Secure Nginx with Let's Encrypt SSL on Ubuntu 18.04

What is an SSL Certificate?

Over time, internet-related security breaches have been on the rise as hackers work around the clock to steal user data for malicious purposes. An SSL certificate is a digital certificate installed on a web server, primarily to encrypt data sent between the user's browser and the server so that only the intended recipient can read it. This is crucial because, without encryption, information is sent as plain text and can easily be intercepted by hackers.

For this reason, most e-commerce stores and online payment platforms such as PayPal encrypt their websites. An SSL certificate also provides authentication, ensuring that information is sent to the right server and not to a hacker.

Google Likes Secure Sites

An SSL certificate helps your site rank higher in Google. According to Google's announcement, SSL-encrypted sites will rank higher than those without encryption, which are considered unsafe. A secured site is indicated by a padlock in the URL bar and a URL that begins with https instead of http. If your site lacks HTTPS, Google marks the site URL as "Not Secure", and this can negatively impact your site rankings.

Nginx with Let's Encrypt SSL Certification on Ubuntu

In this article, we will look at how to secure Nginx with Let's Encrypt SSL on Ubuntu 18.04. Let's Encrypt is a free and automated SSL certificate service provided by the Let's Encrypt authority. By 2018, Let's Encrypt had secured over 150 million websites.

Let's get started and see how we can secure Nginx with Let's Encrypt SSL on Ubuntu 18.04.

Prerequisites

To get started, ensure you have the following:

  • A server instance of Ubuntu Server 18.04 with SSH access
  • A non-root user with sudo privileges
  • A Fully Qualified Domain Name (FQDN) with an A record pointed to the server's IP address
  • In this example, we are going to use the domain name crazytechgeek.info, which is pointed to a VPS with IP address 18.191.46.130.

Step 1. Installing Nginx

The first thing will be to install Nginx web server. But first, update your system by logging in as a non-root user and executing the following command.

$ sudo apt update

Next, install Nginx with the following command.

$ sudo apt install nginx

Once installed, verify that Nginx is running by executing the following command.

$ sudo systemctl status nginx

Great! Now that we have installed our web server, let’s proceed to the next step.

Step 2. Install Certbot

Let us now install Certbot on our server. In this example, we will use the Ubuntu software repository that contains all the updated files. To add the Certbot repository run the following command.

$ sudo add-apt-repository ppa:certbot/certbot

To make the system repositories aware of the changes made, please update the system.

$ sudo apt update

Step 3. Install the Certbot Nginx Package

We are then going to install the Certbot Nginx package. To achieve this run the command below:

$ sudo apt-get install python-certbot-nginx

Step 4. Updating the Firewall to Allow HTTPS Traffic

We need to allow HTTPS traffic through the firewall on port 443 for SSL to work. Let's first check the status of the firewall.

$ sudo ufw status

Before we enable the firewall, let’s first allow “Nginx Full” which will take care of both HTTP and HTTPS.

$ sudo ufw allow 'Nginx Full'

Let us now enable the ufw firewall. Hit ‘y’ when prompted.

$ sudo ufw enable

Let’s verify if the rules were added to the firewall.

$ sudo ufw status

Step 5. Generating the SSL Certificate

The last part is the generation of the Let’s Encrypt SSL certificate. To achieve this, use the syntax below.

$ sudo certbot --nginx -d example.com -d www.example.com

This will generate the SSL certificate that will be valid for example.com as well as www.example.com.

In our case, the command is:

$ sudo certbot --nginx -d crazytechgeek.info -d www.crazytechgeek.info

If you are running Certbot for the first time, you will first be prompted to enter an email address.

Certbot will then contact the Let's Encrypt server, which tries to verify that you control the domain you are requesting a certificate for.

Next, press A to agree to the terms of service.

Next, you will be asked whether you would like your email address to be shared with EFF. Here, you can decide to opt in or out.

The next step is the important one. This is the point where you are asked about redirecting HTTP requests to HTTPS. Select the second option.

If all went well, you will get a message confirming it.

Wonderful! You have successfully installed a Let's Encrypt SSL certificate on your Nginx web server.

To verify this, go to your server's address in the browser and refresh.

Note that the URL now begins with HTTPS instead of HTTP. To view more information about the SSL certificate, click on the padlock symbol and select the 'Certificate' option.

Renew Let's Encrypt SSL Certificate

A Let's Encrypt certificate is valid for 90 days, which means renewal comes after 3 months. Renewal is automated by Let's Encrypt. To test the renewal process, do a dry run with Certbot as shown.

$ sudo certbot renew --dry-run

If there are no errors, everything went according to plan and auto-renewal will take place as needed. All messages about certificate expiration will be sent to the email address specified during configuration.
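
The browser check from Step 5 and the 90-day lifetime described above can also be verified from the command line. The script below is an added example, not part of the original article: the function names, the 20-day alert threshold, and the sample inputs are assumptions made for illustration.

```bash
#!/bin/sh
# Added example (not from the original article). Needs curl, openssl, GNU date.
ALERT_DAYS=20   # assumed alert threshold; adjust to your own policy

# redirects_to_https HEADERS: succeed if the response is a permanent
# redirect (301/308) whose Location starts with https://
redirects_to_https() {
  printf '%s\n' "$1" | tr -d '\r' | awk '
    NR == 1                    { code = $2 }
    tolower($1) == "location:" { loc = $2 }
    END { exit !((code == 301 || code == 308) && loc ~ /^https:\/\//) }'
}

# days_left NOTAFTER NOW_EPOCH: whole days left; NOTAFTER is `openssl x509 -enddate` output
days_left() {
  _end=$(date -u -d "${1#notAfter=}" +%s) || return 2
  echo $(( (_end - $2) / 86400 ))
}

# renewal_overdue NOTAFTER NOW_EPOCH [DAYS]: succeed if fewer than DAYS remain
renewal_overdue() {
  _left=$(days_left "$1" "$2") || return 2
  [ "$_left" -lt "${3:-$ALERT_DAYS}" ]
}

# Live wrappers: fetch the inputs from a running server.
live_headers()  { curl -sI --max-time 10 "http://$1/"; }
live_notafter() {
  echo | openssl s_client -connect "$1:443" -servername "$1" 2>/dev/null |
    openssl x509 -noout -enddate
}

# audit DOMAIN: run both checks; non-zero exit means something needs attention
audit() {
  _rc=0
  redirects_to_https "$(live_headers "$1")" ||
    { echo "redirect: http:// does not redirect to https://"; _rc=1; }
  _na=$(live_notafter "$1") || { echo "tls: no certificate served"; return 1; }
  echo "tls: $(days_left "$_na" "$(date +%s)") days left"
  if renewal_overdue "$_na" "$(date +%s)"; then
    echo "tls: under $ALERT_DAYS days left, check auto-renewal"; _rc=1
  fi
  return $_rc
}

# Constructed sample inputs (not captured from a real server)
SAMPLE_HEADERS=$(printf 'HTTP/1.1 301 Moved Permanently\r\nLocation: https://example.com/\r\n')
SAMPLE_NOTAFTER='notAfter=Jun 29 12:00:00 2025 GMT'
if [ -n "${1:-}" ]; then audit "$1"; fi
```

Saved under a name of your choice and run with the domain as its only argument, the script exits non-zero when the redirect is missing or the served certificate is close to expiry, which makes it usable from cron or a monitoring job.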

Translated from: https://www.journaldev.com/24781/nginx-lets-encrypt-ssl-ubuntu-18-04
