The LNMP installation scripts I had been using (LNMP, wcd and the like) were all acquired overnight, so for the safety of my own data I started setting up each runtime environment from apt instead. Today's note covers installing nginx with apt and configuring Let's Encrypt.
1. Installing nginx
Update the server packages first:
apt-get update -y && apt-get upgrade -y
Install nginx; nothing needs to be selected, just wait for the installation to finish:
apt-get install nginx
Once it is done, nginx can be managed with the following commands:
sudo systemctl restart nginx # restart
sudo systemctl stop nginx # stop
sudo systemctl start nginx # start
sudo systemctl status nginx # show status
2. Configuring an nginx site
When installed via apt, nginx lives in /etc/nginx. Edit nginx.conf in that directory and make sure it contains
include /etc/nginx/sites-available/*.conf;
Site files added later can then be placed under sites-available; you can of course use another directory, as long as this include line matches it.
Add a file for the domain. You can refer to the BT Panel (宝塔) or LNMP configuration files to tune it. If Let's Encrypt has not been installed and configured yet, do not open port 443 for now, otherwise nginx will error out.
server {
    listen 80;
    server_name example.com;
    root /var/www/example.com;
    index index.html;

    # SSL settings: leave these commented out until certbot has issued the
    # certificate; certbot --nginx writes the real paths into this file itself
    # ssl_certificate /etc/nginx/certs/example.com.crt;
    # ssl_certificate_key /etc/nginx/certs/example.com.key;

    # Reverse proxy settings
    location /api {
        proxy_pass http://127.0.0.1:8080;
    }
}
When done, run nginx -t to check that the configuration is complete and valid; any errors will be reported.
For multiple sites, just keep adding configuration files in the same way.
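As an added example (not part of the original post), a small POSIX sh script that automates section 2 for each new site: it writes an HTTP-only server block to /etc/nginx/sites-available/<domain>.conf, following the post's layout, and reloads nginx only after nginx -t passes. Two things the manual steps leave implicit are made explicit here: the domain is validated before being interpolated into the config, so a name that came from a form or a ticket cannot smuggle extra directives into the file, and a file that fails nginx -t is removed again so the running server is never left with a broken include. The script name, the SITES_DIR and WEB_ROOT variables and the try_files location are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: create an HTTP-only nginx site
# file for a new domain, validate the whole config, and reload only on success.
# Usage: sh add_site.sh example.com   (script name is an assumption)
# Paths follow the post: /etc/nginx/sites-available/<domain>.conf and /var/www/<domain>.

SITES_DIR="${SITES_DIR:-/etc/nginx/sites-available}"
WEB_ROOT="${WEB_ROOT:-/var/www}"

# valid_domain NAME: accept only hostname characters, so a domain taken from
# user input cannot inject nginx directives (";", "}", "include ...") into the file.
valid_domain() {
    case $1 in
        ''|*[!A-Za-z0-9.-]*|-*|.*|*.|*..*) return 1 ;;
    esac
    [ ${#1} -le 253 ]
}

# render_site_conf DOMAIN: print the server block. Only port 80 is opened;
# certbot --nginx adds the 443 block and certificate paths later.
render_site_conf() {
    cat <<EOF
server {
    listen 80;
    listen [::]:80;
    server_name $1 www.$1;
    root $WEB_ROOT/$1;
    index index.html;

    location / {
        try_files \$uri \$uri/ =404;
    }
}
EOF
}

# install_site DOMAIN: write the file, then run nginx -t before reloading so a
# bad file never takes the running server down; on failure the file is removed.
install_site() {
    valid_domain "$1" || { echo "refusing domain name: $1" >&2; return 1; }
    conf="$SITES_DIR/$1.conf"
    if [ -e "$conf" ]; then echo "$conf already exists" >&2; return 1; fi
    mkdir -p "$WEB_ROOT/$1"
    render_site_conf "$1" > "$conf"
    if nginx -t; then
        systemctl reload nginx
    else
        rm -f "$conf"
        echo "nginx -t failed; removed $conf" >&2
        return 1
    fi
}

if [ $# -eq 1 ]; then
    install_site "$1"
fi
```

Run it as root with the domain as the only argument; after the certificate has been issued in section 3, certbot's own edits to the generated file replace the need for the commented-out SSL lines shown above.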
3. Installing and configuring Let's Encrypt
First install the required components and the certbot client:
sudo apt install certbot python3-certbot-nginx
Check the nginx site configuration file and make sure its server_name contains the domain(s) you want to request a Let's Encrypt certificate for.
...
server_name example.com www.example.com;
...
Something like that.
Obtaining an SSL certificate
Certbot offers several plugins for obtaining an SSL certificate. The Nginx plugin takes care of reconfiguring Nginx and reloading the configuration where necessary. To use this plugin, enter the following:
sudo certbot --nginx -d example.com -d www.example.com
If you are requesting a certificate for a subdomain or for a single domain, sudo certbot --nginx -d xxx.example.com is enough.
Installation starts; the first prompt asks for an administrative e-mail address, after which you can accept the default y for the rest.
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Enter email address (used for urgent renewal and security notices)
(Enter 'c' to cancel): office@example.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.3-September-21-2022.pdf. You must
agree in order to register with the ACME server. Do you agree?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: y
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let's Encrypt project and the non-profit organization that
develops Certbot? We'd like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: y
Account registered.
Requesting a certificate for example.com
Once it completes, certbot reports the details back to you, including where the SSL certificate is saved. It also writes the relevant SSL settings into your domain's configuration file automatically, so the site can be used directly.
Account registered.
Requesting a certificate for example.com
Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/example.com/fullchain.pem
Key is saved at: /etc/letsencrypt/live/example.com/privkey.pem
This certificate expires on 2024-01-14.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.
Deploying certificate
Successfully deployed certificate for example.com to /etc/nginx/sites-available/example.com.conf
Congratulations! You have successfully enabled HTTPS on https://example.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
* Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
* Donating to EFF: https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Automatic renewal with certbot
Let's Encrypt certificates are valid for only ninety days, which is meant to encourage users to automate the renewal process. The certbot package we installed takes care of this for us: it adds a systemd timer that runs twice a day and automatically renews any certificate that is about to expire.
You can query the timer's status with systemctl:
sudo systemctl status certbot.timer
● certbot.timer - Run certbot twice daily
     Loaded: loaded (/lib/systemd/system/certbot.timer; enabled; preset: enabled)
     Active: active (waiting) since Mon 2023-10-16 09:01:42 CST; 9min ago
    Trigger: Mon 2023-10-16 18:19:54 CST; 9h left
   Triggers: ● certbot.service
Oct 16 09:01:42 ser284628194584 systemd[1]: Started certbot.timer - Run certbot twice daily.
To test the renewal process, you can do a dry run with certbot:
sudo certbot renew --dry-run
If you see no errors, you are all set. When necessary, Certbot renews your certificate and reloads Nginx to pick up the changes. If the automatic renewal process fails, Let's Encrypt sends a message to the e-mail address you specified, warning you that the certificate is about to expire.
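A dry run only proves that renewal could work today; it does not tell you later that the twice-daily timer has been silently failing, and the expiry warning e-mail is easy to miss. As an added example (not from the original post), the POSIX sh script below reads the certificate nginx actually serves from /etc/letsencrypt/live/<domain>/fullchain.pem, computes how many days remain, and exits non-zero if the timer is inactive or fewer days are left than a threshold. Since certbot renews once fewer than 30 days remain, anything below the threshold (assumed here to be 20 days) means renewals have been failing. The date arithmetic is done in shell so the script depends only on openssl and systemctl; the script name, the threshold and the sample notAfter lines in the comments are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: verify that the certificate nginx
# is actually serving is far from expiry and that the certbot timer is active.
# Usage: sh check_cert.sh example.com [WARN_DAYS]   (script name and threshold are assumptions)
# Certbot renews when fewer than 30 days remain, so fewer than WARN_DAYS (default 20)
# left means the twice-daily renewal has been failing and needs attention.

# month_num Mon -> 1..12, matching openssl's "notAfter=Jan 14 08:00:00 2024 GMT" format
month_num() {
    case $1 in
        Jan) echo 1 ;;  Feb) echo 2 ;;  Mar) echo 3 ;;  Apr) echo 4 ;;
        May) echo 5 ;;  Jun) echo 6 ;;  Jul) echo 7 ;;  Aug) echo 8 ;;
        Sep) echo 9 ;;  Oct) echo 10 ;; Nov) echo 11 ;; Dec) echo 12 ;;
        *) return 1 ;;
    esac
}

# epoch_days YEAR MONTH DAY -> days since 1970-01-01 (proleptic Gregorian,
# Howard Hinnant's days_from_civil), avoiding a dependency on GNU "date -d".
epoch_days() {
    y=$1; m=$2; d=$3
    if [ "$m" -le 2 ]; then y=$((y - 1)); fi
    era=$((y / 400))
    yoe=$((y - era * 400))
    if [ "$m" -gt 2 ]; then mp=$((m - 3)); else mp=$((m + 9)); fi
    doy=$(( (153 * mp + 2) / 5 + d - 1 ))
    doe=$(( yoe * 365 + yoe / 4 - yoe / 100 + doy ))
    echo $(( era * 146097 + doe - 719468 ))
}

# notafter_epoch "notAfter=Jan 14 08:00:00 2024 GMT" -> Unix time of the expiry
notafter_epoch() {
    set -- ${1#notAfter=}                 # word-split into: Jan 14 08:00:00 2024 GMT
    mon=$(month_num "$1") || return 1
    day=$2; year=$4
    hh=${3%%:*}; rest=${3#*:}; mm=${rest%%:*}; ss=${rest#*:}
    hh=${hh#0}; mm=${mm#0}; ss=${ss#0}    # strip one leading zero: "08" would be read as octal
    echo $(( $(epoch_days "$year" "$mon" "$day") * 86400 + hh * 3600 + mm * 60 + ss ))
}

# days_left NOTAFTER_LINE NOW_EPOCH -> whole days from now until expiry (negative once expired)
days_left() {
    echo $(( ( $(notafter_epoch "$1") - $2 ) / 86400 ))
}

# check_live_cert DOMAIN WARN_DAYS: inspect the deployed chain and compare against the threshold
check_live_cert() {
    cert="/etc/letsencrypt/live/$1/fullchain.pem"
    if [ ! -r "$cert" ]; then echo "no readable certificate at $cert" >&2; return 2; fi
    enddate=$(openssl x509 -in "$cert" -noout -enddate) || return 2
    left=$(days_left "$enddate" "$(date +%s)")
    echo "$1: $left days until expiry ($enddate)"
    [ "$left" -gt "$2" ]
}

if [ $# -ge 1 ]; then
    domain=$1; warn=${2:-20}; status=0
    systemctl is-active --quiet certbot.timer || { echo "certbot.timer is not active" >&2; status=1; }
    check_live_cert "$domain" "$warn" || status=1
    exit $status
fi
```

Run it from cron or a monitoring agent as a user that can read /etc/letsencrypt/live; a non-zero exit is the signal to look at /var/log/letsencrypt/letsencrypt.log and re-run the dry run above.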
A few tweaks
Once SSL is enabled, you can add the following snippet to the site configuration file so that HTTP redirects to HTTPS automatically:
#HTTP_TO_HTTPS_START
if ($server_port !~ 443){
    rewrite ^(/.*)$ https://$host$1 permanent;
}
With that, nginx is installed, multiple sites can be configured, and Let's Encrypt works normally.