A simple SSL configuration for a website
After setting up this site, I remembered that I should add an SSL certificate, so I started searching. At first I applied for one from StartSSL (since replaced, because some browsers flag that certificate as untrusted; not recommended), which I kept as a spare for the image host. For the main site I used a certificate from Let's Encrypt (since replaced): easy to apply for and convenient to work with.

1. Basic setup and obtaining a certificate

Server environment

OS: CentOS 5.4 32-bit
Web stack: LNMP

Installing the base environment

Just follow these commands step by step (note that --no-check-certificate turns off certificate verification for the download; leave it out if your wget can verify dl.eff.org):

yum install epel-release
cd /root/
wget https://dl.eff.org/certbot-auto --no-check-certificate
chmod +x ./certbot-auto
./certbot-auto -n

Then wait for the dependencies to be installed automatically.

Generating a certificate

1. Single-domain certificate

./certbot-auto certonly --email youemail@gmail.com --agree-tos --webroot -w /home/wwwroot/www.ght.me -d www.ght.me

2. Multiple domains served from the same directory

./certbot-auto certonly --email youemail@gmail.com --agree-tos --webroot -w /home/wwwroot/www.ght.me -d www.ght.me -d ght.me

If you see the following message, the request succeeded:

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/www.ght.me/fullchain.pem. Your cert will
   expire on 2017-01-05. To obtain a new or tweaked version of this
   certificate in the future, simply run certbot-auto again. To
   non-interactively renew *all* of your certificates, run
   "certbot-auto renew"
 - If you lose your account credentials, you can recover through
   e-mails sent to youemail@gmail.com.
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

The certificate is stored in the following directory (named after the domain you entered):

/etc/letsencrypt/live/www.ght.me/

2. Configuring SSL for the site

Edit your virtual host configuration file:

vi /usr/local/nginx/conf/vhost/www.ght.me.conf

Inside the server{} block, replace and add the following. Change

listen 80;

to:

listen 443 ssl;

Then, below the root /home/xxx line (your site's document root), add:

ssl_certificate /etc/letsencrypt/live/www.ght.me/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/www.ght.me/privkey.pem;
ssl_ciphers "EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5";
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;

Save, then run:

/etc/init.d/nginx reload

Next, go back to nginx's configuration directory:

cd /usr/local/nginx/conf
vi nginx.conf

Once the file is open, comment out the original root /home/wwwroot/default; line (so that it reads #root /home/wwwroot/default;) and change the default server_name to your own domain.

Below it, add:

        # Keep serving ACME challenges over plain HTTP so later renewals still work
        location /.well-known/ {
                add_header Content-Type 'text/plain;';
                root /home/wwwroot/www.ght.me;
        }
        # Send everything else to the HTTPS site (an http:// target here would
        # redirect straight back to this server block and loop)
        location / {
                return 301 https://www.ght.me$request_uri;
        }
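As an added example (not part of the original post), here is a small shell lint to run on a vhost file before reloading nginx. It checks the three mistakes that are easiest to make in the server blocks above: a listen on port 443 without the ssl parameter, a port-80 redirect whose target is still http:// (which loops back to itself), and an ssl_protocols line that still enables SSLv3, TLSv1 or TLSv1.1. It also writes two constructed sample vhosts, one with the weak settings and one hardened (TLSv1.2/1.3 only, plus HSTS); the hardened one assumes a newer nginx and OpenSSL than the CentOS 5.4 box in this post. The www.ght.me paths come from the post; the lint_vhost and check_* function names are mine.

```shell
#!/bin/sh
# Added example (not from the original post): lint an nginx vhost before reloading.
# Pure sed/grep, so it runs without nginx. Function names are mine; paths and
# the domain are the post's.

# Configuration text with comments removed, so commented-out lines are not flagged.
active_lines() {
    sed 's/#.*//' "$1"
}

# 1. Every listen on port 443 must carry the ssl parameter; without it nginx
#    speaks plain HTTP on 443 and browsers report a protocol error.
check_listen_ssl() {
    bad=$(active_lines "$1" \
          | grep -E 'listen[[:space:]]+([0-9.]*:)?443([[:space:]]|;)' \
          | grep -vE 'listen[^;]*[[:space:]]ssl([[:space:]]|;)' || true)
    if [ -n "$bad" ]; then
        printf 'listen 443 without ssl: %s\n' "$bad" >&2
        return 1
    fi
    return 0
}

# 2. The port-80 redirect must point at https://; an http:// target on the same
#    host just comes back to this server block and the browser reports a loop.
check_redirect_https() {
    bad=$(active_lines "$1" \
          | grep -E 'return[[:space:]]+30[1278][[:space:]]+http://' || true)
    if [ -n "$bad" ]; then
        printf 'redirect back to plain http: %s\n' "$bad" >&2
        return 1
    fi
    return 0
}

# 3. ssl_protocols must not enable SSLv2/SSLv3/TLSv1/TLSv1.1 (TLSv1.2 and TLSv1.3 only).
check_protocols() {
    bad=$(active_lines "$1" \
          | grep -E 'ssl_protocols[[:space:]]' \
          | grep -E '(SSLv[23]|TLSv1(\.1)?)([[:space:]]|;)' || true)
    if [ -n "$bad" ]; then
        printf 'legacy protocol enabled: %s\n' "$bad" >&2
        return 1
    fi
    return 0
}

# Runs all checks; prints the number of problems and fails if it is not zero.
lint_vhost() {
    n=0
    check_listen_ssl "$1"     || n=$((n + 1))
    check_redirect_https "$1" || n=$((n + 1))
    check_protocols "$1"      || n=$((n + 1))
    echo "$n"
    [ "$n" -eq 0 ]
}

# Constructed samples: weak.conf mirrors the post's settings plus the http://
# redirect mistake; hardened.conf is the corrected form (needs nginx >= 1.13).
write_samples() {
    cat > "$1/weak.conf" <<'EOF'
server {
    listen 443 ssl;
    server_name www.ght.me;
    ssl_certificate /etc/letsencrypt/live/www.ght.me/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/www.ght.me/privkey.pem;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
}
server {
    listen 80;
    server_name www.ght.me;
    location /.well-known/ { root /home/wwwroot/www.ght.me; }
    location / { return 301 http://www.ght.me$request_uri; }
}
EOF
    cat > "$1/hardened.conf" <<'EOF'
server {
    listen 443 ssl;
    server_name www.ght.me;
    ssl_certificate /etc/letsencrypt/live/www.ght.me/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/www.ght.me/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    add_header Strict-Transport-Security "max-age=31536000" always;
}
server {
    listen 80;
    server_name www.ght.me;
    location /.well-known/ { root /home/wwwroot/www.ght.me; }
    location / { return 301 https://www.ght.me$request_uri; }
}
EOF
}

# Usage: sh lint-vhost.sh /usr/local/nginx/conf/vhost/www.ght.me.conf [more.conf ...]
for f in "$@"; do
    if lint_vhost "$f" >/dev/null; then
        echo "$f: ok"
    else
        echo "$f: fix the findings above before reloading nginx"
    fi
done
```

The checks strip comments first, so a commented-out `#listen 443;` is not reported; a `#` inside a quoted nginx string would also be treated as a comment start, which is fine for the directives looked at here.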

Save, then run:

/etc/init.d/nginx reload

Remember to change the domain in the block above to your own.

Now check whether your site loads over SSL. If you are not hosting images and similar assets on a third-party platform, you should see the familiar green padlock. If you are, you also need to change those links to SSL, otherwise you will get a yellow warning triangle instead.

Notes

Of course, if obtaining the certificate as described above feels like too much hassle, you can follow the link to this very simple site, which can obtain one for you:

Link: an easier way to get an SSL certificate

Enter your domain as shown in the screenshot and get the certificate with one click:
[screenshot of the one-click form, not reproduced here]

Certificate validity and renewal

Let's Encrypt certificates are valid for only three months, so they have to be renewed regularly. You can add the following scheduled task on the server (it renews automatically once a month; a longer interval such as every two or three months is fine too, just don't make it too frequent):

0 0 1 * * /root/certbot-auto renew
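Added example, not from the original post: a renewal wrapper to call from the cron line instead of running certbot-auto renew directly. It reports the days left on the live certificate (the "Your cert will expire on ..." date from the certbot output earlier), verifies that privkey.pem actually belongs to fullchain.pem (the pair nginx loads in the vhost above), and passes --post-hook so nginx is reloaded only when certbot actually renewed something; certbot-auto renew on its own leaves nginx serving the old certificate until the next reload. It assumes GNU date (for date -d) and OpenSSL 1.0 or newer on the box; the /etc/letsencrypt/live/www.ght.me and /root/certbot-auto paths are the post's, the function names are mine.

```shell
#!/bin/sh
# Added example (not from the original post): renewal wrapper for the cron job.
# Assumes GNU date ("date -d") and the openssl command line tool (1.0 or newer).
# Paths are the ones used in the post; override with LIVE_DIR / CERTBOT if needed.
LIVE_DIR="${LIVE_DIR:-/etc/letsencrypt/live/www.ght.me}"
CERTBOT="${CERTBOT:-/root/certbot-auto}"

# Whole days until the expiry in a string like "notAfter=Jan  5 00:00:00 2017 GMT"
# (the format "openssl x509 -enddate" prints), counted from the epoch time in $2
# (default: now). Negative once the certificate has expired.
days_left_from_enddate() {
    end_str="${1#notAfter=}"
    now="${2:-$(date -u +%s)}"
    end=$(date -u -d "$end_str" +%s) || return 2
    echo $(( (end - now) / 86400 ))
}

# Days left on the first certificate in a PEM file (for fullchain.pem: the leaf).
days_left_for_cert() {
    enddate=$(openssl x509 -in "$1" -noout -enddate) || return 2
    days_left_from_enddate "$enddate"
}

# True when the certificate is inside the renewal window ($2 days, default 30,
# which is the point at which "certbot renew" decides to act).
needs_renewal() {
    days=$(days_left_for_cert "$1") || return 2
    [ "$days" -le "${2:-30}" ]
}

# True when the public key in the certificate equals the one derived from the
# private key, i.e. ssl_certificate and ssl_certificate_key belong together.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout) || return 2
    [ "$cert_pub" = "$key_pub" ]
}

main() {
    cert="$LIVE_DIR/fullchain.pem"
    key="$LIVE_DIR/privkey.pem"
    echo "$cert: $(days_left_for_cert "$cert") days left"
    key_matches_cert "$cert" "$key" || { echo "$key does not match $cert" >&2; exit 1; }
    # "renew" only touches certificates that are due; --post-hook runs once after a
    # successful renewal, so nginx picks up the new files only when they changed.
    "$CERTBOT" renew --quiet --post-hook "/etc/init.d/nginx reload"
}

# Run the checks and the renewal only when invoked with "run", e.g. from cron:
#   0 0 1 * * /root/renew-cert.sh run
if [ "${1:-}" = "run" ]; then
    main
fi
```

The key/certificate comparison is worth keeping even if you never automate renewal: an nginx reload with a mismatched pair fails, and on a box where the files were copied around by hand that is the usual cause.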

Once HTTPS is enabled, you also need to replace the links in existing posts with SSL ones; the following SQL statement does that:

UPDATE gz_posts SET post_content = replace(post_content,'http://img.ght.me/','https://img.ght.me/');

Replace the domain above with your own!