配置HTTPS(如果服务器已经安装过这些,可以直接从第二大步"域名验证"开始)
一、基本环境
1、安装依赖 ##已经安装的可以跳过
yum install openssl
yum install epel-release -y
2、生成2048位 DH parameters:
$ sudo openssl dhparam -out /etc/letsencrypt/live/dhparams.pem 2048
3、安装certbot工具(certbot-auto 脚本已被 EFF 停止维护,较新的系统建议改用发行版软件源或 snap 提供的 certbot,用法相同)
wget https://dl.eff.org/certbot-auto
chmod a+x certbot-auto(赋予执行权限)
二、域名验证
1、nginx配置文件 ##这里最好是把目录改成这样的层级
# ACME HTTP-01 challenge path used by "certbot certonly --webroot" in step 2 below.
# The challenge files are read from the server's "root" (the directory given to "-w"),
# so this location must be reachable on port 80 and must not be blocked by a dot-file deny rule.
location /.well-known/acme-challenge/ {
# "allow all" only has an effect if a broader allow/deny rule exists elsewhere in the server block.
allow all;
}
2、生成证书,以下命令首次执行需要安装一些依赖包
sudo /usr/sbin/certbot-auto certonly --webroot -w /home/wwwroot/www.qwwq.com/public -d www.qwwq.com,pgkid.com --email 自己的邮箱@163.com ## 这里换上自己的目录,域名和邮箱
第一次执行不建议加自动确认参数 --agree-tos,先看清交互提示再同意
3、如果使用apache,移除apache的干扰
mv /etc/httpd/conf.d/ssl.conf /etc/httpd/conf.d/ssl.conf.org
service httpd restart
4、修改nginx配置文件
加在 listen 80; 的下面一行。
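# Goes on the line right after "listen 80;". The page's "$ scheme" / "$ server_name" spacing was a
# copy artifact and is removed here: nginx variables are written without a space after "$".
if ($scheme = http)
{
    # Forced HTTP -> HTTPS redirect; uncomment once the certificate is in place.
    #return 301 https://$server_name$request_uri;
}
listen 443 ssl http2;
#listen [::]:443 ssl http2;
# ACME HTTP-01 challenge path; keep it reachable. Regex locations match in file order, so this
# must stay above any "location ~ /\." deny rule.
location ~ /.well-known {
    allow all;
}
## only these two lines need changing in the config file (paths written by certbot in step 2)
ssl_certificate /etc/letsencrypt/live/hs.123.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/hs.123.com/privkey.pem;
##
# "ssl on;" was removed: it is deprecated since nginx 1.15.0 and, in a server block that also has
# "listen 80;", it makes the plain-HTTP port speak TLS too; "listen 443 ssl" is sufficient.
# TLS 1.0/1.1 are deprecated (RFC 8996). The TLSv1.3 token needs nginx >= 1.13.0 built against
# OpenSSL >= 1.1.1; drop it on older builds.
ssl_protocols TLSv1.2 TLSv1.3;
# Plain ASCII quotes (the original curly quotes break nginx parsing). Forward-secret AEAD suites only;
# the 3DES, CAMELLIA, DSS and bare "AES" entries of the original list are dropped.
ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:20m;
ssl_session_timeout 20m;
ssl_dhparam /etc/letsencrypt/live/dhparams.pem; ## keep this path identical to the one used when generating the DH parameters in part one, step 2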
5、nginx重新加载 nginx -s reload
6、打开防火墙端口 ## 未启用 firewalld 的可以不管;启用了就必须放行 443,否则外部访问不到
firewall-cmd --zone=public --add-port=443/tcp
firewall-cmd --zone=public --add-port=443/tcp --permanent
firewall-cmd --list-all 查看效果
7、浏览器测试
8、证书自动更新
* * */5 * * /home/ssl/certbot-auto renew --quiet > /dev/null 2>&1 ; /usr/bin/nginx -s reload ##按照自己服务器的可执行文件路径写(前两个字段都是 * 时每分钟都会执行并重载 nginx,certbot 建议每天跑一到两次即可,例如 0 3 * * *;分号后的无条件重载也可以改成 --post-hook "/usr/bin/nginx -s reload",只在真正续期后才重载)
后面附上完整的配置文件
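# Final nginx config, split into two server blocks: port 80 only serves the ACME challenge path and
# redirects everything else, so the TLS server no longer needs an "if" for the redirect.
server
{
    listen 80;
    server_name 配置的域名;
    # Must match the directory given to "certbot certonly --webroot -w ..." in part two, step 2:
    # certbot writes the HTTP-01 challenge files under <root>/.well-known/acme-challenge/.
    root /home/wwwroot/项目根目录;
    location ^~ /.well-known/acme-challenge/ {
        allow all;
    }
    # The redirect lives in a location (not at server level) so the challenge location above is
    # matched first. $server_name rather than $host keeps a client-supplied Host header out of the target.
    location / {
        return 301 https://$server_name$request_uri;
    }
}
server
{
    listen 443 ssl http2;
    server_name 配置的域名;
    index index.html index.htm index.php default.html default.htm default.php;
    root /home/wwwroot/项目根目录;
    ## front-controller rewrite the original marks as required for "tp" (presumably ThinkPHP)
    ## ("break" after "rewrite ... last" was removed: "last" already stops rewrite processing, so it never ran)
    if (!-e $request_filename) {
        rewrite ^(.*)$ /index.php?s=$1 last;
    }
    ## the two files generated by certbot
    ssl_certificate /etc/letsencrypt/live/zhao/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/zhao/privkey.pem;
    ssl_session_timeout 5m;
    # TLS 1.0/1.1 are deprecated (RFC 8996). The TLSv1.3 token needs nginx >= 1.13.0 built against
    # OpenSSL >= 1.1.1; drop it on older builds.
    ssl_protocols TLSv1.2 TLSv1.3;
    # Explicit cipher list so "ssl_prefer_server_ciphers on" actually expresses a preference
    # (same list as part two, step 4).
    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
    ssl_prefer_server_ciphers on;
    # Shared cache only: the nginx docs note the builtin cache is per-worker and can fragment memory.
    ssl_session_cache shared:SSL:10m;
    ssl_dhparam /etc/letsencrypt/live/dhparams.pem;
    # HSTS: enable once everything under this name works over HTTPS; browsers then refuse plain HTTP
    # for max-age seconds, so it is hard to undo. "always" needs nginx >= 1.7.5.
    #add_header Strict-Transport-Security "max-age=31536000" always;
    include rewrite/other.conf;
    #error_page 404 /404.html;
    # Deny access to PHP files in specific directory
    #location ~ /(wp-content|uploads|wp-includes|images)/.*\.php$ { deny all; }
    include enable-php-pathinfo.conf;
    location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
    {
        expires 30d;
    }
    # "?" removed from the original "(js|css)?$": it made the extension optional, so any URI ending in "." matched too
    location ~ .*\.(js|css)$
    {
        expires 12h;
    }
    # Prefix match ("^~") takes priority over the regex locations, so the challenge path can never be
    # caught by the dot-file deny rule below regardless of ordering.
    location ^~ /.well-known/acme-challenge/ {
        allow all;
    }
    # deny dot-files (.git, .env, .htaccess, ...)
    location ~ /\.
    {
        deny all;
    }
    ## access log location
    access_log /home/wwwlogs/zhao.log;
}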