo.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/app.airoubo.com/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/app.airoubo.com/fullchain.pem;
    include /etc/nginx/snippets/ssl.conf;
    # max upload size
    client_max_body_size 75M; # adjust to taste
    # Django media
    #location /media {
    #    alias /path/to/your/mysite/media; # your Django project's media files - amend as required
    #}
    location /static {
        alias /data/django/rouboApi/static; # your Django project's static files - amend as required
    }
    # Finally, send all non-media requests to the Django server.
    location /roubo {
        uwsgi_pass django;
        include /etc/nginx/uwsgi_params; # the uwsgi_params file you installed
    }
}
After restarting nginx, the service can be accessed over HTTPS.
Automatic renewal
Although each certificate is valid for only 90 days, it can be renewed indefinitely, so we just need to renew it on a schedule.
The certbot tool used above (see man certbot) has a renew subcommand for updating certificates. Because nginx has to be restarted after the certificate is renewed, certbot's --renew-hook option comes in handy: it runs a script I specify after a successful renewal.
Put the nginx restart into the script /etc/letsencrypt/renewhook.sh:
#!/bin/bash
service nginx restart
Add a crontab entry as root:
sudo crontab -e
Schedule the renewal for 08:00 on the 1st of every month:
00 8 1 * * certbot renew --noninteractive --renew-hook /etc/letsencrypt/renewhook.sh
Odds and ends
I should find time to learn more about how CA certificates are issued and managed, even though I rarely deal with it day to day. Documentation - Let's Encrypt - Free SSL/TLS Certificates