使用 certbot 在CentOS7下配置nginx支持泛域名https, 例如我们申请zqyu.com这个域名的泛域名证书
1、手动配置泛域名https
一、 安装certbot
$ sudo yum install python2-certbot-nginx
二、 生成证书
$ certbot certonly --manual -d zqyu.com -d *.zqyu.com --preferred-challenges dns-01 --server https://acme-v02.api.letsencrypt.org/directory
安装过程中出现错误
ImportError: No module named ‘requests.packages.urllib3’
更新软件即可
$ pip uninstall requests
$ pip uninstall urllib3
$ yum remove python-urllib3
$ yum remove python-requests
$ yum install python-urllib3
$ yum install python-requests
$ yum install certbot
重新执行生成证书的命令,按照提示填写相对应的信息,在域名的解析中添加解析TXT记录
Please deploy a DNS TXT record under the name
_acme-challenge.[你的域名] with the following value:
LAgFSE1_ML8l2T35GuyW1Iq-HZ8dncQUkxd131fZq3w[这一串是安装过程中生成的token]
Before continuing, verify the record is deployed.
安装成功后提示如下
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/[你的域名]/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/[你的域名]/privkey.pem
Your cert will expire on 2019-01-25. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew *all* of your certificates, run
"certbot renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
三、 在nginx中配置证书
server {
listen 80;
server_name [你的域名];
return 301 https://$server_name$request_uri;
}
server {
listen 443 ssl;
server_name [你的域名];
ssl_certificate /etc/letsencrypt/live/[你的域名]/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/[你的域名]/privkey.pem;
root [你的网站根目录];
location / {
access_log off;
}
}
重新加载nginx规则nginx -s reload即可
四、 自动更新证书
Let’s Encrypt 证书的有效期是90天,到期后需要重新安装
五、卸载
$ yum remove certbot python2-certbot-nginx
$ yum autoremove
2、nginx访问服务http升级为https请求
一、安装SSL证书的环境
1.1 SSl 证书安装环境简介
Centos 6.4 操作系统;
Nginx 1.9.1;
Openssl 1.0.1+;
SSL 证书一张(备注:本指南使用 yonyou.com 域名 OV SSL 证书进行操作,通用其它版本证书)。
1.2 网络环境要求
请确保站点是一个合法的外网可以访问的域名地址,可以正常通过或 http://XXX 进行正常访问。
二、SSL证书的安装
2.1 获取SSl证书
成功申请证书后,会得到一个有密码的压缩包文件,输入证书密码后解压得到五个文件:for Apache、for IIS、for Nginx、for Other Server,这个是证书的几种格式,Nginx 上需要用到 for Nginx 格式的证书。
注:可以自己选择阿里云或者腾讯云申请证书
2. 2 解压证书文件
打开 for Nginx 文件可以看到 2 个文件。包括公钥、私钥,如图 2
2.3 安装SSL证书
#找到nginx的配置文件nginx.conf,将要监听的端口服务增加配置
ssl on;
ssl_certificate /usr/local/nginx/conf/ca/_.yonyou.com_bundle.crt;(证书公钥)
ssl_certificate_key /usr/local/nginx/conf/ca/yonyou.com.key; (证书私钥)
ssl_session_timeout 5m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers AESGCM:ALL:!DH:!EXPORT:!RC4:+HIGH:!MEDIUM:!LOW:!aNULL:!eNULL;
ssl_prefer_server_ciphers on;
#完整监听443端口的配置,重要的是中间的几条,开启SSL验证以及公私密钥地址
server {
listen 443;
server_name localhost;
ssl on;
ssl_certificate /usr/local/nginx/conf/ca/_.yonyou.com_bundle.crt;(证书公钥)
ssl_certificate_key /usr/local/nginx/conf/ca/yonyou.com.key; (证书私钥)
ssl_session_timeout 5m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers AESGCM:ALL:!DH:!EXPORT:!RC4:+HIGH:!MEDIUM:!LOW:!aNULL:!eNULL;
ssl_prefer_server_ciphers on;
location / {
root html;
index index.html index.htm;
}
}
保存并且退出后重启nginx。
nginx -s stop #停止nginx
nginx -c /etc/nginx/nginx.conf #指定nginx配置文件启动
3、Ubuntu 生成https证书 for let’s encrypt
添加安装源
sudo add-apt-repository ppa:certbot/certbot
更新apt安装源
sudo apt-get update
安装
sudo apt-get install python-certbot-apache
安装letsencrypt并生成证书
安装 letsencrypt
sudo apt-get install letsencrypt
生成证书
letsencrypt certonly --agree-tos --email xxx@qq.com -d xxx.xxx.com(域名需要解析到服务器要能 ping 通)
安装过程可能出现的提示信息
你是希望如何使用ACME CA进行身份验证?
