This article was translated with Google Translate.
Let's Encrypt is a free certificate authority: you can install its certificates on a cheap VPS and get free, browser-trusted HTTPS. In this tutorial we walk through setting up Let's Encrypt HTTPS on an Nginx host running Debian 10.
We will install nginx from scratch, but php-fpm and other extensions are out of scope for this tutorial. I'll start from a brand-new VPS on Vultr.
This tutorial assumes your DNS records are already in place. In other words, if you are setting up www.example.com, then www.example.com already has an A record or CNAME pointing at your VPS. Note that the certbot setup we'll use depends on DNS: Let's Encrypt's validation servers resolve the name and fetch a challenge file from it over plain HTTP (the http-01 challenge), so the name must resolve publicly and port 80 must be reachable from the Internet.
Installing and setting up nginx
Install nginx directly:
```sh
apt-get update && apt-get upgrade
apt-get install nginx
```
I'll set up www.lowend.party with its web root at /web/www.lowend.party.
Let's create the web root and the log directory:
```sh
mkdir -p /web/www.lowend.party
mkdir -p /var/log/nginx/www.lowend.party
chown www-data:adm /var/log/nginx/www.lowend.party
```
Configuring logs and rotation
We want a separate log for every domain we host, and we want those logs rotated. Debian's log rotation system (logrotate) can do this: we drop a suitable rule file into /etc/logrotate.d. Start from nginx's stock rotation rule:
```sh
cp /etc/logrotate.d/nginx /etc/logrotate.d/nginx_domain_logs
```
Now edit /etc/logrotate.d/nginx_domain_logs and change the path glob so that it matches the per-domain subdirectories instead of the top-level log files:
```
# change this:
/var/log/nginx/*.log {
# to this:
/var/log/nginx/*/*.log {
```
The rest of the rule (rotation schedule, compression, file ownership, and the postrotate hook that makes nginx reopen its log files after rotation) is kept exactly as copied. The two globs do not overlap, so the stock rule and the new one can coexist without logrotate complaining about duplicate entries.
Setting up nginx for http
Before setting up https we'll get plain http working. I'll put a placeholder index.html in /web/www.lowend.party:
```html
www.lowend.party works!
```
Now look at /etc/nginx. /etc/nginx/sites-available should hold one file per site we might host; we then symlink into /etc/nginx/sites-enabled to switch an individual site on or off.
Let's create a basic nginx configuration at /etc/nginx/sites-available/www.lowend.party:
```nginx
server {
    server_name www.lowend.party;
    access_log /var/log/nginx/www.lowend.party/access.log;
    error_log /var/log/nginx/www.lowend.party/error.log;
    location / {
        root /web/www.lowend.party;
        index index.html;
    }
}
```
(There is no `listen` directive, so nginx falls back to its default of port 80 when running as root.) Now enable it:
```sh
ln -s /etc/nginx/sites-available/www.lowend.party /etc/nginx/sites-enabled/www.lowend.party
```
Let's syntax-check the configuration:
```text
# nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
```
Now restart nginx:
```sh
systemctl restart nginx
```
I then visited http://www.lowend.party and saw the HTML I had created earlier.
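The web-root, log-directory, logrotate and vhost steps above, gathered into one script as an added example (this is not the post's own code). It assumes the same layout as the post (/web/<domain>, /var/log/nginx/<domain>, /etc/nginx/sites-*), but every base path can be overridden through the environment so the script can be exercised in a scratch directory; the nginx reload is only attempted against the real /etc/nginx and only after `nginx -t` passes, because one broken vhost file would otherwise take every site on the box down. The domain is validated before it is spliced into paths and config, which the one-off commands in the post do not need but a reusable script does.

```sh
#!/bin/sh
# add_site.sh: the web-root, log-directory, logrotate and vhost steps above,
# gathered into one idempotent script. Added example; not code from the post.
# Every base path can be overridden through the environment so the script can
# be exercised in a scratch directory without touching the real system.
set -eu

NGINX_ETC="${NGINX_ETC:-/etc/nginx}"
WEB_BASE="${WEB_BASE:-/web}"
LOG_BASE="${LOG_BASE:-/var/log/nginx}"
LOGROTATE_D="${LOGROTATE_D:-/etc/logrotate.d}"

# Print the pre-certbot (HTTP only) server block for DOMAIN. "listen 80" is
# spelled out rather than relying on nginx's default port.
vhost_config() {
  domain="$1"
  cat <<EOF
server {
    listen 80;
    server_name ${domain};
    access_log ${LOG_BASE}/${domain}/access.log;
    error_log ${LOG_BASE}/${domain}/error.log;
    location / {
        root ${WEB_BASE}/${domain};
        index index.html;
    }
}
EOF
}

# Print one logrotate rule covering every per-domain log directory
# (LOG_BASE/<domain>/*.log). The settings mirror Debian 10's stock
# /etc/logrotate.d/nginx; only the glob differs. The postrotate hook makes
# nginx reopen its log files, otherwise it keeps writing to the rotated inode.
logrotate_rule() {
  cat <<EOF
${LOG_BASE}/*/*.log {
    daily
    missingok
    rotate 14
    compress
    delaycompress
    notifempty
    create 0640 www-data adm
    sharedscripts
    postrotate
        invoke-rc.d nginx rotate >/dev/null 2>&1
    endscript
}
EOF
}

# Create everything for DOMAIN and enable the site. The config is validated
# with nginx -t before reload, because one bad vhost file would otherwise
# stop nginx from starting and take every other site on the box down too.
add_site() {
  domain="$1"
  # Only accept a plain hostname: the value is spliced into filesystem paths
  # and into the nginx config, so "../", spaces and "{" must never get through.
  case "$domain" in
    ""|.*|*[!A-Za-z0-9.-]*) echo "refusing suspicious domain: '$domain'" >&2; return 1 ;;
  esac
  mkdir -p "${WEB_BASE}/${domain}" "${LOG_BASE}/${domain}" \
           "${NGINX_ETC}/sites-available" "${NGINX_ETC}/sites-enabled" "${LOGROTATE_D}"
  # Ownership as in the post; harmless no-op when not running as root.
  chown www-data:adm "${LOG_BASE}/${domain}" 2>/dev/null || true
  logrotate_rule > "${LOGROTATE_D}/nginx_domain_logs"
  vhost_config "$domain" > "${NGINX_ETC}/sites-available/${domain}"
  ln -sf "${NGINX_ETC}/sites-available/${domain}" "${NGINX_ETC}/sites-enabled/${domain}"
  if [ "${NGINX_ETC}" = /etc/nginx ] && command -v nginx >/dev/null 2>&1; then
    nginx -t && systemctl reload nginx
  fi
}

# Usage: add_site www.lowend.party
```

`systemctl reload` rather than `restart` keeps existing connections open while the new config is picked up; the post's `restart` is fine for a fresh box but not for one that already serves traffic.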
Activating Let's Encrypt
Let's start by installing certbot, the package that will set up https for us and keep our certificate renewed (on Debian 10 it also installs a systemd timer, certbot.timer, that runs `certbot renew` on a schedule):
```sh
apt-get install certbot python-certbot-nginx
```
Now for the magic! Run:
```sh
certbot --authenticator webroot --installer nginx
```
and walk through the interactive setup. My answers follow each prompt:
```text
# certbot --authenticator webroot --installer nginx
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer nginx
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): raindog308@raindog308.com

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel: A

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: N

Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: www.lowend.party
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for www.lowend.party
Input the webroot for www.lowend.party: (Enter 'c' to cancel): /web/www.lowend.party
Waiting for verification...
Cleaning up challenges
Deploying Certificate to VirtualHost /etc/nginx/sites-enabled/www.lowend.party

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Redirecting all traffic on port 80 to ssl in /etc/nginx/sites-enabled/www.lowend.party

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations! You have successfully enabled https://www.lowend.party
(rest snipped)
```
Now look at /etc/nginx/sites-available/www.lowend.party:
```nginx
server {
    server_name www.lowend.party;
    access_log /var/log/nginx/www.lowend.party/access.log;
    error_log /var/log/nginx/www.lowend.party/error.log;
    location / {
        root /web/www.lowend.party;
        index index.html;
    }

    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/www.lowend.party/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/www.lowend.party/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
    if ($host = www.lowend.party) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    server_name www.lowend.party;
    listen 80;
    return 404; # managed by Certbot
}
```
certbot has done the following:
- Obtained a TLS certificate for www.lowend.party from Let's Encrypt
- Installed the certificate chain and private key under /etc/letsencrypt/live/www.lowend.party/ and its shared TLS settings (options-ssl-nginx.conf, ssl-dhparams.pem) under /etc/letsencrypt/
- Updated /etc/nginx/sites-available/www.lowend.party with the nginx directives needed to serve HTTPS
- Added a second server block so that a connection over plain http is redirected (301) to https; requests on port 80 for any other host name get a 404
Going to http://www.lowend.party in my browser confirmed that everything works.
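A browser check shows the redirect works today; what a practitioner also wants to know is that the certbot-written config contains everything HTTPS depends on and that unattended renewal will succeed. The script below is an added example (not code from the post or from certbot). `audit_vhost` is an offline check over a vhost file like the one shown above; `check_live` runs the live checks (redirect, the certificate actually served on 443, a renewal dry run, and the renewal timer) and assumes the Debian 10 certbot package with its certbot.timer. The HSTS warning refers to certbot's `--hsts` option, which the post did not use.

```sh
#!/bin/sh
# verify_https.sh: checks worth running once certbot has rewritten the vhost.
# Added example; not code from the post or from certbot. Assumes the Debian 10
# certbot package, which installs certbot.timer to run "certbot renew" on a
# schedule, and the vhost layout shown above.
set -eu

# Offline audit of a certbot-managed vhost file. Each directive below is one
# that HTTPS depends on; if any is missing the site is either not serving
# TLS at all or still reachable in the clear. Returns 1 on any missing item.
audit_vhost() {
  file="$1"
  rc=0
  for needle in \
    'listen 443 ssl' \
    'ssl_certificate ' \
    'ssl_certificate_key ' \
    'options-ssl-nginx.conf' \
    'return 301 https://'
  do
    if ! grep -qF "$needle" "$file"; then
      echo "MISSING in $file: $needle" >&2
      rc=1
    fi
  done
  # Advisory only: certbot adds Strict-Transport-Security only when run with
  # --hsts. Without it a client's first plain-http request is still exposed
  # until the 301 arrives.
  grep -qi 'Strict-Transport-Security' "$file" \
    || echo "WARN: no HSTS header in $file (re-run certbot with --hsts to add one)" >&2
  return $rc
}

# Live checks against the running server. These need network access, nginx
# and certbot, so they are not part of the offline test.
check_live() {
  domain="$1"
  echo "== plain http must answer with a redirect to https"
  curl -sSI "http://${domain}/" | grep -iE '^(HTTP/|location:)'
  echo "== certificate actually served on 443 (issuer and expiry)"
  openssl s_client -connect "${domain}:443" -servername "${domain}" </dev/null 2>/dev/null \
    | openssl x509 -noout -issuer -enddate
  echo "== renewal dry run against the staging CA (changes nothing on disk)"
  certbot renew --dry-run
  echo "== the timer that will do the real renewals"
  systemctl list-timers --no-pager certbot.timer
}

# Usage:
#   audit_vhost /etc/nginx/sites-available/www.lowend.party
#   check_live www.lowend.party
```

Renewal reuses the webroot recorded in /etc/letsencrypt/renewal/www.lowend.party.conf, so the http-01 challenge file is written under /web/www.lowend.party/.well-known/acme-challenge/ again. The port-80 block now answers with a 301; the Let's Encrypt validator follows that redirect to https, where the 443 block serves the same `root`, so keep that `root` in place or the dry run above will fail.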