(Mac OS 10.10.1) Let's Encrypt + nginx: putting a lock on your own website
Let’s Encrypt
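Let's Encrypt is a free SSL certificate issuance project, run by ISRG as a free public-benefit service. It automates certificate issuance, but the certificates are valid for only 90 days.
In October 2015 I happened to see on Weibo that Let's Encrypt had released its beta. For a coder who had once been tormented bloody by HTTPS, this was undoubtedly big news. With the whole web moving toward HTTPS everywhere, Let's Encrypt stands out; it will undoubtedly deal a considerable blow to traditional SSL certificate vendors and push the adoption and promotion of HTTPS to an unprecedentedly hot phase.
Goal: put a lock on the domain xxx.example.com so that https://xxx.example.com is reachable.
(The steps are not written in much detail.)
1. Make sure port 443 is open and reachable on the server that the domain's IP points to
(on the router, forward port 443 to port 443 on the server)
2. Download the letsencrypt project
git clone https://github.com/letsencrypt/letsencrypt
3. Stop every process that is using port 80 (including nginx)
4. cd letsencrypt
5. Run the standalone plugin (sudo)
./letsencrypt-auto certonly --standalone
(you will be prompted for the domain name: xxx.example.com)
Output when the certificate is generated successfully: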
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at
/etc/letsencrypt/live/xxx.example.com/fullchain.pem. Your cert
will expire on 2016-06-16. To obtain a new version of the
certificate in the future, simply run Let's Encrypt again.
- If you like Let's Encrypt, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
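6. Configure nginx (the certificate was generated above; path: /etc/letsencrypt/live/xxx.example.com/)
# nginx configuration
# Port 443, https
server {
    listen 443 ssl;
    server_name xxx.example.com;
    ssl_certificate /etc/letsencrypt/live/xxx.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/xxx.example.com/privkey.pem;
    ssl_session_timeout 5m;
    # SSLv2, SSLv3 and TLSv1 are broken or deprecated; allow TLS 1.2 only.
    # On nginx 1.13.0+ built against OpenSSL 1.1.1+, TLSv1.3 can be added here.
    ssl_protocols TLSv1.2;
    # Strong ciphers only: no anonymous, export, low-strength, RC4 or MD5 suites.
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    location / {
        # Forward to the backend application, passing on the client address and Host header
        proxy_pass http://192.168.1.206:3005;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
    }
}
# Port 80, redirect http to https
server {
    listen 80;
    server_name xxx.example.com;
    rewrite ^ https://$server_name$request_uri? permanent;
    # 497 is raised only when plain HTTP arrives on an SSL port, so it never fires on port 80
    error_page 497 https://$host$uri?$args;
}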
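A pre-reload check for the TLS directives of a server block like the one in step 6, as an added example that is not part of the original post: it flags legacy protocol versions and cipher-string tokens that enable weak suites. The function name audit_nginx_tls and both sample configs are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit_nginx_tls and both sample configs are constructed here.
audit_nginx_tls() {  # $1 = nginx config path; prints findings, returns 1 if any
    awk '
    function weak(p) {
        return index(" ALL LOW EXP EXPORT EXPORT40 EXPORT56 RC4 DES MD5 NULL eNULL aNULL ADH ", " " p " ") > 0
    }
    /^[ \t]*#/ { next }                          # ignore comment lines
    { sub(/;[ \t]*$/, "") }                      # drop the trailing semicolon
    $1 == "ssl_protocols" {
        for (i = 2; i <= NF; i++)
            if ($i ~ /^(SSLv2|SSLv3|TLSv1|TLSv1\.1)$/) {
                printf "line %d: legacy protocol %s\n", NR, $i; bad++
            }
    }
    $1 == "ssl_ciphers" {
        n = split($2, tok, ":")
        for (i = 1; i <= n; i++) {
            c = substr(tok[i], 1, 1)
            if (c == "!" || c == "-" || c == "+") continue  # these never add ciphers
            m = split(tok[i], part, "[+]")       # "A+B" = ciphers matching A and B
            for (j = 1; j <= m; j++)
                if (weak(part[j])) {
                    printf "line %d: weak cipher token %s\n", NR, tok[i]; bad++; break
                }
        }
    }
    END { exit (bad > 0) }
    ' "$1"
}

WEAK_CONF=$(mktemp); HARD_CONF=$(mktemp)
trap 'rm -f "$WEAK_CONF" "$HARD_CONF"' EXIT
cat > "$WEAK_CONF" <<'EOF'
server {
    listen 443 ssl;
    ssl_protocols SSLv2 SSLv3 TLSv1;
    ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
}
EOF
cat > "$HARD_CONF" <<'EOF'
server {
    listen 443 ssl;
    ssl_protocols TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!MD5;
}
EOF
audit_nginx_tls "$WEAK_CONF" || echo "weak sample: do not reload nginx"
audit_nginx_tls "$HARD_CONF" && echo "hardened sample: OK"
```

Run it against the real config file before `nginx -s reload`; `nginx -t` only checks syntax, not the strength of the protocols and ciphers.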
Personal WeChat: mbeslow