Enabling HTTPS to improve site security

Attentive long-time readers may have noticed that this site now uses HTTPS everywhere. Why? Because it looks nicer! Hahaha...

Here is a record of how to configure nginx for it on a CentOS 6 system. I use the free certificate provided by Let's Encrypt. First visit https://certbot.eff.org/, then choose your web server and operating system; to keep things generic, I picked "Unspecified Webserver on Other UNIX".

First download the script and make it executable:

wget https://dl.eff.org/certbot-auto
chmod a+x certbot-auto

After stopping nginx or any other service that occupies port 80, run:

./certbot-auto certonly

A text-mode UI appears; for convenience I chose the second option:

Automatically use a temporary webserver (standalone)

Then follow the prompts to enter your e-mail address and domain names (separate multiple domains with commas or spaces). When you see the message below, it succeeded:

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/xxx.com/fullchain.pem. Your cert will
   expire on 2016-09-21. To obtain a new or tweaked version of this
   certificate in the future, simply run certbot-auto again. To
   non-interactively renew *all* of your certificates, run
   "certbot-auto renew"
 - If you lose your account credentials, you can recover through
   e-mails sent to xxxx@xxx.com.
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Next, edit the nginx configuration file:

server {
    listen 80 default;
    server_name _;
    rewrite ^(.*) https://dear-shen.com/ permanent;
}
server {
    listen 443 ssl;
    server_name dear-shen.com www.dear-shen.com;

    ssl_certificate /etc/letsencrypt/live/dear-shen.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/dear-shen.com/privkey.pem;

    # some configuration omitted....
}

Adjust it to your own situation, then restart the nginx service. If you have a firewall enabled, remember to open port 443.

Also remember that this certificate is only valid for 90 days, so you have to renew it yourself. The method is simple: first stop nginx or any other service occupying port 80, then run:

./path/to/certbot-auto renew --dry-run

If the command above runs cleanly, you can also set up a scheduled task (cron job) that runs:

./path/to/certbot-auto renew --quiet --no-self-upgrade
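The cron command above, wrapped so that nginx releases port 80 for the standalone challenge and so that a renewal that silently fails is noticed before the certificate expires. This is an added example, not the post's own script; the certbot-auto location, the use of `service nginx` (CentOS 6 init scripts) and the presence of GNU date are assumptions.

```shell
#!/bin/sh
# Cron wrapper for standalone renewal (added example; paths are assumptions).
CERTBOT=/root/certbot-auto                              # hypothetical location of certbot-auto
CERT=/etc/letsencrypt/live/dear-shen.com/fullchain.pem  # cert issued by the steps above
WARN_DAYS=14   # cron mails an alert when no more than this many days remain

# Whole days left, given a "notAfter=..." line as printed by `openssl x509 -enddate -noout`
# and a reference time in epoch seconds. Partial days are floored. Requires GNU date -d.
days_left() {
    end_epoch=$(date -u -d "${1#notAfter=}" +%s) || return 2
    echo $(( (end_epoch - $2) / 86400 ))
}

# Exit 0 when the certificate has at most $3 days left, 1 otherwise.
needs_attention() {
    left=$(days_left "$1" "$2") || return 2
    [ "$left" -le "$3" ]
}

run_renewal() {
    # The standalone challenge binds port 80, so nginx is stopped for the run only.
    # certbot runs the hooks only when a certificate is actually due for renewal.
    "$CERTBOT" renew --quiet --no-self-upgrade \
        --pre-hook "service nginx stop" \
        --post-hook "service nginx start" || echo "certbot-auto renew failed" >&2

    # Independently check what is on disk: if cron renewals keep failing, this
    # alert arrives before browsers start showing an expired-certificate warning.
    not_after=$(openssl x509 -enddate -noout -in "$CERT") || exit 2
    now=$(date -u +%s)
    if needs_attention "$not_after" "$now" "$WARN_DAYS"; then
        echo "$CERT: only $(days_left "$not_after" "$now") days of validity left" >&2
        exit 1
    fi
}

# Only act when invoked as "renew.sh run", so the functions can be sourced safely.
if [ "${1:-}" = "run" ]; then
    run_renewal
fi
```

Schedule it as, for example, a daily cron entry calling the script with the `run` argument; cron's mail of anything written to stderr is the alert.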