LANTEN

CentOS - Configuring HTTPS on an Nginx server

2018-02-11

Installing the Nginx server

yum install epel-release
yum update
yum install nginx

Usage

Start: systemctl start nginx
Stop: systemctl stop nginx
Restart: systemctl restart nginx
Check running status: systemctl status nginx
Start on boot: systemctl enable nginx


Nginx configuration (adapted from an article by jrainlau)

Generating a certificate with certbot

The webroot plugin used below answers the ACME HTTP-01 challenge by writing a file under /.well-known/acme-challenge/ in the given directory, so nginx must already be running and serving that directory for the domain over port 80 before you run it.

yum install certbot
certbot certonly --webroot -w /usr/share/nginx/html/ -d xxxx.com


# If you see output like the following, the certificate was issued successfully:

IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at
/etc/letsencrypt/live/xxxx.com/fullchain.pem. Your cert
will expire on 20XX-09-23. To obtain a new or tweaked version of
this certificate in the future, simply run certbot again. To
non-interactively renew *all* of your certificates, run "certbot
renew"
- If you like Certbot, please consider supporting our work by:

Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le

Editing the nginx configuration file

vi /etc/nginx/nginx.conf
server {
    listen 80;
    server_name xxx.com;
    rewrite ^ https://$http_host$request_uri? permanent; # redirect http to https automatically
    # root /home/www;
    #return 301 https://$http_host$request_uri;
}

server {
    listen 443 ssl;

    ssl_certificate /etc/letsencrypt/live/xxx.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/xxx.com/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/xxx.com/chain.pem;
    keepalive_timeout 70;
    server_name xxx.com;
    # root /home/www;

    # Do not expose the server version in response headers, so attackers cannot target version-specific vulnerabilities
    server_tokens off;
    # If the whole site is served over HTTPS and plain HTTP is not needed, add HSTS to tell browsers the site is fully encrypted and force HTTPS
    #add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";
    # ......
    # Only relevant when passing requests to a FastCGI backend (e.g. PHP-FPM)
    fastcgi_param HTTPS on;
    fastcgi_param HTTP_SCHEME https;

    access_log /var/log/nginx/xxx.com.access.log;
    error_log /var/log/nginx/xxx.com.error.log;
}
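As an added example (not part of the original post or jrainlau's article), the following POSIX shell script audits a server block for the hardening the post discusses, server_tokens off and the HSTS header, and also goes beyond the post by requiring an explicit ssl_protocols line without TLS 1.0/1.1. It assumes only sh and grep, and the sample configs it checks are constructed copies of the post's 443 block.

```shell
# Added example, not part of the original post: audit an nginx server block for
# the hardening the post discusses (server_tokens off, HSTS) plus ssl_protocols.
# Assumes only POSIX sh and grep; it is a line-level check, not a config parser.

# Return 0 if config text $1 has an UNCOMMENTED line matching regex $2; a line
# starting with '#' (like the post's disabled HSTS header) does not count.
has_directive() {
    printf '%s\n' "$1" | grep -Eq "^[[:space:]]*$2"
}

# Read a server block on stdin, print one line per finding, and return the
# number of findings (0 = every check passed).
audit_tls_config() {
    cfg=$(cat)
    n=0
    has_directive "$cfg" 'ssl_certificate[[:space:]]' \
        || { echo "FAIL: ssl_certificate not set"; n=$((n + 1)); }
    has_directive "$cfg" 'server_tokens[[:space:]]+off;' \
        || { echo "FAIL: server_tokens off missing, nginx version leaks in headers"; n=$((n + 1)); }
    has_directive "$cfg" 'add_header[[:space:]]+Strict-Transport-Security' \
        || { echo "WARN: HSTS header missing or commented out"; n=$((n + 1)); }
    # ssl_protocols must be set explicitly and must not list TLSv1 or TLSv1.1.
    if ! has_directive "$cfg" 'ssl_protocols[[:space:]]'; then
        echo "FAIL: ssl_protocols not set, defaults may allow TLS 1.0/1.1"; n=$((n + 1))
    elif has_directive "$cfg" 'ssl_protocols[^;]*TLSv1(\.1)?[[:space:];]'; then
        echo "FAIL: ssl_protocols enables TLS 1.0/1.1"; n=$((n + 1))
    fi
    return "$n"
}

# Constructed sample: the post's 443 server block. "weak" is as the post shows it
# (HSTS commented out, no ssl_protocols); "hardened" fixes both.
sample_config() {
    if [ "$1" = hardened ]; then c=""; p="    ssl_protocols TLSv1.2 TLSv1.3;"
    else c="#"; p="    # ssl_protocols not set"; fi
    cat <<EOF
server {
    listen 443 ssl;
    ssl_certificate /etc/letsencrypt/live/xxx.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/xxx.com/privkey.pem;
    server_tokens off;
    ${c}add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
$p
}
EOF
}

sample_config weak | audit_tls_config || echo "weak block: $? finding(s)"   # 2 findings
sample_config hardened | audit_tls_config && echo "hardened block: clean"   # 0 findings
```

Run it against your real file with `audit_tls_config < /etc/nginx/nginx.conf`; because it is line-based, it reports on the file as a whole rather than per server block.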

Restarting nginx

systemctl restart nginx

Automatic renewal with certbot

Dry-run renewal

sudo certbot renew --dry-run
# Output like the following means the dry run succeeded
-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/your.domain.com.conf
-------------------------------------------------------------------------------
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates below have not been saved.)

Congratulations, all renewals succeeded. The following certs have been renewed:
/etc/letsencrypt/live/xxxx.com/fullchain.pem (success)
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates above have not been saved.)

Automating it

sudo crontab -e

# Add this entry to run renew every Monday at 03:00:

00 3 * * 1 /usr/bin/certbot renew >> /var/log/le-renew.log

certbot renew only replaces certificates that are close to expiry, so a weekly run is sufficient. Note that nginx reads the certificate files at startup, so a renewed certificate is not served until nginx is reloaded; certbot's --deploy-hook option can run the reload command whenever a renewal actually takes place.

end

Tags: centOS
