給自己的網站搞上免費HTTPS

背景

租了ESC和域名, 跑了3個小網站和2個服務, 但打開網站時總提示不安全(即http)
用Nginx做的代理, 跑在Debian 9上
搜羅了下https證書供應商, 大都收費或有免費試用期, 個人小網站不值得用他們
最終選了certbot來獲取Let’s Encrypt證書

Certbot 介紹

• Certbot是Electronic Frontier Foundation(EFF)旗下的一個專案，EFF是一家501(c)3非營利組織，總部設在加州舊金山，致力于保護數字隱私、言論自由和創新，

• Certbot是一個免費的開源軟體工具，可以在網站上自動使用Let’s Encrypt(提供TLS證書的非盈利性證書頒發機構)證書來啟用HTTPS

安裝方法(debian/ubuntu)為例

• 借助snap(一款類似apt-get的工具)

  $ sudo apt update
  $ sudo apt install snapd
  $ sudo snap install core; sudo snap refresh core   # 更新至最新
  

  • 其他版本的Linux請參閱官方指南

• 安裝certbot

  $ sudo snap install --classic certbot
  $ sudo ln -s /snap/bin/certbot /usr/bin/certbot    # 加入到命令列
  $ sudo snap set certbot trust-plugin-with-root=ok  # 確認插件包含級別,可以略過
  

生成證書

我的情況是Nginx做代理, 多個二級域名分開配置, 即在 /etc/nginx/nginx.conf中只配置公共選項, 非公共的在/etc/nginx/sites-available/目錄下面

1. 注釋掉nginx.conf 關于 ssl_certificate 和 ssl_certificate_key ---- 沒有就略過

2. sites-available下配置好server并設定軟連接到sites-enabled ---- 非常重要, certbot會獲取里面的配置

   # 如 mock.z417.com 的配置
   $ sudo ln -s /etc/nginx/sites-available/mock /etc/nginx/sites-enabled/
   

   • 我的mock是這么配置的, 請結合實際修改

   server {
        listen 80;
        server_name mock.z417.com;
        return 301 https://$server_name:443$request_uri;
   }
   
   server {
        charset utf-8;
        server_name mock.z417.com;
        access_log /var/log/nginx/mock_access.log main;
   
        listen 443 ssl http2;
   
        location ~*^.+$ {
              proxy_pass http://127.0.0.1:5000;
              proxy_set_header Host $host;
              proxy_set_header Upgrade $http_upgrade;
              proxy_set_header Connection upgrade;
              proxy_set_header Accept-Encoding gzip;
              proxy_set_header X-Real-IP $remote_addr;
              proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }
   }
   

3. 重啟nginx且確認未報錯

   $ sudo systemctl restart nginx
   

4. 洗掉certbot原來的證書資料 --- 沒有就略過

   $ sudo rm -rf /etc/letsencrypt
   

5. 開始制作證書

   $ sudo certbot certonly --nginx
   

   • 會依次提示輸入"郵箱"; "A": 同意協議; "N": 是否接收郵件通知; "回車": 給所有域名配置證書

   • 執行完會提示你證書有效期只有90天, 沒關系, 后面我們設定定時任務, 幫我們自動更新

6. 檢查是否成功生成

   $ sudo ls /etc/letsencrypt/live/z417.com    # z417.com 改成你自己的域名
   cert.pem  chain.pem  fullchain.pem  privkey.pem  README
   

使用證書

1. 配置/etc/nginx/nign.conf, 如我的就配置成了下面這樣t

   • 注意ssl_certificate和ssl_certificate_key配置成自己的路徑,其他可以復制

   user www-data;
   worker_processes auto;
   worker_rlimit_nofile 51200;
   
   error_log  /var/log/nginx/error.log warn;
   pid /run/nginx.pid;
   include /etc/nginx/modules-enabled/*.conf;
   
   events {
        worker_connections 768;
        use epoll;
        multi_accept on;
   }
   
   http {
   
        ##
        # Basic Settings
        ##
        client_body_buffer_size 32k;
        client_header_buffer_size 2k;
        client_max_body_size 2m;
   
        sendfile on;
        tcp_nopush on;
        tcp_nodelay on;
        keepalive_timeout 65;
        types_hash_max_size 2048;
        server_tokens off;
   
        # server_names_hash_bucket_size 64;
        # server_name_in_redirect off;
   
        limit_req_zone $binary_remote_addr zone=one:10m rate=30r/s;
        include /etc/nginx/mime.types;
        default_type application/octet-stream;
   
        ##
        # SSL Settings
        ##
   
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
        ssl_prefer_server_ciphers on;
   
        ssl_certificate /etc/letsencrypt/live/z417.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/z417.com/privkey.pem;
        ssl_session_cache shared:SSL:10m;
        ssl_session_timeout 5m;
        ssl_session_tickets off;
        ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
   
        ##
        # header Settings
        ##
   
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
        add_header X-Xss-Protection 1;
        add_header X-Content-Type-Options nosniff;
        # add_header X-Frame-Options DENY;
   
        add_header Access-Control-Allow-Origin *;
        add_header Access-Control-Allow-Methods 'GET, POST, OPTIONS';
        add_header Access-Control-Allow-Headers 'DNT,X-Mx-ReqToken,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Authorization';
        add_header Access-Control-Allow-Credentials true;
        add_header Access-Control-Max-Age 86400;
   
        ##
        # Logging Settings
        ##
        log_not_found off;
        log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';
        access_log /var/log/nginx/access.log;
        error_log /var/log/nginx/error.log;
   
        ##
        # Gzip Settings
        ##
   
        gzip on;
        gzip_disable "msie6";
   
        gzip_vary on;
        gzip_min_length  1k;
        # gzip_proxied any;
        gzip_comp_level 2;
        gzip_buffers 16 8k;
        gzip_http_version 1.0;
        gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
   
        ##
        # Virtual Host Configs
        ##
   
        include /etc/nginx/conf.d/*.conf;
        include /etc/nginx/sites-enabled/*;
   }
   

2. 測驗nginx配置是否有錯并加載配置

   $ sudo nginx -t                    # 檢查配置是否有效
   $ sudo systemctl reload nginx      # 重新加載nginx配置, 或用restart也行
   

定時任務更新證書

$ sudo crontab -e
0 */12 * * * certbot renew --quiet --renew-hook "/etc/init.d/nginx reload"

標籤：Linux

上一篇：Windows 添加nginx到服務

下一篇：ubuntu16.04配置samba解決linux的svn使用舒適問題