Detailed explanation of the principle and implementation process of Nginx configuration https

Use the Linux tool certbot to generate https certificates

This tool obtains a certificate from Let's Encrypt.

Let's Encrypt is a digital certificate authority (CA) run by the Internet Security Research Group (ISRG, a non-profit organization).

It provides free SSL/TLS certificates.

On December 3, 2015, the service entered the public beta stage and was officially launched to the public.

On April 12, 2016, the project officially left the Beta stage.

As of September 9, 2016, Let's Encrypt has issued 10 million certificates.

Therefore, for most small and medium-sized websites, it is an option worth considering.

Steps for https configuration

1 Open https://certbot.eff.org/ and select the operating system and web server you use.

Here I choose the nginx server on a CentOS 7 server.

2 Execute the commands, changing the domain name parameters as needed.

Certbot is installed through yum, and it is packaged in the EPEL repository.

So the EPEL repository has to be installed and enabled first; see the following link for how to install the EPEL source:

https://fedoraproject.org/wiki/EPEL#How_can_I_use_these_extra_packages.3F

Enable the repository. You can enable it by editing the repo file manually or with the yum-config-manager command.

Install yum-config-manager:

yum -y install yum-utils

Enable the repositories:

yum-config-manager --enable rhui-REGION-rhel-server-extras rhui-REGION-rhel-server-optional

3 Install certbot

sudo yum install certbot python2-certbot-nginx

Certbot has two kinds of plugins: authenticators, which prove control of the domain and obtain the certificate, and installers, which configure the web server.

Here the webroot authenticator is used to obtain the certificate. This requires that port 80 of your server is reachable from the Internet and that the domain name is yours.

To use the webroot plugin, pass certonly and --webroot (or -w) on the command line:

certbot certonly -w /var/www/example -d www.example.com

That is: certbot certonly -w <webroot directory reachable over http> -d <domain name to configure https for>

The /var/www/example above is the directory pointed to by the root directive in the nginx server block.

The webroot plugin works by creating a temporary file under ${webroot-path}/.well-known/acme-challenge/ for each domain requested.

The Let's Encrypt validation server then makes HTTP requests for that file to verify that the DNS of each requested domain resolves to the server running certbot.

The access request looks like this:

66.133.109.36 - - [05/Jan/2016:20:11:24 -0500] "GET /.well-known/acme-challenge/HGr8U1IeTW4kY_Z6UIyaakzOkyQgPr_7ArlLgtZE8SX HTTP/1.1" 200 87 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"

So our server must make the path .well-known/acme-challenge reachable over http.

For example,

server {
    listen 80;
    server_name www.example.com;
    index index.html;
    root /var/www/example;

    . . .

    # keep the ACME challenge directory reachable
    location ~ /.well-known {
        allow all;
    }
}
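The validation request in the access log above is the only direct evidence that a challenge actually reached nginx. The following is an added example, not code from the original article: it parses nginx combined-format access-log lines and reports ACME challenge requests that were not answered with 200, which is how a wrong webroot or a dot-file deny rule that shadows .well-known shows up in practice. The first sample line is the one quoted in the article; the other three are constructed.

```python
import re
from dataclasses import dataclass

# nginx "combined" log format, the format of the validation-request line in the article.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
CHALLENGE_PREFIX = "/.well-known/acme-challenge/"
LE_UA_MARKER = "Let's Encrypt validation server"

@dataclass
class ChallengeHit:
    ip: str
    path: str
    status: int
    from_letsencrypt: bool  # True when the User-Agent is the Let's Encrypt validator

def parse_line(line):
    """Split one combined-format line into named fields, or return None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def challenge_hits(lines):
    """Every request for the ACME challenge path, whoever sent it."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and rec["path"].startswith(CHALLENGE_PREFIX):
            hits.append(ChallengeHit(rec["ip"], rec["path"], int(rec["status"]),
                                     LE_UA_MARKER in rec["ua"]))
    return hits

def failed_challenges(lines):
    """Challenge requests nginx did not answer with 200. A 403 usually means the
    'location ~ /\\.' deny block matched before the .well-known location; a 404
    means the token file is not under the webroot given to certbot -w."""
    return [h for h in challenge_hits(lines) if h.status != 200]

# Sample log: the first line is the one quoted in the article, the other three are constructed.
SAMPLE_LOG = [
    '66.133.109.36 - - [05/Jan/2016:20:11:24 -0500] "GET /.well-known/acme-challenge/HGr8U1IeTW4kY_Z6UIyaakzOkyQgPr_7ArlLgtZE8SX HTTP/1.1" 200 87 "-" "Mozilla/5.0 (compatible; Let\'s Encrypt validation server; +https://www.letsencrypt.org)"',
    '198.51.100.7 - - [06/Jan/2016:08:00:01 -0500] "GET /.well-known/acme-challenge/constructed-token-1 HTTP/1.1" 403 153 "-" "Mozilla/5.0 (compatible; Let\'s Encrypt validation server; +https://www.letsencrypt.org)"',
    '198.51.100.7 - - [06/Jan/2016:08:00:02 -0500] "GET /.well-known/acme-challenge/constructed-token-2 HTTP/1.1" 404 153 "-" "curl/7.29.0"',
    '203.0.113.5 - - [06/Jan/2016:08:00:03 -0500] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0"',
]
```

Run failed_challenges over the site's real access log (one line per list entry) after a failed certbot run to see which status nginx returned for the token.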

Specific http configuration file

server {
    listen 80;
    server_name www.example.com;
    index index.html;
    root /var/www/www.example.com;

    location / {
        proxy_redirect off;
        proxy_pass http://localhost:8080;
        proxy_set_header Host $host;
        proxy_set_header X-real-ip $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    #error_page 404 /404.html;

    location /nginx_status {
        #stub_status on;
        #access_log off;
    }

    # Must come before the deny rule below: regex locations are tried in the
    # order they appear and the first match wins, so the ACME challenge stays reachable.
    location ~ /.well-known {
        allow all;
    }

    # block every other dot-file and dot-directory (.git, .htpasswd, ...)
    location ~ /\. {
        deny all;
    }

    access_log /data/log/nginx/www.example.com-access.log;
    error_log /data/log/nginx/www.example.com-error.log;
}

After executing the command, the https certificate is generated under the /etc/letsencrypt/live directory.

certbot certonly -w /var/www/example -d www.example.com

For example, the command above generates the certificate /etc/letsencrypt/live/www.example.com/fullchain.pem

and the private key file /etc/letsencrypt/live/www.example.com/privkey.pem

Then we just need to add an https server block for the domain name, and nginx will serve the site over https.

https uses port 443.

Specific https configuration file

server {
    listen 443 ssl http2;
    #listen [::]:443 ssl http2;
    server_name www.example.com;
    index index.html index.htm index.php default.html default.htm default.php;
    root /var/www/www.example.com/;

    # "ssl on;" is deprecated since nginx 1.15.0; on current versions the "ssl"
    # parameter of the listen directive above is what enables TLS.
    ssl on;
    ssl_certificate /etc/letsencrypt/live/www.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/www.example.com/privkey.pem;

    location / {
        proxy_redirect off;
        proxy_pass http://localhost:8080;
        proxy_set_header Host $host;
        proxy_set_header X-real-ip $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    #error_page 404 /404.html;

    include enable-php-pathinfo.conf;

    # must come before the deny rule below, see the http configuration
    location ~ /.well-known {
        allow all;
    }

    location ~ /\. {
        deny all;
    }

    access_log /data/log/nginx/www.example.com-ssl-access.log;
    error_log /data/log/nginx/www.example.com-ssl-error.log;
}

View the generated certificates

tree /etc/letsencrypt/live/

Certificate Renewal

The free certificate generated by Let's Encrypt is valid for 3 months, but we can renew it as many times as we like:

certbot renew

Use a cron job to renew the certificates automatically. certbot renew only replaces certificates that are close to expiry, and nginx reads the certificate files only when it starts or reloads, so reload nginx after a successful renewal.

# twice a day, delayed by a random time of up to one hour to spread load on the Let's Encrypt servers
0 0,12 * * * python -c 'import random; import time; time.sleep(random.random() * 3600)' && certbot renew

Usage on CentOS 6

1 Get the certbot client

wget https://dl.eff.org/certbot-auto
chmod a+x certbot-auto

2 Stop nginx (the standalone authenticator has to bind port 80 itself)

service nginx stop

3 Generate the certificate

./certbot-auto certonly --standalone --email <your email address> -d <your domain name>

If the website has several domain names, add each additional one with another -d at the end, for example

./certbot-auto certonly --standalone --email <your email address> -d <your domain name 1> -d <your domain name 2>

The above is the full content of this article. I hope it will be helpful for everyone's study. I also hope that everyone will support 123WORDPRESS.COM.
