Let's Encrypt HTTPS Deployment Walkthrough
Contents:
Obtaining an SSL certificate
Configuring Nginx
Application changes
References
Why use HTTPS? At the time it was for bragging rights (and security). From Google's introduction:
HTTPS protects the integrity of your website
HTTPS protects the privacy and security of your users
HTTPS is the future of the web
I. Obtaining an SSL certificate
1. Paid vs. free certificates
Besides the technical hurdles, a more important reason for the low adoption of HTTPS is that SSL certificates cost money. At the thought of spending not only time and effort but also their own cash, plenty of IT people back off. Fortunately ISRG (Internet Security Research Group) could not tolerate this situation and launched the Let's Encrypt Project.
2. The Let's Encrypt Project
Mozilla Corporation, Cisco Systems, Inc., Akamai Technologies, Electronic Frontier Foundation, IdenTrust, Inc., and researchers at the University of Michigan are working through the Internet Security Research Group (“ISRG”), a California public benefit corporation, to deliver this much-needed infrastructure in Q2 2015. The ISRG welcomes other organizations dedicated to the same ideal of ubiquitous, open Internet security.
Facebook now supports the project too; personally, I only learned about it from the Facebook announcement. On the sponsors page I also spotted a Chinese company, Yunpian, which provides SMS services. As for how much sponsorship has been raised, you can take a look here: sponsorship fees
3. Using Let's Encrypt
Download and install certbot, then request a certificate using the webroot challenge (the web server must serve /.well-known/acme-challenge/ from the given webroot):
./certbot-auto certonly --webroot -w /var/www/TypechoBlog -d xlcoder166.com -d www.xlcoder166.com
Auto-renewal
Manual test: ./path/to/certbot-auto renew --dry-run
Cron auto-renew: ./path/to/certbot-auto renew --quiet --no-self-upgrade
After configuration, remember to reload Nginx (the web server) so the new certificate is picked up.
II. Configuration
1. Nginx configuration
Generate the DH parameters
$ sudo mkdir /etc/nginx/ssl
$ sudo openssl dhparam -out /etc/nginx/ssl/dhparam.pem 2048
Server block configuration
listen 443 ssl;
ssl_certificate /etc/letsencrypt/live/xlcoder166.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/xlcoder166.com/privkey.pem;
ssl_dhparam /etc/nginx/ssl/dhparam.pem;
ssl_session_timeout 10m;
ssl_session_cache shared:SSL:10m;
ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4:HIGH:!MD5:!aNULL:!eNULL:!NULL:!DH:!EDH:!AESGCM;
ssl_prefer_server_ciphers on;
Note that you only need to paste the relevant directives from the default HTTPS server block into your existing server block.
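The ssl_protocols and ssl_ciphers lines above are worth checking before going live: SSLv3, TLSv1 and TLSv1.1 are deprecated, RC4 is broken, and the !DH:!EDH exclusions mean the dhparam file generated above is never used. The following is an added example (not code from the post) that audits those directives; the first sample embeds the post's own server block, and the hardened variant is my suggestion, not the author's.

```python
DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
WEAK_CIPHER_TOKENS = {"RC4", "DES", "3DES", "MD5", "EXPORT", "NULL", "LOW"}

# Constructed sample: the ssl_* directives from the server block above.
WEAK_CONF = """
listen 443 ssl;
ssl_dhparam /etc/nginx/ssl/dhparam.pem;
ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4:HIGH:!MD5:!aNULL:!eNULL:!NULL:!DH:!EDH:!AESGCM;
ssl_prefer_server_ciphers on;
"""

# Constructed hardened variant (my suggestion, not from the post): modern
# protocols only and ECDHE/AES-GCM suites, so no dhparam file is needed.
HARDENED_CONF = """
listen 443 ssl;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers on;
"""

def parse_directives(conf):
    """Map each one-line nginx directive to its argument list."""
    directives = {}
    for line in conf.splitlines():
        line = line.strip().rstrip(";")
        if not line or line.startswith("#"):
            continue
        name, *args = line.split()
        directives[name] = args
    return directives

def audit_tls(conf):
    """Return human-readable findings; an empty list means nothing flagged."""
    d = parse_directives(conf)
    findings = []
    for proto in d.get("ssl_protocols", []):
        if proto in DEPRECATED_PROTOCOLS:
            findings.append(f"deprecated protocol enabled: {proto}")
    tokens = ":".join(d.get("ssl_ciphers", [])).split(":")
    for tok in tokens:
        # Only bare tokens enable suites; "!RC4" would be an exclusion.
        if tok in WEAK_CIPHER_TOKENS:
            findings.append(f"weak cipher family allowed: {tok}")
    if "ssl_dhparam" in d and {"!DH", "!EDH"} & set(tokens):
        findings.append("ssl_dhparam is set but !DH/!EDH exclude every DHE suite, so it is never used")
    return findings

if __name__ == "__main__":
    for name, conf in (("post config", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_tls(conf) or ["ok"])
```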