Motivation
Since iOS is aggressively blocking plain HTTP requests, I took some time to add HTTPS support to the web service I had just deployed.
Using Let's Encrypt: free 90-day certificates that can be renewed indefinitely
Let's Encrypt is a conscientious CA: the prices of ordinary commercial CAs are still hard for an individual to accept, but Let's Encrypt provides free 90-day certificates.
Obtaining a certificate is also simple, because it provides a fully automated solution:
```bash
## Webroot directory where the ACME challenge files are placed
sudo mkdir -p /var/www/letsencrypt
sudo apt-get install certbot
# Obtain a certificate only (no automatic Nginx changes), using the webroot challenge
sudo certbot certonly --webroot --agree-tos --no-eff-email --email yourname@163.com -w /var/www/letsencrypt -d app.airoubo.com
```
The certificate request succeeded.
Configuring Nginx
Create the challenge directory:
```bash
sudo mkdir -p /var/www/letsencrypt/.well-known/acme-challenge
```
Create the file /etc/nginx/snippets/letsencrypt.conf and add:
```nginx
# Serve ACME challenge files from the webroot so certbot can prove domain control
location ^~ /.well-known/acme-challenge/ {
    default_type "text/plain";
    root /var/www/letsencrypt;
}
```
Create the file /etc/nginx/snippets/ssl.conf and add:
```nginx
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
ssl_protocols TLSv1.2;
ssl_ciphers EECDH+AESGCM:EECDH+AES;
ssl_ecdh_curve secp384r1;
ssl_prefer_server_ciphers on;
# OCSP stapling; ssl_trusted_certificate in the server block is used to verify the response
ssl_stapling on;
ssl_stapling_verify on;
# HSTS: "preload" commits the domain to HTTPS-only; the preload list also requires port 80 to redirect to HTTPS
add_header Strict-Transport-Security "max-age=15768000; includeSubdomains; preload";
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
```
Modify the main configuration file:
```nginx
# the upstream component nginx needs to connect to
upstream django {
    server unix:///data/django/rouboApi/rouboapi.scok; # for a file socket
    #server 127.0.0.1:8001; # for a web port socket (we'll use this first)
}

# configuration of the server
server {
    # the port your site will be served on
    listen 80;
    # the domain name it will serve for
    server_name app.airoubo.com; # substitute your machine's IP address or FQDN
    include /etc/nginx/snippets/letsencrypt.conf;
    charset utf-8;

    # max upload size
    client_max_body_size 75M; # adjust to taste

    # Django media
    #location /media {
    #    alias /path/to/your/mysite/media; # your Django project's media files - amend as required
    #}

    location /static {
        alias /data/django/rouboApi/static; # your Django project's static files - amend as required
    }

    # Finally, send all non-media requests to the Django server.
    location /roubo {
        uwsgi_pass django;
        include /etc/nginx/uwsgi_params; # the uwsgi_params file you installed
    }
}

## https
server {
    # the port your site will be served on
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    # the domain name it will serve for
    server_name app.airoubo.com; # substitute your machine's IP address or FQDN
    include /etc/nginx/snippets/letsencrypt.conf;
    charset utf-8;

    ssl_certificate /etc/letsencrypt/live/app.airoubo.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/app.airoubo.com/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/app.airoubo.com/fullchain.pem;
    include /etc/nginx/snippets/ssl.conf;

    # max upload size
    client_max_body_size 75M; # adjust to taste

    # Django media
    #location /media {
    #    alias /path/to/your/mysite/media; # your Django project's media files - amend as required
    #}

    location /static {
        alias /data/django/rouboApi/static; # your Django project's static files - amend as required
    }

    # Finally, send all non-media requests to the Django server.
    location /roubo {
        uwsgi_pass django;
        include /etc/nginx/uwsgi_params; # the uwsgi_params file you installed
    }
}
```
After restarting Nginx, the service can be accessed over HTTPS.
Automatic renewal
Although each certificate expires after 90 days, it can be renewed indefinitely, so all we need is a scheduled renewal.
The certbot tool used above (see man certbot) has a renew subcommand for renewing certificates. Because Nginx has to be restarted after the certificate is renewed, certbot conveniently also has a --renew-hook option that runs a script I specify after a successful renewal.
In the script /etc/letsencrypt/renewhook.sh we add the action that restarts Nginx:
```bash
#!/bin/bash
# Runs after a successful renewal so Nginx picks up the new certificate
# (the script must be executable: chmod +x /etc/letsencrypt/renewhook.sh)
service nginx restart
```
Add a crontab entry as root:
```bash
sudo crontab -e
```
Set the renewal to run at 8:00 on the 1st of every month:
```bash
00 8 1 * * certbot renew --noninteractive --renew-hook /etc/letsencrypt/renewhook.sh
```
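As an added example (not part of the original post), here is a hook script that tests the Nginx configuration before reloading, plus an expiry check that can be scheduled next to the monthly renew job so that a renewal that fails silently is noticed before the 90 days run out. The certificate path is the one from this post; the function names, the 20-day warning threshold and the choice of reload instead of restart are my assumptions, and the expiry arithmetic needs GNU date.

```shell
#!/bin/bash
# Added example: safer renew hook plus an expiry safety net (assumed names).

# Certificate path from the post; override with CERT=... if yours differs.
CERT="${CERT:-/etc/letsencrypt/live/app.airoubo.com/fullchain.pem}"

# Days between "now" (epoch seconds, defaults to the current time) and an
# OpenSSL "notAfter=Mon DD HH:MM:SS YYYY GMT" line. Negative means expired.
days_until_expiry() {
    not_after="${1#notAfter=}"
    end=$(date -u -d "$not_after" +%s)
    now="${2:-$(date -u +%s)}"
    echo $(( (end - now) / 86400 ))
}

# Read the expiry date out of the PEM file and report the days left.
cert_days_left() {
    days_until_expiry "$(openssl x509 -in "$1" -noout -enddate)"
}

# Renew hook: only reload Nginx if the configuration passes nginx -t, and
# reload rather than restart so in-flight connections are not dropped.
renew_hook() {
    if nginx -t; then
        service nginx reload
    else
        echo "nginx config test failed; keeping the running instance" >&2
        return 1
    fi
}

# Invoked as "renewhook.sh check" from cron: warn while there is still time
# for a second renewal attempt (certbot only renews with <30 days left).
if [ "${1:-}" = "check" ]; then
    left=$(cert_days_left "$CERT")
    echo "$CERT expires in $left days"
    [ "$left" -gt 20 ] || echo "WARNING: certificate renewal is overdue" >&2
elif [ "${1:-}" = "hook" ]; then
    renew_hook
fi
```

Newer certbot releases document this hook option as --deploy-hook, with --renew-hook kept as the older spelling. Certbot's own advice is to run renew twice a day rather than monthly, so a failed attempt gets retried well before expiry.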
Author: 萝卜日志
Link: https://www.jianshu.com/p/46b2c2798abe