重裝旅包 (blog): itchy fingers, writing to share new information with everyone

Requesting a Let's Encrypt certificate and enabling HTTPS (Nginx)

Published 2020-03-09 12:15:50

dnf install certbot

certbot certonly --webroot --webroot-path=/home3/eshop -d power.net.tw -d www.power.net.tw

1: Spin up a temporary webserver (standalone)
2: Place files in webroot directory (webroot)

Choose 2 (webroot), since Nginx is already serving the site from that directory.

openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048
The parameter file is generated at /etc/ssl/certs/dhparam.pem.

Keep both HTTP and HTTPS: define two server blocks, one on port 80 that only redirects, and one on port 443 that serves TLS.

server {
        listen  80;
        server_name  msql.power.net.tw;
        return 301 https://$server_name$request_uri;
}
server {
        listen 443 ssl http2;
        # ... (the rest of the HTTPS block is shown in the full example below)
}

Add to power_eshop.conf:

ssl_certificate /etc/letsencrypt/live/power.net.tw/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/power.net.tw/privkey.pem;

include sslconf.conf;

(The contents of sslconf.conf are listed in full in the example below.)


Periodic renewal (certbot only renews certificates that are close to expiry, so this is safe to run regularly):

certbot renew --quiet --renew-hook "/bin/systemctl reload nginx"

Example: force redirect to HTTPS

server {
        listen  80;
        server_name  msql.power.net.tw;
        return 301 https://$server_name$request_uri;
}

server {
        listen 443 ssl http2;

        server_name  msql.power.net.tw;
        access_log  logs/power_msql.log;

        ssl_certificate /etc/letsencrypt/live/power.net.tw/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/power.net.tw/privkey.pem;

        include sslconf.conf;
}

-----------------------------------

Contents of sslconf.conf:

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
ssl_ecdh_curve secp384r1;
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
add_header Strict-Transport-Security "max-age=15768000; includeSubdomains; preload";
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
ssl_dhparam /etc/ssl/certs/dhparam.pem;
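An added post-deployment check (example code written for this page, not from the original post, certbot or Nginx) that verifies what the configuration above is meant to deliver: the port-80 redirect, the days left on the served certificate against certbot's 30-day renewal window, the negotiated TLS version (the sslconf.conf above still allows TLSv1 and TLSv1.1, which are deprecated), and the Strict-Transport-Security value. It assumes Python 3 on a machine with network access to the site; the host name msql.power.net.tw is taken from the example, and the pure helpers (days_until_expiry, redirect_ok, hsts_ok) run without any network.

```python
import socket, ssl, sys, time
from http.client import HTTPConnection, HTTPSConnection

RENEW_WITHIN_DAYS = 30        # certbot renew acts when fewer than 30 days remain
MIN_HSTS_MAX_AGE = 15768000   # the max-age set in sslconf.conf (about six months)

def days_until_expiry(not_after, now=None):
    """Days left on a certificate, given the 'notAfter' string from getpeercert()."""
    expires = ssl.cert_time_to_seconds(not_after)   # "Mar  9 12:15:50 2021 GMT" -> epoch secs
    now = time.time() if now is None else now
    return int((expires - now) // 86400)

def redirect_ok(status, location, host, path):
    """The port-80 block must answer 301 to the same host and request URI over https."""
    return status == 301 and location == "https://%s%s" % (host, path)

def hsts_ok(header, min_age=MIN_HSTS_MAX_AGE):
    """Accept Strict-Transport-Security only with a long enough max-age and includeSubDomains."""
    if not header:
        return False
    directives = {}
    for part in header.split(";"):                   # e.g. "max-age=15768000; includeSubdomains; preload"
        name, _, value = part.strip().partition("=")
        directives[name.lower()] = value.strip()
    if not directives.get("max-age", "").isdigit():
        return False
    return int(directives["max-age"]) >= min_age and "includesubdomains" in directives

def check_site(host, path="/"):
    """Live check (needs network): redirect, certificate lifetime, TLS version, HSTS."""
    http = HTTPConnection(host, 80, timeout=5)
    http.request("GET", path)
    resp = http.getresponse()
    redirect = redirect_ok(resp.status, resp.getheader("Location"), host, path)
    http.close()
    ctx = ssl.create_default_context()               # also validates the chain Nginx serves
    with socket.create_connection((host, 443), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            days = days_until_expiry(tls.getpeercert()["notAfter"])
            version = tls.version()
    https = HTTPSConnection(host, 443, timeout=5, context=ctx)
    https.request("GET", path)
    hsts = hsts_ok(https.getresponse().getheader("Strict-Transport-Security"))
    https.close()
    return {"redirect": redirect, "days_left": days, "needs_renewal": days < RENEW_WITHIN_DAYS,
            "tls_version": version, "hsts": hsts}

if __name__ == "__main__":
    print(check_site(sys.argv[1] if len(sys.argv) > 1 else "msql.power.net.tw"))
```

If needs_renewal is True while the cron job from the renewal section is in place, check certbot's log before the certificate actually lapses.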


Deleting (revoking) a certificate

killall certbot

certbot revoke --cert-path /etc/letsencrypt/live/twrotary.com/fullchain.pem --key-path /etc/letsencrypt/live/twrotary.com/privkey.pem

Reinstalling

certbot certonly --webroot --webroot-path=/home/ncolor/twrotary1 -d twrotary.com -d www.twrotary.com