How would you like to authenticate with the ACME CA?
我这是 nginx 选的 2 如果没有选择第三个
成功提示
如果提示
原因是 nginx 或者是 apache 占用 80 端口,先关闭掉,然后重新执行
会在 /etc/letsencrypt/live/ 目录下成一个上面 <生成证书> 步骤中填写的域名文件夹里面包含证书信息
nginx 配置 https 访问
ssl 配置
server {
listen 443 ssl;
server_name xxx.xxx.com; # 域名
ssl_certificate /etc/letsencrypt/live/unicallcenter.botongweb.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/unicallcenter.botongweb.com/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/unicallcenter.botongweb.com/chain.pem;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
location / {
root '/root/data/www'; # 静态页面存放路径
index index.html;
try_files $uri $uri/ /index.html;
}
error_page 405 =200 $uri;
}
upstream gateway {
server xx.xx.xx.xx:9099; # 服务的地址
}
server {
listen 443 ssl;
server_name xx.xx.xx.com; # 域名
ssl_certificate /etc/letsencrypt/live/api.uincall.botongweb.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/api.uincall.botongweb.com/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/api.uincall.botongweb.com/chain.pem;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
location / {
proxy_pass http://gateway; # 上面代理的服务地址
}
}
server {
listen 80;
server_name xx.xx.xx.com; # 域名
return 301 https://$host$request_uri;
}
定时续约证书
crontab -e
每天夜里凌晨 2 点续签
2 * * * service nginx stop & letsencrypt renew & service nginx start
扩展
服务器配置小功能
当nginx同时配置了http和https,需要优先访问https时,在80端口配置处加:
server {
listen 192.168.1.111:80;
server_name test.com;
rewrite ^(.*)$ https://$host$1 permanent;
}
nginx反向代理http和https,端口映射tcp
准备
windows环境
去nginx官网下载nginx
http://nginx.org/en/download.html
然后打开conf目录下的nginx.conf
反向代理http
nginx.conf配置
worker_processes 1;
events {
worker_connections 1024;
}
http {
include mime.types;
default_type application/octet-stream;
server{
listen 80; # 监听端口
server_name test1_http.com;#域名
location / {
proxy_pass http://test2_http.com; # 需要代理的域名
proxy_set_header X-Real-IP $remote_addr; # 请求头中设置 用户真实ip
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header HTTP_X_FORWARDED_FOR $remote_addr;
}
}
}
反向代理https
nginx.conf配置
worker_processes 1;
events {
worker_connections 1024;
}
http {
include mime.types;
default_type application/octet-stream;
sendfile on;
server {
listen 443 ssl; #监听 默认端口
server_name test1_https.com;
#https证书配置
ssl_certificate SSL.crt; # 建议相对路径
ssl_certificate_key SSL.KEY;#建议相对路径
ssl_session_timeout 5m;
ssl_session_cache shared:SSL:1m;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
location / {
#针对源点使用https,需要下面一段
proxy_ssl_server_name on;
proxy_pass https://test2_https.com; # 需要代理的域名
proxy_set_header X-Real-IP $remote_addr;# 请求头中设置 用户真实ip
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header HTTP_X_FORWARDED_FOR $remote_addr;
}
}
}
端口映射tcp
配置stream需要和http同级
worker_processes 1;
events {
worker_connections 1024;
}
#映射
stream {
#将4422端口转发到test1_https.com的4433端口
upstream server_upstreams_port4433 {
server test1_https.com:4433;
}
server {
listen 4422; 监听端口
proxy_pass server_upstreams_port4433; 转发
}
}
http {
include mime.types;
default_type application/octet-stream;
sendfile on;
server {
listen 443 ssl; #监听 默认端口
server_name test1_https.com;
#https证书配置
ssl_certificate SSL.crt; # 建议相对路径
ssl_certificate_key SSL.KEY;#建议相对路径
ssl_session_timeout 5m;
ssl_session_cache shared:SSL:1m;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
location / {
#针对源点使用https,需要下面一段
proxy_ssl_server_name on;
proxy_pass https://test2_https.com; # 需要代理的域名
proxy_set_header X-Real-IP $remote_addr;# 请求头中设置 用户真实ip
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header HTTP_X_FORWARDED_FOR $remote_addr;
}
}
}
https://www.jianshu.com/p/c41044fa3138
参考链接 :
手动配置泛域名https
https://www.jianshu.com/p/8dde743d5c0f
nginx访问服务http升级为https请求 :https://www.jianshu.com/p/3e90c90d0763
Ubuntu 生成https证书 for let’s encrypt : https://www.jianshu.com/p/9b97c7b1d803
nginx反向代理http和https,端口映射tcp :https://www.jianshu.com/p/c41044fa3138
2万+
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
