https: Let's Encrypt

0 Nginx Let's Encrypt

Following How To Secure Nginx with Let's Encrypt on Ubuntu 16.04, set up on Ubuntu + Nginx.


I record here the steps I used myself; if anything is unclear, refer to the original article.

1 Install the Let's Encrypt software

sudo apt-get update
sudo apt-get install letsencrypt

2 Obtain an SSL certificate

2.1 Configuration

Edit the Nginx site configuration file; its default path is usually /etc/nginx/sites-available/default

sudo vi /etc/nginx/sites-available/default
Add the following inside the server block
location ~ /.well-known {
        allow all;
}
Save and exit, then test that the change is valid
sudo nginx -t
If there are no errors, restart Nginx
sudo systemctl restart nginx
Assume your site's web root is webroot (mine, for example, is /var/www/html, the directory holding WordPress's index.php) and your domains are ztyii.com and www.ztyii.com; then run the following (substitute your own path and domains)
sudo letsencrypt certonly -a webroot --webroot-path=/var/www/html -d ztyii.com -d www.ztyii.com
Answer the prompts as they appear; afterwards you should see a message like this:
IMPORTANT NOTES:
 - If you lose your account credentials, you can recover through
   e-mails sent to sammy@digitalocean.com
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/ztyii.com/fullchain.pem. Your
   cert will expire on 2017-03-15. To obtain a new version of the
   certificate in the future, simply run Let's Encrypt again.
 - Your account credentials have been saved in your Let's Encrypt
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Let's
   Encrypt so making regular backups of this folder is ideal.
 - If like Let's Encrypt, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le
which indicates success. Note that the message contains "Your certificate and chain have been saved at /etc/letsencrypt/live/ztyii.com/fullchain.pem" and "will expire on 2017-03-15": these give the path of your pem file and the expiry date of this issuance. After that date you have to renew it yourself, i.e. run the sudo letsencrypt certonly line above again.
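Before running certonly it is worth confirming that nginx really serves files placed under the web root's .well-known/acme-challenge/ directory, because that is the only thing the Let's Encrypt validation server will fetch. The script below is an added example, not part of the original post or of the letsencrypt client: probe_webroot() drops a random token file into the directory and requests it back over plain HTTP. For the offline demo a throwaway http.server stands in for nginx; against the real site you would call it with your web root and http://your-domain.

```python
# Added example, not from the original post: a pre-flight check for the
# webroot method. It drops a random token file into
# <webroot>/.well-known/acme-challenge/ and fetches it back over plain HTTP,
# which is what the Let's Encrypt validation server does during issuance.
# For the offline demo a throwaway http.server stands in for nginx.
import http.client
import os
import secrets
import tempfile
import threading
from functools import partial
from http.server import SimpleHTTPRequestHandler, ThreadingHTTPServer
from urllib.parse import urlsplit

CHALLENGE_PATH = "/.well-known/acme-challenge/"


def _http_get(base_url, path, timeout):
    """One GET without proxies or redirects; returns (status, body)."""
    parts = urlsplit(base_url)
    conn = http.client.HTTPConnection(parts.hostname, parts.port or 80, timeout=timeout)
    try:
        conn.request("GET", path, headers={"Host": parts.netloc})
        resp = conn.getresponse()
        return resp.status, resp.read()
    finally:
        conn.close()


def probe_webroot(webroot, base_url, timeout=5):
    """True if a file written under webroot/.well-known/acme-challenge/ is
    served verbatim at base_url/.well-known/acme-challenge/<token>."""
    token = secrets.token_urlsafe(32)
    body = secrets.token_urlsafe(32).encode()
    challenge_dir = os.path.join(webroot, ".well-known", "acme-challenge")
    os.makedirs(challenge_dir, exist_ok=True)
    path = os.path.join(challenge_dir, token)
    with open(path, "wb") as fh:
        fh.write(body)
    try:
        status, got = _http_get(base_url, CHALLENGE_PATH + token, timeout)
        return status == 200 and got == body
    except (OSError, http.client.HTTPException):
        # connection refused, timeout, or a malformed answer
        return False
    finally:
        os.remove(path)


class _QuietHandler(SimpleHTTPRequestHandler):
    def log_message(self, *args):  # keep the demo output clean
        pass


def serve_directory(directory):
    """Local HTTP server on a free port serving `directory` (stands in for
    nginx in the offline demo); returns (server, base_url)."""
    handler = partial(_QuietHandler, directory=directory)
    server = ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, "http://127.0.0.1:%d" % server.server_address[1]


def demo():
    """Offline demo: the served web root passes, an unserved directory fails."""
    with tempfile.TemporaryDirectory() as good_root, \
            tempfile.TemporaryDirectory() as wrong_root:
        server, base_url = serve_directory(good_root)
        try:
            ok = probe_webroot(good_root, base_url)
            # Pointing --webroot-path at a directory nginx does not serve is
            # the classic failure: the token never becomes reachable (404).
            bad = probe_webroot(wrong_root, base_url)
        finally:
            server.shutdown()
            server.server_close()
        return ok, bad


if __name__ == "__main__":
    # Against the real site: probe_webroot("/var/www/html", "http://ztyii.com")
    print(demo())
```

If the probe returns False against your real server, the usual causes are a --webroot-path that differs from the root nginx actually serves, or the location ~ /.well-known block missing from the server that answers on port 80.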

2.2 Certificate files

At this point you will have the following files

  • cert.pem: the domain certificate
  • chain.pem: the Let's Encrypt chain certificate
  • fullchain.pem: cert.pem and chain.pem combined
  • privkey.pem: the certificate's private key

Assume your domain is your_domain_name; these four files normally live under /etc/letsencrypt/archive/your_domain_name. Taking mine as an example, the following command lists the four files (they are actually four symlinks):

sudo ls -l /etc/letsencrypt/live/ztyii.com

2.3 Generate a strong Diffie-Hellman group

For better security, generate a 2048-bit DH parameter file:

sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048

3 Configure TLS/SSL on Nginx

First, create an Nginx snippet in the /etc/nginx/snippets directory. To make the file's purpose easy to recognize, prefix the name with ssl-, followed by your domain, ending in .conf:

sudo vi /etc/nginx/snippets/ssl-ztyii.com.conf
In this file you need to specify the paths of the ssl_certificate and ssl_certificate_key files, i.e. add the following (change the paths to your own):
ssl_certificate /etc/letsencrypt/live/ztyii.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/ztyii.com/privkey.pem;

3.1 Create a snippet with strong encryption settings

sudo vi /etc/nginx/snippets/ssl-params.conf
Add the following to the file
# from https://cipherli.st/
# and https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
ssl_ecdh_curve secp384r1;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
# Disable preloading HSTS for now.  You can use the commented out header line that includes
# the "preload" directive if you understand the implications.
#add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;

ssl_dhparam /etc/ssl/certs/dhparam.pem;
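The snippet above was copied from cipherli.st in 2016, and one setting has aged: TLS 1.0 and 1.1 were formally deprecated by RFC 8996 in 2021, so ssl_protocols should now list only TLSv1.2 (and TLSv1.3 where nginx supports it). The script below is an added example, not from the original post or from cipherli.st: it parses the directives of a snippet and reports settings a defender would want to revisit. The thresholds (which protocols count as deprecated, the HSTS max-age floor) are this example's own choices; the sample input is the post's snippet.

```python
# Added example, not part of the original post or of cipherli.st: a small
# auditor for an nginx TLS snippet. It parses the simple directives and
# reports settings worth revisiting. Thresholds are this example's own.
import re

# The ssl-params.conf from the post, embedded as sample input.
SAMPLE_SNIPPET = """
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
ssl_ecdh_curve secp384r1;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
#add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
ssl_dhparam /etc/ssl/certs/dhparam.pem;
"""

# SSLv3 is long dead; TLS 1.0 and 1.1 were deprecated by RFC 8996 (2021).
DEPRECATED_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1"}
MIN_HSTS_MAX_AGE = 15768000  # six months; this example's own floor


def parse_directives(text):
    """Yield (name, [args]) for each simple directive, skipping comments."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip().rstrip(";").strip()
        if not line:
            continue
        # keep quoted values (which may contain ';' and spaces) as one token
        parts = re.findall(r'"[^"]*"|\S+', line)
        yield parts[0], [p.strip('"') for p in parts[1:]]


def audit_snippet(text):
    """Return a list of human-readable findings for a TLS snippet."""
    findings = []
    seen = {}
    headers = {}
    for name, args in parse_directives(text):
        seen[name] = args
        if name == "add_header" and args:
            headers[args[0].lower()] = " ".join(args[1:])

    weak = DEPRECATED_PROTOCOLS & set(seen.get("ssl_protocols", []))
    if weak:
        findings.append("ssl_protocols enables deprecated %s" % ", ".join(sorted(weak)))
    if "ssl_dhparam" not in seen:
        findings.append("ssl_dhparam missing: DHE ciphers will use a default group")
    if seen.get("ssl_stapling") != ["on"]:
        findings.append("ssl_stapling is off")

    hsts = headers.get("strict-transport-security")
    if hsts is None:
        findings.append("no Strict-Transport-Security header")
    else:
        m = re.search(r"max-age=(\d+)", hsts)
        if not m or int(m.group(1)) < MIN_HSTS_MAX_AGE:
            findings.append("HSTS max-age below %d seconds" % MIN_HSTS_MAX_AGE)
    for h in ("x-frame-options", "x-content-type-options"):
        if h not in headers:
            findings.append("missing header %s" % h)
    return findings


if __name__ == "__main__":
    # Run over the post's snippet; only the protocol line is flagged.
    for finding in audit_snippet(SAMPLE_SNIPPET):
        print("WARN", finding)
```

Run over the post's snippet, the only finding is the deprecated TLSv1/TLSv1.1 entries; everything else (stapling, dhparam, HSTS, the two anti-framing/sniffing headers) passes.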

3.2 Modify the Nginx configuration file to use SSL

Back it up first

sudo cp /etc/nginx/sites-available/default /etc/nginx/sites-available/default.bak
Then edit it
sudo vi /etc/nginx/sites-available/default
Your server block usually looks like this:
server {
    listen 80 default_server;
    listen [::]:80 default_server;

    # SSL configuration

    # listen 443 ssl default_server;
    # listen [::]:443 ssl default_server;

    . . .
Modify it as follows (change server_name to your own domain):
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name ztyii.com www.ztyii.com;
    return 301 https://$server_name$request_uri;
}

    # SSL configuration

    # listen 443 ssl default_server;
    # listen [::]:443 ssl default_server;

    . . .

The edit above splits the configuration file into two halves; the second half begins with the second server block below:
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name ztyii.com www.ztyii.com;
    return 301 https://$server_name$request_uri;
}

server {

    # SSL configuration

    listen 443 ssl http2 default_server;
    listen [::]:443 ssl http2 default_server;
    include snippets/ssl-ztyii.com.conf;
    include snippets/ssl-params.conf;
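Once both server blocks are in place, check that the port-80 block really forwards every request to HTTPS and that nothing is lost on the way. One thing to be aware of: nginx expands $server_name to the first name in the server_name directive, so with the configuration above a request for www.ztyii.com is redirected to https://ztyii.com/ ($host would preserve whichever name the client asked for). The script below is an added example, not from the original post: check_redirect() holds the decision logic and is exercised on constructed responses; fetch_redirect() performs the one real request against a host.

```python
# Added example, not from the original post: checks that the port-80 server
# block really sends clients to HTTPS without losing the host or the path.
# check_redirect() holds the decision logic and runs on constructed
# responses; fetch_redirect() performs the one real request against a host.
import http.client
from urllib.parse import urlsplit


def check_redirect(status, location, request_host, request_path):
    """Return a list of problems with an HTTP->HTTPS redirect (empty means ok)."""
    problems = []
    if status not in (301, 308):
        problems.append("expected a permanent redirect, got %d" % status)
    if not location:
        problems.append("no Location header")
        return problems
    target = urlsplit(location)
    if target.scheme != "https":
        problems.append("redirect target is not https: %s" % location)
    if target.hostname != request_host.lower():
        # nginx expands $server_name to the first name in the server_name
        # directive, so with the post's config a request for www.ztyii.com
        # lands on https://ztyii.com/; $host would preserve the requested name.
        problems.append("host changed from %s to %s" % (request_host, target.hostname))
    if target.path != request_path.split("?", 1)[0]:
        problems.append("path changed from %s to %s" % (request_path, target.path))
    return problems


def fetch_redirect(host, path="/", timeout=5):
    """Single plain-HTTP request that does not follow redirects; returns (status, Location)."""
    conn = http.client.HTTPConnection(host, 80, timeout=timeout)
    try:
        conn.request("HEAD", path, headers={"Host": host})
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()


if __name__ == "__main__":
    # Live check against the post's domains; substitute your own.
    for host in ("ztyii.com", "www.ztyii.com"):
        status, location = fetch_redirect(host, "/wp-login.php")
        print(host, check_redirect(status, location, host, "/wp-login.php") or "ok")
```

Whether the www-to-apex hop is a problem is your call (many sites want exactly that); the check only makes the change visible so it is a decision rather than a surprise.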

4 Firewall

I don't run one, so I skipped this.

5 Restart the Nginx service

Check the Nginx configuration

sudo nginx -t
If there are no errors you will see
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
Then restart
sudo systemctl restart nginx

6 Set up automatic renewal

6.1 One-off renewal

As mentioned earlier, the certificate has an expiry date; when it comes due you can run

sudo letsencrypt renew
to renew it.
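The files listed in 2.2 and the expiry date printed in 2.1 can be checked without waiting for the warning: the script below, an added example that is not from the original post or from the letsencrypt client, reads the leaf certificate out of fullchain.pem and reports its notAfter date and how many days remain, using only the standard library (a minimal DER walk of Certificate -> TBSCertificate -> validity instead of the cryptography package). The 30-day threshold mirrors when letsencrypt renew considers a certificate due; the sample certificate built by make_sample_cert() is constructed for the offline demo around the post's 2017-03-15 expiry and is not a real, signed certificate.

```python
# Added example, not from the original post or from certbot: reads the leaf
# certificate out of a fullchain.pem and reports notAfter and days left,
# using only the standard library (minimal DER walk). The sample certificate
# built below is constructed for the offline demo and is not a real one.
import base64
import re
from datetime import datetime, timezone

RENEW_THRESHOLD_DAYS = 30  # letsencrypt renew acts when fewer days remain


def pem_to_der(pem_text):
    """DER bytes of the first CERTIFICATE block (the leaf in fullchain.pem)."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----",
                  pem_text, re.S)
    if not m:
        raise ValueError("no certificate found in input")
    return base64.b64decode("".join(m.group(1).split()))

def _read_tlv(buf, pos):
    """Parse one DER tag-length-value at pos; returns (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def _parse_time(tag, value):
    """Decode an X.509 Time: UTCTime (0x17, YYMMDD...) or GeneralizedTime (0x18)."""
    text = value.decode("ascii")
    if tag == 0x17:
        yy = int(text[:2])                 # RFC 5280: 50-99 -> 19xx, 00-49 -> 20xx
        text = "%04d%s" % (1900 + yy if yy >= 50 else 2000 + yy, text[2:])
    elif tag != 0x18:
        raise ValueError("unexpected Time tag 0x%02x" % tag)
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def cert_validity(der):
    """Return (notBefore, notAfter) by walking Certificate -> TBSCertificate -> validity."""
    _, cert, _ = _read_tlv(der, 0)
    _, tbs, _ = _read_tlv(cert, 0)
    tag, _, nxt = _read_tlv(tbs, 0)
    pos = nxt if tag == 0xA0 else 0        # optional [0] EXPLICIT version
    for _ in range(3):                     # serialNumber, signature, issuer
        _, _, pos = _read_tlv(tbs, pos)
    _, validity, _ = _read_tlv(tbs, pos)
    tag_nb, nb, pos = _read_tlv(validity, 0)
    tag_na, na, _ = _read_tlv(validity, pos)
    return _parse_time(tag_nb, nb), _parse_time(tag_na, na)

def check_pem(pem_text, now=None, threshold_days=RENEW_THRESHOLD_DAYS):
    """Return (not_after, days_left, renewal_due) for the leaf certificate."""
    now = now or datetime.now(timezone.utc)
    _, not_after = cert_validity(pem_to_der(pem_text))
    days_left = (not_after - now).days
    return not_after, days_left, days_left < threshold_days

def _der(tag, payload):
    """Tiny DER encoder, used only to build the constructed sample below."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload

def make_sample_cert(not_before, not_after):
    """Structurally valid, unsigned Certificate skeleton with the given validity
    (constructed test data, not a real certificate)."""
    utc = lambda d: _der(0x17, d.strftime("%y%m%d%H%M%SZ").encode())
    tbs = _der(0x30, b"".join([
        _der(0xA0, _der(0x02, b"\x02")),   # version v3
        _der(0x02, b"\x01"),               # serialNumber
        _der(0x30, b""),                   # signature AlgorithmIdentifier (placeholder)
        _der(0x30, b""),                   # issuer Name (placeholder)
        _der(0x30, utc(not_before) + utc(not_after)),
    ]))
    der = _der(0x30, tbs + _der(0x30, b"") + _der(0x03, b"\x00"))
    body = base64.b64encode(der).decode()
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % body

def demo():
    """Offline demo around the post's expiry date, 2017-03-15."""
    pem = make_sample_cert(datetime(2016, 12, 15, tzinfo=timezone.utc),
                           datetime(2017, 3, 15, tzinfo=timezone.utc))
    early = check_pem(pem, now=datetime(2017, 1, 1, tzinfo=timezone.utc))
    late = check_pem(pem, now=datetime(2017, 2, 20, tzinfo=timezone.utc))
    return early[0].strftime("%Y-%m-%d"), early[1], early[2], late[1], late[2]

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:   # e.g. /etc/letsencrypt/live/ztyii.com/fullchain.pem
        with open(sys.argv[1]) as fh:
            print(check_pem(fh.read()))
    else:
        print(demo())
```

Pointed at the live fullchain.pem (run as root, since /etc/letsencrypt/live is not world-readable), the third value of the tuple tells you whether letsencrypt renew would actually do anything yet; it declines to renew a certificate that still has more than 30 days left.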

6.2 Automatic renewal

If you want to set it up once and forget it, use crontab

sudo vi /etc/crontab
Add two lines at the end
0  0    * * 1   root    /usr/bin/letsencrypt renew >> /var/log/le-renew.log
5  0    * * 1   root    /bin/systemctl reload nginx
The two lines do the following: every Monday at 00:00 renew the certificate, then at 00:05 reload the nginx service. (/usr/bin/letsencrypt and /bin/systemctl are executed directly; prefixing them with bash does not work, since the first is a Python script and the second a binary.) After saving and exiting, restart the cron service:
sudo service cron restart

7 Postscript

Because the site used to be plain http, the browser reported "the page you visited is not fully secure" after the change. On inspection, the insecure elements were the previously uploaded images, whose URLs all start with http, and the http URLs referenced inside the posts:

  1. In the WP admin, under Settings, change WordPress Address (URL) and Site Address (URL) to https://... WP then rewrites all uploaded file links to start with https automatically (rewrite mod; if you get 404s after the change, see the linked reference);
  2. Edit the http links inside the posts to https.
