Configuring Nginx with a Let's Encrypt SSL certificate
Install Let's Encrypt (the certbot client)
```bash
yum install epel-release -y
yum install certbot -y
```
Request the certificate
```bash
# 1. Create the website directory (the webroot certbot writes the ACME challenge into)
mkdir -p /home/www/www.demo.com
# 2. Request the certificate
certbot certonly --webroot \
  -w /home/www/www.demo.com \
  -d www.demo.com \
  -m demo@email.com \
  --agree-tos
```
- `--webroot` selects the run mode. The two modes are:
  - standalone: the current web server must be stopped to free port 80; certbot's built-in web server then handles the exchange with Let's Encrypt.
  - webroot: the current web server keeps running, but a temporary directory is created under the domain's document root, and that directory must be reachable from the internet via the domain.
- `-w` specifies the directory the website is served from (the webroot)
- `-d` specifies the website's domain name
- `-m` specifies the contact e-mail; use a real, working address, because Let's Encrypt sends reminder e-mails before the certificate expires
- `--agree-tos` accepts the terms of service
Configure Nginx
```nginx
# 1. Create the nginx configuration file
# /etc/nginx/conf.d/www.demo.com.conf
server {
    listen 80;
    server_name www.demo.com demo.com;
    # Redirect all plain-HTTP requests to HTTPS
    return 301 https://www.demo.com$request_uri;
}
server {
    # "ssl" on the listen line enables TLS; the old "ssl on;" directive is deprecated
    listen 443 ssl http2;
    server_name www.demo.com;
    index index.html index.htm index.php;
    charset utf-8;
    # Must match the webroot passed to certbot with -w
    root /home/www/www.demo.com;
    add_header X-Frame-Options DENY;
    add_header X-Content-Type-Options nosniff;
    add_header Strict-Transport-Security max-age=15768000;
    # certbot stores the files under /etc/letsencrypt/live/<domain given with -d>/
    ssl_certificate /etc/letsencrypt/live/www.demo.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/www.demo.com/privkey.pem;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    ssl_session_tickets off;
    # TLSv1 and TLSv1.1 are deprecated (RFC 8996); current deployments should keep only TLSv1.2 and TLSv1.3
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
    ssl_prefer_server_ciphers on;
    # Keep the ACME challenge path reachable so webroot renewals keep working
    location ~ /.well-known {
        allow all;
    }
}
```
```bash
# 2. Restart nginx
systemctl restart nginx
```
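Before restarting, it is worth checking the TLS settings of the server block for the weak points discussed above (the deprecated `ssl on;`, TLSv1/TLSv1.1, 3DES suites, an HSTS header without `includeSubDomains`). The checker below is an added example and not part of the original post; it tokenizes nginx directives itself, and the `WEAK_CONF` and `HARDENED_CONF` samples are constructed to mirror the server block on this page.

```python
import re

# Constructed sample: the TLS server block from this page, before any hardening.
WEAK_CONF = """server { listen 443 http2 ssl; ssl on; server_name www.demo.com;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-DES-CBC3-SHA:!DSS';
    add_header Strict-Transport-Security max-age=15768000; }"""

# The same block with every finding addressed (also constructed).
HARDENED_CONF = """server { listen 443 ssl http2; ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256';
    add_header Strict-Transport-Security "max-age=15768000; includeSubDomains"; }"""

DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
LEGACY_CIPHER_MARKERS = ("DES", "RC4", "NULL", "EXPORT", "MD5")
TOKEN = re.compile(r'"[^"]*"|\'[^\']*\'|[;{}]|[^\s;{}"\']+')

def directives(config):
    """Yield (name, args) per directive; quoted values keep any ';' inside them."""
    stmt = []
    for tok in TOKEN.findall(re.sub(r"#.*", "", config)):
        if tok in ";{}":
            if stmt:
                yield stmt[0], [a.strip("'\"") for a in stmt[1:]]
            stmt = []
        else:
            stmt.append(tok)

def audit_tls(config):
    """Return human-readable findings for the TLS settings of an nginx config."""
    findings = []
    for name, args in directives(config):
        if name == "ssl" and args == ["on"]:
            findings.append("'ssl on' is deprecated; use the ssl parameter of listen")
        elif name == "listen" and any(a.endswith("443") for a in args) and "ssl" not in args:
            findings.append("listen on 443 without the ssl parameter")
        elif name == "ssl_protocols":
            weak = sorted(DEPRECATED_PROTOCOLS & set(args))
            if weak:
                findings.append("deprecated protocols enabled: " + ", ".join(weak))
        elif name == "ssl_ciphers":
            weak = [s for s in ":".join(args).split(":") if not s.startswith("!")
                    and any(m in s for m in LEGACY_CIPHER_MARKERS)]
            if weak:
                findings.append("legacy cipher suites offered: " + ", ".join(weak))
        elif name == "add_header" and args[:1] == ["Strict-Transport-Security"]:
            if "includeSubDomains" not in " ".join(args[1:]):
                findings.append("HSTS header lacks includeSubDomains")
    return findings
```

Run `audit_tls(open("/etc/nginx/conf.d/www.demo.com.conf").read())` against the real file; an empty list means none of the checked weaknesses is present.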