Site-wide HTTPS

centos+nginx+encrypt==>http-&

2018-05-23  动感超人丶

LNMP one-click install package
Thanks to its author

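Setting up HTTPS
Assume the environment is CentOS 7.1, the web server is Nginx 1.12.0 (because that is what my production environment runs), and the current working directory is /root.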

1. Get the certbot client

wget https://dl.eff.org/certbot-auto
chmod a+x certbot-auto

2. Stop nginx (certbot's --standalone mode starts its own temporary web server and needs the port free)

service nginx stop

3. Generate the certificate

./certbot-auto certonly --standalone --email 38020858@qq.com -d www.th1989.top

If the site has several domain names, append each one with an additional -d, for example:

./certbot-auto certonly --standalone --email YOUR_EMAIL_ADDRESS -d YOUR_DOMAIN_1 -d YOUR_DOMAIN_2

4. Inspect the generated certificate
tree /etc/letsencrypt/live/

5. Use the certificate in nginx
Add the following to the site's nginx configuration file:

ssl_certificate /etc/letsencrypt/live/www.th1989.top/fullchain.pem;      # certificate (full chain) location
ssl_certificate_key /etc/letsencrypt/live/www.th1989.top/privkey.pem;    # private key location

The resulting server block looks like this:

server
    {
        listen 443 ssl;

        #listen [::]:80 default_server ipv6only=on;
        server_name th1989.top www.th1989.top;
        index index.html index.htm index.php;
        root  /home/wwwroot/default;

        #error_page   404   /404.html;

        # Deny access to PHP files in specific directory
        #location ~ /(wp-content|uploads|wp-includes|images)/.*\.php$ { deny all; }
        ssl_certificate /etc/letsencrypt/live/www.th1989.top/fullchain.pem;      # certificate (full chain) location
        ssl_certificate_key /etc/letsencrypt/live/www.th1989.top/privkey.pem;    # private key location

        include enable-php.conf;

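        # As written, the status page is reachable by any client; restrict it with allow/deny if it is kept
        location /nginx_status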
        {
            stub_status on;
            access_log   off;
        }

        location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
        {
            expires      30d;
        }

        location ~ .*\.(js|css)?$
        {
            expires      12h;
        }

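        # Prefix match: alias then maps sub-paths correctly and this block wins over the "deny all" regex below
        location ^~ /.well-known/ {
            alias /var/www/th1989.top/.well-known/;
        }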

        location ~ /\.
        {
            deny all;
        }

        access_log  /home/wwwlogs/access.log;
    }

6. Start nginx
service nginx start
HTTPS is now configured.

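7. Renew the certificate
The free certificates issued by Let's Encrypt are valid for 3 months, but they can be renewed an unlimited number of times:
./certbot-auto renew
To force a renewal before it is due:
./certbot-auto renew --force-renew --renew-hook "service nginx reload"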

==============================================================

8. ThinkPHP5 turned out to be unreachable
ThinkPHP5 will not open under the nginx setup (require(): open_basedir restriction in effect. File(/mnt/hgfs/root/tp5/thinkphp/start.php) is not within the allowed path(s)).

I was trying out tp5 and could not reach it no matter what; every request returned a 500 error. After turning on error display I saw the following error:

require(): open_basedir restriction in effect. File(/mnt/hgfs/root/tp5/thinkphp/start.php) is not within the allowed path(s): (/mnt/hgfs/root/tp5/public/:/tmp/:/proc/)

1. I am on PHP 7, and open_basedir in php.ini is commented out.

2. I later tracked it down to fastcgi.

3. Edit the fastcgi configuration file /usr/local/nginx/conf/fastcgi.conf

4. Restart: service nginx restart

5. Done.
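Why PHP rejects the include in the error above, as an added example that is not part of the original post: a simplified Python model of the open_basedir check, run on the paths from the error message. The widened value it computes is an assumed least-privilege alternative to disabling the restriction, not the change the author made; `allowed_by` and `narrowest_base` are names made up for this example, and the `public/../thinkphp/start.php` include path is an assumption about the front controller.

```python
import posixpath

# Values taken from the error message on this page.
PAGE_BASEDIR = "/mnt/hgfs/root/tp5/public/:/tmp/:/proc/"
PAGE_DENIED = "/mnt/hgfs/root/tp5/thinkphp/start.php"


def allowed_by(path, open_basedir):
    """Return the open_basedir entry that admits `path`, or None.

    Simplified model: every entry is treated as a directory and symlinks
    are not resolved (PHP resolves them before comparing).
    """
    target = posixpath.normpath(path)      # collapses "public/../thinkphp"
    for entry in filter(None, open_basedir.split(":")):
        base = posixpath.normpath(entry)
        # Compare on a directory boundary so "public/" does not admit "public2/".
        if target == base or target.startswith(base.rstrip("/") + "/"):
            return entry
    return None


def narrowest_base(required_files):
    """Smallest single directory that contains every file the app must read."""
    dirs = [posixpath.dirname(posixpath.normpath(f)) for f in required_files]
    return posixpath.commonpath(dirs).rstrip("/") + "/"


if __name__ == "__main__":
    # Constructed list: the front controller plus the include that failed.
    needed = ["/mnt/hgfs/root/tp5/public/index.php",
              "/mnt/hgfs/root/tp5/public/../thinkphp/start.php"]
    # Assumed alternative value: project root instead of public/ only.
    widened = narrowest_base(needed) + ":/tmp/:/proc/"
    for label, value in (("page", PAGE_BASEDIR), ("widened", widened)):
        for f in needed + ["/etc/passwd"]:
            verdict = allowed_by(f, value)
            print(f"{label:8} {posixpath.normpath(f):40} -> {verdict}")
```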

==============================================================
Open enable-php.conf:

        # Default: treat the whole URI as the script name
        set $fastcgi_script_name2 $fastcgi_script_name;
        # If anything follows ".php", split it off as PATH_INFO
        if ($fastcgi_script_name ~ "^(.+\.php)(/.+)$") {
            set $fastcgi_script_name2 $1;
            set $path_info $2;
        }
        fastcgi_param   PATH_INFO $path_info;
        fastcgi_param   SCRIPT_FILENAME   $document_root$fastcgi_script_name2;
        fastcgi_param   SCRIPT_NAME   $fastcgi_script_name2;

==============================================================
In nginx.conf:

# Fall back to index.php, passing the original path as PATH_INFO
try_files $uri $uri/ /index.php$uri?$args;

if (!-e $request_filename) {
    rewrite ^(.*)$ /index.php?s=/$1 last;
    break;
}

location ~ \.php(.*)$ {
    fastcgi_pass 127.0.0.1:9000;
    fastcgi_index index.php;
    fastcgi_split_path_info ^((?U).+\.php)(/?.+)$;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_param PATH_INFO $fastcgi_path_info;
    fastcgi_param PATH_TRANSLATED $document_root$fastcgi_path_info;
    include fastcgi_params;
}