0x01: 背景
博客经常不更新,服务器还时不时挂掉一次,导致 PageRank 基本是负的了,不过技术上要跟的上更新啊! 微信小程序接口必须是 https, 这次就当是练手了。
0x02: 整体思路流程
确保自己的域名解析全部是
A 记录
使用 Let’s Encrypt 证书, Certbot 安装证书
使用
Crontab
自动Renew
证书配置 Nginx ,
SSL Server
将 HTTP 跳转到 HTTPS , 将
WWW
跳转到NON-WWW
用检测工具检测一下自己 HTTPS 的评级
0x03: 检查自己的域名解析是否是A记录
刚开始使用 Certbot
安装证书的时候,老是报错,经过搜索发现,原来自己的域名有 CNAME
解析的。 所以在安装证书钱,请确保自己的域名都是A记录解析
0x04: 使用免费的 Let’s Encrypt 证书
关于免费的证书,这里有其他选项可供选择:
阿里云免费的 : Symantec 证书
Let’s Encrypt :免费证书
一站式解决方案: cloudflare
根据 Lets’ Encrypt 官网说明,我们使用推荐的 Certbot
安装我们的证书。 当然你也可以选择 acme-tiny 来安装证书。
我的服务器环境是 CentOS 7
和 Nginx/1.10.1
, 这里强烈推荐大家将Nginx 升级到最新的版本,新版本在SSL配置上比较省事。
//安装Certbot
sudo yum install certbot
//安装命令很简单, -w 后面跟网站根目录, -d 就是你要添加证书的域名,如果有多个域名,多个-d就可以了
certbot certonly --webroot -w /var/www/example -d example.com -d www.example.com
如果顺利,他会提示出安装成功,证书会保存在 /etc/letsencrypt/live/example.com/
里面。
0x05: 使用 Crontab 定时Renew 证书
因为是免费证书, 所以有一个有效期是90天,到期之后需要 Renew
一下。 官方推荐是每天检查用任务 Renew
两次,因为如果证书没过期,他就只是检测一下,并不会做其他操作。这里我们设置的定时任务是每天检查一次。
$ crontab -e
10 6 * * * certbot renew --quiet
//列出任务看看是否添加成功
$ crontab -l
0x06: 配置NGINX, SSL Server
节约生命,请使用神器: Mozilla出品的 SSL配置生成器
使用生成器需要填写 nginx
和 openssl
版本, 用下面命令进行查看
//查看nginx版本
nginx -v
//查看openssl 版本
yum info openssl
//如果需要更新openssl
yum update openssl
下面就是我生成的配置(nginx: 1.10.1, openssl: 1.0.1e)
server {
server_name example.com wwww.example.com;
# Redirect all HTTP requests to HTTPS with a 301 Moved Permanently response.
return 301 https://example.com$request_uri;
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
# certs sent to the client in SERVER HELLO are concatenated in ssl_certificate
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/example.com/chain.pem;
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
# Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
ssl_dhparam /etc/letsencrypt/live/example.com/dhparam.pem;
# intermediate configuration. tweak to your needs.
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
ssl_prefer_server_ciphers on;
# HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
add_header Strict-Transport-Security max-age=15768000;
# OCSP Stapling ---
# fetch OCSP records from URL in ssl_certificate and cache them
ssl_stapling on;
ssl_stapling_verify on;
## verify chain of trust of OCSP response using Root CA and Intermediate certs
#ssl_trusted_certificate /path/to/root_CA_cert_plus_intermediates;
#resolver <IP DNS resolver>;
server_name example.com;
index index.html;
root /home/wwwroot/example.com;
location ~ .*\.(ico|gif|jpg|jpeg|png|bmp|swf)$
{
access_log off;
expires 1d;
}
location ~ .*\.(js|css|txt|xml)?$
{
access_log off;
expires 12h;
}
location / {
try_files $uri $uri/ =404;
}
access_log /home/wwwlogs/example.com.log access;
}
上面配置的第一个 Server
将所有的 http 请求跳转到 https 请求上。 其中 ssl_dhparam
这个参数的 .pem
用下面命令生成:
openssl dhparam -out /etc/letsencrypt/live/example.com/dhparam.pem 2048
现在加上https看一下效果吧!
0x07: 将WWW跳转到NON-WWW
为了SEO,网站使用 WWW 前缀,或者全部不使用 WWW,要实现的效果就是将下面三种情况,
统统跳转到 https://example.com
http://example.com
http://www.example.com
https://www.example.com
0x06中的配置,第一个 server
已经将处理好钱两种情况, 现在来处理第三种情况。
这个配置主要需要注意
的是,这里也要加上所有的 ssl
配置参数。
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
# certs sent to the client in SERVER HELLO are concatenated in ssl_certificate
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/example.com/chain.pem;
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
# Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
ssl_dhparam /etc/letsencrypt/live/example.com/dhparam.pem;
# intermediate configuration. tweak to your needs.
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
ssl_prefer_server_ciphers on;
# HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
add_header Strict-Transport-Security max-age=15768000;
# OCSP Stapling ---
# fetch OCSP records from URL in ssl_certificate and cache them
ssl_stapling on;
ssl_stapling_verify on;
## verify chain of trust of OCSP response using Root CA and Intermediate certs
#ssl_trusted_certificate /path/to/root_CA_cert_plus_intermediates;
server_name www.example.com;
return 301 https://example.com$request_uri;
}