Manually configuring wildcard-domain HTTPS (resources)

Use certbot on CentOS 7 to configure nginx for wildcard-domain HTTPS. As the example, we request a wildcard certificate for the domain zqyu.com.

1. Manually configuring wildcard-domain HTTPS

I. Install certbot

$ sudo yum install python2-certbot-nginx

II. Generate the certificate

$ certbot certonly --manual -d zqyu.com -d '*.zqyu.com' --preferred-challenges dns-01 --server https://acme-v02.api.letsencrypt.org/directory

An error came up during the run:

ImportError: No module named 'requests.packages.urllib3'

Reinstalling the packages fixes it:

$ pip uninstall requests
$ pip uninstall urllib3
$ yum remove python-urllib3
$ yum remove python-requests
$ yum install python-urllib3
$ yum install python-requests
$ yum install certbot

Run the certificate command again, fill in the information as prompted, and add the TXT record shown in the prompt to the domain's DNS:

Please deploy a DNS TXT record under the name
_acme-challenge.[your-domain] with the following value:

LAgFSE1_ML8l2T35GuyW1Iq-HZ8dncQUkxd131fZq3w  [this string is the token generated during the run]

Before continuing, verify the record is deployed.

On success, the output looks like this:

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/[your-domain]/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/[your-domain]/privkey.pem
   Your cert will expire on 2019-01-25. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le
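The prompt above asks you to confirm that the TXT record is live before continuing. The following Python helper is an added example, not code from the original post or from certbot: it derives the _acme-challenge name for each -d identifier, sanity-checks the value's shape, and parses `dig +short TXT` output to confirm the expected value is published. It assumes a local `dig` binary; the sample domain and value are the ones from the prompt above.

```python
import re
import subprocess
from typing import List

# Constructed sample values: the domain and TXT value from the certbot prompt above.
DOMAIN = "zqyu.com"
EXPECTED = "LAgFSE1_ML8l2T35GuyW1Iq-HZ8dncQUkxd131fZq3w"

# A dns-01 value is base64url(SHA-256(key authorization)): 43 chars, no padding.
VALUE_RE = re.compile(r"^[A-Za-z0-9_-]{43}$")
# One "quoted" chunk (backslash escapes allowed) from dig's TXT output.
QUOTED_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')


def challenge_name(identifier: str) -> str:
    """DNS name that carries the TXT record for one -d identifier.

    'zqyu.com' and '*.zqyu.com' both validate at _acme-challenge.zqyu.com, so
    with both -d flags two different values must coexist under that one name.
    """
    bare = identifier[2:] if identifier.startswith("*.") else identifier
    return f"_acme-challenge.{bare.rstrip('.')}"


def looks_like_dns01_value(value: str) -> bool:
    # Cheap check that the value was not truncated or mis-pasted into the zone.
    return VALUE_RE.match(value) is not None


def parse_txt_answers(dig_output: str) -> List[str]:
    """Turn `dig +short TXT` output (one record per line) into values.
    Long records arrive as several quoted chunks that resolvers join; join them too."""
    values = []
    for line in dig_output.splitlines():
        if line.strip():
            values.append("".join(QUOTED_RE.findall(line)))
    return values


def record_deployed(dig_output: str, expected: str) -> bool:
    """True when the expected value is among the published TXT records."""
    return expected in parse_txt_answers(dig_output)


def query_txt(name: str) -> str:
    """Assumption: a local `dig` binary; returns its +short TXT output."""
    proc = subprocess.run(["dig", "+short", "TXT", name],
                          capture_output=True, text=True, check=False)
    return proc.stdout
```

Run `record_deployed(query_txt(challenge_name("*." + DOMAIN)), EXPECTED)` against your resolver and only press Enter in certbot once it returns True; when both zqyu.com and *.zqyu.com are requested, check the second value the same way.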

III. Configure the certificate in nginx

server {
    listen 80;
    server_name [your-domain];
    return 301 https://$server_name$request_uri;
}
server {
    listen       443 ssl;
    server_name [your-domain];
    ssl_certificate /etc/letsencrypt/live/[your-domain]/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/[your-domain]/privkey.pem;
    root [your-site-root];

    location / {
        access_log off;
    }
}

Reload the nginx configuration with nginx -s reload and you are done.

IV. Automatic certificate renewal

Let's Encrypt certificates are valid for 90 days; after they expire, the certificate has to be issued and installed again.

V. Uninstall

$ yum remove certbot python2-certbot-nginx
$ yum autoremove

2. Upgrading nginx service access from HTTP to HTTPS

I. Environment for installing the SSL certificate
1.1 Overview of the SSL certificate installation environment

CentOS 6.4 operating system;

Nginx 1.9.1;

OpenSSL 1.0.1+;

One SSL certificate (note: this guide uses an OV SSL certificate for the yonyou.com domain; the steps apply to other certificate types as well).

1.2 Network requirements

Make sure the site is a legitimate domain name reachable from the public internet and can be accessed normally via http://XXX.

II. Installing the SSL certificate
2.1 Obtain the SSL certificate

After the certificate application succeeds, you receive a password-protected archive. Enter the certificate password and extract it to get five files: for Apache, for IIS, for Nginx, for Other Server. These are the different formats of the same certificate; nginx needs the "for Nginx" format.
Note: you can apply for the certificate from Alibaba Cloud or Tencent Cloud yourself.
2.2 Extract the certificate files

Open the "for Nginx" folder and you will see 2 files: the certificate (public key) and the private key (Figure 2).
2.3 Install the SSL certificate

# Find nginx's configuration file nginx.conf and add the following to the server block of the port to be served
  ssl on;
  ssl_certificate /usr/local/nginx/conf/ca/_.yonyou.com_bundle.crt;   # certificate (public key)
  ssl_certificate_key /usr/local/nginx/conf/ca/yonyou.com.key;        # private key
  ssl_session_timeout 5m;
  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
  ssl_ciphers AESGCM:ALL:!DH:!EXPORT:!RC4:+HIGH:!MEDIUM:!LOW:!aNULL:!eNULL;
  ssl_prefer_server_ciphers on;

# Complete configuration for listening on port 443; the important lines are the ones in the middle, which enable SSL and point at the certificate and private key files
server {
  listen 443;
  server_name localhost;
  ssl on;
  ssl_certificate /usr/local/nginx/conf/ca/_.yonyou.com_bundle.crt;   # certificate (public key)
  ssl_certificate_key /usr/local/nginx/conf/ca/yonyou.com.key;        # private key
  ssl_session_timeout 5m;
  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
  ssl_ciphers AESGCM:ALL:!DH:!EXPORT:!RC4:+HIGH:!MEDIUM:!LOW:!aNULL:!eNULL;
  ssl_prefer_server_ciphers on;
  location / {
    root html;
    index index.html index.htm;
  }
}

Save, exit, and restart nginx.

nginx -s stop                      # stop nginx
nginx -c /etc/nginx/nginx.conf     # start nginx with the specified configuration file

3. Generating an HTTPS certificate on Ubuntu with Let's Encrypt

Add the package source
sudo add-apt-repository ppa:certbot/certbot

Update the apt sources
sudo apt-get update

Install
sudo apt-get install python-certbot-apache

Install letsencrypt and generate the certificate
Install letsencrypt
sudo apt-get install letsencrypt

Generate the certificate
letsencrypt certonly --agree-tos --email xxx@qq.com -d xxx.xxx.com
(the domain must already resolve to this server; you should be able to ping it)

Messages that may appear during the process
How would you like to authenticate with the ACME CA?
Mine is nginx, so I chose 2; if you have neither, choose the third option.

Success message
If an error is reported instead,
the cause is nginx or apache occupying port 80: stop it first, then run the command again.

A folder named after the domain entered in the <Generate the certificate> step above is created under /etc/letsencrypt/live/ and contains the certificate files.

nginx configuration for HTTPS access

ssl configuration

server {
    listen 443 ssl;
    server_name xxx.xxx.com;    # domain name
    ssl_certificate /etc/letsencrypt/live/unicallcenter.botongweb.com/fullchain.pem;
    ssl_certificate_key  /etc/letsencrypt/live/unicallcenter.botongweb.com/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/unicallcenter.botongweb.com/chain.pem;
    ssl_protocols   TLSv1 TLSv1.1 TLSv1.2;

    location / {
        root '/root/data/www';       # path of the static pages
        index index.html;
        try_files $uri $uri/ /index.html;
    }
    error_page  405 =200 $uri;
}

upstream gateway {
    server xx.xx.xx.xx:9099;  # address of the backend service
}

server {
    listen 443 ssl;
    server_name xx.xx.xx.com;    # domain name

    ssl_certificate /etc/letsencrypt/live/api.uincall.botongweb.com/fullchain.pem;
    ssl_certificate_key  /etc/letsencrypt/live/api.uincall.botongweb.com/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/api.uincall.botongweb.com/chain.pem;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-Proto $scheme;

    location / {
        proxy_pass http://gateway;  # the upstream defined above
    }
}

server {
    listen 80;
    server_name xx.xx.xx.com;    # domain name
    return 301 https://$host$request_uri;
}
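The 443 server blocks in sections 1 to 3 all enable TLSv1 and TLSv1.1, and section 2 relies on the legacy `ssl on` directive. The following Python check is an added example, not code from the original post or from nginx: it extracts the TLS directives of one server block and reports each legacy setting next to its replacement. SAMPLE_CONF is the section 2 block; the TLSv1.3 advice assumes nginx 1.13+ with OpenSSL 1.1.1+, so on older builds keep TLSv1.2 only.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: the 443 server block from section 2 above, with its weak settings.
SAMPLE_CONF = """
server {
  listen 443;
  server_name localhost;
  ssl on;
  ssl_certificate /usr/local/nginx/conf/ca/_.yonyou.com_bundle.crt;
  ssl_certificate_key /usr/local/nginx/conf/ca/yonyou.com.key;
  ssl_session_timeout 5m;
  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
  ssl_ciphers AESGCM:ALL:!DH:!EXPORT:!RC4:+HIGH:!MEDIUM:!LOW:!aNULL:!eNULL;
  ssl_prefer_server_ciphers on;
}
"""

# One "name args;" directive per line; a trailing "# comment" is ignored.
DIRECTIVE_RE = re.compile(r"^\s*([a-z_]+)\s+([^;#\n]*?)\s*;", re.M)
LEGACY = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1")


def directives(conf: str) -> Dict[str, List[str]]:
    """Map directive name -> argument list for one server block (last occurrence wins)."""
    return {m.group(1): m.group(2).split() for m in DIRECTIVE_RE.finditer(conf)}


def lint_tls(conf: str) -> List[Tuple[str, str]]:
    """Return (directive, problem) pairs for the TLS settings of a server block."""
    d = directives(conf)
    out = []
    listen, ssl_on = d.get("listen", []), d.get("ssl") == ["on"]
    if listen and "ssl" not in listen and not ssl_on:
        out.append(("listen", "no 'ssl' parameter and no 'ssl on': this port serves plain HTTP"))
    if ssl_on:
        out.append(("ssl", "'ssl on;' is deprecated since nginx 1.15.0; use 'listen 443 ssl;'"))
    weak = [p for p in d.get("ssl_protocols", []) if p in LEGACY]
    if weak:
        # TLSv1.3 needs nginx 1.13+ with OpenSSL 1.1.1+; otherwise keep TLSv1.2 only.
        out.append(("ssl_protocols", f"enables legacy {' '.join(weak)}; use 'TLSv1.2 TLSv1.3'"))
    ciphers = ":".join(d.get("ssl_ciphers", []))
    if ciphers and "!aNULL" not in ciphers:
        out.append(("ssl_ciphers", "anonymous suites not excluded; add '!aNULL'"))
    if "ssl_session_cache" not in d:
        out.append(("ssl_session_cache", "missing; add 'ssl_session_cache shared:SSL:10m;'"))
    return out
```

Feed each 443 server block from your nginx.conf to lint_tls and fix what it reports before reloading; after changing ssl_protocols, confirm with an external TLS scanner that TLSv1 and TLSv1.1 handshakes are now refused.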

Scheduled certificate renewal

crontab -e

Renew at 2 a.m. every night

# five time fields (minute hour day month weekday); use && and ; so the steps run in order rather than in the background
0 2 * * * service nginx stop && letsencrypt renew; service nginx start

Extras

Small server configuration tips

When nginx serves both http and https and https should take precedence, add the following to the port-80 server block:

server {  
    listen  192.168.1.111:80;  
    server_name test.com;  
      
    rewrite ^(.*)$  https://$host$1 permanent;  
} 

nginx reverse proxy for http and https, and TCP port mapping

Preparation
Windows environment
Download nginx from the official site
http://nginx.org/en/download.html
then open nginx.conf in the conf directory

Reverse proxying http
nginx.conf configuration

worker_processes  1;

events {
    worker_connections  1024;
}

http {
    include       mime.types;
    default_type  application/octet-stream;

    server {
        listen       80;                 # listening port
        server_name  test1_http.com;     # domain name
        location / {
            proxy_pass http://test2_http.com;                     # domain to proxy to
            proxy_set_header    X-Real-IP        $remote_addr;    # pass the client's real IP in a request header
            proxy_set_header    X-Forwarded-For  $proxy_add_x_forwarded_for;
            proxy_set_header    HTTP_X_FORWARDED_FOR $remote_addr;
        }
    }
}

Reverse proxying https
nginx.conf configuration

worker_processes  1;

events {
    worker_connections  1024;
}
http {
    include       mime.types;
    default_type  application/octet-stream;
    sendfile        on;

    server {
        listen              443 ssl;   # listen on the default HTTPS port
        server_name         test1_https.com;
        # https certificate settings
        ssl_certificate     SSL.crt;   # relative path recommended
        ssl_certificate_key SSL.KEY;   # relative path recommended
        ssl_session_timeout  5m;
        ssl_session_cache    shared:SSL:1m;
        ssl_ciphers  HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers  on;

        location / {
            # required when the origin itself is https
            proxy_ssl_server_name on;

            proxy_pass https://test2_https.com;                    # domain to proxy to
            proxy_set_header    X-Real-IP        $remote_addr;     # pass the client's real IP in a request header
            proxy_set_header    X-Forwarded-For  $proxy_add_x_forwarded_for;
            proxy_set_header    HTTP_X_FORWARDED_FOR $remote_addr;
        }
    }
}

TCP port mapping
The stream block must sit at the same level as http

worker_processes  1;

events {
    worker_connections  1024;
}


# port mapping
stream {
    # forward port 4422 to port 4433 of test1_https.com
    upstream server_upstreams_port4433 {
        server test1_https.com:4433;
    }
    server {
        listen 4422;                             # listening port
        proxy_pass server_upstreams_port4433;    # forward
    }
}


http {
    include       mime.types;
    default_type  application/octet-stream;
    sendfile        on;

    server {
        listen              443 ssl;   # listen on the default HTTPS port
        server_name         test1_https.com;
        # https certificate settings
        ssl_certificate     SSL.crt;   # relative path recommended
        ssl_certificate_key SSL.KEY;   # relative path recommended
        ssl_session_timeout  5m;
        ssl_session_cache    shared:SSL:1m;
        ssl_ciphers  HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers  on;

        location / {
            # required when the origin itself is https
            proxy_ssl_server_name on;

            proxy_pass https://test2_https.com;                    # domain to proxy to
            proxy_set_header    X-Real-IP        $remote_addr;     # pass the client's real IP in a request header
            proxy_set_header    X-Forwarded-For  $proxy_add_x_forwarded_for;
            proxy_set_header    HTTP_X_FORWARDED_FOR $remote_addr;
        }
    }
}

Reference links:

Manually configuring wildcard-domain HTTPS: https://www.jianshu.com/p/8dde743d5c0f

Upgrading nginx service access from HTTP to HTTPS: https://www.jianshu.com/p/3e90c90d0763

Generating an HTTPS certificate on Ubuntu with Let's Encrypt: https://www.jianshu.com/p/9b97c7b1d803

nginx reverse proxy for http and https, and TCP port mapping: https://www.jianshu.com/p/c41044fa3138
