SSL部署

1.申请https证书

  1. certbot certonly --manual -d *.liuwenwen.net --agree-tos --preferred-challenges dns-01 --server https://acme-v02.api.letsencrypt.org/directory
  1. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  2. Please deploy a DNS TXT record under the name:
  4. _acme-challenge.liuwenwen.net.
  6. with the following value:
  8. d5RIrmT_mwj-Kp1qYYY1klzcCzqwcKBjYCnkM4B2BHc
  10. Before continuing, verify the TXT record has been deployed. Depending on the DNS
  11. provider, this may take some time, from a few seconds to multiple minutes. You can
  12. check if it has finished deploying with aid of online tools, such as the Google
  13. Admin Toolbox: https://toolbox.googleapps.com/apps/dig/#TXT/_acme-challenge.liuwenwen.net.
  14. Look for one or more bolded line(s) below the line ';ANSWER'. It should show the
  15. value(s) you've just added.
  17. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  18. Press Enter to Continue
  20. Successfully received certificate.
  21. Certificate is saved at: /etc/letsencrypt/live/liuwenwen.net/fullchain.pem
  22. Key is saved at:         /etc/letsencrypt/live/liuwenwen.net/privkey.pem
  23. This certificate expires on 2021-12-09.
  24. These files will be updated when the certificate renews.
  26. NEXT STEPS:
  27. - This certificate will not be renewed automatically. Autorenewal of --manual certificates requires the use of an authentication hook script (--manual-auth-hook) but one was not provided. To renew this certificate, repeat this same certbot command before the certificate's expiry date.
  29. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
  30. If you like Certbot, please consider supporting our work by:
  31.  * Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
  32.  * Donating to EFF:                    https://eff.org/donate-le
  33. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

2.重命名https证书

  1. root@hongkong:/etc/pki/nginx# ls -l
  2. total 12
  3. -rw-r--r-- 1 root root 5592 Sep 10 21:50 fullchain.crt
  4. -rw-r--r-- 1 root root 1705 Sep 10 21:51 privkey.key

3.配置站点信息

  1. ##
  2. # You should look at the following URL's in order to grasp a solid understanding
  3. # of Nginx configuration files in order to fully unleash the power of Nginx.
  4. # https://www.nginx.com/resources/wiki/start/
  5. # https://www.nginx.com/resources/wiki/start/topics/tutorials/config_pitfalls/
  6. # https://wiki.debian.org/Nginx/DirectoryStructure
  7. #
  8. # In most cases, administrators will remove this file from sites-enabled/ and
  9. # leave it as reference inside of sites-available where it will continue to be
  10. # updated by the nginx packaging team.
  11. #
  12. # This file will automatically load configuration files provided by other
  13. # applications, such as Drupal or Wordpress. These applications will be made
  14. # available underneath a path with that package name, such as /drupal8.
  15. #
  16. # Please see /usr/share/doc/nginx-doc/examples/ for more detailed examples.
  17. ##
  19. # Default server configuration
  20. #
  21. server {
  22.         listen 80 default_server;
  23.         listen [::]:80 default_server;
  25.         # SSL configuration
  26.         #
  27.         # listen 443 ssl default_server;
  28.         # listen [::]:443 ssl default_server;
  29.         #
  30.         # Note: You should disable gzip for SSL traffic.
  31.         # See: https://bugs.debian.org/773332
  32.         #
  33.         # Read up on ssl_ciphers to ensure a secure configuration.
  34.         # See: https://bugs.debian.org/765782
  35.         #
  36.         # Self signed certs generated by the ssl-cert package
  37.         # Don't use them in a production server!
  38.         #
  39.         # include snippets/snakeoil.conf;
  41.         root /var/www/html;
  43.         # Add index.php to the list if you are using PHP
  44.         index index.html index.htm index.nginx-debian.html;
  46.         server_name _;
  48.         rewrite ^(.*)$ https://$host$1 permanent;
  50.         # location / {
  51.                 # First attempt to serve request as file, then
  52.                 # as directory, then fall back to displaying a 404.
  53.                 # try_files $uri $uri/ =404;
  54.         # }
  57.         # pass PHP scripts to FastCGI server
  58.         #
  59.         #location ~ \.php$ {
  60.         #       include snippets/fastcgi-php.conf;
  61.         #
  62.         #       # With php-fpm (or other unix sockets):
  63.         #       fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
  64.         #       # With php-cgi (or other tcp sockets):
  65.         #       fastcgi_pass 127.0.0.1:9000;
  66.         #}
  68.         # deny access to .htaccess files, if Apache's document root
  69.         # concurs with nginx's one
  70.         #
  71.         #location ~ /\.ht {
  72.         #       deny all;
  73.         #}
  74. }
  76. server {
  77.         # listen 80 default_server;
  78.         # listen [::]:80 default_server;
  80.         # SSL configuration
  81.         #
  82.         listen 443 ssl default_server;
  83.         listen [::]:443 ssl default_server;
  85.         ssl_certificate /etc/pki/nginx/fullchain.crt;
  86.         ssl_certificate_key /etc/pki/nginx/privkey.key;
  88.         #
  89.         # Note: You should disable gzip for SSL traffic.
  90.         # See: https://bugs.debian.org/773332
  91.         #
  92.         # Read up on ssl_ciphers to ensure a secure configuration.
  93.         # See: https://bugs.debian.org/765782
  94.         #
  95.         # Self signed certs generated by the ssl-cert package
  96.         # Don't use them in a production server!
  97.         #
  98.         # include snippets/snakeoil.conf;
  100.         root /var/www/html;
  102.         # Add index.php to the list if you are using PHP
  103.         index index.html index.htm index.nginx-debian.html;
  105.         server_name _;
  107.         location / {
  108.                 # First attempt to serve request as file, then
  109.                 # as directory, then fall back to displaying a 404.
  110.                 try_files $uri $uri/ =404;
  111.         }
  114.         # pass PHP scripts to FastCGI server
  115.         #
  116.         #location ~ \.php$ {
  117.         #       include snippets/fastcgi-php.conf;
  118.         #
  119.         #       # With php-fpm (or other unix sockets):
  120.         #       fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
  121.         #       # With php-cgi (or other tcp sockets):
  122.         #       fastcgi_pass 127.0.0.1:9000;
  123.         #}
  125.         # deny access to .htaccess files, if Apache's document root
  126.         # concurs with nginx's one
  127.         #
  128.         #location ~ /\.ht {
  129.         #       deny all;
  130.         #}
  131. }
  133. # Virtual Host configuration for example.com
  134. #
  135. # You can move that to a different file under sites-available/ and symlink that
  136. # to sites-enabled/ to enable it.
  137. #
  138. #server {
  139. #       listen 80;
  140. #       listen [::]:80;
  141. #
  142. #       server_name example.com;
  143. #
  144. #       root /var/www/example.com;
  145. #       index index.html;
  146. #
  147. #       location / {
  148. #               try_files $uri $uri/ =404;
  149. #       }
  150. #}