
📌 Cloud host: nginx HTTPS setup #2

Open
meishaoming opened this issue Mar 23, 2018 · 1 comment


meishaoming (Owner) commented Mar 23, 2018

Cloud host: nginx HTTPS setup

This continues the previous post, "Cloud host: user login setup".

Goals:

  • an HTTPS certificate, renewed automatically
  • nginx as a reverse proxy in front of the Node.js backend

Install nginx

yum info nginx shows that the nginx in the repository is version 1.12.2, the latest stable release, so that is the one to install.

$ sudo yum install -y nginx

In the Alibaba Cloud console, open ports 80 and 443 for this host instance.

Enable and start the nginx service:

$ sudo systemctl enable nginx
$ sudo systemctl start nginx

At this point a browser on your own machine can reach the host's public IP address, and the result is the nginx welcome page:

That shows nginx was installed successfully.

Generate a certificate for the domain

We want the whole site to use HTTPS, with certificates from Let’s Encrypt. The tooling is on GitHub (https://github.com/certbot/certbot).

First install git on the cloud host:

$ sudo yum install -y git

Download the Let’s Encrypt client (certbot):

$ sudo git clone --depth=1 https://github.com/certbot/certbot.git /opt/letsencrypt

Stop the nginx service first, then generate the certificate (certbot's standalone mode runs its own temporary web server on port 80 to answer the validation challenge, which is why nginx must not be holding that port):

$ sudo systemctl stop nginx
$ cd /opt/letsencrypt/
$ ./certbot-auto certonly --standalone

It installs a Python environment and some dependencies, then asks the following interactive questions:

  1. Is this ok [y/d/N]: answer y to confirm the installation
  2. Enter email address (used for urgent renewal and security notices) (Enter 'c' to cancel): enter your own email address
  3. (A)gree/(C)ancel: enter A to agree
  4. (Y)es/(N)o: enter Y to confirm
  5. Please enter in your domain name(s) (comma and/or space separated) (Enter 'c' to cancel): enter the domain name(s) that HTTPS will be deployed for

At the end you get:

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/dev.fmtech.me/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/dev.fmtech.me/privkey.pem
   Your cert will expire on 2018-06-21. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot-auto
   again. To non-interactively renew *all* of your certificates, run
   "certbot-auto renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

The generated certificate is stored under the /etc/letsencrypt/live/dev.fmtech.me/ directory.

SSL configuration file

First generate a dhparam.pem file, the Diffie-Hellman group used for (DHE) key exchange in HTTPS.

$ sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048

This step takes a while.

Create the SSL configuration file, which will reference the location of dhparam.pem.

$ sudo mkdir -p /etc/nginx/snippets
$ sudo vim /etc/nginx/snippets/ssl-params.conf

Add the following to /etc/nginx/snippets/ssl-params.conf:

# See https://cipherli.st/ for details on this configuration
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off; # Requires nginx >= 1.5.9
ssl_stapling on; # Requires nginx >= 1.3.7
ssl_stapling_verify on; # Requires nginx >= 1.3.7
resolver 119.29.29.29 valid=300s;
resolver_timeout 5s;
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;

# Add our strong Diffie-Hellman group
ssl_dhparam /etc/ssl/certs/dhparam.pem;
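One caveat on the snippet above: it still enables TLSv1 and TLSv1.1, which RFC 8996 has since deprecated; for a new deployment keep only TLSv1.2 (and TLSv1.3 where the nginx/OpenSSL build supports it). The following is an added example, not code from the issue, from nginx or from cipherli.st: a small checker that parses a flat nginx ssl-params snippet and reports the settings a reviewer would flag. The snippet text is the one from the post, embedded as a constructed copy so the example runs offline; the hardened variant, the rules and the messages are this example's own assumptions.

```python
"""Lint a flat nginx ssl-params snippet for settings a reviewer would flag.

Added example; the snippet is copied from the post, everything else is
this example's own (constructed) logic.
"""
import shlex

# Constructed copy of the snippet from the post, embedded for an offline run.
SNIPPET_FROM_POST = """\
# See https://cipherli.st/ for details on this configuration
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off; # Requires nginx >= 1.5.9
ssl_stapling on; # Requires nginx >= 1.3.7
ssl_stapling_verify on; # Requires nginx >= 1.3.7
resolver 119.29.29.29 valid=300s;
resolver_timeout 5s;
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;

# Add our strong Diffie-Hellman group
ssl_dhparam /etc/ssl/certs/dhparam.pem;
"""

# Assumed hardened form: same snippet with the legacy protocols dropped.
SNIPPET_HARDENED = SNIPPET_FROM_POST.replace(
    "ssl_protocols TLSv1 TLSv1.1 TLSv1.2;", "ssl_protocols TLSv1.2 TLSv1.3;")

LEGACY_PROTOCOLS = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1")
HSTS_MIN_AGE = 31536000  # one year, the minimum the HSTS preload list accepts


def parse_directives(text):
    """Parse one-line 'name arg ...;' statements into a list of (name, args).

    '#' comments are dropped and quoted arguments are kept whole (the HSTS
    value carries ';' inside its quotes). Blocks such as 'server { ... }' are
    not handled; the snippet is flat, which is all this checker needs.
    """
    directives = []
    for line in text.splitlines():
        tokens = shlex.split(line, comments=True)
        if not tokens:
            continue
        if not tokens[-1].endswith(";"):
            raise ValueError("statement not terminated by ';': %r" % line)
        tokens[-1] = tokens[-1][:-1]          # drop the terminating ';'
        if tokens[-1] == "":                   # ';' stood on its own
            tokens.pop()
        directives.append((tokens[0], tokens[1:]))
    return directives


def check_ssl_params(text):
    """Return a list of findings (strings); an empty list means nothing flagged."""
    seen = {}
    for name, args in parse_directives(text):
        seen.setdefault(name, []).append(args)  # keep every occurrence, last wins
    findings = []

    protocols = seen.get("ssl_protocols", [[]])[-1]
    if not protocols:
        findings.append("ssl_protocols: not set, nginx falls back to its built-in default")
    legacy = [p for p in protocols if p in LEGACY_PROTOCOLS]
    if legacy:
        findings.append("ssl_protocols: %s deprecated (RFC 8996 for TLS 1.0/1.1); "
                        "keep TLSv1.2 and TLSv1.3 only" % " ".join(legacy))

    if "ssl_dhparam" not in seen:
        findings.append("ssl_dhparam: missing, but the cipher list includes EDH (DHE) suites")

    if seen.get("ssl_stapling", [["off"]])[-1] == ["on"] and "resolver" not in seen:
        findings.append("ssl_stapling: on without a resolver, so nginx cannot fetch OCSP responses")

    if seen.get("ssl_session_tickets", [["on"]])[-1] == ["on"]:
        findings.append("ssl_session_tickets: on, the ticket key stays fixed until restart, "
                        "which weakens forward secrecy")

    hsts = [a for a in seen.get("add_header", [])
            if a and a[0].lower() == "strict-transport-security"]
    if not hsts:
        findings.append("add_header: no Strict-Transport-Security header")
    else:
        params = [p.strip().lower() for p in hsts[-1][1].split(";")]
        max_age = next((int(p.split("=", 1)[1]) for p in params if p.startswith("max-age=")), 0)
        if max_age < HSTS_MIN_AGE:
            findings.append("Strict-Transport-Security: max-age %d is below one year" % max_age)
    return findings


if __name__ == "__main__":
    for label, snippet in (("post", SNIPPET_FROM_POST), ("hardened", SNIPPET_HARDENED)):
        print(label, check_ssl_params(snippet) or "no findings")
```

Run it and the snippet from the post produces exactly one finding, the legacy protocol list; the hardened variant produces none. The checker deliberately parses only the flat snippet format, so feed it the include file rather than the full server block.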

Configure HTTPS in nginx

Comment out the default port-80 server block in /etc/nginx/nginx.conf.

Create our own configuration in /etc/nginx/conf.d/:

$ sudo vim /etc/nginx/conf.d/default.conf

Contents:

# HTTP — redirect all traffic to HTTPS
server {
    listen 80;
    listen [::]:80 default_server ipv6only=on;
    return 301 https://$host$request_uri;
}

# HTTPS — proxy all requests to the Node app
server {
    # Enable HTTP/2
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name dev.fmtech.me;
    root /usr/share/nginx/html;

    # Use the Let’s Encrypt certificates
    ssl_certificate /etc/letsencrypt/live/dev.fmtech.me/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/dev.fmtech.me/privkey.pem;

    # Include the SSL configuration from cipherli.st
    include snippets/ssl-params.conf;

    location / {
    }
    error_page 404 /404.html;
    location = /40x.html {
    }

    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
    }
}

The first server block in this configuration redirects every HTTP request to HTTPS on the same domain.

The second block handles the HTTPS requests. Check that the configuration file is valid:

$ sudo nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

Reload the nginx service:

$ sudo systemctl reload nginx

From a browser on your local machine, visit dev.fmtech.me; it redirects automatically to https://dev.fmtech.me/, which shows the configuration works.

Run an SSL test for the domain on ssllabs. An A+ rating means the configuration is good.

Automatic certificate renewal

Let’s Encrypt is free, but each certificate is valid for only 90 days. When it is about to expire, run the following command to renew it:

$ /opt/letsencrypt/certbot-auto renew

The command checks whether renewal is needed and only actually renews when the certificate is close to expiry.

Use cron to run this check automatically on a schedule. Here it runs once a week, at 1:00 on Monday, with nginx stopped before the renewal and started again afterwards:

$ sudo crontab -e

Add the following entry:

0 1 * * 1 /opt/letsencrypt/certbot-auto --no-self-upgrade renew --pre-hook "nginx -s quit" --post-hook "systemctl start nginx"

The cron configuration is saved in /var/spool/cron/root.

Reload the crond service:

$ sudo systemctl reload crond
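Because certbot renew only acts once a certificate is within 30 days of expiry (its default renew_before_expiry), the question a weekly cron entry raises is how many chances it gets before the certificate lapses. The following added example, not code from the issue or from certbot, simulates that for the entry above: it parses the five cron time fields (only '*' and plain numbers, which is all the entry uses; a day-of-month and day-of-week set together are treated as AND rather than cron's OR), replays the schedule between the issue and expiry dates printed in the post, and reports the first run at which a renewal would happen and how many attempts fall inside the window. The 30-day threshold is certbot's documented default; the monthly and yearly entries in the usage note are constructed comparisons.

```python
"""Simulate which runs of a cron entry would renew a Let's Encrypt certificate.

Added example; dates are the ones printed in the post, the cron parser and
the renewal rule are this example's own (certbot's default 30-day window).
"""
from datetime import datetime, timedelta

# The entry from the post (constructed copy, embedded for an offline run).
CRON_ENTRY = ('0 1 * * 1 /opt/letsencrypt/certbot-auto --no-self-upgrade renew '
              '--pre-hook "nginx -s quit" --post-hook "systemctl start nginx"')
ISSUED = datetime(2018, 3, 23)            # date of the post / certificate issue
EXPIRES = datetime(2018, 6, 21)           # expiry printed by certbot
RENEW_BEFORE_EXPIRY = timedelta(days=30)  # certbot's default renew_before_expiry


def parse_cron(entry):
    """Return (minute, hour, day_of_month, month, day_of_week, command).

    Each time field is an int, or None for '*'. Cron counts weekdays with
    0 (or 7) = Sunday; the result is mapped to Python's 0 = Monday.
    """
    fields = entry.split(None, 5)
    if len(fields) != 6:
        raise ValueError("expected five time fields followed by a command")
    minute, hour, dom, month, dow = [None if f == "*" else int(f) for f in fields[:5]]
    if dow is not None:
        dow = (dow - 1) % 7  # cron Sun..Sat = 0..6 (7 = Sun) -> Python Mon..Sun = 0..6
    return minute, hour, dom, month, dow, fields[5]


def cron_runs(entry, start, end):
    """Yield every time in [start, end) at which the entry fires, minute by minute."""
    minute, hour, dom, month, dow, _ = parse_cron(entry)
    t = start.replace(second=0, microsecond=0)
    while t < end:
        if ((minute is None or t.minute == minute)
                and (hour is None or t.hour == hour)
                and (dom is None or t.day == dom)
                and (month is None or t.month == month)
                and (dow is None or t.weekday() == dow)):
            yield t
        t += timedelta(minutes=1)


def first_renewal(entry, issued, expires, renew_before=RENEW_BEFORE_EXPIRY):
    """Return (run_time, whole_days_left) for the first run that renews, or None."""
    for run in cron_runs(entry, issued, expires):
        if expires - run <= renew_before:      # certbot's "due for renewal" test
            return run, (expires - run).days
    return None


def attempts_in_window(entry, issued, expires, renew_before=RENEW_BEFORE_EXPIRY):
    """Count how many scheduled runs fall inside the renewal window before expiry."""
    return sum(1 for run in cron_runs(entry, issued, expires)
               if expires - run <= renew_before)


if __name__ == "__main__":
    # Constructed alternatives for comparison: monthly on the 1st, and once a year.
    for label, entry in (("weekly (post)", CRON_ENTRY),
                         ("monthly", "0 1 1 * * certbot-auto renew"),
                         ("yearly", "0 1 1 1 * certbot-auto renew")):
        print(label, first_renewal(entry, ISSUED, EXPIRES),
              "attempts:", attempts_in_window(entry, ISSUED, EXPIRES))
```

For the post's certificate the weekly entry first renews on Monday 2018-05-28 at 01:00, with 23 full days to spare, and gets four attempts before expiry, so a transient failure of one run (an ACME outage, the pre-hook not releasing port 80) is not fatal. A monthly entry would get a single attempt, and a yearly one none at all, which is why certbot's documentation recommends running renew at least weekly.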

References


meishaoming (Owner, Author) commented Sep 21, 2018

I ran into this problem:

[image]

I found a fix online:

https://stackoverflow.com/a/46415630
