How to secure Nginx with Let's Encrypt certificates on Alpine Linux
Date: 2020-01-09 10:39:22 Source: igfitidea
I have installed and set up a regular HTTP server based on Nginx on Alpine Linux.
How do I configure the Nginx web server with a free Let's Encrypt SSL/TLS certificate?
Nginx is a free and open source web server.
You need nginx to serve static or dynamic web pages.
Nginx can also act as a reverse proxy and load balancer.
Let's Encrypt is a free certificate authority that provides free X.509 certificates for Transport Layer Security (TLS) encryption.
This tutorial shows how to install Let's Encrypt for nginx on Alpine Linux.
How to secure Nginx with Let's Encrypt certificates on Alpine
Let us walk through all the commands needed to configure and set up Let's Encrypt SSL/TLS for nginx.
Step 1: Install the required packages
First, install the following packages, including openssl, on Alpine Linux with the apk command:
# apk add netcat-openbsd bc curl wget git bash openssl
Sample output:
(1/8) Installing bc (1.07.1-r0)
(2/8) Installing curl (7.61.1-r1)
(3/8) Installing expat (2.2.5-r0)
(4/8) Installing pcre2 (10.31-r0)
(5/8) Installing git (2.18.1-r0)
(6/8) Installing git-bash-completion (2.18.1-r0)
(7/8) Installing netcat-openbsd (1.130-r1)
(8/8) Installing wget (1.19.5-r0)
Executing busybox-1.28.4-r3.trigger
OK: 57 MiB in 69 packages
Also install libressl by running the following apk command:
# apk add libressl
(1/1) Installing libressl (2.7.4-r0)
Executing busybox-1.28.4-r3.trigger
OK: 57 MiB in 70 packages
Step 2: Install the acme.sh client
Run the following commands to clone the acme.sh client:
# cd /tmp/
# git clone https://github.com/Neilpang/acme.sh.git
Sample output:
Cloning into 'acme.sh'...
remote: Counting objects: 4762, done.
remote: Compressing objects: 100% (6/6), done.
remote: Total 4762 (delta 2), reused 8 (delta 2), pack-reused 4754
Receiving objects: 100% (4762/4762), 1.69 MiB | 0 bytes/s, done.
Resolving deltas: 100% (2516/2516), done.
To install the acme.sh client, run:
# cd acme.sh/
# sudo -i
# ./acme.sh --install
Sample output:
[Sat Jul 29 11:20:29 GMT 2016] Installing to /root/.acme.sh
[Sat Jul 29 11:20:29 GMT 2016] Installed to /root/.acme.sh/acme.sh
[Sat Jul 29 11:20:29 GMT 2016] Installing alias to '/root/.bashrc'
[Sat Jul 29 11:20:29 GMT 2016] OK, Close and reopen your terminal to start using acme.sh
[Sat Jul 29 11:20:29 GMT 2016] Installing cron job
0 0 * * * "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null
[Sat Jul 29 11:20:29 GMT 2016] Good, bash is found, so change the shebang to use bash as preferred.
[Sat Jul 29 11:20:29 GMT 2016] OK
After installation, close the current terminal and reopen it so that the alias takes effect.
Or simply run the following command:
# source ~/.bashrc
Test it:
# acme.sh
Step 3: Create the /.well-known/acme-challenge/ directory
Run the following commands (set D to the actual DocumentRoot path for your setup):
# D=/var/www/localhost/htdocs
# mkdir -vp ${D}/.well-known/acme-challenge/
###---[ NOTE: Adjust permission as per your setup ]---###
# chown -R nginx:nginx ${D}/.well-known/acme-challenge/
# chmod -R 0555 ${D}/.well-known/acme-challenge/
Step 4: Generate a global dhparam file
First, make sure libressl is installed:
# apk add libressl
Next, run the following commands to create the global dhparam file.
Run:
# mkdir -p /etc/nginx/ssl/letsencrypt/newsletter.theitroad.local/
# cd /etc/nginx/ssl/letsencrypt/newsletter.theitroad.local/
# openssl dhparam -dsaparam -out dhparams.pem 4096
Step 5: Issue a certificate for the newsletter.theitroad.local domain
The syntax is:
# acme.sh --issue -w $D -d newsletter.theitroad.local -k 4096
Where:
--issue : Issue a new certificate.
-w /DocumentRootPath/ : Specify the web root folder for webroot mode.
-d newsletter.theitroad.local : Specify a domain to issue, renew, or revoke for, etc. Can be used more than once.
-k 4096 : Specify the length of the domain key.
Step 6: Configure TLS/SSL on the Nginx web server
Edit the following file:
# vi /etc/nginx/conf.d/ssl.newsletter.theitroad.local.conf
## START: SSL/HTTPS newsletter.theitroad.local ###
server {
    # 'ssl on;' was deprecated in nginx 1.15.0 and later removed; enable TLS on the listen line instead
    listen 443 ssl http2;
    server_name newsletter.theitroad.local;
    ssl_certificate /etc/nginx/ssl/letsencrypt/newsletter.theitroad.local/newsletter.theitroad.local.cer;
    ssl_certificate_key /etc/nginx/ssl/letsencrypt/newsletter.theitroad.local/newsletter.theitroad.local.key;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    ssl_session_tickets off;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS;
    ssl_dhparam /etc/nginx/ssl/letsencrypt/newsletter.theitroad.local/dhparams.pem;
    ssl_prefer_server_ciphers on;
    ## Improves TTFB by using a smaller SSL buffer than the nginx default
    ssl_buffer_size 8k;
    ## Enables OCSP stapling
    ssl_stapling on;
    resolver 8.8.8.8;
    ssl_stapling_verify on;
    ## Send header to tell the browser to prefer https to http traffic
    #add_header Strict-Transport-Security max-age=31536000;
    ## SSL logs ##
    access_log /var/log/nginx/newsletter.theitroad.local_ssl_access.log;
    error_log /var/log/nginx/newsletter.theitroad.local_ssl_error.log;
    #-------- END SSL config -------##
    root /var/www/localhost/htdocs;
    index index.html index.htm index.php;
    # configure php
    location ~ \.php$ {
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        include fastcgi.conf;
    }
    # rest of your config ##
}
## END SSL newsletter.theitroad.local ######
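As an added check that is not part of the original tutorial, the following POSIX shell script audits an nginx server block such as the one above for the settings a reviewer would flag: legacy TLS 1.0/1.1, 3DES cipher suites, a commented-out HSTS header, the deprecated ssl on directive, and a 443 listener without the ssl parameter. It runs against a constructed, abridged excerpt of the tutorial's directives; the temporary file path and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the original tutorial): audit an nginx server block
# for weak or deprecated TLS settings. Needs only POSIX sh and grep.

# Prints one WARN line per finding; prints nothing for a clean block.
audit_nginx_tls() {
    f="$1"
    if grep -Eq '^[[:space:]]*ssl_protocols.*[[:space:]]TLSv1(\.1)?[[:space:];]' "$f"; then
        echo "WARN: ssl_protocols enables TLSv1/TLSv1.1; use 'ssl_protocols TLSv1.2 TLSv1.3;'"
    fi
    if grep -Eq '^[[:space:]]*ssl_ciphers.*3DES' "$f"; then
        echo "WARN: ssl_ciphers allows 3DES (64-bit block cipher); drop the *+3DES entries"
    fi
    if grep -Eq '^[[:space:]]*ssl[[:space:]]+on[[:space:]]*;' "$f"; then
        echo "WARN: 'ssl on;' is deprecated; use 'listen 443 ssl http2;' instead"
    fi
    if grep -E '^[[:space:]]*listen[^;]*443[^;]*;' "$f" | grep -Evq '[[:space:]]ssl([[:space:];])'; then
        echo "WARN: listen on 443 without the ssl parameter serves plain HTTP on the TLS port"
    fi
    if grep -Eq '^[[:space:]]*#[[:space:]]*add_header[[:space:]]+Strict-Transport-Security' "$f"; then
        echo "WARN: Strict-Transport-Security is commented out; enable HSTS once HTTPS works"
    fi
}

# Number of findings for a file (wc output trimmed for portability).
audit_count() {
    audit_nginx_tls "$1" | wc -l | tr -d ' '
}

# Constructed sample: an abridged copy of the tutorial's TLS directives.
write_sample_conf() {
    cat > "$1" <<'EOF'
server {
    listen 443 ssl http2;
    server_name newsletter.theitroad.local;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:ECDH+3DES:RSA+3DES:!aNULL:!MD5:!DSS;
    ssl_session_tickets off;
    #add_header Strict-Transport-Security max-age=31536000;
}
EOF
}

sample="${TMPDIR:-/tmp}/ssl.sample.$$.conf"
write_sample_conf "$sample"
audit_nginx_tls "$sample"   # three WARN lines for this sample
rm -f "$sample"
```

Point audit_nginx_tls at /etc/nginx/conf.d/ssl.newsletter.theitroad.local.conf after editing it; an empty result means none of the listed weak settings remain.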
Install the issued certificate into the Nginx web server
Run the following command:
# acme.sh --installcert -d newsletter.theitroad.local \
    --keypath /etc/nginx/ssl/letsencrypt/newsletter.theitroad.local/newsletter.theitroad.local.key \
    --fullchainpath /etc/nginx/ssl/letsencrypt/newsletter.theitroad.local/newsletter.theitroad.local.cer \
    --reloadcmd '/etc/init.d/nginx restart'
Step 7: Test it
Open a browser and enter the following URL:
https://newsletter.theitroad.local
A note about the cron job
The scheduled job will also attempt to renew the certificate for you.
It is installed by default as follows (you do not need to do anything):
# crontab -l
Sample job:
0 0 * * * "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null
How do I renew the certificate manually?
Run the following command:
# acme.sh --renew -d newsletter.theitroad.local
How do I upgrade the acme.sh client?
Run the following command to upgrade the acme.sh client to the latest code from https://github.com/Neilpang/acme.sh:
# acme.sh --upgrade