Enabling HTTPS to improve site security

Source link: https://www.hi-roy.com/posts/%E5%90%AF%E7%94%A8https%E6%8F%90%E9%AB%98%E7%BD%91%E7%AB%99%E5%AE%89%E5%85%A8%E6%80%A7/

2016-06-23

Attentive long-time readers may have noticed that this site now uses HTTPS everywhere. Why? Because it looks nice! Hahaha...

This post records how to configure nginx for this on a CentOS 6 system. I use the free certificates issued by Let's Encrypt. First visit https://certbot.eff.org/ and pick your web server and operating system; for generality I chose "Unspecified Webserver on Other UNIX".

First download the script and make it executable:

wget https://dl.eff.org/certbot-auto
chmod a+x certbot-auto

Stop nginx (or whatever else is listening on port 80) and run: ./certbot-auto certonly

A text-mode UI appears; for convenience I chose the second option:

Automatically use a temporary webserver (standalone)

Then follow the prompts to enter your e-mail address and domain names (separate several domains with commas or spaces). When you see the following message, it worked:

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/xxx.com/fullchain.pem. Your cert will
   expire on 2016-09-21. To obtain a new or tweaked version of this
   certificate in the future, simply run certbot-auto again. To
   non-interactively renew *all* of your certificates, run
   "certbot-auto renew"
 - If you lose your account credentials, you can recover through
   e-mails sent to [email protected].
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Next, edit the nginx configuration file:

server
    {
        listen 80 default;
        server_name _;
        # Redirect every plain-HTTP request to the HTTPS site, keeping the
        # requested path. The original "rewrite ^(.*) https://dear-shen.com/"
        # sent every URL to the home page instead.
        return 301 https://dear-shen.com$request_uri;
    }
server
    {
        listen 443 ssl;
        server_name dear-shen.com www.dear-shen.com;

        ssl_certificate /etc/letsencrypt/live/dear-shen.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/dear-shen.com/privkey.pem;

        # Do not offer SSLv3; the OpenSSL 1.0.1 shipped with CentOS 6 supports TLS 1.2.
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_prefer_server_ciphers on;

        # HSTS: tell browsers that have seen the site to use HTTPS only for one year.
        add_header Strict-Transport-Security "max-age=31536000";

        # ... remaining configuration omitted ...
    }

Adjust this to your own setup, check it with nginx -t, and restart nginx. If a firewall is enabled, remember to open port 443.

Also remember that these certificates are valid for only 90 days, so you must renew them yourself. That is simple too: stop nginx (or whatever else is using port 80) and run:

/path/to/certbot-auto renew --dry-run

If that runs cleanly, you can also schedule the real renewal as a cron job:

/path/to/certbot-auto renew --quiet --no-self-upgrade

Note that with the standalone authenticator port 80 must still be free at the moment the scheduled job actually renews a certificate, so the job has to stop nginx around the renewal (certbot's --pre-hook and --post-hook options do this) or you have to switch to the webroot authenticator.
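The following wrapper script is an added example, not code from the original post. It reports how many days the live certificate has left (using openssl, so an expired or soon-to-expire certificate is visible before browsers start complaining), and runs certbot-auto renew with --pre-hook/--post-hook so nginx is stopped only while a certificate is actually being renewed. The paths /path/to/certbot-auto and /etc/letsencrypt/live, the "service nginx" commands and the 30-day threshold are assumptions; it also assumes GNU date -d, as found on CentOS 6.

```shell
#!/bin/sh
# Cron-friendly Let's Encrypt renewal wrapper for the standalone authenticator.
# Added example, not from the original post. Paths below are assumptions.
CERTBOT=${CERTBOT:-/path/to/certbot-auto}      # assumption: where certbot-auto lives
LIVE_DIR=${LIVE_DIR:-/etc/letsencrypt/live}    # certbot's default live directory
RENEW_BEFORE_DAYS=30                           # certbot itself also renews at <30 days

# days_left "notAfter=Sep 21 00:00:00 2016 GMT" <now-epoch-seconds>
# Whole days from <now> to the expiry printed by `openssl x509 -enddate`.
# Uses GNU date -d (present on CentOS 6); BSD date would need -j -f instead.
days_left() {
    enddate=${1#notAfter=}
    expiry=$(date -u -d "$enddate" +%s) || return 1
    echo $(( (expiry - $2) / 86400 ))
}

# cert_days_left /etc/letsencrypt/live/example.com/fullchain.pem
# Reads the leaf certificate's expiry with openssl and prints days remaining
# (negative once it has expired).
cert_days_left() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 1; }
    line=$(openssl x509 -noout -enddate -in "$1") || return 1
    days_left "$line" "$(date -u +%s)"
}

# needs_renewal <days-left> [threshold]: true when inside the renewal window.
needs_renewal() {
    [ "$1" -lt "${2:-$RENEW_BEFORE_DAYS}" ]
}

# Standalone needs port 80, so stop nginx only while a certificate is actually
# being renewed: certbot runs the hooks only when at least one certificate is
# due, and runs the post-hook after the attempt, so nginx comes back either way.
renew_all() {
    "$CERTBOT" renew --quiet --no-self-upgrade \
        --pre-hook "service nginx stop" \
        --post-hook "service nginx start"
}

# Usage:  renew-le.sh check <domain>   -> prints days left for that domain's cert
#         renew-le.sh renew            -> what the cron job runs, e.g.
#         17 3 * * * /path/to/renew-le.sh renew >> /var/log/le-renew.log 2>&1
case "${1:-}" in
    check) cert_days_left "$LIVE_DIR/$2/fullchain.pem" ;;
    renew) renew_all ;;
esac
```

Running "check" from a monitoring cron entry and alerting when needs_renewal is true catches a silently failing renewal job well before the 90 days run out; the "renew" entry can run daily, since certbot only contacts Let's Encrypt when a certificate is inside the renewal window.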
