Let's Encrypt issues certificates free of charge. The certbot tool obtains one in a few commands, and together with nginx that is enough to enable HTTPS on a blog.

Install a newer version of nginx

The nginx version must be 1.9.5 or later (HTTP/2 support, enabled below with --with-http_v2_module, first appeared in that release).

# build dependencies: PCRE for the rewrite/location regexes, OpenSSL for the ssl module
yum install pcre-devel openssl-devel

# unprivileged worker account: no home directory created, no login shell
useradd -M -r -s /sbin/nologin -d /opt/nginx-1.10.2/ www

# temp directories referenced by the configure flags below
mkdir -p /var/tmp/nginx/client/
mkdir -p /var/tmp/nginx/proxy/
mkdir -p /var/tmp/nginx/fcgi/
mkdir -p /var/tmp/nginx/uwsgi/

wget http://nginx.org/download/nginx-1.10.2.tar.gz
tar vxf nginx-1.10.2.tar.gz
cd nginx-1.10.2

./configure \
  --prefix=/opt/nginx-1.10.2 \
  --error-log-path=/var/log/nginx/error.log \
  --pid-path=/var/run/nginx/nginx.pid  \
  --lock-path=/var/lock/nginx.lock \
  --user=www \
  --group=www \
  --with-http_ssl_module \
  --with-http_v2_module \
  --with-http_stub_status_module \
  --with-http_gzip_static_module \
  --http-log-path=/var/log/nginx/access.log \
  --http-client-body-temp-path=/var/tmp/nginx/client/ \
  --http-proxy-temp-path=/var/tmp/nginx/proxy/ \
  --http-fastcgi-temp-path=/var/tmp/nginx/fcgi/ \
  --http-uwsgi-temp-path=/var/tmp/nginx/uwsgi/

make && make install

Obtain and install a Let's Encrypt certificate

Install the certbot tool. The steps here are for CentOS 7; for other systems, see https://certbot.eff.org/.

yum install -y epel-release
yum install -y certbot
# webroot mode: certbot writes the ACME challenge file under <webroot>/.well-known/acme-challenge/,
# so nginx must already serve that path over plain HTTP for every name listed with -d
certbot certonly --webroot -w /ver/webroot/coderim/ -d coder.im -d www.coder.im --email [email protected] --agree-tos

Generate the host's own dhparam

mkdir /opt/nginx-1.10.2/ssl -p
# 2048-bit parameters for the DHE cipher suites; generating them takes a few minutes
openssl dhparam -out /opt/nginx-1.10.2/ssl/dhparam.pem 2048

Configure nginx

The ssl configuration parameters can be looked up at https://mozilla.github.io/server-side-tls/ssl-config-generator/, which generates configurations for several web servers.
A reference nginx configuration: https://gist.github.com/plentz/6737338
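A server block that ties the pieces above together, as an added example rather than the post's own configuration or the linked gist. It assumes certbot's default certificate location /etc/letsencrypt/live/coder.im/, the webroot /ver/webroot/coderim/ from the certbot command above, and 8.8.8.8 as a placeholder resolver.

```nginx
# Plain HTTP: serve only the ACME challenge, send everything else to HTTPS.
server {
    listen 80;
    server_name coder.im www.coder.im;

    # certbot --webroot writes its challenge files below this directory
    location ^~ /.well-known/acme-challenge/ {
        root /ver/webroot/coderim/;
        default_type "text/plain";
    }

    location / {
        return 301 https://$host$request_uri;
    }
}

server {
    listen 443 ssl http2;   # http2 needs nginx >= 1.9.5 and --with-http_v2_module
    server_name coder.im www.coder.im;
    root /ver/webroot/coderim/;

    # certbot default layout (assumed); fullchain.pem = leaf + intermediate
    ssl_certificate     /etc/letsencrypt/live/coder.im/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/coder.im/privkey.pem;

    # the 2048-bit DH parameters generated with openssl dhparam above
    ssl_dhparam /opt/nginx-1.10.2/ssl/dhparam.pem;

    # weak setting would be: ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384';

    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 1d;
    ssl_session_tickets off;   # tickets reuse one server-wide key; off keeps forward secrecy

    # OCSP stapling; chain.pem is the intermediate certbot also writes
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/letsencrypt/live/coder.im/chain.pem;
    resolver 8.8.8.8 valid=300s;   # assumed resolver; use your own DNS

    # HSTS, 6 months; enable only once HTTPS is confirmed working
    add_header Strict-Transport-Security "max-age=15768000" always;
}
```

Reload with `nginx -s reload` after `nginx -t` passes; the plain-HTTP challenge location must stay in place so certbot can renew the certificate later.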

Verify

Test the resulting configuration with https://www.ssllabs.com/ssltest/ and https://httpsecurityreport.com/; the best scores are A+ and 100 respectively.
