Configuring a Let's Encrypt HTTPS certificate in Nginx
Posted i书生
Download the source
wget http://nginx.org/download/nginx-1.16.1.tar.gz
Download the dependencies
#PCRE
wget https://ftp.pcre.org/pub/pcre/pcre-8.43.tar.gz
#OpenSSL
wget https://www.openssl.org/source/openssl-1.0.2t.tar.gz
#zlib
wget http://www.zlib.net/zlib-1.2.11.tar.gz
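Compile and install
# After extracting, you have these directories:
nginx-1.16.1 pcre-8.43 openssl-1.0.2t zlib-1.2.11
# Configure (run from inside nginx-1.16.1, since the dependency paths are relative)
./configure --prefix=/usr/local/nginx --with-http_ssl_module --with-zlib=../zlib-1.2.11 --with-pcre=../pcre-8.43 --with-openssl=../openssl-1.0.2t
# Compile
make
# Install
make install
Start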
/usr/local/nginx/sbin/nginx
Generate the certificate with acme.sh
Install acme.sh
curl https://get.acme.sh | sh
DNS validation with Alibaba Cloud DNS
export Ali_Key="asdasdsdasdasd"
export Ali_Secret="asdasdsdasdasdasdasd"
acme.sh --issue --dns dns_ali -d domain.com -d '*.domain.com'
DNS validation with Cloudflare DNS
export CF_Key="asdasdsdasdasdasdasd"
export CF_Email="xxxxx@dd.com"
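acme.sh --issue --dns dns_cf -d domain.com -d '*.domain.com'
Once issuance finishes, acme.sh prints a message that includes the location where the certificate files were saved.
Nginx HTTPS configuration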
server {
    listen 443 ssl;
    server_name domain.com;
    ssl_certificate /root/.acme.sh/domain.com/fullchain.cer;
    ssl_certificate_key /root/.acme.sh/domain.com/domain.com.key;
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 5m;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    location / {
        proxy_pass http://127.0.0.1:9000;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header REMOTE-HOST $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Cookie $http_cookie;
        client_max_body_size 1024M;
        proxy_connect_timeout 60;
        proxy_send_timeout 600;
        proxy_read_timeout 600;
        proxy_buffer_size 64k;
        proxy_buffers 16 32k;
        proxy_busy_buffers_size 64k;
        proxy_temp_file_write_size 64k;
    }
}
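A tightened variant of the TLS directives in the server block above, as an added example that is not part of the original article. It assumes the same certificate paths and the OpenSSL 1.0.2t build described on this page, which supports TLS 1.2 but neither TLS 1.3 nor ChaCha20-Poly1305 suites; the cipher list is one reasonable AEAD-only choice, not the author's, and the proxy section is shortened to the core headers.

```nginx
server {
    listen 443 ssl;
    server_name domain.com;

    # Same certificate files as the original block.
    ssl_certificate     /root/.acme.sh/domain.com/fullchain.cer;
    ssl_certificate_key /root/.acme.sh/domain.com/domain.com.key;

    ssl_session_cache   shared:SSL:1m;
    ssl_session_timeout 5m;

    # Original: ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    # TLS 1.0 and 1.1 are deprecated (RFC 8996). With OpenSSL 1.0.2t,
    # TLS 1.2 is the newest protocol available; add TLSv1.3 only after
    # rebuilding nginx against OpenSSL 1.1.1 or later.
    ssl_protocols TLSv1.2;

    # Original: ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:...
    # The broad ECDHE, ECDH, AES and HIGH keywords also admit CBC-mode
    # suites and static RSA key exchange, which has no forward secrecy.
    # Listing only ECDHE + AES-GCM suites keeps forward secrecy and AEAD.
    # ECDSA and RSA names are both listed so either certificate key type works.
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers on;

    location / {
        proxy_pass http://127.0.0.1:9000;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
```

Validate the file with /usr/local/nginx/sbin/nginx -t before applying it with /usr/local/nginx/sbin/nginx -s reload.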
Redirect HTTP to HTTPS
server {
    listen 80;
    server_name demo.domain.com;
    rewrite ^(.*)$ https://$host$1 permanent;
}
Access
https://domain.com
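Renewal
"/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh"
The certificate is valid for 3 months. When it expires, run the command above to renew it; you can also add the command to the system's scheduled tasks so that it runs on a schedule.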