Nginx 配置 https （Let's Encrypt）

初衷

由于IOS在极力封杀http请求，所以抽空先把刚刚部署好的Web服务加上https支持。

使用90天免费并且可无限续签的 Let's Encrypt

Let's Encrypt是一个良心的CA，因为普通商业CA的价格对个人来说还是难以接受的。但它提供了90天的免费证书。

获取证书的方式也很简单，因为它提供了完全自动化的解决方案：

## 放置路径
mkdir /var/www/letsencrypt
sudo apt-get install certbot
sudo certbot certonly --webroot --agree-tos --no-eff-email --email yourname@163.com -w /var/www/letsencrypt -d app.airoubo.com
复制代码

申请ok了。

配置Nginx

创建challenge目录：

sudo mkdir -p /var/www/letsencrypt/.well-known/acme-challenge
复制代码

创建letsencrypt.conf文件并添加：/etc/nginx/snippets/letsencrypt.conf

location ^~ /.well-known/acme-challenge/ {
        default_type "text/plain";
        root /var/www/letsencrypt;
}
复制代码

创建ssl.conf文件并添加：/etc/nginx/snippets/ssl.conf

ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;

ssl_protocols TLSv1.2;
ssl_ciphers EECDH+AESGCM:EECDH+AES;
ssl_ecdh_curve secp384r1;
ssl_prefer_server_ciphers on;

ssl_stapling on;
ssl_stapling_verify on;

add_header Strict-Transport-Security "max-age=15768000; includeSubdomains; preload";
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
复制代码

修改主配置文件：

# the upstream component nginx needs to connect to
upstream django {
    server unix:///data/django/rouboApi/rouboapi.scok; # for a file socket
    #server 127.0.0.1:8001; # for a web port socket (we'll use this first)
}

# configuration of the server
server {
    # the port your site will be served on
    listen      80;
    # the domain name it will serve for
    server_name app.airoubo.com; # substitute your machine's IP address or FQDN
    include /etc/nginx/snippets/letsencrypt.conf;
    charset     utf-8;

    # max upload size
    client_max_body_size 75M;   # adjust to taste

    # Django media
    #location /media  {
    #    alias /path/to/your/mysite/media;  # your Django project's media files - amend as required
    #}

    location /static {
        alias /data/django/rouboApi/static; # your Django project's static files - amend as required
    }

    # Finally, send all non-media requests to the Django server.
    location /roubo {
        uwsgi_pass  django;
        include     /etc/nginx/uwsgi_params; # the uwsgi_params file you installed
    }
}

## https

server {
    # the port your site will be served on
    listen      443 ssl http2;
    listen [::]:443 ssl http2;
    # the domain name it will serve for
    server_name app.airoubo.com; # substitute your machine's IP address or FQDN
    include /etc/nginx/snippets/letsencrypt.conf;
    charset     utf-8;

    ssl_certificate /etc/letsencrypt/live/app.airoubo.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/app.airoubo.com/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/app.airoubo.com/fullchain.pem;
    include /etc/nginx/snippets/ssl.conf;

    # max upload size
    client_max_body_size 75M;   # adjust to taste

    # Django media
    #location /media  {
    #    alias /path/to/your/mysite/media;  # your Django project's media files - amend as required
    #}

    location /static {
        alias /data/django/rouboApi/static; # your Django project's static files - amend as required
    }

    # Finally, send all non-media requests to the Django server.
    location /roubo {
        uwsgi_pass  django;
        include     /etc/nginx/uwsgi_params; # the uwsgi_params file you installed
    }
}
复制代码

重启nginx后，就可以使用https访问服务了。

自动续签

虽然有90天的期限，但是支持无限续签。所以我们只要定时续签就可以了。

使用上面的certbot工具，可以看下man certbot，它下面有一个renew参数用于更新证书。因为证书更新之后，我们需要重启nginx服务，刚好，它还有一个--renew-hook的参数，支持renew成功之后hook执行我指定的脚本。

我们在/etc/letsencrypt/renewhook.sh脚本中加入重启nginx的动作:

#!/bin/bash
service nginx restart
复制代码

在root下增加crontab：

sudo crontab -e
复制代码

设置每月的1号的8点钟执行更新：

00 8 1 * * certbot renew --noninteractive --renew-hook /etc/letsencrypt/renewhook.sh
复制代码

哔哔哔

关于CA证书分发、管理的等等的原理，有时间还要去了解下，虽然平时用的不多。Documentation - Let’s Encrypt - Free SSL/TLS Certificates