0 Nginx Let's Encrypt
This follows How To Secure Nginx with Let's Encrypt on Ubuntu 16.04 for an Ubuntu + Nginx setup. I am recording the steps I actually used here; if anything is unclear, refer to the original article.
1 Install the Let's Encrypt client
sudo apt-get update
sudo apt-get install letsencrypt
2 Obtain an SSL certificate
2.1 Configuration
Edit the Nginx site configuration file; the default path is usually /etc/nginx/sites-available/default
sudo vi /etc/nginx/sites-available/default
Add the following inside the server block
location ~ /.well-known {
    allow all;
}
Save and exit, then test that the change is correct
sudo nginx -t
If there are no errors, restart Nginx
sudo systemctl restart nginx
Assume your web root is webroot, for example mine is /var/www/html, the directory that holds WordPress's index.php; and that your domains are ztyii.com and www.ztyii.com. Then run the following (substitute your own path and domains):
sudo letsencrypt certonly -a webroot --webroot-path=/var/www/html -d ztyii.com -d www.ztyii.com
Answer the prompts in the dialog, and you should then see output similar to the following:
IMPORTANT NOTES:
- If you lose your account credentials, you can recover through
e-mails sent to sammy@digitalocean.com
- Congratulations! Your certificate and chain have been saved at
/etc/letsencrypt/live/ztyii.com/fullchain.pem. Your
cert will expire on 2017-03-15. To obtain a new version of the
certificate in the future, simply run Let's Encrypt again.
- Your account credentials have been saved in your Let's Encrypt
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Let's
Encrypt so making regular backups of this folder is ideal.
- If like Let's Encrypt, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
This indicates success. Note that the output above contains Your certificate and chain have been saved at /etc/letsencrypt/live/ztyii.com/fullchain.pem and will expire on 2017-03-15; these give the path of your pem files and the expiry date of this issuance. After that date you must renew it yourself, that is, re-run the sudo letsencrypt certonly command above.
2.2 Certificate files
At this point you will have the following files
- cert.pem: the domain certificate
- chain.pem: the Let's Encrypt chain certificate
- fullchain.pem: cert.pem and chain.pem combined
- privkey.pem: the certificate's private key
Assuming your domain is your_domain_name, these four files are normally located under /etc/letsencrypt/archive/your_domain_name. Taking mine as an example, the following command lists the four files (they are actually four symlinks):
sudo ls -l /etc/letsencrypt/live/ztyii.com
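Two things are worth checking on those files before Nginx is pointed at them: the expiry date that section 2.1 tells you to watch, and that privkey.pem really belongs to fullchain.pem. Both can be scripted. The following is an added shell example, not part of the original post or of the letsencrypt client; it builds a throwaway self-signed certificate so it runs offline, and the /etc/letsencrypt/live paths mentioned in the comments are the ones from this post.

```shell
#!/bin/sh
# Added example (not from the original post): sanity checks on the files that
# letsencrypt writes under /etc/letsencrypt/live/<domain>/.
# The self-signed certificate and the temp paths below are constructed for a
# runnable demo; on a real host point the functions at the live/ files.

# cert_expires_within CERT DAYS
# Returns 0 (true) when CERT's notAfter lies within DAYS days from now,
# 1 otherwise. openssl's -checkend exits 0 when the cert is still valid at
# the given offset, so the result is inverted here.
cert_expires_within() {
  secs=$(( $2 * 86400 ))
  if openssl x509 -in "$1" -noout -checkend "$secs" >/dev/null 2>&1; then
    return 1
  fi
  return 0
}

# cert_not_after CERT: prints the expiry date in openssl's own format
cert_not_after() {
  openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//'
}

# key_matches_cert CERT KEY
# Returns 0 when the public key inside CERT equals the one derived from KEY.
# An ssl_certificate / ssl_certificate_key pair that fails this check will
# fail `nginx -t` or the TLS handshake.
key_matches_cert() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
  [ "$cert_pub" = "$key_pub" ]
}

# --- constructed demo material (stands in for /etc/letsencrypt/live/ztyii.com) ---
DEMO_DIR=$(mktemp -d)
DEMO_CERT="$DEMO_DIR/fullchain.pem"
DEMO_KEY="$DEMO_DIR/privkey.pem"
DEMO_OTHER_KEY="$DEMO_DIR/unrelated.pem"

# 90-day self-signed certificate, the same lifetime Let's Encrypt issues
openssl req -x509 -newkey rsa:2048 -nodes -days 90 \
  -keyout "$DEMO_KEY" -out "$DEMO_CERT" \
  -subj "/CN=example.test" >/dev/null 2>&1
# a second key that does not belong to the certificate
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
  -out "$DEMO_OTHER_KEY" >/dev/null 2>&1

echo "certificate expires: $(cert_not_after "$DEMO_CERT")"
if cert_expires_within "$DEMO_CERT" 30; then
  echo "RENEW NOW: less than 30 days left"
else
  echo "ok: more than 30 days left"
fi
if key_matches_cert "$DEMO_CERT" "$DEMO_KEY"; then
  echo "ok: privkey.pem matches fullchain.pem"
fi
if ! key_matches_cert "$DEMO_CERT" "$DEMO_OTHER_KEY"; then
  echo "ok: an unrelated key is rejected"
fi
```

On a real host, `cert_expires_within /etc/letsencrypt/live/ztyii.com/fullchain.pem 30` from a cron job or a monitoring check is enough: a true result means `sudo letsencrypt renew` is due. openssl reads the first certificate in fullchain.pem, which is the domain certificate, so the same call works on cert.pem and fullchain.pem.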
2.3 Generate a strong Diffie-Hellman group
For security
sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048
3 Configure TLS/SSL on Nginx
First, create an Nginx snippet in the /etc/nginx/snippets directory. To make the file's purpose easy to recognise, use the prefix ssl- followed by your domain, ending in .conf:
sudo vi /etc/nginx/snippets/ssl-ztyii.com.conf
In this file you need to specify the paths of the ssl_certificate and ssl_certificate_key files, i.e. add the following (change the paths to your own):
ssl_certificate /etc/letsencrypt/live/ztyii.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/ztyii.com/privkey.pem;
3.1 Create a snippet with strong encryption settings
sudo vi /etc/nginx/snippets/ssl-params.conf
Add the following to the file
# from https://cipherli.st/
# and https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
ssl_ecdh_curve secp384r1;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
# Disable preloading HSTS for now. You can use the commented out header line that includes
# the "preload" directive if you understand the implications.
#add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
ssl_dhparam /etc/ssl/certs/dhparam.pem;
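The snippet above is the cipherli.st recommendation of the time. TLS 1.0 and 1.1 have since been deprecated (RFC 8996), so a snippet like this deserves a quick lint before `nginx -t`. The following is an added shell example, not from the original post or from cipherli.st; it parses the ssl_protocols and Strict-Transport-Security directives of a snippet file, flags the deprecated protocol versions, and checks the HSTS max-age against a one-year minimum. The two snippet files it writes are constructed stand-ins for /etc/nginx/snippets/ssl-params.conf.

```shell
#!/bin/sh
# Added example, not from the original post: a small lint for an nginx
# ssl-params snippet. It flags the protocol versions (SSLv3, TLSv1, TLSv1.1)
# that RFC 8996 deprecated after this snippet was written, and reads back the
# HSTS max-age so it can be checked against policy.

# legacy_protocols FILE: prints, one per line, each deprecated protocol named
# in the file's ssl_protocols directive (comment lines are ignored).
legacy_protocols() {
  awk '
    /^[ \t]*#/ { next }
    $1 == "ssl_protocols" {
      for (i = 2; i <= NF; i++) {
        v = $i; sub(/;$/, "", v)
        if (v == "SSLv3" || v == "TLSv1" || v == "TLSv1.1") print v
      }
    }' "$1"
}

# hsts_max_age FILE: prints the max-age of the active (uncommented)
# Strict-Transport-Security header, or nothing if the header is absent.
hsts_max_age() {
  awk '
    /^[ \t]*#/ { next }
    $1 == "add_header" && $2 == "Strict-Transport-Security" {
      if (match($0, /max-age=[0-9]+/))
        print substr($0, RSTART + 8, RLENGTH - 8)
    }' "$1"
}

# lint_snippet FILE: returns 0 when no legacy protocol is enabled and HSTS is
# set with a max-age of at least one year (31536000 s), 1 otherwise.
lint_snippet() {
  ok=0
  for p in $(legacy_protocols "$1"); do
    echo "$1: legacy protocol enabled: $p"
    ok=1
  done
  age=$(hsts_max_age "$1")
  if [ -z "$age" ]; then
    echo "$1: no Strict-Transport-Security header"
    ok=1
  elif [ "$age" -lt 31536000 ]; then
    echo "$1: HSTS max-age $age is below one year"
    ok=1
  fi
  return $ok
}

# --- constructed demo snippets (stand-ins for /etc/nginx/snippets/ssl-params.conf) ---
DEMO_DIR=$(mktemp -d)
OLD_SNIPPET="$DEMO_DIR/ssl-params-2016.conf"
NEW_SNIPPET="$DEMO_DIR/ssl-params-hardened.conf"

# the protocol and HSTS lines as they appear in the snippet above
cat > "$OLD_SNIPPET" <<'EOF'
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
#add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
EOF

# the same snippet with only current protocol versions enabled
cat > "$NEW_SNIPPET" <<'EOF'
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
EOF

lint_snippet "$OLD_SNIPPET" || echo "-> $OLD_SNIPPET needs attention"
lint_snippet "$NEW_SNIPPET" && echo "-> $NEW_SNIPPET passes"
```

`lint_snippet /etc/nginx/snippets/ssl-params.conf` is the call to make on the host; it only reads the file, so it can run as an unprivileged user. TLSv1.3 requires nginx 1.13.0 or later and an OpenSSL with TLS 1.3 support, so on the Ubuntu 16.04 packages this post uses the hardened line would be `ssl_protocols TLSv1.2;`.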
3.2 Modify the Nginx configuration file to use SSL
Back it up first
sudo cp /etc/nginx/sites-available/default /etc/nginx/sites-available/default.bak
Then edit it
sudo vi /etc/nginx/sites-available/default
Your server block usually looks like this:
server {
    listen 80 default_server;
    listen [::]:80 default_server;

    # SSL configuration
    # listen 443 ssl default_server;
    # listen [::]:443 ssl default_server;
    . . .
Change it as follows (set server_name to your own domain):
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name ztyii.com www.ztyii.com;
    return 301 https://$server_name$request_uri;
}

    # SSL configuration
    # listen 443 ssl default_server;
    # listen [::]:443 ssl default_server;
    . . .
This splits the configuration file into two halves; the remaining half starts with the second server block below:
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name ztyii.com www.ztyii.com;
    return 301 https://$server_name$request_uri;
}

server {
    # SSL configuration
    listen 443 ssl http2 default_server;
    listen [::]:443 ssl http2 default_server;

    include snippets/ssl-ztyii.com.conf;
    include snippets/ssl-params.conf;
4 Firewall
I don't have one enabled, so I skipped this
5 Restart the Nginx service
Check the Nginx configuration
sudo nginx -t
If it is correct, you will see
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
Restart
sudo systemctl restart nginx
6 Set up automatic renewal
6.1 One-off renewal
As mentioned earlier, the certificate has a limited validity period. When it runs out, you can renew it with
sudo letsencrypt renew
6.2 Automatic renewal
To do this once and for all, use crontab
sudo vi /etc/crontab
Append the following two lines at the end (letsencrypt is a Python program with its own interpreter line, so it is run directly rather than through bash)
0 0 * * 1 root /usr/bin/letsencrypt renew >> /var/log/le-renew.log
5 0 * * 1 root /bin/systemctl reload nginx
These two lines renew the certificate every Monday at 00:00 and reload the nginx service at 00:05. Save, exit, and restart the cron service:
sudo service cron restart
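The two cron lines reload nginx five minutes after `letsencrypt renew` whether or not anything was actually renewed, and even when the renewal failed. A wrapper that reloads only when the renewal succeeded and the certificate on disk changed, and logs the outcome either way, is safer to leave running unattended. The following is an added shell example, not from the original post or the letsencrypt client. The renew and reload commands are passed in as parameters so the logic can be exercised with stand-ins; the certificate files it creates are constructed, and the /etc/letsencrypt/live path and the script location in the usage note are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: a renewal wrapper for the weekly
# cron job. nginx is reloaded only when the renew command succeeded AND the
# certificate file changed; a failed renewal leaves nginx serving the old
# certificate and is reported on stderr (which cron mails to root).
#
# Real invocation on a host (assumed paths):
#   renew_and_reload /etc/letsencrypt/live/ztyii.com/fullchain.pem \
#       "letsencrypt renew" "systemctl reload nginx"

# cert_fingerprint CERT: SHA-256 fingerprint of the first certificate in CERT
cert_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null | sed 's/^.*=//'
}

# renew_and_reload CERT RENEW_CMD RELOAD_CMD
# Returns 0 when nothing changed or the reload ran, 1 when renewal failed.
renew_and_reload() {
  cert=$1; renew_cmd=$2; reload_cmd=$3
  stamp=$(date -u +%Y-%m-%dT%H:%M:%SZ)
  before=$(cert_fingerprint "$cert")
  if ! sh -c "$renew_cmd"; then
    echo "$stamp renew FAILED for $cert; nginx not reloaded" >&2
    return 1
  fi
  after=$(cert_fingerprint "$cert")
  if [ "$before" = "$after" ]; then
    echo "$stamp $cert unchanged; no reload"
    return 0
  fi
  echo "$stamp $cert changed ($before -> $after); reloading nginx"
  sh -c "$reload_cmd"
}

# --- constructed demo: two self-signed certs stand in for the current and the
# renewed fullchain.pem; a marker file stands in for the nginx reload ---
DEMO_DIR=$(mktemp -d)
CERT_A="$DEMO_DIR/issued-earlier.pem"   # what is on disk now
CERT_B="$DEMO_DIR/issued-renewed.pem"   # what a successful renewal writes
LIVE_CERT="$DEMO_DIR/fullchain.pem"
RELOAD_MARKER="$DEMO_DIR/nginx-reloaded"
for f in "$CERT_A" "$CERT_B"; do
  openssl req -x509 -newkey rsa:2048 -nodes -days 90 \
    -keyout "$DEMO_DIR/unused-key.pem" -out "$f" \
    -subj "/CN=example.test" >/dev/null 2>&1
done
cp "$CERT_A" "$LIVE_CERT"

# 1) renewal runs but nothing was due: no reload
renew_and_reload "$LIVE_CERT" "true" "touch $RELOAD_MARKER"
# 2) renewal replaces the certificate: reload runs
renew_and_reload "$LIVE_CERT" "cp $CERT_B $LIVE_CERT" "touch $RELOAD_MARKER"
# 3) renewal fails: no reload, non-zero exit
renew_and_reload "$LIVE_CERT" "false" "touch $RELOAD_MARKER" || echo "failure reported"
```

Saved as, say, /usr/local/sbin/le-renew.sh (an assumed path), the two cron lines collapse into one: `0 0 * * 1 root /usr/local/sbin/le-renew.sh >> /var/log/le-renew.log`. Newer certbot releases provide `--deploy-hook` for the same purpose, running a command only when a certificate was actually renewed.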
7 Afterword
Because the site used to be plain http, after the switch browsers warned that the page was not fully secure. On inspection, the insecure elements were images uploaded earlier whose URLs start with http, and the post content references those http URLs:
- In the WP admin, under Settings, change WordPress Address (URL) and Site Address (URL) to https://.... WP will then rewrite the links of all uploaded files to start with https (rewrite mod; if you get 404s after the change, see the reference link);
- Edit the posts to change the http links to https.