Configuring Let's Encrypt for an nginx reverse proxy


Configure Let's Encrypt for a site served through an nginx reverse proxy on Ubuntu, so that it can be reached over SSL, i.e. HTTPS:

Installing the Let's Encrypt client

Download the Let's Encrypt client certbot-auto into the /usr/local/sbin directory:

$ cd /usr/local/sbin
$ sudo wget https://dl.eff.org/certbot-auto

Make the script executable:

$ sudo chmod a+x /usr/local/sbin/certbot-auto

After this, certbot-auto should be ready to use.

Obtaining a Let's Encrypt certificate

Edit the server block in the nginx configuration file so that the .well-known subdirectory is served from a local directory instead of being proxied:

server {
    listen 80;
    server_name sub.domain.com www.sub.domain.com;
    […]
    location /.well-known {
            alias /var/www/sub.domain.com/.well-known;
    }

    location / {
        # proxy commands go here
        […]
    }
}

The Let's Encrypt server validates that you control the host by requesting http://sub.domain.com/.well-known/... on it.
You can then use the certbot-auto client to obtain the certificate; you will be asked for your email address and to accept the terms of service:

certbot-auto certonly --webroot -w /var/www/sub.domain.com/ -d sub.domain.com -d www.sub.domain.com

Enter an email address

If the certificate is issued successfully, the screen shows where it was stored and when it expires. Your private key and certificate are kept in the /etc/letsencrypt/live/sub.domain.com/ directory.

Configuring nginx to use the certificate

Add a new server block to the configuration file:

server {
    listen 443 ssl;

    # if you wish, you can use the below line for listen instead
    # which enables HTTP/2
    # requires nginx version >= 1.9.5
    # listen 443 ssl http2;

    server_name sub.domain.com www.sub.domain.com;

    ssl_certificate /etc/letsencrypt/live/sub.domain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/sub.domain.com/privkey.pem;

    # Turn on OCSP stapling as recommended at
    # https://community.letsencrypt.org/t/integration-guide/13123
    # requires nginx version >= 1.3.7
    ssl_stapling on;
    ssl_stapling_verify on;

    # Uncomment this line only after testing in browsers,
    # as it commits you to continuing to serve your site over HTTPS
    # in future
    # add_header Strict-Transport-Security "max-age=31536000";

    access_log /var/log/nginx/sub.log combined;

    # maintain the .well-known directory alias for renewals
    location /.well-known {
        alias /var/www/sub.domain.com/.well-known;
    }

    location / {
        # proxy commands go here as in your port 80 configuration
        […]
    }
}

Reload nginx:

service nginx reload

Now open https://sub.domain.com and https://www.sub.domain.com in a browser to check that HTTPS works and that the browser reports no certificate error.

Redirecting HTTP to HTTPS

Change the port 80 server block in the nginx configuration file to the following:

server {
    listen 80;
    server_name sub.domain.com www.sub.domain.com;
    rewrite     ^   https://$host$request_uri? permanent;
}

In the port 443 configuration, uncomment the following line to enable HSTS (HTTP Strict Transport Security):

add_header Strict-Transport-Security "max-age=31536000";

Then reload nginx.

Renewing certificates automatically

You can use the following command to renew all certificates that are more than 60 days old:

certbot-auto renew --renew-hook "service nginx reload"

You can also put the renewal command in /etc/crontab so that it runs automatically:

# at 4:47am/pm, renew all Let's Encrypt certificates over 60 days old
47 4,16   * * *   root   certbot-auto renew --quiet --renew-hook "service nginx reload"

Test the renewal:

certbot-auto renew --dry-run

Force a renewal ahead of schedule:

certbot-auto renew --force-renew --renew-hook "service nginx reload"

You can test the renewal as many times as you like, but real certificate renewals are subject to Let's Encrypt's rate limits.
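As an added example that is not part of the original post, the following Python script checks a host set up as above: that port 80 answers with a permanent redirect to https://, that the HSTS header carries the one-year max-age configured earlier, that the chain served from fullchain.pem verifies, and how many days remain before the certificate enters certbot's renewal window (30 days before expiry, which for a 90-day certificate is the "more than 60 days old" threshold). The host name is an assumption passed on the command line; only the network-free helpers are exercised by the checks at the end.

```python
import ssl
from datetime import datetime, timezone
from http.client import HTTPConnection, HTTPSConnection

RENEW_WITHIN_DAYS = 30    # a 90-day certificate "over 60 days old" has at most 30 days left
HSTS_MIN_AGE = 31536000   # one year, the max-age the 443 configuration above sets

def parse_cert_time(s):
    """Parse the notAfter format returned by ssl.getpeercert(), e.g. 'Jun  1 12:00:00 2025 GMT'."""
    return datetime.strptime(s, "%b %d %H:%M:%S %Y %Z").replace(tzinfo=timezone.utc)

def days_until_expiry(not_after, now):
    return (parse_cert_time(not_after) - now).days

def renewal_due(days_left, window=RENEW_WITHIN_DAYS):
    return days_left <= window

def parse_hsts(header):
    """Return the max-age seconds of a Strict-Transport-Security value, or None if missing/invalid."""
    for part in (header or "").split(";"):
        name, _, value = part.strip().partition("=")
        if name.strip().lower() == "max-age" and value.strip().strip('"').isdigit():
            return int(value.strip().strip('"'))
    return None

def is_https_redirect(status, location, host):
    """The port-80 block above should answer with a permanent redirect to the https:// origin."""
    return status in (301, 308) and (location or "").startswith("https://" + host)

def audit(host, timeout=5):
    """Live checks against a deployed host (needs network access to it)."""
    result = {}
    http = HTTPConnection(host, 80, timeout=timeout)
    http.request("GET", "/", headers={"Host": host})
    r = http.getresponse()
    result["redirects_to_https"] = is_https_redirect(r.status, r.getheader("Location"), host)
    http.close()
    # The default context verifies the chain, so an incomplete fullchain.pem fails right here.
    https = HTTPSConnection(host, 443, timeout=timeout, context=ssl.create_default_context())
    https.request("GET", "/", headers={"Host": host})
    r = https.getresponse()
    result["hsts_ok"] = (parse_hsts(r.getheader("Strict-Transport-Security")) or 0) >= HSTS_MIN_AGE
    days = days_until_expiry(https.sock.getpeercert()["notAfter"], datetime.now(timezone.utc))
    result["days_until_expiry"], result["renewal_due"] = days, renewal_due(days)
    https.close()
    return result

if __name__ == "__main__":
    import sys
    print(audit(sys.argv[1]))   # e.g. python3 audit.py sub.domain.com (host name assumed)
```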

