Nginx: enabling SSL for HTTPS access (with a free Let's Encrypt certificate) (2)
yum install python-argparse
# CentOS 7
yum install -y git python27
yum install -y augeas-libs dialog gcc libffi-devel openssl-devel python-devel
yum install python-argparse
4. Obtaining the certificate. nginx has to be stopped first: certbot's standalone mode binds port 80 itself to answer the validation challenge.
#service nginx stop
#/opt/certbot-master/letsencrypt-auto --help
Or pass the domain and e-mail address on the command line so you are not prompted for them:
#/opt/certbot-master/letsencrypt-auto certonly --standalone --email <e-mail address> -d <domain>
(The address is used for urgent notices and for recovering a lost account key.) After running the command, a dialog asks you to accept the terms of service; follow the prompts from there. Several domains can share one certificate: give a comma-separated list after -d, or repeat -d for each name. On a VPS inside China this step may fail because of DNS problems; switching the VPS's resolver to a third-party one such as 8.8.8.8 can help.
When it finishes you will see a notice like this:
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at
/etc/letsencrypt/live/bnxb.com/fullchain.pem. Your cert will
expire on 2017-08-16. To obtain a new version of the certificate in
the future, simply run Let's Encrypt again.
- Your account credentials have been saved in your Let's Encrypt
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Let's
Encrypt so making regular backups of this folder is ideal.
- If you like Let's Encrypt, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
After the command finishes, the current certificate is under /etc/letsencrypt/live/<domain>/, one directory per domain. The files there are symlinks to the versioned copies in /etc/letsencrypt/archive/, so point nginx at the live/ paths and a renewal is picked up on the next reload. Each directory contains:
cert.pem the server (leaf) certificate that was issued
privkey.pem the private key belonging to that certificate
chain.pem the intermediate certificate(s) a client needs to build the path from the server certificate to a trusted root (the root itself is not included; clients already have it)
fullchain.pem cert.pem followed by chain.pem, i.e. the complete chain to send to clients
nginx uses fullchain.pem and privkey.pem. cert.pem and chain.pem are for servers that take the leaf and the chain as separate files, such as Apache before 2.4.8 (SSLCertificateFile plus SSLCertificateChainFile).
5. Stronger key-exchange parameters
Without an ssl_dhparam file, older nginx builds use built-in 1024-bit Diffie-Hellman parameters for the DHE cipher suites (builds from 1.11.0 on simply leave DHE disabled), and 1024-bit DH is below today's minimum. The Let's Encrypt certificate itself is signed with SHA-256, so the signature hash is not the weak spot; the DH group size is. Generate a 2048-bit group and point nginx at it (this takes a few minutes on a small VPS):
#yum install openssl
#yum install openssl-devel
#openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048
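Before reloading nginx it is worth checking the files that steps 4 and 5 produced. The shell script below is an added example, not part of the original post or of certbot: it verifies that privkey.pem really belongs to fullchain.pem (a mismatch is what makes nginx refuse to start with "key values mismatch"), reports whether the 90-day certificate is inside the renewal window, and reads the group size out of the dhparam file. It assumes only the openssl command-line tool and takes paths as arguments, so it can be pointed at a real /etc/letsencrypt/live/<domain>/ directory; the certificate it generates for the stand-alone run is a constructed self-signed stand-in for bnxb.com, not a Let's Encrypt certificate.

```shell
#!/bin/sh
# Added example (not from the original post): sanity checks for the files in
# /etc/letsencrypt/live/<domain>/ and for the ssl_dhparam file. Needs only the
# openssl CLI. All paths are arguments, so the functions work on a real live/
# directory as well as on the constructed sample produced by make_sample.

# Exit 0 when the first certificate in $1 carries the same public key as the
# private key in $2 (RSA or EC). Any unreadable file counts as a mismatch.
cert_key_match() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# Print "yes" when the certificate in $1 expires within $2 days (default 30,
# the point at which a 90-day Let's Encrypt certificate should be renewed),
# otherwise "no". An unreadable certificate is reported as "yes".
needs_renewal() {
    days=${2:-30}
    if openssl x509 -in "$1" -noout -checkend $((days * 86400)) >/dev/null 2>&1; then
        echo no
    else
        echo yes
    fi
}

# Print the size in bits of the DH group stored in $1. Expect 2048 for the
# file made with "openssl dhparam ... 2048"; 1024 is the old nginx built-in.
dhparam_bits() {
    openssl dhparam -in "$1" -noout -text 2>/dev/null |
        sed -n 's/.*(\([0-9][0-9]*\) bit).*/\1/p' | head -n 1
}

# Constructed sample input (NOT a Let's Encrypt certificate): a throwaway
# self-signed certificate for bnxb.com valid for $2 days, its key, and an
# unrelated key, all written into directory $1.
make_sample() {
    openssl req -x509 -newkey rsa:2048 -nodes -days "$2" -subj "/CN=bnxb.com" \
        -keyout "$1/privkey.pem" -out "$1/fullchain.pem" >/dev/null 2>&1
    openssl genrsa -out "$1/other.pem" 2048 >/dev/null 2>&1
}

# Stand-alone run: build the sample in a temp directory and report on it.
demo_dir=$(mktemp -d)
make_sample "$demo_dir" 90
if cert_key_match "$demo_dir/fullchain.pem" "$demo_dir/privkey.pem"; then
    echo "privkey.pem matches fullchain.pem"
else
    echo "privkey.pem does NOT match fullchain.pem"
fi
if cert_key_match "$demo_dir/fullchain.pem" "$demo_dir/other.pem"; then
    echo "other.pem matches fullchain.pem (unexpected)"
else
    echo "other.pem does not match fullchain.pem (as expected)"
fi
echo "needs renewal within 30 days: $(needs_renewal "$demo_dir/fullchain.pem" 30)"
rm -rf "$demo_dir"
```

Run it against the real directory with, for instance, cert_key_match /etc/letsencrypt/live/bnxb.com/fullchain.pem /etc/letsencrypt/live/bnxb.com/privkey.pem and dhparam_bits /etc/ssl/certs/dhparam.pem; the public keys are compared directly rather than hashed so that two unreadable files cannot accidentally compare equal.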
Complete configuration
server {
    # nginx listens on 80 (plain HTTP) and 443; the ssl parameter turns on TLS for 443
    listen 80 default_server backlog=2048;
    listen 443 ssl;
    # server name
    server_name bnxb.com;
    # certificate chain (leaf plus intermediates) from Let's Encrypt
    ssl_certificate /etc/letsencrypt/live/bnxb.com/fullchain.pem;
    # private key: keep it readable by root only, and back it up
    ssl_certificate_key /etc/letsencrypt/live/bnxb.com/privkey.pem;
    # supported protocol versions; TLSv1 and TLSv1.1 are kept only for old clients, drop them if you can
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    # nginx's own DH parameters are 1024-bit, so use the 2048-bit group generated in step 5
    ssl_dhparam /etc/ssl/certs/dhparam.pem;
    # cipher suites, strongest (ECDHE with AES-GCM) first; 3DES and CAMELLIA remain only for legacy clients
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
    # how long a TLS session may be resumed
    ssl_session_timeout 1d;
}