
How to permanently use the free SSL certificate issued by Let's Encrypt and configure nginx to upgrade the website from insecure HTTP to secure HTTPS

大雀

If your site has a real need for HTTPS, whether for security or because a WeChat mini program requires it, and you don't want to spend a few thousand a year on a paid SSL certificate, then a free certificate from Let's Encrypt may be a great choice. This post covers how to install and use Let's Encrypt and configure nginx so that the certificate renews automatically and stays free permanently.
Let’s Encrypt

1. Preparation

Before installation, you need to open port 443.

# Check which ports are open
firewall-cmd --zone=public --list-ports
#80/tcp 3306/tcp
# If 443 is not listed, add it
firewall-cmd --zone=public --add-port=443/tcp --permanent
# The change only takes effect after a reload, so reload once it is added
firewall-cmd --reload
# Check the open ports again: 443 is now listed, and the preparation is done
firewall-cmd --zone=public --list-ports
#80/tcp 3306/tcp 443/tcp

2. Installation and configuration

1. Install certbot. Certbot is the management client recommended by Let's Encrypt, and it can renew certificates automatically.

yum install certbot -y

2. Generate a certificate

2.1 When you don't know the root directory of your website, generate the certificate like this

# Stop nginx first (standalone mode needs port 80 free)
sudo nginx -s stop
# Then generate the certificate; replace the domains with your own
certbot certonly --standalone -d domain.com -d www.domain.com

2.2 When the root directory of the website is known, generate the certificate like this

# Replace the domains with your own; the web root here is /var/www/domain
certbot certonly --webroot -w /var/www/domain -d domain.com -d www.domain.com

If all goes well, the certificate is generated and placed under the /etc/letsencrypt/live directory, in a subdirectory named after the first domain (here /etc/letsencrypt/live/domain.com/).

3. Configure nginx

# Change the listen 80 server block for your own domain as follows, removing the location / and location /api/ sections
    server {
        listen       80;
        listen       [::]:80;
        server_name www.domain.com domain.com;
        # Browsers only honour Strict-Transport-Security when it arrives over HTTPS, so the header is sent from the 443 block below, not from here
        # $server_name is the first name listed (www.domain.com); use $host instead to keep whichever name the client requested
        return 301 https://$server_name$request_uri;  # redirect to https
    }

# Add a listen 443 server block, changed for your own domain as follows. Copy the location / and location /api/ sections from the original listen 80 block into it
    server {
        listen 443 ssl http2;
        server_name www.domain.com domain.com;
        add_header Strict-Transport-Security max-age=15768000;  # HSTS; only effective when sent over HTTPS
        add_header X-Frame-Options DENY;
        add_header X-Content-Type-Options nosniff;
        root /var/www/domain;
        ssl_certificate /etc/letsencrypt/live/domain.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/domain.com/privkey.pem;
        # TLSv1 and TLSv1.1 are deprecated (RFC 8996); keep only TLSv1.2 (and TLSv1.3 where the OpenSSL build supports it) unless legacy clients force you otherwise
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        # This cipher string both enables RC4 suites (ECDHE-ECDSA-RC4-SHA, ECDH-ECDSA-RC4-SHA, ECDH-RSA-RC4-SHA) and excludes RC4-SHA; RC4 suites should be removed from the list, not relied on being absent from the OpenSSL build
        ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-RC4-SHA:!ECDHE-RSA-RC4-SHA:ECDH-ECDSA-RC4-SHA:ECDH-RSA-RC4-SHA:ECDHE-RSA-AES256-SHA:HIGH:!RC4-SHA:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!CBC:!EDH:!kEDH:!PSK:!SRP:!kECDH;
        ssl_prefer_server_ciphers on;
        ssl_session_cache shared:SSL:10m;
        ssl_session_timeout 60m;

        location / {
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
            proxy_set_header Host $host;
            proxy_set_header X-Nginx-Proxy true;
            proxy_cache_bypass $http_upgrade;
            proxy_pass http://nuxtapp;  # reverse proxy to the Nuxt app; the upstream nuxtapp must be defined elsewhere in the nginx config (not shown here)
        }

        location /api/ {
            proxy_pass http://127.0.0.1:8000;
            proxy_set_header Host $host;
        }

        # Load configuration files for the default server block.
        include /etc/nginx/default.d/*.conf;

        error_page 404 /404.html;
        location = /404.html {
        }

        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
        }
    }
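To check that a configuration like the one above does not keep the weak spots a practitioner would flag (the deprecated TLSv1/TLSv1.1 protocols, the RC4 suites the cipher string lists as enabled, and a Strict-Transport-Security header sent from the port-80 block, where browsers ignore it), here is an added example, not code from the original post: a small Python audit of nginx server blocks. The minimal parser, the SAMPLE_CONF excerpt and the finding texts are my own constructions, not certbot or nginx output.

```python
import re
# Constructed sample: the TLS-relevant directives of the page's two server blocks.
SAMPLE_CONF = """
server {
    listen 80;
    add_header Strict-Transport-Security max-age=15768000;
    return 301 https://$server_name$request_uri;  # redirect to https
}
server {
    listen 443 ssl http2;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-RC4-SHA:HIGH:!RC4-SHA:!aNULL;
    location / { proxy_pass http://nuxtapp; }
}
"""
DEPRECATED = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}  # RFC 7568 / RFC 8996
NESTED = re.compile(r"[^;{}]*{[^{}]*}")  # a nested block with its header, e.g. "location / { ... }"

def server_blocks(text):
    """Return {directive: [argument lists]} per server block, with nested blocks stripped."""
    blocks = []
    for chunk in re.split(r"\bserver\s*{", re.sub(r"#[^\n]*", "", text))[1:]:
        while NESTED.search(chunk):  # innermost blocks first, until only the server's own lines remain
            chunk = NESTED.sub("", chunk)
        block = {}
        for name, args in re.findall(r"(\S+)\s+([^;]*);", chunk.split("}", 1)[0]):
            block.setdefault(name, []).append(args.split())
        blocks.append(block)
    return blocks

def audit(text):
    """Return the weak spots found in the config; an empty list means nothing was flagged."""
    out = []
    for blk in server_blocks(text):
        listen = [a for args in blk.get("listen", []) for a in args]
        tls = any(a == "ssl" or a.rsplit(":", 1)[-1] == "443" for a in listen)
        headers = {args[0] for args in blk.get("add_header", []) if args}
        if not tls:  # plain-HTTP block: it should only redirect, and browsers ignore HSTS here
            if "Strict-Transport-Security" in headers:
                out.append("HSTS sent over plain HTTP is ignored by browsers; move it to the 443 block")
            if not any(len(a) > 1 and a[0] == "301" and a[1].startswith("https://") for a in blk.get("return", [])):
                out.append("port 80 block does not redirect to HTTPS")
            continue
        out += [f"deprecated protocol enabled: {p}" for a in blk.get("ssl_protocols", []) for p in a if p in DEPRECATED]
        suites = ":".join(":".join(a) for a in blk.get("ssl_ciphers", [])).split(":")
        out += [f"RC4 cipher suite enabled: {s}" for s in suites if "RC4" in s and not s.startswith("!")]  # "!RC4-SHA" excludes
        if "Strict-Transport-Security" not in headers:
            out.append("HTTPS block does not send Strict-Transport-Security")
    return out
```

Running audit(SAMPLE_CONF) yields five findings for the excerpt above; point it at your own nginx.conf text once the listen 443 block is in place.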

4. Restart nginx

sudo nginx -s reload

Refresh the page, and HTTPS is now working.

5. There is still one step left. Let's Encrypt certificates expire after 3 months by default, so we need to set up the certbot client to renew the certificate automatically. For this we use crontab.

# In the terminal, run crontab -e
crontab -e
# Press i to enter insert mode and add the renewal command in the following format; it runs at 3 am on the 1st of every month
# (cron fields are minute, hour, day of month, month, day of week). certbot renew on its own only renews certificates within 30 days of expiry; --force-renew renews on every run, and --deploy-hook is the current name for --renew-hook
0 3 1 * * certbot renew --force-renew --renew-hook "nginx -s reload"
# If the certificate was issued with --standalone (2.1), renewal also needs port 80 free: add --pre-hook "nginx -s stop" --post-hook "nginx" so nginx is stopped and started around the renewal
# Press Esc to leave insert mode, then hold Shift and type the following to save and exit
:wq

OK, you're done! Original link: https://www.helloque.site/article/20
