Configuring TLS/SSL on the Nginx web server
Edit the configuration file
# vi /etc/nginx/conf.d/ssl.www.onitroad.com.conf
Add the SSL settings, using the following as a reference:
## START: SSL/HTTPS www.onitroad.com ###
server {
    ## 'ssl on;' is deprecated since nginx 1.15.0; the ssl parameter on listen replaces it
    listen 443 ssl http2;
    server_name www.onitroad.com;
    ssl_certificate /etc/nginx/ssl/letsencrypt/www.onitroad.com/www.onitroad.com.cer;
    ssl_certificate_key /etc/nginx/ssl/letsencrypt/www.onitroad.com/www.onitroad.com.key;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    ssl_session_tickets off;
    ## TLSv1 and TLSv1.1 are deprecated (RFC 8996); keep them only if legacy clients require them
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS;
    ssl_dhparam /etc/nginx/ssl/letsencrypt/www.onitroad.com/dhparams.pem;
    ssl_prefer_server_ciphers on;
    ## Improves TTFB by using a smaller SSL buffer than the nginx default
    ssl_buffer_size 8k;
    ## Enables OCSP stapling
    ssl_stapling on;
    resolver 8.8.8.8;
    ssl_stapling_verify on;
    ## Send header to tell the browser to prefer https to http traffic
    #add_header Strict-Transport-Security max-age=31536000;
    ## SSL logs ##
    access_log /var/log/nginx/www.onitroad.com_ssl_access.log;
    error_log /var/log/nginx/www.onitroad.com_ssl_error.log;
    #-------- END SSL config -------##
    root /var/www/localhost/htdocs;
    index index.html index.htm index.php;
    # configure php
    location ~ \.php$ {
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        include fastcgi.conf;
    }
    # rest of your config ##
}
## END SSL www.onitroad.com ######
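An added check, not part of this tutorial, that reads an nginx server block like the one above and flags the TLS settings a reviewer would question: a listen directive without the ssl parameter, the deprecated 'ssl on;' form, deprecated protocol versions, a missing or commented-out HSTS header, and OCSP stapling without a resolver. The sample block is a constructed copy of the TLS-relevant directives from this page's configuration.

```python
# Added example: a small linter for the TLS directives of an nginx server block.
# Constructed sample: the TLS-relevant directives from the server block above.
SAMPLE_CONF = """
server {
    listen 443 http2;
    ssl on;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_session_tickets off;
    ssl_stapling on;
    resolver 8.8.8.8;
    ssl_stapling_verify on;
    #add_header Strict-Transport-Security max-age=31536000;
}
"""

# Protocol versions deprecated by RFC 8996 (TLS 1.0/1.1) plus the older SSL versions.
DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}


def parse_directives(conf):
    """Yield (name, args) for every active directive; comments and block braces are skipped."""
    for line in conf.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.endswith("{") or line == "}":
            continue
        name, _, rest = line.rstrip(";").partition(" ")
        yield name, rest.split()


def check_tls_config(conf):
    """Return a list of findings for the TLS settings of one nginx server block."""
    directives = {}
    for name, args in parse_directives(conf):
        directives.setdefault(name, []).extend(args)  # merge repeated directives such as add_header
    findings = []
    weak = sorted(set(directives.get("ssl_protocols", [])) & DEPRECATED_PROTOCOLS)
    if weak:
        findings.append("deprecated protocols enabled: " + ", ".join(weak))
    if "ssl" not in directives.get("listen", []):
        findings.append("listen directive lacks the 'ssl' parameter")
    if "ssl" in directives:
        findings.append("'ssl on;' is deprecated; use 'listen 443 ssl' instead")
    if "Strict-Transport-Security" not in directives.get("add_header", []):
        findings.append("HSTS header not sent (add_header Strict-Transport-Security is missing or commented out)")
    if directives.get("ssl_stapling") == ["on"] and "resolver" not in directives:
        findings.append("ssl_stapling on but no resolver configured")
    return findings


if __name__ == "__main__":
    for finding in check_tls_config(SAMPLE_CONF):
        print("-", finding)
```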
Install the required packages
Install the following packages on Alpine Linux with the apk command:
# apk add netcat-openbsd bc curl wget git bash openssl
Also install libressl:
# apk add libressl
How do I upgrade the acme.sh client?
Run the following command to upgrade the acme.sh client:
# acme.sh --upgrade
Install the acme.sh client
Clone the acme.sh client with git:
# cd /tmp/
# git clone https://github.com/Neilpang/acme.sh.git
Install the acme.sh client:
# cd acme.sh/
# sudo -i
# ./acme.sh --install
Log in again, or run the following command so that the alias takes effect:
# source ~/.bashrc
Test it:
# acme.sh
Testing
Open the HTTPS site in a browser:
https://www.onitroad.com
How do I renew the certificate?
Run the following command:
# acme.sh --renew -d www.onitroad.com
Scheduled certificate renewal
A crontab job will also try to renew the certificate for you:
# crontab -l
Sample output:
0 0 * * * "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null
Generate the global dhparam file
Run the following commands to create the global dhparam file:
# mkdir -p /etc/nginx/ssl/letsencrypt/www.onitroad.com/
# cd /etc/nginx/ssl/letsencrypt/www.onitroad.com/
# openssl dhparam -dsaparam -out dhparams.pem 4096
Create the /.well-known/acme-challenge/ directory
Create it under the site's document root and set its permissions:
# D=/var/www/localhost/htdocs
# mkdir -vp ${D}/.well-known/acme-challenge/
# chown -R nginx:nginx ${D}/.well-known/acme-challenge/
# chmod -R 0555 ${D}/.well-known/acme-challenge/
Install the issued certificate into the Nginx web server
Run the following command:
# acme.sh --installcert -d www.onitroad.com \
    --keypath /etc/nginx/ssl/letsencrypt/www.onitroad.com/www.onitroad.com.key \
    --fullchainpath /etc/nginx/ssl/letsencrypt/www.onitroad.com/www.onitroad.com.cer \
    --reloadcmd '/etc/init.d/nginx restart'
Request a certificate for the domain
The syntax is:
# acme.sh --issue -w $D -d www.onitroad.com -k 4096
Where:
--issue: request a new certificate.
-w /DocumentRootPath/: the document root of the site for this domain.
-d www.onitroad.com: the domain to request the SSL certificate for.
-k 4096: the length of the domain key.
How do I install a Let's Encrypt certificate for nginx on Alpine Linux?
How do I configure HTTPS for nginx?
How do I install a free Let's Encrypt SSL/TLS certificate on Alpine Linux?
Date: 2020-03-23 08:03:56 Source: oir Author: oir
