Nginx study notes (1): how to configure a secure HTTPS web server


    I. System environment

    1. OS: Ubuntu 16.04.2 LTS

    2. Web server: OpenResty 1.11.2.5

    II. Configuration

    1. Get the certbot client

    wget https://dl.eff.org/certbot-auto
    chmod a+x certbot-auto

    (certbot-auto has since been deprecated and removed by EFF; on a current system install certbot from the distribution package or snap instead. The steps below are otherwise unchanged.)

    2. Stop the Nginx service

    The --standalone authenticator used below starts its own temporary web server to answer the challenge, so nothing else may hold the port while certbot runs:

    sudo systemctl stop nginx.service

    3. Issue the certificate

    ./certbot-auto certonly --standalone --email `your-email` -d `your-domain`

    When the site has several domain names, append one -d per name. Every name listed ends up in the Subject Alternative Name extension of one certificate (and, since Let's Encrypt logs every certificate to Certificate Transparency, the full list of names becomes public), for example:

    ./certbot-auto certonly --standalone --email `your-email` -d `domain-1` -d `domain-2`

    sudo ./certbot-auto certonly --standalone --email "yourEmail@qq.com" -d "www.tinywan.com" \
        -d "live.tinywan.com" -d "vod.tinywan.com" -d "livecdn.tinywan.com" \
        -d "nginx-vod.tinywan.com" -d "hls-auth.tinywan.com" -d "hls.tinywan.com" -d "auth.tinywan.com"

    Possible error 1: OSError: Command /opt/eff.org/certbot/venv/bin/python2.7 - setuptools pkg_resources pip wheel failed with error code 2

    Searching turned up a certbot issue comment (#issuecomment-273014451) explaining that this happens when several Python versions are installed. How to remove the conflicting copies?

    Fix:

    apt-get purge python-virtualenv python3-virtualenv virtualenv
    pip install virtualenv

    Possible error 2:

    Cleaning up challenges
    Problem binding to port 443: Could not bind to IPv4 or IPv6.

    Fix: your Nginx service is still running and holding the port; stop it first (step 2). Port 443 is what the tls-sni-01 challenge of that era needed. Let's Encrypt has since retired tls-sni-01, so a current --standalone run answers an http-01 challenge and needs port 80 free instead.

    Output on a successful issuance (the tls-sni-01 challenge shown here has since been retired by Let's Encrypt; a current run performs http-01):

    Saving debug log to /var/log/letsencrypt/letsencrypt.log
    Plugins selected: Authenticator standalone, Installer None
    Obtaining a new certificate
    Performing the following challenges:
    tls-sni-01 challenge for www.tinywan.com
    tls-sni-01 challenge for live.tinywan.com
    tls-sni-01 challenge for vod.tinywan.com
    tls-sni-01 challenge for livecdn.tinywan.com
    tls-sni-01 challenge for nginx-vod.tinywan.com
    tls-sni-01 challenge for hls-auth.tinywan.com
    tls-sni-01 challenge for hls.tinywan.com
    tls-sni-01 challenge for auth.tinywan.com
    Waiting for verification...
    Cleaning up challenges
    
    IMPORTANT NOTES:
     - Congratulations! Your certificate and chain have been saved at:
       /etc/letsencrypt/live/www.tinywan.com-0001/fullchain.pem
       Your key file has been saved at:
       /etc/letsencrypt/live/www.tinywan.com-0001/privkey.pem
       Your cert will expire on 2018-02-22. To obtain a new or tweaked
       version of this certificate in the future, simply run certbot-auto
       again. To non-interactively renew *all* of your certificates, run
       "certbot-auto renew"
     - If you like Certbot, please consider supporting our work by:
    
       Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
       Donating to EFF:                    https://eff.org/donate-le

    4. Inspect the issued certificate

    The files under live/ are symlinks into archive/ that certbot repoints on every renewal, so the Nginx configuration should always reference the live/ paths:

    www@TinywanAliYun:~$ sudo tree /etc/letsencrypt/live/
    /etc/letsencrypt/live/
    └── www.tinywan.top
        ├── cert.pem -> ../../archive/www.tinywan.top/cert1.pem
        ├── chain.pem -> ../../archive/www.tinywan.top/chain1.pem
        ├── fullchain.pem -> ../../archive/www.tinywan.top/fullchain1.pem
        ├── privkey.pem -> ../../archive/www.tinywan.top/privkey1.pem
        └── README
    
    1 directory, 5 files

    5. Edit the Nginx configuration and enable SSL

    sudo vim /usr/local/openresty/nginx/conf/nginx.conf

    Configure the virtual hosts:

    ...
    # HTTP: force-redirect every request to HTTPS
    server {
        listen 80;
        server_name www.tinywan.top;
        # $server_name is the configured name, so the redirect target is never
        # built from the client's raw Host header (which is what $http_host echoes)
        return 301 https://$server_name$request_uri;
    }

    # HTTPS: the SSL certificate
    server {
        listen 443 ssl;
        server_name www.tinywan.top;
        ssl_certificate     /etc/letsencrypt/live/www.tinywan.top/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/www.tinywan.top/privkey.pem;
        # do not advertise the server version in the Server header and error pages
        server_tokens off;

        set $root_path /home/www/web/golang;
        root $root_path;
        location / {
            if (!-e $request_filename) {
                rewrite ^(.*)$ /index.php?s=/$1 last;
            }
        }
    }
    ...

    Note that this block leaves protocol and cipher selection at nginx's defaults, which on this nginx version still offer TLSv1 and TLSv1.1, and sends no HSTS header.
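    The vhost above terminates TLS but keeps the nginx default protocol list, sends no Strict-Transport-Security header and, in its original form, builds the HTTP-to-HTTPS redirect from the client's Host header. The script below is an added example, not code from the original post: it writes a hardened server block for a given domain and certbot directory, and ships a small grep-based linter that flags those weaknesses in any nginx config file. The domain www.example.test, the output paths and the "weak" sample vhost (a constructed copy of the original post's settings) are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: write a hardened HTTPS server block
# for the OpenResty setup above and lint any nginx config for the weak settings
# the original vhost still carries. Domain, certificate directory and output
# path are parameters; www.example.test is a placeholder.

# write_tls_vhost DOMAIN CERT_DIR OUT_FILE
write_tls_vhost() {
    domain=$1; certdir=$2; out=$3
    cat > "$out" <<EOF
# HTTP: redirect everything to HTTPS. \$server_name is the configured name, so the
# redirect target is never built from the client's Host header.
server {
    listen 80;
    server_name $domain;
    return 301 https://\$server_name\$request_uri;
}

server {
    listen 443 ssl http2;
    server_name $domain;

    # fullchain.pem includes the intermediate; cert.pem alone breaks chain building in many clients
    ssl_certificate     $certdir/fullchain.pem;
    ssl_certificate_key $certdir/privkey.pem;

    # TLS 1.0/1.1 off. nginx older than 1.13 (the OpenResty 1.11.x in this post) does not
    # know the TLSv1.3 token, so use "ssl_protocols TLSv1.2;" there.
    ssl_protocols TLSv1.2 TLSv1.3;
    # OpenSSL cipher syntax; suites unknown to an older OpenSSL (CHACHA20 on 1.0.2) are skipped
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers off;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;

    # HSTS is a commitment: enable only once every subdomain is served over HTTPS
    add_header Strict-Transport-Security "max-age=63072000" always;
    server_tokens off;

    # root / location blocks of the site go here
}
EOF
}

# write_weak_vhost OUT_FILE: constructed sample with the original post's settings
write_weak_vhost() {
    cat > "$1" <<'EOF'
server {
    listen 80;
    server_name www.tinywan.top;
    rewrite ^ https://$http_host$request_uri? permanent;
}
server {
    listen 443 ssl;
    server_name www.tinywan.top;
    ssl_certificate /etc/letsencrypt/live/www.tinywan.top/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/www.tinywan.top/privkey.pem;
    server_tokens off;
}
EOF
}

# lint_tls_config FILE: findings on stderr, number of findings on stdout
lint_tls_config() {
    f=$1; n=0
    if ! grep -Eq '^[[:space:]]*ssl_protocols[[:space:]]' "$f"; then
        echo "[$f] ssl_protocols not set: the nginx default still offers TLSv1 and TLSv1.1" >&2; n=$((n+1))
    elif grep -Eq 'ssl_protocols[^;]*[[:space:]](SSLv[23]|TLSv1|TLSv1\.1)([[:space:]]|;)' "$f"; then
        echo "[$f] ssl_protocols enables SSLv3/TLSv1/TLSv1.1" >&2; n=$((n+1))
    fi
    if grep -Eq '(rewrite|return)[^;]*\$http_host' "$f"; then
        echo "[$f] redirect target copied from the raw client Host header (\$http_host)" >&2; n=$((n+1))
    fi
    if grep -Eq 'ssl_certificate[[:space:]]+[^;]*/cert\.pem' "$f"; then
        echo "[$f] ssl_certificate points at cert.pem: the intermediate chain will be missing" >&2; n=$((n+1))
    fi
    if ! grep -q 'Strict-Transport-Security' "$f"; then
        echo "[$f] no Strict-Transport-Security header" >&2; n=$((n+1))
    fi
    if ! grep -Eq '^[[:space:]]*server_tokens[[:space:]]+off' "$f"; then
        echo "[$f] server_tokens not off: version string leaks in headers and error pages" >&2; n=$((n+1))
    fi
    echo "$n"
}

# Usage: sh tls_vhost.sh DOMAIN CERT_DIR OUT_FILE  (writes the vhost, then lints it)
if [ $# -eq 3 ]; then
    write_tls_vhost "$1" "$2" "$3"
    echo "findings in $3: $(lint_tls_config "$3")"
fi
```

    Run it as `sh tls_vhost.sh www.tinywan.top /etc/letsencrypt/live/www.tinywan.top /usr/local/openresty/nginx/conf/https.conf`, include the generated file from nginx.conf, and confirm with `nginx -t` before restarting; running the linter over the original vhost from step 5 reports three findings (default protocol list, Host-header redirect, no HSTS), the generated one none.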

    6. Restart the Nginx service

    sudo systemctl restart nginx.service

    7. Let's Encrypt certificates are valid for 90 days; a crontab entry renews them indefinitely. Because the certificate was issued with --standalone, certbot must bind the port itself again at renewal time, so the job has to stop Nginx around the renewal and start it afterwards (which also makes Nginx load the new files). The hooks run only when a certificate is actually due, i.e. within 30 days of expiry, and the entry belongs in root's crontab:

    # check for renewals every Monday at 02:30
    30 2 * * 1 /home/www/bin/certbot-auto renew --pre-hook "systemctl stop nginx.service" --post-hook "systemctl start nginx.service" >>/home/www/bin/logs/encrypt_auto_update.log 2>&1
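    Before pointing Nginx at the files from step 4, and again after every automatic renewal in step 7, it is worth confirming that privkey.pem really is the key for fullchain.pem, that the certificate covers the intended names, and that it is not about to expire. The script below is an added example, not code from the original post or from certbot, that does both jobs with the openssl command line: run it by hand against a live/ directory, or hand it to certbot as a --deploy-hook, where certbot exports RENEWED_LINEAGE pointing at the renewed live/<name> directory. The NGINX_RELOAD variable is an assumption for setups that renew without stopping Nginx; with the stop/start hooks from the crontab above it stays empty.

```shell
#!/bin/sh
# Added example, not from the original post: sanity-check a certbot-issued
# key/certificate pair with the openssl CLI. Usable by hand after issuance
# (step 4) and as a certbot --deploy-hook after renewal (step 7).

# check_cert_pair CERT KEY [MIN_DAYS]
#   0 -> KEY is the private key for CERT and CERT stays valid for MIN_DAYS (default 14)
#   1 -> public key in CERT does not match KEY
#   2 -> CERT expires within MIN_DAYS days (or has already expired)
check_cert_pair() {
    cert=$1; key=$2; min_days=${3:-14}
    # compare the SubjectPublicKeyInfo from both files; works for RSA and ECDSA keys
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null || true)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null || true)
    if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "KEY MISMATCH: $key is not the private key for $cert" >&2
        return 1
    fi
    # -checkend N succeeds only if the certificate is still valid N seconds from now
    if ! openssl x509 -in "$cert" -noout -checkend $((min_days * 86400)) >/dev/null; then
        echo "EXPIRING: $(openssl x509 -in "$cert" -noout -enddate) is inside the ${min_days}-day threshold" >&2
        return 2
    fi
    return 0
}

# cert_sans CERT: print each DNS name from the Subject Alternative Name extension, one per line
cert_sans() {
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n 1 \
        | tr ',' '\n' | sed -n 's/.*DNS:\([^[:space:]]*\).*/\1/p'
}

# deploy_hook: certbot runs --deploy-hook commands with RENEWED_LINEAGE set to the
# renewed live/<name> directory. Return non-zero (certbot logs a failed hook) if the
# new pair is unsound; reload nginx only if NGINX_RELOAD (assumed variable) is set,
# because the stop/start hooks in the crontab above already restart it.
deploy_hook() {
    lineage=$RENEWED_LINEAGE
    if [ -z "$lineage" ]; then
        echo "deploy_hook: RENEWED_LINEAGE not set (not running under certbot --deploy-hook)" >&2
        return 2
    fi
    check_cert_pair "$lineage/fullchain.pem" "$lineage/privkey.pem" 30 || return $?
    echo "renewed $lineage for: $(cert_sans "$lineage/fullchain.pem" | tr '\n' ' ')"
    if [ -n "$NGINX_RELOAD" ]; then $NGINX_RELOAD; fi
    return 0
}

# Usage:
#   sh certcheck.sh /etc/letsencrypt/live/www.tinywan.top/fullchain.pem /etc/letsencrypt/live/www.tinywan.top/privkey.pem
#   certbot-auto renew --deploy-hook "sh /home/www/bin/certcheck.sh deploy" ...
case "$1" in
    deploy) deploy_hook ;;
    "")     ;;
    *)      cert_sans "$1" && check_cert_pair "$1" "$2" ;;
esac
```

    The key comparison uses the public key rather than an RSA modulus so it also works for the ECDSA keys certbot can issue; the expiry check uses openssl's own -checkend so no date parsing is needed in the shell.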

    A pitfall I hit: nothing I found anywhere fixed it, and in the end the cause was simply too little memory. certbot-auto builds a Python virtualenv on first run (and on self-upgrade), and that build gets killed on a small VPS:

    OSError: Command /opt/eff.org/certbot/venv/bin/python2.7 - setuptools pkg_resources pip wheel failed with error code 2
    
    File "/usr/local/lib/python2.7/dist-packages/virtualenv.py", line 945, in create_environment

    Fix: add a temporary swap file (chmod 600 before mkswap, since swapon refuses a world-readable file):

    user@webserver:~$ sudo fallocate -l 1G /tmp/swapfile
    user@webserver:~$ sudo chmod 600 /tmp/swapfile
    user@webserver:~$ sudo mkswap /tmp/swapfile
    user@webserver:~$ sudo swapon /tmp/swapfile

    Afterwards remember to release the swap file:

    user@webserver:~$ sudo swapoff /tmp/swapfile
    user@webserver:~$ sudo rm /tmp/swapfile

    Error hit when certbot-auto updated its dependencies on Ubuntu 16.04:

    Reading package lists... Done                     
    Reading package lists... Done
    Building dependency tree       
    Reading state information... Done
    augeas-lenses is already the newest version (1.4.0-0ubuntu1).
    ca-certificates is already the newest version (20160104ubuntu1).
    gcc is already the newest version (4:5.3.1-1ubuntu1).
    libaugeas0 is already the newest version (1.4.0-0ubuntu1).
    libffi-dev is already the newest version (3.2.1-4).
    python is already the newest version (2.7.11-1).
    python-dev is already the newest version (2.7.11-1).
    libssl-dev is already the newest version (1.0.2g-1ubuntu4.5).
    openssl is already the newest version (1.0.2g-1ubuntu4.5).
    python-virtualenv is already the newest version (15.0.1+ds-3ubuntu1).
    virtualenv is already the newest version (15.0.1+ds-3ubuntu1).
    0 upgraded, 0 newly installed, 0 to remove and 3 not upgraded.
    Creating virtual environment...
    Traceback (most recent call last):
      File "/usr/lib/python3/dist-packages/virtualenv.py", line 2363, in <module>
        main()
      File "/usr/lib/python3/dist-packages/virtualenv.py", line 719, in main
        symlink=options.symlink)
      File "/usr/lib/python3/dist-packages/virtualenv.py", line 988, in create_environment
        download=download,
      File "/usr/lib/python3/dist-packages/virtualenv.py", line 918, in install_wheel
        call_subprocess(cmd, show_stdout=False, extra_env=env, stdin=SCRIPT)
      File "/usr/lib/python3/dist-packages/virtualenv.py", line 812, in call_subprocess
        % (cmd_desc, proc.returncode))
    OSError: Command /root/.local/share/letsencrypt/bin/python2.7 - setuptools pkg_resources pip wheel failed with error code 2

    Fix: install the client packaged by Ubuntu 16.04 instead (an older certbot release, invoked as letsencrypt rather than certbot-auto): sudo apt install letsencrypt

    English tutorial: https://www.vultr.com/docs/setup-let-s-encrypt-with-lighttpd-on-ubuntu-16-04

    Original article: https://www.cnblogs.com/tinywan/p/7542629.html