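Installing nginx on Ubuntu, enabling HTTPS, and redirecting ports
Nginx is a lightweight web server / reverse proxy server and e-mail (IMAP/POP3) proxy server, released under a BSD-like license. Its hallmarks are a small memory footprint and strong concurrency.
Install nginx on Ubuntu: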
sudo apt-get update
sudo apt-get install nginx
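Let’s Encrypt is a free certificate program launched by an organization called ISRG (Internet Security Research Group).
Certbot is the EFF's tool for automatically deploying Let’s Encrypt certificates, and it is simple to use.
Install Certbot on Ubuntu: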
sudo apt-get install certbot python-certbot-nginx
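Deploy the certificate:
sudo certbot certonly --webroot -w /var/www/html/ -d your.site.com
Along the way you must agree to the terms of service and enter an e-mail address. On success it returns: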
IMPORTANT NOTES:
Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/your.site.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/your.site.com/privkey.pem
Your cert will expire on 2018-09-04. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew all of your certificates, run
"certbot renew"
Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let’s Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
Edit the nginx virtual host configuration file and add a new server block for port 443:
Configuration file: /etc/nginx/sites-available/default
Content to add:
server {
    listen 443 ssl;
    listen [::]:443 ssl ipv6only=on;
    ssl_certificate /etc/letsencrypt/live/your.site.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/your.site.com/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/your.site.com/chain.pem;
    root /var/www/html;
    index index.html index.htm index.nginx-debian.html index.php;
    server_name your.site.com;
}
Reload nginx:
sudo service nginx reload
At this point, visiting https://your.site.com already shows the secure indicator.
Redirect nginx port 80 to port 443:
server {
    listen 80;
    server_name your.site.com;
    rewrite ^(.*)$ https://${server_name}$1 permanent;
}
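The free certificates issued by Let’s Encrypt are valid for 3 months and must be renewed when they expire. Test the renewal with a dry run:
sudo certbot renew --dry-run
A successful run returns: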
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Processing /etc/letsencrypt/renewal/your.site.com.conf
Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for your.site.com
Waiting for verification...
Cleaning up challenges
new certificate deployed without reload, fullchain is
/etc/letsencrypt/live/your.site.com/fullchain.pem
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates below have not been saved.)
Congratulations, all renewals succeeded. The following certs have been renewed:
/etc/letsencrypt/live/your.site.com/fullchain.pem (success)
** DRY RUN: simulating 'certbot renew' close to cert expiry
** (The test certificates above have not been saved.)
IMPORTANT NOTES:
Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
Use the crontab -e command to enable an automatic certificate renewal job:
sudo crontab -e
Add this entry:
30 2 * * 1 /usr/bin/certbot renew >> /var/log/le-renew.log
The schedule above runs the renew task every Monday at 2:30 at night.
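The dry-run output above reports that the new certificate is "deployed without reload", so a renewed file on disk does not prove nginx is serving it. The following is an added example, not code from the original article: it classifies the certificate the server actually presents by days left until expiry. The function names, the 21-day alert threshold and the 30-day renewal window (certbot's default for 90-day certificates) are assumptions.

```python
"""Check that nginx is serving a certificate certbot has actually renewed."""
import socket
import ssl
import sys
import time

RENEW_WINDOW_DAYS = 30  # assumption: certbot's default renewal window for 90-day certs
ALERT_DAYS = 21         # assumption: below this, the weekly cron runs in the window failed


def days_left(not_after, now=None):
    """Whole days until not_after, a GMT string in ssl.getpeercert() format."""
    now = time.time() if now is None else now
    return int((ssl.cert_time_to_seconds(not_after) - now) // 86400)


def classify(not_after, now=None):
    """Return 'ok', 'renewal-due', 'stale' or 'expired' for a served certificate."""
    remaining = days_left(not_after, now)
    if remaining < 0:
        return "expired"
    if remaining < ALERT_DAYS:
        return "stale"        # the cron job failed, or nginx was never reloaded
    if remaining < RENEW_WINDOW_DAYS:
        return "renewal-due"  # the next weekly run should replace it
    return "ok"


def served_not_after(host, port=443, timeout=5.0):
    """Fetch notAfter from the certificate the server presents on the wire."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]


if __name__ == "__main__":
    if len(sys.argv) > 1:  # live check: python3 check_served_cert.py your.site.com
        try:
            not_after, now = served_not_after(sys.argv[1]), None
        except (ssl.SSLError, OSError) as exc:  # an expired cert fails verification here
            sys.exit(f"TLS check failed: {exc}")
    else:  # constructed sample: expiry date from the certbot output, checked on 2018-08-20
        not_after = "Sep  4 00:00:00 2018 GMT"
        now = ssl.cert_time_to_seconds("Aug 20 00:00:00 2018 GMT")
    state = classify(not_after, now)
    print(f"notAfter={not_after} state={state}")
    sys.exit(0 if state in ("ok", "renewal-due") else 1)
```

The script exits non-zero for "stale" and "expired", so it can run from the same crontab and feed whatever alerting reads cron failures.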
Article title: Installing nginx on Ubuntu, enabling HTTPS, and redirecting ports
Author: Mr Bluyee
Published: 2018-06-07
Last updated: 2019-07-15
Copyright notice: The author owns the copyright, please indicate the source reproduced.