Nginx server installation

```sh
yum install epel-release
yum update
yum install nginx
```

Usage

  • Start: systemctl start nginx
  • Stop: systemctl stop nginx
  • Restart: systemctl restart nginx
  • Check running status: systemctl status nginx
  • Start on boot: systemctl enable nginx

Nginx configuration

Generate a certificate with certbot

```text
yum install certbot
certbot certonly --webroot -w /usr/share/nginx/html/ -d xxxx.com
# If you see the following output, the certificate was generated successfully:
IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/xxxx.com/fullchain.pem. Your cert will expire
   on 20XX-09-23. To obtain a new or tweaked version of this certificate
   in the future, simply run certbot again. To non-interactively renew
   *all* of your certificates, run "certbot renew"
 - If you like Certbot, please consider supporting our work by:
   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le
```

Edit the nginx configuration file

```sh
vi /etc/nginx/nginx.conf
```
```nginx
server {
    listen 80;
    server_name xxx.com;
    rewrite ^ https://$http_host$request_uri? permanent; # redirect http to https automatically
    # root /home/www;
    #return 301 https://$http_host$request_uri;
}

server {
    listen 443 ssl;
    ssl_certificate /etc/letsencrypt/live/xxx.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/xxx.com/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/xxx.com/chain.pem;
    keepalive_timeout 70;
    server_name xxx.com;
    # root /home/www;
    # Do not expose the server version in the headers, so attackers cannot target version-specific vulnerabilities
    server_tokens off;
    # If the whole site is HTTPS and HTTP is not needed, add HSTS to tell the browser that the entire site is encrypted and must be accessed over HTTPS
    #add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";
    # ......
    fastcgi_param HTTPS on;
    fastcgi_param HTTP_SCHEME https;
    access_log /var/log/nginx/xxx.com.access.log;
    error_log /var/log/nginx/xxx.com.error.log;
}
```

Restart nginx

```sh
systemctl restart nginx
```

Set up certbot automatic renewal

Simulate a renewal

```text
sudo certbot renew --dry-run
# The following output means the simulated renewal succeeded
-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/your.domain.com.conf
-------------------------------------------------------------------------------
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates below have not been saved.)

Congratulations, all renewals succeeded. The following certs have been renewed:
  /etc/letsencrypt/live/xxxx.com/fullchain.pem (success)
** DRY RUN: simulating 'certbot renew' close to cert expiry
**          (The test certificates above have not been saved.)
```

Automate the renewal

```sh
sudo crontab -e
# Add this entry to run renew every Monday at 3:00 in the morning:
00 3 * * 1 /usr/bin/certbot renew >> /var/log/le-renew.log
```

acme.sh

Installation

```sh
curl https://get.acme.sh | sh
alias acme.sh=~/.acme.sh/acme.sh
```

Issue a certificate

```sh
acme.sh --issue -d xxx.com -d www.xxx.com --webroot /home/www/
```

Copy (install) the certificate

```sh
acme.sh --installcert -d xxx.com \
    --key-file /etc/nginx/ssl/xxx.com.key \
    --fullchain-file /etc/nginx/ssl/fullchain.cer \
    --reloadcmd "service nginx force-reload"
```

vi /etc/nginx/nginx.conf

```nginx
server {
    listen 80;
    server_name lanten.me www.lanten.me;
    return 301 https://$http_host$request_uri;
}

server {
    listen 443 ssl http2 default_server;
    listen [::]:443 ssl http2 default_server;
    server_name lanten.me www.lanten.me;
    ssl_certificate "/etc/nginx/ssl/fullchain.cer";
    ssl_certificate_key "/etc/nginx/ssl/lanten.me.key";
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 10m;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    root /home/www/;
    try_files $uri /index.html;
}
```
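Both server blocks above (the certbot one and this acme.sh one) rely on the same handful of settings for a safe deployment: an HTTP-to-HTTPS redirect, a fullchain certificate file, server_tokens off, and optionally HSTS. The script below is an added example, not part of the original post or of acme.sh/certbot; it audits an nginx config file for those settings, using a constructed sample config that is missing two of them.

```sh
#!/bin/sh
# Added example: audit an nginx config for the TLS settings this guide uses.
# audit_nginx_tls FILE prints one line per finding and returns the finding count.

# Constructed sample config (hypothetical domain), modelled on the guide's blocks.
# It deliberately leaves server_tokens on and omits the HSTS header.
SAMPLE_CONF='server {
    listen 80;
    server_name example.com;
    return 301 https://$http_host$request_uri;
}
server {
    listen 443 ssl http2;
    server_name example.com;
    ssl_certificate /etc/nginx/ssl/fullchain.cer;
    ssl_certificate_key /etc/nginx/ssl/example.com.key;
    server_tokens on;
}'

audit_nginx_tls() {
    conf="$1"
    findings=0
    # Strip comments first, so a commented-out directive (like the HSTS
    # line in the guide) is not mistaken for an active one.
    active=$(sed 's/#.*$//' "$conf")
    has() { printf '%s\n' "$active" | grep -Eq "$1"; }

    has 'listen[[:space:]]+443[[:space:]].*ssl' \
        || { echo "no ssl listener on port 443"; findings=$((findings+1)); }
    has '(return 301 https://|rewrite .*https://.*permanent)' \
        || { echo "no HTTP->HTTPS redirect"; findings=$((findings+1)); }
    has 'server_tokens[[:space:]]+off' \
        || { echo "server_tokens not off: version exposed in Server header"; findings=$((findings+1)); }
    has 'ssl_certificate[[:space:]]+"?[^;]*fullchain' \
        || { echo "ssl_certificate is not a fullchain file: clients may fail to build the chain"; findings=$((findings+1)); }
    has 'Strict-Transport-Security' \
        || { echo "no HSTS header (optional, only for all-HTTPS sites)"; findings=$((findings+1)); }
    return "$findings"
}

# Demo on the constructed sample: expect 2 findings (server_tokens, HSTS).
demo_conf=$(mktemp)
printf '%s\n' "$SAMPLE_CONF" > "$demo_conf"
audit_nginx_tls "$demo_conf"; echo "findings: $?"
rm -f "$demo_conf"
```

Run it against /etc/nginx/nginx.conf after editing; a non-zero exit status means at least one of the guide's hardening settings is missing.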

acme.sh renews the certificate automatically before it expires.

end