加入收藏 | 设为首页 | 会员中心 | 我要投稿 安卓应用网 (https://www.0791zz.com/)- 科技、建站、经验、云计算、5G、大数据,站长网!
当前位置: 首页 > 综合聚焦 > 服务器 > CentOS > 正文

在centos nginx 环境下 搭建 letsencrypt

发布时间:2020-05-22 11:36:44 所属栏目:CentOS 来源:互联网
导读:wget https://dl.eff.org/certbot-auto chmod a+x certbot-auto mv certbot-auto /usr/bin/ 防火墙开启443端口 nginx反向代理的每一个server下,加 location ^~ /.well-known/acme-challenge/ { default_type text/plain; ro

  • wget https://dl.eff.org/certbot-auto

  • chmod a+x certbot-auto

  • mv certbot-auto /usr/bin/

  • 防火墙开启443端口

  • nginx反向代理的每一个server下,加

location ^~ /.well-known/acme-challenge/ {
    default_type "text/plain";
    root     /usr/share/nginx/html;
}

location = /.well-known/acme-challenge/ {
    return 404;
}
  • webroot 方式安装证书
certbot-auto certonly --webroot -w /usr/share/nginx/html/ -d your-domain.com www.your-domain.com api.your-domain.com
  • 生成 迪菲-赫尔曼密钥 以增强安全
openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048
  • nginx反向代理的每一个server下,配置ssl
listen       443 ssl;
        server_name your-domain.com www.your-domain.com;

        ssl_certificate /etc/letsencrypt/live/your-domain.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/your-domain.com/privkey.pem;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_prefer_server_ciphers on;
        ssl_dhparam /etc/ssl/certs/dhparam.pem;
        ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
        ssl_session_timeout 1d;
        ssl_session_cache shared:SSL:50m;
        add_header Strict-Transport-Security max-age=15768000;
  • 80 端口重定向到https
server {
        listen 80;
        server_name api.your-domain.com  your-domain.com www.your-domain.com;
        return 301 https://$host$request_uri;
    }

(编辑:安卓应用网)

【声明】本站内容均来自网络,其相关言论仅代表作者个人观点,不代表本站立场。若无意侵犯到您的权利,请及时与联系站长删除相关内容!
    相关内容
      推荐文章
        站长推荐
        热点阅读

          【免责声明】本站内容转载自互联网,其发布内容言论不代表本站观点,如果其链接、内容的侵犯您的权益,烦请提交相关链接至邮箱bqsm@foxmail.com我们将及时予以处理。

          建议您使用1920×1080分辨率、谷歌浏览器Google Chrome、Microsoft Edge以获得本站的最佳浏览效果

          Copygight © 2008-2022 https://www.0791zz.com/ All Rights Reserved. 安卓应用网