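Nginx + Let's Encrypt: HTTPS access to Qiniu bucket resources

The previous article, "Binding a custom domain to a Qiniu cloud storage bucket and upgrading it to HTTPS with Qiniu's free SSL certificate", described how to use Qiniu's free SSL certificate to upgrade a custom domain to HTTPS.

I wonder whether anyone else worries, as I do, about what happens if Qiniu's SSL certificate stops being free after a year. Paying several thousand yuan per domain per year is no small amount for individuals and small businesses.

It would be perfect if a domain bound to a Qiniu bucket could use a free certificate such as one from Let's Encrypt.
However, Qiniu currently does not support short-lived free certificates like those from Let's Encrypt.

Below I show a way to access Qiniu resources over HTTPS using Nginx + Let's Encrypt.

I. Prerequisites

  1. First, note that this method effectively gives up the CDN advantage of Qiniu cloud storage, so it only suits individuals and small companies with low traffic.
  2. You need a domain name.
  3. The Qiniu bucket should already be bound to a custom domain; if you don't know how to bind one, see the previous article. The domain I bound is md.ws65535.top.
  4. A Linux server with a public IP. My server's IP is 54.191.48.61 and it runs Ubuntu 14.04. Other distributions work the same way; only the package installation method and directory layout differ slightly.

II. Install Nginx

1. Install nginx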

ubuntu@ip-172-31-27-111:~$ sudo apt-get install nginx

2. Check the nginx version

ubuntu@ip-172-31-27-111:~$ nginx -v
nginx version: nginx/1.4.6 (Ubuntu)

3. Start nginx

ubuntu@ip-172-31-27-111:~$ sudo service nginx start

ubuntu@ip-172-31-27-111:~$ ss -tln
State      Recv-Q Send-Q               Local Address:Port                 Peer Address:Port
LISTEN     0      128                              *:80                    *:*
LISTEN     0      128                              *:22                    *:*
LISTEN     0      128                             :::80                    :::*
LISTEN     0      128                             :::22                    :::*

4. Check that nginx was installed successfully

ubuntu@ip-172-31-27-111:~$ curl http://54.191.48.61
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
    body {
        width: 35em;
        margin: 0 auto;
        font-family: Tahoma, Verdana, Arial, sans-serif;
    }
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>

<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p>

<p><em>Thank you for using nginx.</em></p>
</body>
</html>

III. Configure an Nginx reverse proxy that forwards all requests for qiniu-ssl.ws65535.top to md.ws65535.top

1. sudo vim /etc/nginx/sites-enabled/qiniu-ssl

server {
    server_name qiniu-ssl.ws65535.top;

    location / {
        proxy_pass http://md.ws65535.top;
    }
}

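After editing, reload the Nginx configuration file with nginx -s reload.

2. Log in to the console of your DNS provider (Alibaba Cloud in this example) and add a DNS record.

The record type is A, the host record is qiniu-ssl.ws65535.top, and the server IP is 54.191.48.61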

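3. You can now use qiniu-ssl.ws65535.top in place of md.ws65535.top to access Qiniu bucket resources

For example,
http://qiniu-ssl.ws65535.top/xsj/2018_8_6_2018-08-06_181854.jpg
serves the resource at
http://md.ws65535.top/xsj/2018_8_6_2018-08-06_181854.jpg

IV. Install the HTTPS certificate

Only the installation method for Ubuntu 14.04 is recorded here.

1. Install Certbot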

$ sudo apt-get update
$ sudo apt-get install software-properties-common
$ sudo add-apt-repository ppa:certbot/certbot
$ sudo apt-get update
$ sudo apt-get install python-certbot-nginx 

2. Install the HTTPS certificate

$ sudo certbot --nginx

Example

ubuntu@ip-172-31-27-111:~$ sudo certbot --nginx
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx

Which names would you like to activate HTTPS for?
-------------------------------------------------------------------------------
1: agency.ws65535.xyz
2: qiniu-ssl.ws65535.top
-------------------------------------------------------------------------------
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 2 # here we choose to enable HTTPS for qiniu-ssl.ws65535.top
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for qiniu-ssl.ws65535.top
Waiting for verification...
Cleaning up challenges
Deploying Certificate to VirtualHost /etc/nginx/sites-enabled/qiniu-ssl

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
-------------------------------------------------------------------------------
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2 # whether to force requests made over HTTP to be redirected to HTTPS
Redirecting all traffic on port 80 to ssl in /etc/nginx/sites-enabled/qiniu-ssl

-------------------------------------------------------------------------------
Congratulations! You have successfully enabled https://qiniu-ssl.ws65535.top

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=qiniu-ssl.ws65535.top
-------------------------------------------------------------------------------

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/qiniu-ssl.ws65535.top/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/qiniu-ssl.ws65535.top/privkey.pem
   Your cert will expire on 2018-11-04. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot again
   with the "certonly" option. To non-interactively renew *all* of
   your certificates, run "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

3. Looking at the configuration file /etc/nginx/sites-enabled/qiniu-ssl again, you can see that certbot has modified it

ubuntu@ip-172-31-27-111:~$ cat /etc/nginx/sites-enabled/qiniu-ssl
server {
    server_name qiniu-ssl.ws65535.top;

    location / {
        proxy_pass http://md.ws65535.top;
    }


    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/qiniu-ssl.ws65535.top/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/qiniu-ssl.ws65535.top/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

}
server {
    if ($host = qiniu-ssl.ws65535.top) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    server_name qiniu-ssl.ws65535.top;
    listen 80;
    return 404; # managed by Certbot
}

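4. Now a request for http://qiniu-ssl.ws65535.top/xsj/2018_8_6_2018-08-06_181854.jpg is forcibly redirected to https://qiniu-ssl.ws65535.top/xsj/2018_8_6_2018-08-06_181854.jpg

5. Because the SSL certificates issued by Let's Encrypt are valid for 90 days, add a scheduled task to renew the certificate periodically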

  • sudo vim /etc/crontab
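# Automatically renew the SSL certificate every month
# (no --dry-run here: that flag only performs a test renewal and saves no certificate)
19 3 1 * * root /usr/bin/certbot renew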
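
A hardened variant of the HTTPS server block that certbot wrote in step 3, added here as an example; it is not part of the original article or of certbot's output. The HSTS max-age and the timeout values are assumptions, and the certificate only protects the browser-to-server leg, because the hop from this server to Qiniu remains plain HTTP.

```nginx
# Added example: the 443 server block from step 3 with hand-written hardening.
# Lines marked "managed by Certbot" are unchanged from the article.
server {
    server_name qiniu-ssl.ws65535.top;

    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/qiniu-ssl.ws65535.top/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/qiniu-ssl.ws65535.top/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

    # Do not advertise the nginx version in the Server header and error pages.
    server_tokens off;

    # Ask browsers to use HTTPS only for this host (180 days, assumed value;
    # start with a small max-age while testing, since clients cache it).
    # The "always" flag needs nginx 1.7.5+, so it is omitted for 1.4.6.
    add_header Strict-Transport-Security "max-age=15552000";

    location / {
        # The bucket is served read-only: allow GET (which implies HEAD)
        # and refuse every other method at the proxy with 403.
        limit_except GET {
            deny all;
        }

        # This hop is still plain HTTP: traffic between this server and
        # Qiniu crosses the Internet unencrypted.
        proxy_pass http://md.ws65535.top;

        # The bucket is bound to md.ws65535.top, so send that name as Host
        # (this is also nginx's default for the proxy_pass above).
        proxy_set_header Host md.ws65535.top;

        # Cookies and credentials sent to this site are of no use to the
        # storage origin; an empty value makes nginx drop the header upstream.
        proxy_set_header Cookie "";
        proxy_set_header Authorization "";

        # Fail fast when the origin is unreachable (assumed values).
        proxy_connect_timeout 5s;
        proxy_read_timeout 30s;
    }
}
```

Run nginx -t before nginx -s reload so that a syntax error does not take the site down.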
    Original author: 白菜1031
    Original article: https://segmentfault.com/a/1190000015921213