Adding HTTPS Support to Your Blog

2020-01-03 16:06:55

Most personal blogs today use free HTTPS certificates, and the most widely used free option is Let's Encrypt, which is backed by a number of large companies such as Moz and Google.

Installing Let's Encrypt (Ubuntu)

 sudo apt-get install certbot

Generating a certificate with Let's Encrypt

certbot usage

certbot [subcommand] [options] [-d domain] [-d domain] ...
e.g. certbot certonly --standalone -d pinkcle.com -d www.pinkcle.com

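-d specifies a domain to issue the certificate for. --standalone makes certbot run its own temporary web server for domain validation, independent of any installed server.

For the full list of options, see: https://certbot.eff.org/docs/using.html#certbot-command-line-options

Note!!!: the domains you request a certificate for must resolve in DNS, otherwise issuance will fail.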

Once generation finishes, the certificate and key files for the domain are created under /etc/letsencrypt/live:

/etc/letsencrypt/live/pinkcle.com/fullchain.pem
/etc/letsencrypt/live/pinkcle.com/privkey.pem

If you have an API server or a subdomain, substitute its name and generate again:

certbot certonly --standalone -d api.pinkcle.com

/etc/letsencrypt/live/api.pinkcle.com/fullchain.pem
/etc/letsencrypt/live/api.pinkcle.com/privkey.pem

Then configure the certificate and key in nginx.

The blog's nginx configuration is listed below:

server{
    listen 80;
    server_name pinkcle.com www.pinkcle.com;
    root /usr/blog;
    
    # redirect all plain-HTTP requests to HTTPS
    rewrite ^(.*)$ https://$host$1 permanent;
    
    location / {
        sendfile on;
        try_files $uri $uri/ =404;
    }
}

# nginx server for the site's static files
server {
        listen 443 ssl;

        ssl_certificate /etc/letsencrypt/live/pinkcle.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/pinkcle.com/privkey.pem;

        root /usr/blog;

        # Add index.php to the list if you are using PHP
        index index.html index.htm index.nginx-debian.html;

        server_name pinkcle.com www.pinkcle.com;

        location / {
                sendfile on;
                # First attempt to serve request as file, then
                # as directory, then fall back to displaying a 404.
                try_files $uri $uri/ =404;
        }
        location ^~ /blogdata/ {
                root /;
                sendfile on;
                try_files $uri $uri/ =404;
        }
}

# API server for the site
server {
        # "ssl on;" is deprecated; enable TLS on the listen directive instead
        listen 443 ssl;

        ssl_certificate /etc/letsencrypt/live/api.pinkcle.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/api.pinkcle.com/privkey.pem;

        server_name api.pinkcle.com;

        location / {
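                # avoid CORS problems: allow only the blog's own origins
                # (pattern is anchored, dots are escaped, no leading wildcard,
                # because credentials are allowed for any origin that matches)
                if ($http_origin ~* "^https?://(www\.)?pinkcle\.com$") {
                        add_header 'Access-Control-Allow-Origin' '$http_origin';
                        add_header 'Access-Control-Allow-Methods' 'POST,GET,OPTIONS';
                        add_header 'Access-Control-Allow-Headers' 'Origin,Authorization,Accept';
                        add_header 'Access-Control-Allow-Credentials' 'true';
                }
                # pass the client address to the backend (header name uses hyphens)
                proxy_set_header X-Real-IP $remote_addr;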
                proxy_set_header Host $http_host;
                proxy_pass http://127.0.0.1:10001/api/;
        }
}
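
The Origin check in the API server block decides which sites may make credentialed cross-origin requests, so the pattern is worth testing before it is deployed. The following is an added example, not part of the original post: it compares a loose pattern (leading `.*`, unescaped dots) with an anchored one against constructed Origin values. The sample origins and helper names are assumptions.

```python
import re

# Loose allowlist pattern: leading ".*" and unescaped dots.
LOOSE = re.compile(r"(^http(s)?://.*(www.)?pinkcle.com$)", re.IGNORECASE)
# Anchored allowlist pattern: only the apex and www hosts, dots escaped.
STRICT = re.compile(r"^https?://(www\.)?pinkcle\.com$", re.IGNORECASE)

# Constructed Origin header values. True means the site owner intends
# this origin to be allowed to call the API with credentials.
SAMPLES = {
    "https://pinkcle.com": True,
    "https://www.pinkcle.com": True,
    "http://pinkcle.com": True,
    "https://notpinkcle.com": False,           # different registrable domain
    "https://blog.notpinkcle.com": False,      # subdomain of that other domain
    "https://pinkcle.com.example.org": False,  # blog name used as a prefix
    "null": False,                             # sandboxed or file:// documents
}


def allowed(pattern, origin):
    """Mimic nginx's `~*` operator: case-insensitive, unanchored search."""
    return pattern.search(origin) is not None


def audit(pattern):
    """Return the sample origins where the pattern disagrees with the intent."""
    return sorted(o for o, want in SAMPLES.items() if allowed(pattern, o) != want)


if __name__ == "__main__":
    for name, pattern in (("loose", LOOSE), ("strict", STRICT)):
        wrong = audit(pattern)
        print(f"{name}: {'OK' if not wrong else 'mismatches: ' + ', '.join(wrong)}")
```

Any origin listed as a mismatch would have its value echoed back in Access-Control-Allow-Origin together with Access-Control-Allow-Credentials: true.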

Then restart nginx:

sudo service nginx restart

Visit http://pinkcle.com and https://pinkcle.com in a browser and you will see that the site now shows the secure indicator.
