Let's Encrypt HTTPS Deployment Walkthrough


Contents:

  1. Obtaining an SSL certificate

  2. Configuring Nginx

  3. Application adjustments

  4. References


Why use HTTPS? At the time it was partly to look good and partly for security. Google's summary:

  1. HTTPS protects the integrity of your website

  2. HTTPS protects the privacy and security of your users

  3. HTTPS is the future of the web

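I. Obtaining an SSL certificate

1. Paid vs. free certificates

Apart from technical hurdles, a bigger reason for the low adoption of HTTPS is that SSL certificates cost money. Faced with spending time and effort and then paying out of pocket as well, plenty of IT people backed off. Fortunately the ISRG (Internet Security Research Group) would not put up with this and created the Let's Encrypt Project.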

2. Let's Encrypt Project
Mozilla Corporation, Cisco Systems, Inc., Akamai Technologies, Electronic Frontier Foundation, IdenTrust, Inc., and researchers at the University of Michigan are working through the Internet Security Research Group (“ISRG”), a California public benefit corporation, to deliver this much-needed infrastructure in Q2 2015. The ISRG welcomes other organizations dedicated to the same ideal of ubiquitous, open Internet security.

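Facebook now supports the project as well; personally, I only learned about the project from the Facebook news. On the sponsors page I also found a Chinese company, Yunpian (云片), which provides SMS services. As for how much sponsorship costs, see the sponsorship fees here.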

3. Using Let's Encrypt
  1. Download and install certbot

  2. Request the certificate: ./certbot-auto certonly --webroot -w /var/www/TypechoBlog -d xlcoder166.com -d www.xlcoder166.com

  3. Auto-renewal

    1. Manual test: ./path/to/certbot-auto renew --dry-run

    2. Cron auto-renewal: ./path/to/certbot-auto renew --quiet --no-self-upgrade

    3. Once this is set up, remember to restart Nginx (the web service)

II. Configuration

1. Nginx configuration
  1. Generate the dhparam file

$ sudo mkdir /etc/nginx/ssl
$ sudo openssl dhparam -out /etc/nginx/ssl/dhparam.pem 2048
  2. Edit the config

listen 443 ssl;
ssl_certificate /etc/letsencrypt/live/xlcoder166.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/xlcoder166.com/privkey.pem;
ssl_dhparam /etc/nginx/ssl/dhparam.pem;
ssl_session_timeout 10m;
ssl_session_cache shared:SSL:10m;
# Do not enable SSLv3 here: it is broken by POODLE and deprecated by RFC 7568.
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
# Do not list RC4 here: RFC 7465 prohibits RC4 cipher suites in TLS.
ssl_ciphers ECDHE-RSA-AES256-SHA384:AES256-SHA256:HIGH:!MD5:!aNULL:!eNULL:!NULL:!DH:!EDH:!AESGCM;
ssl_prefer_server_ciphers on;

Note: you only need to paste the relevant parts of the default HTTPS section into your existing server block.
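
A check for legacy TLS settings in a server block like the one above, added here as an example (not code from the original post): it parses ssl_protocols and ssl_ciphers, and also flags an ssl_dhparam that can never be used because the cipher string excludes DH key exchange. The sample config is constructed, and the names audit and directives are assumptions made for this example.

```python
import re

# Constructed sample: a server block carrying legacy TLS settings (not a real deployment).
SAMPLE_CONF = """
server {
    listen 443 ssl;
    ssl_dhparam /etc/nginx/ssl/dhparam.pem;
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4:HIGH:!MD5:!aNULL:!DH:!EDH;
}
"""

BROKEN_PROTOCOLS = {"SSLv2", "SSLv3"}                # SSLv3: POODLE, RFC 7568
WEAK_WORDS = ("RC4", "DES", "MD5", "EXP", "NULL")    # RC4: RFC 7465; DES also matches 3DES
DH_WORDS = {"DH", "EDH", "DHE", "kEDH", "kDHE"}      # OpenSSL aliases covering DHE suites

def directives(conf):
    """Yield (name, args) for each nginx directive, ignoring # comments."""
    conf = re.sub(r"#[^\n]*", "", conf)
    for stmt in re.split(r"[;{}]", conf):
        parts = stmt.split()
        if parts:
            yield parts[0], parts[1:]

def audit(conf):
    """Return findings for legacy TLS settings in an nginx config string."""
    findings, has_dhparam, dh_excluded = [], False, False
    for name, args in directives(conf):
        if name == "ssl_protocols":
            findings += [f"protocol {p} is enabled" for p in args if p in BROKEN_PROTOCOLS]
        elif name == "ssl_dhparam":
            has_dhparam = True
        elif name == "ssl_ciphers":
            for token in "".join(args).strip("'\"").split(":"):
                removed = token.startswith(("!", "-"))   # "!" and "-" take suites out
                word = token.lstrip("!-+")
                if removed and word in DH_WORDS:
                    dh_excluded = True
                elif not removed and any(w in word.upper() for w in WEAK_WORDS):
                    findings.append(f"cipher token {token} allows weak suites")
    if has_dhparam and dh_excluded:
        findings.append("ssl_dhparam is set, but ssl_ciphers excludes DH key exchange")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONF):
        print("WARN:", finding)
```

Run it against the output of nginx -T (the full effective config) before each reload so that included files are covered too.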

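IV. References

  1. Let's encrypt Getting Started

  2. Why you should always use HTTPS

  3. Certbot ubuntu14.04 nginx

  4. Let's Encrypt SSL证书配置 (Let's Encrypt SSL certificate configuration)

  5. Mozilla SSL Configuration Generator

  6. Let's Encrypt 给网站加 HTTPS 完全指南 (The complete guide to adding HTTPS to a website with Let's Encrypt)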
