Detailed Explanation of the Nginx HTTPS Configuration Principle and Implementation Process

  • 2021-09-05 01:18:26
  • OfStack

Use the Linux utility certbot to generate HTTPS certificates

This tool obtains Let's Encrypt certificates.

Let's Encrypt is a digital certificate authority run by the Internet Security Research Group (ISRG, a non-profit organization).

It provides free SSL/TLS certificates.

On December 3, 2015, the service entered public beta and was opened to the public.

On April 12, 2016, the project officially left beta.

By September 9, 2016, Let's Encrypt had issued 10 million certificates.

Therefore, for most small and medium-sized websites, it is a choice worth considering.

HTTPS Configuration Steps

1 Open https://certbot.eff.org/ and select the operating system and web server you use.

Here I choose the nginx server on a CentOS 7 host.

2 Run the commands it shows, replacing the domain name parameters with your own.

certbot is installed through yum. It is packaged in the EPEL repository, so EPEL must be installed and enabled first; see the EPEL documentation:

https://fedoraproject.org/wiki/EPEL#How_can_I_use_these_extra_packages.3F

To enable the repository, either edit the repo file by hand or use the yum-config-manager command.

Installing yum-config-manager

yum -y install yum-utils

Enabling the repositories

yum-config-manager --enable rhui-REGION-rhel-server-extras rhui-REGION-rhel-server-optional

Note: the rhui-REGION-* names above are the ones the EPEL page lists for RHEL instances on AWS (RHUI), where EPEL packages depend on the optional and extras channels. On a plain CentOS 7 host these repositories do not exist; install the epel-release package from the CentOS extras repository instead, which adds and enables EPEL in one step.

3 Installing certbot

sudo yum install certbot python2-certbot-nginx

certbot uses two kinds of plugins: authenticators, which prove to Let's Encrypt that you control the domain, and installers, which write the certificate into the web server configuration. In this article only an authenticator is used (certonly) and nginx is configured by hand.

The webroot authenticator requires that port 80 of your server is reachable from the Internet under the domain name you are requesting (that is, the domain belongs to you and resolves to this host).

The webroot plugin is selected on the command line with certonly and --webroot (or -w):

certbot certonly -w /var/www/example -d www.example.com

Here -w (--webroot-path) is the directory served over HTTP, and -d is the domain name for which the HTTPS certificate is requested.

/var/www/example above is the directory that the root directive points to in the nginx server block for that domain.

The webroot plugin works by writing a temporary file under ${webroot-path}/.well-known/acme-challenge/ for each requested domain.

The Let's Encrypt validation server then makes an HTTP request for that file, which verifies that the DNS name of each requested domain resolves to the server running certbot (the ACME HTTP-01 challenge).

The validation request appears in the nginx access log like this:

66.133.109.36 - - [05/Jan/2016:20:11:24 -0500] "GET /.well-known/acme-challenge/HGr8U1IeTW4kY_Z6UIyaakzOkyQgPr_7ArlLgtZE8SX HTTP/1.1" 200 87 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"

So nginx must allow requests to the path /.well-known/acme-challenge/.

For example:


server {
    listen 80;
    server_name www.example.com;
    index index.html;
    root /var/www/example;

    ...

    # Let's Encrypt fetches /.well-known/acme-challenge/<token> from the root above.
    # If the block also denies dotfiles with "location ~ /\.", this allow rule
    # must appear before it: regex locations are tried in file order.
    location ~ /\.well-known {
        allow all;
    }
}

Full HTTP (port 80) server block:


server {
    listen 80;
    server_name www.example.com;
    index index.html;
    root /var/www/www.example.com;

    location / {
        proxy_redirect off;
        proxy_pass http://localhost:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    #error_page 404 /404.html;

    # stub_status exposes connection counters; if you enable it,
    # restrict this location with allow/deny to trusted addresses.
    location /nginx_status {
        #stub_status on;
        #access_log off;
    }

    # Regex locations are tried in the order they appear, so this allow
    # rule must come before the "deny all" for dotfiles below.
    location ~ /\.well-known {
        allow all;
    }

    # Block every other dotfile or dot-directory (.git, .env, .htpasswd, ...).
    location ~ /\. {
        deny all;
    }

    access_log /data/log/nginx/www.example.com-access.log;
    error_log /data/log/nginx/www.example.com-error.log;
}

After the command runs, the certificate is placed under the /etc/letsencrypt/live directory.

certbot certonly -w /var/www/example -d www.example.com

The -w path must be the directory nginx actually serves for that domain (the root in the server block, /var/www/www.example.com in the full configuration above); otherwise the validation request gets a 404 and issuance fails.

For example, the command above generates the certificate chain /etc/letsencrypt/live/www.example.com/fullchain.pem

and the private key /etc/letsencrypt/live/www.example.com/privkey.pem

Then we only need to add an HTTPS server block for the domain to complete the nginx HTTPS configuration.

HTTPS uses port 443.

Full HTTPS (port 443) server block:


server {
    listen 443 ssl http2;
    #listen [::]:443 ssl http2;
    server_name www.example.com;
    index index.html index.htm index.php default.html default.htm default.php;
    root /var/www/www.example.com/;

    # "ssl on;" removed: the ssl parameter on listen already enables TLS, and
    # the directive is deprecated since nginx 1.15.0 and obsolete in current releases.
    # fullchain.pem = leaf certificate + intermediate; privkey.pem must stay root-only.
    ssl_certificate /etc/letsencrypt/live/www.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/www.example.com/privkey.pem;

    location / {
        proxy_redirect off;
        proxy_pass http://localhost:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    #error_page 404 /404.html;

    include enable-php-pathinfo.conf;

    # Must precede the dotfile deny rule below (regex locations match in file order).
    location ~ /\.well-known {
        allow all;
    }

    location ~ /\. {
        deny all;
    }

    access_log /data/log/nginx/www.example.com-ssl-access.log;
    error_log /data/log/nginx/www.example.com-ssl-error.log;
}
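As an added example (not code from the original article), here are the two server blocks above combined into a hardened pair: the port 80 block serves only the ACME challenge path and redirects everything else to HTTPS, and the port 443 block drops the obsolete ssl on; directive, restricts protocols to TLS 1.2/1.3, enables OCSP stapling and sends an HSTS header. The domain www.example.com, the webroot /var/www/www.example.com, the backend on localhost:8080 and the public resolvers 1.1.1.1 / 8.8.8.8 are assumptions; the certificate paths are the ones certbot writes as described above. The ^~ prefix location is what keeps the challenge path reachable regardless of where the dotfile deny rule sits, which the regex form used above only achieves by ordering.

```nginx
# Added example, not from the original article. Assumptions: domain
# www.example.com, webroot /var/www/www.example.com, backend on
# localhost:8080, public resolvers 1.1.1.1 / 8.8.8.8 for OCSP stapling.

# Port 80: answer ACME HTTP-01 challenges, redirect everything else to HTTPS.
server {
    listen 80;
    #listen [::]:80;                  # uncomment if the host has IPv6
    server_name www.example.com;

    # "^~" is a prefix match that stops nginx from consulting regex
    # locations, so the "location ~ /\." deny rule below can never
    # swallow the challenge path. Point certbot at this directory:
    #   certbot certonly -w /var/www/www.example.com -d www.example.com
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/www.example.com;
        default_type "text/plain";
    }

    # Never serve other dotfiles (.git, .env, .htpasswd ...).
    location ~ /\. {
        deny all;
    }

    # Fixed host in the redirect: do not reflect the client-supplied Host header.
    location / {
        return 301 https://www.example.com$request_uri;
    }
}

# Port 443: TLS termination in front of the backend.
server {
    listen 443 ssl http2;
    #listen [::]:443 ssl http2;       # uncomment if the host has IPv6
    server_name www.example.com;
    root /var/www/www.example.com;
    index index.html;

    # Files written by "certbot certonly". fullchain.pem = leaf + intermediate;
    # chain.pem = intermediate only, used to verify stapled OCSP responses.
    ssl_certificate         /etc/letsencrypt/live/www.example.com/fullchain.pem;
    ssl_certificate_key     /etc/letsencrypt/live/www.example.com/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/www.example.com/chain.pem;

    # No "ssl on;": the ssl parameter on listen already enables TLS.
    ssl_protocols TLSv1.2 TLSv1.3;    # SSLv3, TLS 1.0 and TLS 1.1 disabled
    ssl_prefer_server_ciphers off;    # cipher list left to the OpenSSL defaults
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 1d;
    ssl_session_tickets off;

    # OCSP stapling: nginx fetches the revocation status so clients need not.
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 1.1.1.1 8.8.8.8 valid=300s;   # assumption: use your own resolver
    resolver_timeout 5s;

    # HSTS: browsers that have seen this header refuse plain HTTP for the site.
    # "always" sends it on error responses too. Start with a short max-age
    # while testing; add includeSubDomains only once every subdomain is HTTPS.
    add_header Strict-Transport-Security "max-age=63072000" always;

    location / {
        proxy_pass http://localhost:8080;
        proxy_redirect off;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        # Tell the backend the original request was HTTPS so it builds
        # absolute URLs and Secure cookies correctly.
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    location ~ /\. {
        deny all;
    }

    access_log /data/log/nginx/www.example.com-ssl-access.log;
    error_log  /data/log/nginx/www.example.com-ssl-error.log;
}
```

Run nginx -t before reloading so a typo cannot take the site down, and check the result from outside with a TLS scanner (or openssl s_client) to confirm that only TLS 1.2/1.3 is offered and that the stapled OCSP response is present.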

View the generated certificates:

tree /etc/letsencrypt/live/

Certificate renewal

Let's Encrypt certificates are valid for 90 days, but they can be renewed indefinitely:

certbot renew

certbot renew only renews certificates that are within 30 days of expiry, so it is safe to run often. Use cron to run it automatically; the line below runs it twice a day with a random delay of up to an hour, so that many clients do not hit Let's Encrypt at the same instant:

0 0,12 * * * python -c 'import random; import time; time.sleep(random.random() * 3600)' && certbot renew

Note that nginx reads the certificate files only at startup or reload, so a renewed certificate is not served until nginx is reloaded; certbot's --deploy-hook option can run the reload command after each successful renewal.

CentOS 6 procedure

1 Get the certbot client

wget https://dl.eff.org/certbot-auto
chmod a+x certbot-auto

2 Stop nginx

service nginx stop

The standalone authenticator used below starts its own temporary web server on port 80, so nothing else may be listening there while the certificate is issued.

3 Generate certificates

./certbot-auto certonly --standalone --email <your email address> -d <your domain name>

If the site has several domain names, add each one with a further -d option, for example

./certbot-auto certonly --standalone --email <your email address> -d <domain name 1> -d <domain name 2>

Note: certbot-auto is no longer maintained by the EFF; the certbot site now recommends installing certbot from snap on systems that support it.

