Earlier, while setting up a personal server, I needed nginx to forward requests to a Tomcat web application, and while I was at it I added SSL to the server.
The server architecture is: nginx as a reverse proxy in front of Tomcat as the web server.
Step 1: use Let's Encrypt to generate the key files and certificate
My server runs Ubuntu 16.04; other similar distributions may differ slightly.
First install the certbot package:
sudo add-apt-repository ppa:certbot/certbot
sudo apt-get update
sudo apt-get install certbot
The rest of this post assumes nginx; if nginx is not installed, see my other blog posts.
sudo vim /etc/nginx/sites-available/default
Add the following location block (it lets the Let's Encrypt HTTP-01 challenge files under /.well-known be served):
location ~ /.well-known {
    allow all;
}
Check the configuration for syntax errors and restart the nginx service:
sudo nginx -t
sudo systemctl restart nginx
Now generate the key and certificate. If this is the first time you run certbot, you will be prompted for an e-mail address and asked to agree to the terms of service. The output tells you whether the process succeeded and where the certificate is stored:
sudo certbot certonly --webroot --webroot-path=/var/www/html -d example.com -d www.example.com
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at
/etc/letsencrypt/live/example.com/fullchain.pem. Your cert
will expire on 2017-07-26. To obtain a new or tweaked version of
this certificate in the future, simply run certbot again. To
non-interactively renew *all* of your certificates, run "certbot
renew"
- If you lose your account credentials, you can recover through
e-mails sent to sammy@example.com.
- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
The output above shows whether the process succeeded and where the certificate is stored; note down the certificate path and the expiry date.
Firewall note: if you get the error Failed to connect to host for DVSNI challenge, your server's firewall may need to be configured to allow traffic on TCP ports 80 and 443.
Certificate files
Once the certificate is issued, you will have the following PEM-encoded files:
- cert.pem: the domain certificate
- chain.pem: the Let's Encrypt chain certificate
- fullchain.pem: cert.pem and chain.pem combined
- privkey.pem: the certificate's private key
You need to know where the certificate files you just created are located so that you can use them in the web server configuration. The files themselves are placed in a subdirectory of /etc/letsencrypt/archive.
However, Certbot creates symbolic links to the newest certificate files in /etc/letsencrypt/live/your_domain_name. Because the links always point to the newest certificate files, this is the path you should use to reference them.
You can check that the files exist by running this command (replace your_domain_name with your domain):
sudo ls -l /etc/letsencrypt/live/your_domain_name
The output should list the four certificate files mentioned above. Later, you will configure your web server to use fullchain.pem as the certificate file and privkey.pem as the certificate key file.
The following is the official recommendation; I have not tried it:
To further improve security, you should also generate a strong Diffie-Hellman group. To generate a 2048-bit group, use the following command:
sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048
This may take a few minutes, but when it finishes you will have a strong DH group at /etc/ssl/certs/dhparam.pem.
My nginx configuration file is as follows:
##
# You should look at the following URL's in order to grasp a solid understanding
# of Nginx configuration files in order to fully unleash the power of Nginx.
# http://wiki.nginx.org/Pitfalls
# http://wiki.nginx.org/QuickStart
# http://wiki.nginx.org/Configuration
#
# Generally, you will want to move this file somewhere, and start with a clean
# file but keep this around for reference. Or just disable in sites-enabled.
#
# Please see /usr/share/doc/nginx-doc/examples/ for more detailed examples.
##
# Default server configuration
#
server {
    listen 80;
    server_name servername;
    # Redirect every plain-HTTP request to the HTTPS server below
    return 301 https://$server_name$request_uri;
}
server {
    listen 443 ssl default_server;
    # listen [::]:80 default_server;
    # SSL configuration
    #
    # listen 443 ssl default_server;
    # listen [::]:443 ssl default_server;
    #
    # Note: You should disable gzip for SSL traffic.
    # See: https://bugs.debian.org/773332
    #
    # Read up on ssl_ciphers to ensure a secure configuration.
    # See: https://bugs.debian.org/765782
    #
    # Self signed certs generated by the ssl-cert package
    # Don't use them in a production server!
    #
    # include snippets/snakeoil.conf;
    # "ssl on;" is accepted by the nginx shipped with Ubuntu 16.04 but is deprecated in
    # newer releases; the "ssl" parameter on the listen line above is what enables TLS.
    ssl on;
    # Point at the /etc/letsencrypt/live symlinks so the newest certificate is always used
    ssl_certificate /etc/letsencrypt/live/your_domain_name/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/your_domain_name/privkey.pem;
    root /opt/tomcat/webapps/servername;
    # Add index.php to the list if you are using PHP
    server_name servername;
    location / {
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # Forward everything to the Tomcat application listening on localhost:8080
        proxy_pass http://127.0.0.1:8080/servername/;
    }
    # Let's Encrypt HTTP-01 challenge files
    location ~ /.well-known {
        allow all;
    }
    # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
    #
    #location ~ \.php$ {
    #   include snippets/fastcgi-php.conf;
    #
    #   # With php7.0-cgi alone:
    #   fastcgi_pass 127.0.0.1:9000;
    #   # With php7.0-fpm:
    #   fastcgi_pass unix:/run/php/php7.0-fpm.sock;
    #}
    # deny access to .htaccess files, if Apache's document root
    # concurs with nginx's one
    #
    #location ~ /\.ht {
    #   deny all;
    #}
}
# Virtual Host configuration for example.com
#
# You can move that to a different file under sites-available/ and symlink that
# to sites-enabled/ to enable it.
#
#server {
# listen 80;
# listen [::]:80;
#
# server_name example.com;
#
# root /var/www/example.com;
# index index.html;
#
# location / {
# try_files $uri $uri/ =404;
# }
#}
Then run the nginx configuration test command again (I ran into problems and had to repeat this several times, so I recommend checking after every change):
sudo nginx -t
Once the test passes, external clients can make HTTPS requests to this server, and nginx forwards them to Tomcat on port 8080 in the background.
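As an added example (not the author's configuration), here is the HTTPS server block from above with the settings its own comments point at filled in: ssl_ciphers and ssl_protocols, the dhparam.pem generated earlier, gzip off for TLS traffic, plus X-Forwarded-Proto so Tomcat knows the original request was HTTPS. Paths, servername and your_domain_name follow the page's placeholders; the cipher list and HSTS max-age are assumptions suitable for the nginx 1.10 / OpenSSL 1.0.2 that Ubuntu 16.04 ships.

```nginx
server {
    listen 443 ssl default_server;
    server_name servername;

    # /etc/letsencrypt/live symlinks always resolve to the newest issuance
    ssl_certificate     /etc/letsencrypt/live/your_domain_name/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/your_domain_name/privkey.pem;

    # DH group from "openssl dhparam" above; without this nginx uses a small default group
    ssl_dhparam /etc/ssl/certs/dhparam.pem;

    # Only TLS 1.2 and forward-secret AEAD suites (assumed list, valid for OpenSSL 1.0.2)
    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384';
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 1d;
    ssl_session_tickets off;

    # The default config's comment warns against gzip on TLS traffic (compression oracle)
    gzip off;

    # Browsers that have seen this header refuse to downgrade to plain HTTP for a year
    add_header Strict-Transport-Security "max-age=31536000" always;

    # Challenge files must be served from the webroot given to certbot (/var/www/html on
    # this page), not from the Tomcat root, or renewal fails once the port-80 redirect
    # sends the validator here over HTTPS.
    location ~ /\.well-known {
        root /var/www/html;
        allow all;
    }

    location / {
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-Host  $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        # Without this Tomcat builds redirects and absolute URLs with http://
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_pass http://127.0.0.1:8080/servername/;
    }
}
```

The "ssl on;" directive is dropped because the ssl parameter on the listen line already enables TLS; run sudo nginx -t after replacing the block, as the post recommends.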