HTTPS配置

一、https配置

1.0 环境

系统:CentOS7

[root@www ~]# cat /etc/redhat-release 
CentOS Linux release 7.4.1708 (Core)

nginx:nginx/1.12.2

域名:sample.com 这里以这个域名举例

1.1 安装Certbot Let's Encrypt Client

sudo yum install -y epel-release
sudo yum install -y certbot-nginx

1.2 配置nginx

# 安装nginx,如果未安装
sudo yum install nginx
# 启动nginx
sudo systemctl start nginx
# 配置nginx
sudo vi /etc/nginx/nginx.conf
# server_name sample.net www.sample.net;
# 验证nginx配置文件
sudo nginx -t
# 重启nginx
sudo systemctl reload nginx

1.3 配置防火墙

sudo firewall-cmd --add-service=http
sudo firewall-cmd --add-service=https
sudo firewall-cmd --runtime-to-permanent

1.4 获取证书

# 这个地方有坑,解决方案见参考文件中的ImportError的两个网页
sudo certbot --nginx -d sample.net -d www.sample.net

1.5 配置Diffie-Hellman参数

sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048
sudo vi /etc/nginx/nginx.conf
ssl_dhparam /etc/ssl/certs/dhparam.pem;
sudo nginx -t
sudo systemctl reload nginx

1.6 验证

查看/etc/nginx/nginx.conf

# http配置转发到https
server {
    listen       80 default_server;
    listen       [::]:80 default_server;
    server_name  _;
    # Redirect non-https traffic to https
    if ($scheme != "https") {
      return 301 https://$host$request_uri;
    } # managed by Certbot
}

# https配置
server {
    listen [::]:443 ssl ipv6only=on; # managed by Certbot
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/h2o1k.net/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/h2o1k.net/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
    server_name www.sample.net sample.net; # managed by Certbot
    
        root         /usr/local/nginx/html;
        # Load configuration files for the default server block.
        include /etc/nginx/default.d/*.conf;
        location / {
        }
        error_page 404 /404.html;
            location = /40x.html {
        }

        error_page 500 502 503 504 /50x.html;
            location = /50x.html {
        }
}

验证nginx配置文件并重启nginx

访问http://example.com看是否重定向到https了

1.7 配置自动续费

sudo crontab -e
15 3 * * * /bin/certbot renew --quiet

二、参考

posted @ 2018-03-24 20:44  okokabcd  阅读(225)  评论(0编辑  收藏  举报