|
|
开发需要做一个小后台,但是需要https访问,Let's Encrypt也蛮好用的。
系统环境:
Centos7.3 nginx1.10.2
安装:
yum install -y epel-release
yum install -y certbot
做好相应域名比如abc.com的解析;
方法1:在网站根目录下创建一个.well-known的目录
方法2:
mkdir -p /usr/local/nginx/cert/.well-known
ln -s /usr/local/nginx/cert/.well-known /data/gop/gop.abc.com/.well-known
命令执行类似
certbot certonly --webroot -w /usr/local/nginx/cert -d example.com
如:certbot certonly --webroot -w /etc/nginx/cert -d gop.abc.com
根据提示进行操作,一般可以正常生产证书文件。
可以默认的nginx目录直接操作,当时在/data/gop/创建了个文件夹,准备放这个文件夹下面。
2.
certbot certonly --webroot -w /data/gop/ -d gop.abc.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for gop.abc.com
Using the webroot path /data/gop for all unmatched domains.
Waiting for verification...
Cleaning up challenges
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/ gop.abc.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/gop.abc.com/privkey.pem
Your cert will expire on 2018-05-27. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew *all* of your certificates, run
"certbot renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
证书文件的目录存放在: '/etc/letsencrypt/live/example.com/'会有4个文件:cert.pemchain.pemfullchain.pemprivkey.pem特别要注意,这条命令只会将生成的证书放在这个目录,不会有一个/etc/letsencrypt/live/ gop.abc.com /目录,gop.abc.com的证书,具体看后面的nginx配置。3.nginx配置类似这样的:
server { listen 443 ssl http2; server_name example.com; index index.html index.htm index.php; root /data/www/example.com; ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_prefer_server_ciphers on; ssl_session_cache shared:SSL:10m; access_log off;}server { listen 443 ssl http2; server_name test.example.com; index index.html index.htm index.php; root /data/www/test.example.com; ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_prefer_server_ciphers on; ssl_session_cache shared:SSL:10m; access_log off;} 具体配置:nginx和tomcat配合反向代理tomcat
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;
# Load dynamic modules. See /usr/share/nginx/README.dynamic.
include /usr/share/nginx/modules/*.conf;
events {
worker_connections 1024;
}
http {
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
include /etc/nginx/mime.types;
default_type application/octet-stream;
client_max_body_size 8M;
# Load modular configuration files from the /etc/nginx/conf.d directory.
# See http://nginx.org/en/docs/ngx_core_module.html#include
# for more information.
include /etc/nginx/conf.d/*.conf;
upstream app {
server localhost:9089;
}
server {
listen 80;
server_name gop.abc.com;
rewrite ^(.*)$ https://$host$1 permanent;
}
server {
listen 443 ssl;
ssl on;
server_name gop.abc.com;
ssl_certificate /etc/letsencrypt/live/ gop.abc.com /fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/ gop.abc.com /privkey.pem;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECD************';
ssl_prefer_server_ciphers on;
location / {
# First attempt to serve request as file, then
# as directory, then fall back to displaying a 404.
#try_files $uri $uri/ =404;
#include proxy_params;
proxy_pass http://app;
#proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
#proxy_redirect http:// https://;
proxy_redirect http:// $scheme://;
# allow 11.11.11.11;
# allow 22.22.22.22;
# deny all;
}
}
}
4.定期更新
crontab -e # 新增如下定时任务10 6 * * * /bin/certbot renew --quiet &>/dev/null Let's Encrypt 的证书有效期为90天,如果证书的有效期大于30天,则上面命令不会真的去更新证书的。https测试
在浏览器输入 https://gop.abc.com 网址进行验证,一般Chrome会有一个绿色的锁以及Secure标示。
原url:
https://www.cnblogs.com/mawang/p/6758728.html以上做一个小小笔记以后参考。 |
|
|
QQ群⑧:
窥视卡
雷达卡
发表于 2018-4-19 12:58:11
提升卡
置顶卡
沉默卡
喧嚣卡
变色卡
千斤顶
显身卡