How to configure HTTPS for Nginx on CentOS 8

Date: 2019-11-20 08:52:50  Source: igfitidea

How do I configure an SSL certificate for the Nginx server on a CentOS 8 server?
How do I set up and configure Nginx with Let's Encrypt on CentOS 8?

Install the required software

Use the yum command to install the git, bc, wget, curl and socat packages:

sudo yum install git bc wget curl socat

Install acme.sh

Clone the repository:

cd /tmp/
git clone https://github.com/Neilpang/acme.sh.git

Install the acme.sh client on the system:

sudo -i
## sudo -i switches to root's home directory, so change back into the clone first ##
cd /tmp/acme.sh/
./acme.sh --install

After installation the acme.sh alias only takes effect in a new shell: close the current terminal and open it again, or simply source the profile in the root shell opened above (source is a shell builtin, so it cannot be run through sudo):

source ~/.bashrc

Check that the installation succeeded:

acme.sh --version

https://github.com/Neilpang/acme.sh v2.8.4

Configure an SSL certificate for Nginx

Create a new configuration for the domain www.theitroad.cc as follows:

# vi /etc/nginx/conf.d/www.theitroad.cc.conf

The content is as follows:

# http port 80
server {
    listen      80;
    server_name www.theitroad.cc;
    access_log  /var/log/nginx/http_www.theitroad.cc_access.log;
    error_log   /var/log/nginx/http_www.theitroad.cc_error.log;
    root        /usr/share/nginx/html;
}

Test the nginx configuration and restart the nginx service:

# nginx -t
# systemctl restart nginx.service

Create dhparams.pem

Create a new directory and run the openssl command to generate the dhparams.pem file used by the DHE cipher suites. The -dsaparam option makes generation much faster, but the resulting parameters are not safe primes and are only suitable for ephemeral DH, which is how nginx uses them:

# mkdir -pv /etc/nginx/ssl/theitroad.cc/
# cd /etc/nginx/ssl/theitroad.cc/
# openssl dhparam -out dhparams.pem -dsaparam 4096

Obtain the SSL certificate

## --nginx mode: acme.sh temporarily adds the HTTP-01 challenge location to the running nginx configuration and restores it afterwards, so nginx must already serve the domain on port 80 as configured above ##
sudo acme.sh --issue -d www.theitroad.cc -k 2048 --nginx
## obtain one certificate covering two domain names ##
sudo acme.sh --issue -d theitroad.cc -d www.theitroad.cc -k 2048 --nginx
## obtain one certificate covering three domain names (replace the placeholder with your third name) ##
sudo acme.sh --issue -d theitroad.cc -d www.theitroad.cc -d <third.domain.placeholder> -k 2048 --nginx
## same as the first command, but with a 4096-bit RSA key ##
sudo acme.sh --issue -d www.theitroad.cc -k 4096 --nginx

Configure Nginx

After the SSL certificate has been issued, configure nginx:

$ sudo vi /etc/nginx/conf.d/www.theitroad.cc.conf

Edit the file so that it contains the following (the port 80 server block now only redirects to HTTPS):

## http port 80: START http://www.theitroad.cc/ config ##
server {
    listen 80;
    listen [::]:80;
    access_log  /var/log/nginx/http_www.theitroad.cc_access.log;
    error_log   /var/log/nginx/http_www.theitroad.cc_error.log;
    server_name www.theitroad.cc;
    root        /usr/share/nginx/html;
    #
    # redirect all HTTP requests to HTTPS with a 301 Moved Permanently response.
    #
    return 301 https://$host$request_uri;
}
 
## https port 443: START https://www.theitroad.cc/ config ##
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name www.theitroad.cc;
    root /usr/share/nginx/html;
 
    # certs sent to the client in SERVER HELLO are concatenated in ssl_certificate
    ssl_certificate  /etc/nginx/ssl/theitroad.cc/www.theitroad.cc.cer;
    ssl_certificate_key /etc/nginx/ssl/theitroad.cc/www.theitroad.cc.key;
    ssl_session_timeout 1d;
    ssl_session_cache shared:MozSSL:10m;  # about 40000 sessions
    ssl_session_tickets off;
 
 
    ssl_dhparam /etc/nginx/ssl/theitroad.cc/dhparams.pem;
 
    #
    # Supports Firefox 27, Android 4.4.2, Chrome 31, Edge, IE 11 on Windows 7, Java 8u31, OpenSSL 1.0.1, Opera 20, and Safari 9 and above
    #
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers off;
 
    # HSTS (ngx_http_headers_module is required) (63072000 seconds)
    add_header Strict-Transport-Security "max-age=63072000" always;
 
    # OCSP stapling
    ssl_stapling on;
    ssl_stapling_verify on;
 
    # replace with the IP address of your resolver
    resolver 8.8.8.8;
 
    ## add other config below such as fastcgi or php and so on ##
}
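The vhost above is easy to get subtly wrong when it is copied between servers, so the following added example (my own code, not from the article or from acme.sh; function names and the sample files are my own choices) audits an nginx TLS vhost file with grep and reports the settings a reviewer would reject: legacy protocols in ssl_protocols, a missing HSTS header, OCSP stapling left off, session tickets left on, and a port 80 listener that serves content instead of redirecting. It runs against two constructed sample files, a weak one and the essentials of the hardened vhost shown above.

```shell
#!/bin/sh
# Added example, not part of the original article: a grep-based audit of an
# nginx TLS vhost file that flags the settings a reviewer would reject in the
# configuration above. Function names and the sample files are my own choices.

# audit_tls_conf FILE
# Prints one line per finding and returns the number of findings (0 = clean).
audit_tls_conf() {
    findings=0
    # Strip comments first so a commented-out directive is not counted.
    body=$(sed 's/#.*$//' "$1")

    # 1. Only TLS 1.2 and 1.3 should be offered.
    if printf '%s\n' "$body" | grep -Eq 'ssl_protocols[^;]*(SSLv2|SSLv3|TLSv1\.1|TLSv1)([[:space:]]|;)'; then
        echo "FINDING: ssl_protocols enables a legacy protocol (SSLv3/TLSv1/TLSv1.1)"
        findings=$((findings + 1))
    fi
    # 2. HSTS must be present ('always' also sends it on error responses).
    if ! printf '%s\n' "$body" | grep -q 'Strict-Transport-Security'; then
        echo "FINDING: no Strict-Transport-Security header"
        findings=$((findings + 1))
    fi
    # 3. OCSP stapling spares clients a round trip to the CA's OCSP responder.
    if ! printf '%s\n' "$body" | grep -Eq 'ssl_stapling[[:space:]]+on'; then
        echo "FINDING: OCSP stapling is not enabled"
        findings=$((findings + 1))
    fi
    # 4. Session tickets protected by a long-lived key weaken forward secrecy.
    if ! printf '%s\n' "$body" | grep -Eq 'ssl_session_tickets[[:space:]]+off'; then
        echo "FINDING: ssl_session_tickets is not off"
        findings=$((findings + 1))
    fi
    # 5. A plain-HTTP listener must redirect to HTTPS rather than serve content.
    if printf '%s\n' "$body" | grep -Eq 'listen[[:space:]]+(\[::\]:)?80[[:space:];]' &&
       ! printf '%s\n' "$body" | grep -Eq 'return[[:space:]]+301[[:space:]]+https://'; then
        echo "FINDING: port 80 listener does not redirect to HTTPS"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# write_weak_conf PATH -- constructed sample showing the mistakes the audit catches
write_weak_conf() {
    cat > "$1" <<'EOF'
server {
    listen 80;
    server_name www.example.com;
    root /usr/share/nginx/html;
}
server {
    listen 443 ssl;
    server_name www.example.com;
    ssl_certificate     /etc/nginx/ssl/example/fullchain.cer;
    ssl_certificate_key /etc/nginx/ssl/example/example.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_session_tickets on;
}
EOF
}

# write_hardened_conf PATH -- the essentials of the vhost shown in the article
write_hardened_conf() {
    cat > "$1" <<'EOF'
server {
    listen 80;
    listen [::]:80;
    server_name www.example.com;
    return 301 https://$host$request_uri;
}
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name www.example.com;
    ssl_certificate     /etc/nginx/ssl/example/fullchain.cer;
    ssl_certificate_key /etc/nginx/ssl/example/example.key;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_session_tickets off;
    add_header Strict-Transport-Security "max-age=63072000" always;
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 8.8.8.8;
}
EOF
}

# Stand-alone run: audit both samples and print the number of findings.
demo() {
    dir=$(mktemp -d)
    write_weak_conf "$dir/weak.conf"
    write_hardened_conf "$dir/hardened.conf"
    for name in weak hardened; do
        echo "== $name.conf =="
        n=0
        audit_tls_conf "$dir/$name.conf" || n=$?
        echo "$n finding(s)"
    done
    rm -rf "$dir"
}
demo
```

To audit the real file, call audit_tls_conf /etc/nginx/conf.d/www.theitroad.cc.conf; a non-zero return code makes it usable as a gate in a deployment script. The checks are deliberately per-line greps rather than an nginx parser, so they assume one directive per line, which is how the vhost above is written.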

Install the certificate

Install the issued certificate into the nginx server:

# acme.sh --installcert -d www.theitroad.cc \
--key-file /etc/nginx/ssl/theitroad.cc/www.theitroad.cc.key \
--fullchain-file /etc/nginx/ssl/theitroad.cc/www.theitroad.cc.cer \
--reloadcmd 'systemctl reload nginx.service'

Use the ss command or the netstat command to confirm that nginx is now listening on port 443:

# ss -tulpn

Firewall configuration

Open port 443 (HTTPS) in the firewall:

$ sudo firewall-cmd --add-service=https
$ sudo firewall-cmd --runtime-to-permanent

Testing

Open the following site in a browser:

https://www.theitroad.cc

Related acme.sh commands

List all certificates:

# acme.sh --list

Renew the certificate for www.theitroad.cc:

# acme.sh --renew -d www.theitroad.cc

By default, a crontab entry is added that renews certificates automatically:

# crontab -l

Sample output:

8 0 * * * "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null
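Two checks worth running after the --installcert step above and alongside the renewal cron job, as an added example (my own code, not from the article or from acme.sh; function names are my own choices, and the default paths are the ones used in this article): cert_matches_key confirms that the certificate and key handed to nginx belong together, and cert_expires_within reports whether the certificate expires inside a given number of days, which is the alert you want if the cron job silently stops renewing. The stand-alone run generates a throwaway self-signed certificate so it works offline.

```shell
#!/bin/sh
# Added example, not part of the original article: post-install and
# renewal-monitoring checks for the certificate files nginx is using.
# Function names are my own; default paths are the article's.

# cert_matches_key CERT KEY
# Returns 0 when the certificate's public key equals the public key derived
# from the private key, i.e. nginx has been handed a matching pair; 1 otherwise.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# cert_expires_within CERT DAYS
# Returns 0 when the certificate expires within DAYS days (renewal is due),
# 1 when it is still valid beyond that window.
cert_expires_within() {
    secs=$(( $2 * 86400 ))
    # -checkend exits 0 when the certificate will NOT expire within secs
    if openssl x509 -in "$1" -noout -checkend "$secs" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# check_installed_cert [CERT] [KEY] [DAYS]
# Prints subject, expiry date and both verdicts; defaults to the article's paths.
check_installed_cert() {
    cert=${1:-/etc/nginx/ssl/theitroad.cc/www.theitroad.cc.cer}
    key=${2:-/etc/nginx/ssl/theitroad.cc/www.theitroad.cc.key}
    days=${3:-30}
    openssl x509 -in "$cert" -noout -subject -enddate || return 1
    if cert_matches_key "$cert" "$key"; then
        echo "key matches certificate: yes"
    else
        echo "key matches certificate: NO"
    fi
    if cert_expires_within "$cert" "$days"; then
        echo "expires within $days days: YES, renew now"
    else
        echo "expires within $days days: no"
    fi
}

# make_test_cert DIR DAYS -- constructs a throwaway self-signed cert/key pair
make_test_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days "$2" -subj '/CN=www.example.com' \
        -keyout "$1/key.pem" -out "$1/cert.pem" >/dev/null 2>&1
}

# Stand-alone run against a constructed 10-day certificate.
demo() {
    dir=$(mktemp -d)
    if make_test_cert "$dir" 10; then
        check_installed_cert "$dir/cert.pem" "$dir/key.pem" 30
    else
        echo "openssl is required for this demo"
    fi
    rm -rf "$dir"
}
demo
```

On the server, check_installed_cert with no arguments inspects the files written by --installcert; cert_expires_within /etc/nginx/ssl/theitroad.cc/www.theitroad.cc.cer 30 is a one-line probe to wire into monitoring, since acme.sh renews well before expiry and a certificate inside a 30-day window means the cron job is no longer doing its work.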

Upgrade the acme.sh client:

# acme.sh --upgrade

Get help:

# acme.sh --help | more