Free HTTPS certificate generation
Let's Encrypt issues free wildcard SSL certificates and supports automatic renewal, but applying for them by hand is fairly involved. Here we use acme.sh, a script that simplifies the process: acme.sh implements the ACME protocol and can obtain free certificates from Let's Encrypt.
1. Install acme.sh
acme.sh is a lightweight, easy-to-use command-line tool for automatically obtaining and managing Let's Encrypt certificates.
curl https://get.acme.sh | sh -s email=youremail@gmail.com
After installation, the acme.sh files can be found in the /root/.acme.sh directory.
Then set up an alias:
alias acme.sh=~/.acme.sh/acme.sh
2. Obtain an HTTPS certificate
acme.sh --issue -d yourdomain.com -d www.yourdomain.com --webroot /root/docker-lnmp/www
The --webroot directory must be the one the web server actually serves for these domains, because Let's Encrypt validates ownership by fetching a file under /.well-known/acme-challenge/ from it.
View certificate information: acme.sh --list
3. Install the certificate into Nginx
Note: do not use the certificate files under ~/.acme.sh/ directly. They are for acme.sh's internal use and the directory layout may change. Use the following command to copy them to the right location instead:
acme.sh --install-cert -d voocel.com \
--key-file /root/docker-lnmp/nginx/cert/key.pem \
--fullchain-file /root/docker-lnmp/nginx/cert/cert.pem \
--reloadcmd "docker restart docker-lnmp-nginx-1"
Replace the paths here with your own.
4. Nginx configuration
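Before --reloadcmd restarts Nginx it is worth confirming that the files written by --install-cert are consistent. The script below is an added example, not part of the original post or of acme.sh itself; it assumes the openssl command-line tool is installed, uses placeholder paths, and generates a throwaway self-signed certificate at the end purely so the checks can be exercised offline. It verifies that the key file belongs to the certificate file, that the certificate is not about to expire, and that the private key is not readable by other users.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check the files that
# `acme.sh --install-cert` wrote before --reloadcmd hands them to Nginx.
# Assumes the openssl CLI is available. Paths are placeholders; the
# certificate built by make_demo_cert is constructed for demonstration only.

# cert_matches_key CERT KEY
# Succeeds only if the public key inside CERT is the public half of KEY
# (catches a swapped --key-file / --fullchain-file or a stale copy).
cert_matches_key() {
    openssl x509 -in "$1" -noout >/dev/null 2>&1 || return 1
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null | openssl sha256)
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null | openssl sha256)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# cert_valid_for_days CERT DAYS
# Succeeds if CERT is still valid DAYS days from now. Let's Encrypt
# certificates live 90 days, so a value of 30 flags a renewal that failed.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# key_is_private KEY
# Succeeds if KEY is readable by its owner only (mode ending in 00, e.g. 600).
key_is_private() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null) || return 1
    [ "${mode#"${mode%??}"}" = "00" ]
}

# verify_installed_cert CERT KEY MIN_DAYS
# Runs all three checks; reports the first failure and returns non-zero.
verify_installed_cert() {
    cert_matches_key "$1" "$2" || { echo "FAIL: $2 does not belong to $1" >&2; return 1; }
    cert_valid_for_days "$1" "$3" || { echo "FAIL: $1 expires within $3 days" >&2; return 1; }
    key_is_private "$2" || { echo "FAIL: $2 is readable by group/others" >&2; return 1; }
    echo "OK: $1 matches $2, valid for at least $3 more days, key mode is private"
}

# make_demo_cert
# Constructed self-signed 90-day certificate so the checks can run offline;
# prints the temporary directory that holds cert.pem and key.pem.
make_demo_cert() {
    dir=$(mktemp -d) || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 90 -subj '/CN=example.test' \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" >/dev/null 2>&1 || return 1
    chmod 600 "$dir/key.pem"
    printf '%s\n' "$dir"
}

# Demonstration on the constructed certificate. In production the two paths
# are the ones passed to --key-file and --fullchain-file above.
DEMO_DIR=$(make_demo_cert)
verify_installed_cert "$DEMO_DIR/cert.pem" "$DEMO_DIR/key.pem" 30
```

The same function can be called from the --reloadcmd string, for example by wrapping "docker restart ..." in a small script that runs verify_installed_cert first and only restarts the container when it succeeds, so a broken renewal never replaces a working certificate.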
user xfs;
worker_processes 2;
error_log /var/log/nginx/error.log;
#error_log logs/error.log notice;
#error_log logs/error.log info;
#pid logs/nginx.pid;

events {
    accept_mutex on;
    accept_mutex_delay 500ms;
    multi_accept on;
    worker_connections 1024;
}

http {
    include mime.types;
    default_type application/octet-stream;
    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';
    #access_log logs/access.log main;
    sendfile on;
    #tcp_nopush on;
    #keepalive_timeout 0;
    keepalive_timeout 65;
    # Hide the version number
    server_tokens off;
    client_max_body_size 20m;
    # Enable gzip
    gzip on;
    # Minimum file size for gzip compression; files smaller than this are not compressed
    gzip_min_length 1k;
    # Buffers
    gzip_buffers 4 16k;
    # gzip compression level, 1-10; higher compresses better but uses more CPU time (details below)
    gzip_comp_level 2;
    # File types to compress. JavaScript comes in several forms; the values can be found in mime.types.
    gzip_types text/plain application/javascript application/x-javascript text/css application/xml text/javascript application/x-httpd-php image/jpeg image/gif image/png;
    # Whether to add Vary: Accept-Encoding to the HTTP header; recommended
    gzip_vary on;
    # Disable gzip for IE 6
    gzip_disable "MSIE [1-6]\.";

    server {
        listen 88;
        server_name localhost;
        root /var/www/html/ddz-vue/dist;
        location / {
            #index index.html index.htm;
            try_files $uri $uri/ /index.html;
        }
    }

    server {
        listen 80;
        server_name localhost;
        #charset koi8-r;
        #access_log logs/host.access.log main;
        # if ($http_referer ~* ^http://www.1vgs.com$) {
        #     return 500;
        # }
        rewrite ^ https://$http_host$request_uri? permanent;
        location ~* ^.+\.(ico|gif|jpg|jpeg|png)$ {
            access_log off;
            expires 30d;
        }
        location ~* ^.+\.(css|js|txt|xml|swf|wav)$ {
            access_log off;
            expires 24h;
        }
        location ~* ^.+\.(html|htm)$ {
            expires 1h;
        }
        location ~* ^.+\.(eot|ttf|otf|woff|svg)$ {
            access_log off;
            expires max;
        }
        #location / {
        #    try_files $uri $uri/ /index.php?$query_string;
        #    index index.html index.htm index.php;
        #}
        root /var/www/html;
        location / {
            index index.html index.php index.htm;
            if (!-e $request_filename) {
                rewrite ^(.*)$ /index.php?s=/$1 last;
                break;
            }
        }
        #error_page 404 /404.html;
        # redirect server error pages to the static page /50x.html
        #
        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
            root html;
        }
        # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
        #
        location ~ \.php$ {
            fastcgi_pass php:9000;
            fastcgi_index index.php;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            include fastcgi_params;
        }
        # deny access to .htaccess files, if Apache's document root
        # concurs with nginx's one
        #
        #location ~ /\.ht {
        #    deny all;
        #}
    }

    # HTTPS server
    server {
        listen 443 ssl;
        server_name localhost;
        # listen 443 ssl;
        # server_name voocel.com;
        #keepalive_timeout 100;
        #valid_referers none blocked server_names
        #    https://segmentfault.com;
        #if ($invalid_referer) {
        #    return 403;
        #}
        # Forbid direct access by IP address
        if ( $host ~* "\d+\.\d+\.\d+\.\d+" ) {
            return 501;
        }
        ssl_certificate /etc/nginx/cert/cert.pem;
        ssl_certificate_key /etc/nginx/cert/key.pem;
        ssl_session_cache shared:SSL:1m;
        ssl_session_timeout 5m;
        ssl_ciphers HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers on;
        root /usr/share/nginx/html/blog/public;
        location ~* ^.+\.(ico|gif|jpg|jpeg|png)$ {
            access_log off;
            expires 30d;
        }
        location ~* ^.+\.(css|js|txt|xml|swf|wav)$ {
            access_log off;
            expires 24h;
        }
        location ~* ^.+\.(html|htm)$ {
            expires 1h;
        }
        location ~* ^.+\.(eot|ttf|otf|woff|svg)$ {
            access_log off;
            expires max;
        }
        location / {
            #valid_referers https://segmentfault.com;
            #if ($invalid_referer) {
            #    return 502;
            #}
            #root /www/project/myblog/public;
            try_files $uri $uri/ /index.php?$query_string;
            index index.html index.htm index.php;
        }
        location ~ \.php$ {
            root /var/www/html/blog/public;
            fastcgi_pass php:9000;
            fastcgi_index index.php;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            include fastcgi_params;
        }
    }
}
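The TLS part of the HTTPS server above works, but it sets no ssl_protocols (so the accepted versions are whatever the running nginx release defaults to) and its HIGH cipher string still admits suites with static RSA key exchange, which have no forward secrecy. The fragment below is an added example, not from the original post: a tightened TLS section for that server block. It keeps the /etc/nginx/cert/ paths the original config uses; the server_name is a placeholder, and every directive is a standard nginx one.

```nginx
# Added example, not part of the original configuration: hardened TLS settings
# for the "HTTPS server" block. Only the TLS-related directives are shown; the
# root, location and fastcgi settings from the original block stay unchanged.
server {
    listen 443 ssl;
    server_name example.test;                  # placeholder: use your own domain

    ssl_certificate     /etc/nginx/cert/cert.pem;   # --fullchain-file from section 3
    ssl_certificate_key /etc/nginx/cert/key.pem;    # --key-file from section 3

    # Pin the protocol versions instead of relying on the nginx default.
    ssl_protocols TLSv1.2 TLSv1.3;

    # Forward-secret AEAD suites only, replacing the broad HIGH:!aNULL:!MD5 list.
    # (TLS 1.3 suites are not configured here; nginx enables them by default.)
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    # With a curated list like the one above the client's preference can be honoured.
    ssl_prefer_server_ciphers off;

    # Session resumption via the server-side cache; tickets are disabled because
    # the ticket key would otherwise protect all resumed sessions until restart.
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 1d;
    ssl_session_tickets off;

    # Tell browsers to keep using HTTPS for this host (two years).
    add_header Strict-Strict-Transport-Security-Placeholder "" always;
    add_header Strict-Transport-Security "max-age=63072000" always;

    # ... root, location and fastcgi directives as in the original block ...
}
```

After editing, run "nginx -t" (or the equivalent inside the container) before the --reloadcmd restart, since a syntax error in the TLS block would otherwise take the site down at the next renewal.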
5. Automatic certificate renewal
After acme.sh is installed it automatically creates a cron job. Running crontab -l shows output like this:
54 0 * * * "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null
6. Updating acme.sh
Because both the ACME protocol and the Let's Encrypt CA change frequently, acme.sh is updated often to keep in sync.
Upgrade acme.sh to the latest version:
acme.sh --upgrade
Enable automatic upgrades:
acme.sh --upgrade --auto-upgrade
Disable automatic upgrades:
acme.sh --upgrade --auto-upgrade 0