by Karan Thakkar
Using the Let's Encrypt Certbot to get HTTPS on your Amazon EC2 NGINX box
Let’s Encrypt is a new Certificate Authority which provides free SSL certificates (up to a certain limit per week). It came out of beta around a month back and is supported by a wide array of browsers.
Certbot is the official Let's Encrypt client, developed by the Electronic Frontier Foundation. It makes automatically fetching and deploying SSL/TLS certificates for your web server a relatively straightforward process.
Let's get started.
Step #1
Make sure that you have opened up ports 80 (HTTP) and 443 (HTTPS) in your instance Security Group to public. Certbot will use this to establish connections while generating your certificates.
Note that I spent far too much time to figure out why I couldn’t generate a certificate, while the only issue was that I hadn’t opened up port 443 in my EC2 instance Security Group.
Step #2
Set up your domain's CNAME record to point to the public DNS name of your EC2 instance.
Step #3
Install Certbot on your instance. Based on your operating system and server, you can find out how to install it on Certbot's homepage. For NGINX on Ubuntu 14.04, use the following.
Run these commands in your home directory (/home/ubuntu):
wget https://dl.eff.org/certbot-auto
chmod a+x certbot-auto
Step #4
Stop any existing servers running on ports 80 and 443, since those are used by Certbot to verify your domain and generate certificates.
You can restart those servers once you have finished generating the certificates.
Step #5
Run the following command to generate certificates for your domain:
./certbot-auto certonly --standalone -d xyz.yourdomain.com
You can generate certificates for multiple domains using this approach.
Step #6
Change your NGINX configuration in /etc/nginx/nginx.conf to enable SSL:
http {
    ##
    # Logging Settings
    ##
    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;

    server {
        listen 80;
        server_name xyz.yourdomain.com;
        location / {
            # Redirect any http requests to https
            return 301 https://$server_name$request_uri;
        }
    }

    server {
        listen 443 ssl;
        server_name xyz.yourdomain.com;
        # Certificate chain and private key written by Certbot in Step #5
        ssl_certificate /etc/letsencrypt/live/xyz.yourdomain.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/xyz.yourdomain.com/privkey.pem;
        # Tell browsers to use HTTPS for this host for one year (HSTS)
        add_header Strict-Transport-Security "max-age=31536000";
        location / {
            # Forward decrypted traffic to the application listening on localhost:3000
            proxy_pass http://127.0.0.1:3000;
        }
    }
}
The Strict-Transport-Security (HSTS) header tells the browser that, once it has seen the header during an HTTPS session, any links to this host that are not HTTPS should automatically be routed to the HTTPS version for the max-age period (here one year).
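To confirm that the configuration above actually does what Step #6 and the HSTS note intend, here is an added Python check (example code written for this page, not part of the original article or of Certbot or NGINX). It fetches the plain-HTTP and HTTPS versions of a page and verifies both the 301 redirect to HTTPS and a Strict-Transport-Security header with a max-age of at least one year. The host xyz.yourdomain.com is the article's placeholder; the function names and the one-year threshold are this example's own.

```python
"""Check that an HTTPS deployment behaves the way the NGINX config above intends.

Added example, not from the original article. The two pure functions do the
reasoning and run offline against constructed headers; probe() applies them
to a live host. The host name xyz.yourdomain.com is the article's placeholder.
"""
import http.client
import sys
from urllib.parse import urlsplit

ONE_YEAR = 31536000  # max-age value used in the article's add_header line


def check_redirect(status, location, host, path="/"):
    """Return True if a plain-HTTP response is a redirect to the same host
    and path over HTTPS, as the `return 301` block should produce."""
    if status not in (301, 302, 307, 308) or not location:
        return False
    parts = urlsplit(location)
    return (
        parts.scheme == "https"
        and parts.hostname == host.lower()
        and (parts.path or "/") == path
    )


def parse_hsts(header):
    """Parse a Strict-Transport-Security value into a dict.

    'max-age=31536000; includeSubDomains' -> {'max-age': 31536000, 'includesubdomains': True}
    Returns None if the header is missing or max-age is absent or invalid.
    """
    if not header:
        return None
    out = {}
    for directive in header.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        if name == "max-age":
            try:
                out[name] = int(value.strip().strip('"'))
            except ValueError:
                return None
        else:
            out[name] = True
    if "max-age" not in out:
        return None
    return out


def hsts_is_strong(header, min_age=ONE_YEAR):
    """True when HSTS is present with a max-age of at least min_age seconds."""
    parsed = parse_hsts(header)
    return parsed is not None and parsed["max-age"] >= min_age


def probe(host, path="/"):
    """Fetch the HTTP and HTTPS versions of path from host and return
    (redirect_ok, hsts_ok). Needs network access to the host."""
    plain = http.client.HTTPConnection(host, 80, timeout=10)
    plain.request("GET", path)
    resp = plain.getresponse()
    redirect_ok = check_redirect(resp.status, resp.getheader("Location"), host, path)
    plain.close()

    # HTTPSConnection verifies the server certificate against the system trust store
    secure = http.client.HTTPSConnection(host, 443, timeout=10)
    secure.request("GET", path)
    resp = secure.getresponse()
    hsts_ok = hsts_is_strong(resp.getheader("Strict-Transport-Security"))
    secure.close()
    return redirect_ok, hsts_ok


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "xyz.yourdomain.com"
    redirect_ok, hsts_ok = probe(target)
    print("HTTP -> HTTPS redirect:", "ok" if redirect_ok else "MISSING")
    print("HSTS max-age >= 1 year:", "ok" if hsts_ok else "MISSING")
    sys.exit(0 if redirect_ok and hsts_ok else 1)
```

Run it as `python3 check_https.py xyz.yourdomain.com` after NGINX has been reloaded (Step #7). A non-zero exit means either the port-80 server block is not redirecting or the HSTS header is missing or shorter than a year, which are the two things an attacker on the network path would otherwise exploit to keep a visitor on plain HTTP.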
Step #7
Lastly, reload your NGINX configuration:
sudo service nginx reload
Congratulations! Your site xyz.yourdomain.com is now successfully running on HTTPS.
NOTE: Let’s Encrypt certificates are only valid for 3 months after issue. So every 3 months, renewal is required. Here’s how you can automate this using a cron job.
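As an added example for the renewal note (written for this page, not taken from the article or from Certbot), the following Python script reads the certificate's notAfter date from openssl and reports how many days remain, exiting non-zero once fewer than 30 days are left. The 30-day threshold, the function names and the script name are assumptions; the certificate path uses the article's placeholder domain.

```python
"""Expiry check for a Let's Encrypt certificate deployed with the steps above.

Added example, not part of the original article. It parses the notAfter date
exactly as `openssl x509 -enddate -noout -in fullchain.pem` prints it and
reports the days remaining, so a cron job can alert before the 90-day
certificate lapses. The 30-day threshold is an assumption chosen to match
certbot's default renewal window.
"""
import subprocess
import sys
from datetime import datetime, timezone

CERT_PATH = "/etc/letsencrypt/live/xyz.yourdomain.com/fullchain.pem"  # article's placeholder domain
RENEW_BEFORE_DAYS = 30  # assumed threshold; certbot itself renews when under 30 days remain


def parse_openssl_enddate(line):
    """Turn 'notAfter=Jun 30 12:00:00 2025 GMT' into a timezone-aware datetime.

    openssl pads single-digit days with an extra space ('Jun  3'); strptime
    treats a space in the format as 'one or more' whitespace, so that parses too.
    """
    _, _, value = line.strip().partition("=")
    naive = datetime.strptime(value.strip(), "%b %d %H:%M:%S %Y %Z")
    return naive.replace(tzinfo=timezone.utc)


def days_left(not_after, now):
    """Whole days until not_after, rounded down; negative once it has passed."""
    return (not_after - now).days


def renewal_due(not_after, now, threshold=RENEW_BEFORE_DAYS):
    """True when the certificate has fewer than `threshold` days left."""
    return days_left(not_after, now) < threshold


def read_enddate(cert_path=CERT_PATH):
    """Ask openssl for the certificate's notAfter; needs openssl on PATH."""
    out = subprocess.check_output(
        ["openssl", "x509", "-enddate", "-noout", "-in", cert_path], text=True
    )
    return parse_openssl_enddate(out)


if __name__ == "__main__":
    expiry = read_enddate(sys.argv[1] if len(sys.argv) > 1 else CERT_PATH)
    now = datetime.now(timezone.utc)
    print(f"certificate expires {expiry:%Y-%m-%d}, {days_left(expiry, now)} days left")
    # A non-zero exit lets cron (via MAILTO) or a monitoring wrapper flag the host
    sys.exit(1 if renewal_due(expiry, now) else 0)
```

Scheduled from cron next to the renewal command itself (`./certbot-auto renew`, which in the standalone mode used in Step #5 needs `--pre-hook` and `--post-hook` to stop and start NGINX so that port 80 is free), this turns a silent expiry into a failing job rather than a browser warning your visitors see first.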
If this post helped you, hit the heart button below. And if it didn't, please leave a comment to tell me how I can make it better.
PS: Thanks to Narendra N Shetty for proofreading and giving suggestions.
Karan Thakkar is the Frontend Lead at Crowdfire — Your super-smart marketing sidekick. His article has been previously featured on The Huffington Post. He likes trying out new technologies in his spare time and has built Tweetify (using React Native) and Show My PR’s (using Golang).
Other articles written by him:
How I grew from 300 to 5k followers in just 3 weeks: #GrowthHacking my Twitter account for @Crowdfire Twitter Premier League (blog.markgrowth.com)
An Illustrated Guide for Setting Up Your Website Using Github & Cloudflare: Easy to Setup, Instant Deploy, Free HTTPS, HTTP2/SPDY Support, Custom Redirect, Browser Cache Expiration, HTTP Secure… (medium.freecodecamp.org)