Nginx部署Let’s Encrypt免费SSL证书详细教程

Nginx部署Let’s Encrypt免费SSL证书详细教程

免费的SSL证书现在有很多,今天以网站域名learnhard.cn为例,介绍部署Let's Encrypt免费SSL证书的方法

安装nginx:Web服务器

# 支持中文
yum install -y langpacks-zh_CN
yum install -y nginx

# 保证以后重启系统会自动启动nginx服务
systemctl enable nginx

安装根证书

我们采用 certbot 脚本方式申请 let's encript 证书,依次执行如下命令安装该工具:

yum install -y epel-release
yum install -y certbot

# 申请证书 ,会在网站目录下创建 `.well-known/acme-challenge/`目录作为验证方式一
certbot certonly --webroot -w /usr/local/nginx/www -d learnhard.cn -m xiaoyu0720@gmail.com --agree-tos

如果申请失败,可以手工申请, https://letsencrypt.osfipin.com/ ,可以使用DNS验证方式和HTTP验证方式。

如果手工申请成功后,可以再次执行证书下载命令:

certbot certonly --webroot -w /usr/local/nginx/www -d learnhard.cn -m xiaoyu0720@gmail.com --agree-tos

执行成功后,证书就保存在 /etc/letsencrypt/live/learnhard.cn/目录下,这里的learnhard.cn是你自己的域名名称。

证书是3个月有效期,可以在到期前14天内延期,自动延期方法当然是添加cron调度配置:

# 每两月的1日1点00分,执行延期命令。
00 1 1 */2 * /usr/bin/certbot renew --quiet && /usr/bin/systemctl restart nginx

增加安全性-完美前向加密

执行如下命令生成perfect forward secrecy (PFS)文件:

mkdir -p /etc/ssl/private/
openssl dhparam -out /etc/ssl/private/dhparam.pem 2048

完美前向加密(PFS)指的是长期使用的主密钥泄漏不会导致过去的会话密钥泄漏,即使有人监听了你的历史会话消息数据,也无法通过主密钥解密,保证了历史数据的安全性。

配置Nginx服务

证书得到后就可以修改nginx配置了。修改配置文件 /etc/nginx/nginx.conf 内容如下:

# For more information on configuration, see:
#   * Official English Documentation: http://nginx.org/en/docs/
#   * Official Russian Documentation: http://nginx.org/ru/docs/

user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;

# Load dynamic modules. See /usr/share/doc/nginx/README.dynamic.
include /usr/share/nginx/modules/*.conf;

events {
    worker_connections 1024;
}

http {
    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;

    sendfile            on;
    tcp_nopush          on;
    tcp_nodelay         on;
    keepalive_timeout   65;
    types_hash_max_size 2048;

    include             /etc/nginx/mime.types;
    default_type        application/octet-stream;

    # Load modular configuration files from the /etc/nginx/conf.d directory.
    # See http://nginx.org/en/docs/ngx_core_module.html#include
    # for more information.
    include /etc/nginx/conf.d/*.conf;

    server {
        listen       80 default_server;
        listen       [::]:80 default_server;
        server_name  learnhard.cn;
        root         /usr/local/nginx/www/;
        real_ip_header X-Forwarded-For;
        real_ip_recursive  on;

        rewrite ^/ip  /ip break;
        rewrite ^/myip  /myip break;
        # rewrite ^(.*)$  https://$host$1 permanent;

        # Load configuration files for the default server block.
        include /etc/nginx/default.d/*.conf;
        # autoindex off;

        location /myip {
            # 返回客户端IP地址检测
            return 200 "$remote_addr";
        }
        location /ip {
            # 客户端IP地址检测
            return 200 "real_ip: $remote_addr X-Forwarded-For: $proxy_add_x_forwarded_for\n";
        }
    }

# Settings for a TLS enabled server.

    server {
        listen       443 ssl http2 default_server;
        listen       [::]:443 ssl http2 default_server;
        server_name  learnhard.cn;
        root         /usr/local/nginx/www/;

        ssl_certificate "/etc/letsencrypt/live/learnhard.cn/fullchain.pem";
        ssl_certificate_key "/etc/letsencrypt/live/learnhard.cn/privkey.pem";

        ssl_dhparam /etc/ssl/private/dhparam.pem;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        # ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;
        ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:AES:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK';
        ssl_prefer_server_ciphers on;
        ssl_session_cache shared:SSL:10m;
        ssl_session_timeout 10m;

        # Load configuration files for the default server block.
        include /etc/nginx/default.d/*.conf;

        location /{
            index index.php index.html index.htm;
            }
        }

    }

    ##
    # Nginx Bad Bot Blocker
    ##
    # include nginx-badbot-blocker/blacklist.conf;
    # include nginx-badbot-blocker/blockips.conf;
    server_names_hash_bucket_size 64;
    server_names_hash_max_size 4096;
    limit_req_zone $binary_remote_addr zone=flood:50m rate=90r/s;
    limit_conn_zone $binary_remote_addr zone=addr:50m;
}

重启nginx服务

最后,配置完成nginx后,执行重启nginx命令:

systemctl retart nginx

验证一下,访问https://www.learnhard.cn 是否已经可以成功访问了。


转载本文时请注明出处及本文链接地址Nginx部署Let’s Encrypt免费SSL证书详细教程

发表评论

您的电子邮箱地址不会被公开。 必填项已用*标注