How to set up a free, automatically renewing Let's Encrypt SSL certificate with certbot on an Ubuntu host at DigitalOcean
A previous post gave a brief introduction to HTTPS on port 443 and to basic cryptography concepts. For a public-facing website, a security certificate is also part of the storefront, much like whether a pork stall displays the domestic-origin label. Since around 2018, Chrome marks sites without HTTPS as "Not secure" by default, which affects traffic and how long visitors are willing to stay on the page.
Commands to run certbot on the hosting server:

sudo apt install python-certbot-nginx    (old command)
sudo apt install python3-certbot-nginx   (newer versions use this command)

Finally:

sudo certbot --nginx -d {domain name} -d www.{domain name}
This command automatically edits the port setting in the nginx default file to point at 443 (path: /etc/nginx/sites-enabled, changing the default 80 to 443).

When the command runs you will see output like the following. Be careful here: there are two prompts. When asked what to do when users try to reach the site over HTTP on port 80, enter 2, which redirects them to the HTTPS (443) version of the URL.

If you now refresh the page, the site that was previously marked "Not secure" suddenly shows the padlock of a valid certificate.

Certificates usually expire after 3 months. Use

sudo certbot renew --dry-run

to test whether a new certificate will be obtained when the current one expires. Remove the --dry-run flag to run the renewal for real; it overwrites the old certificate.
The complete nginx default file as configured for us by certbot:
##
# You should look at the following URL's in order to grasp a solid understanding
# of Nginx configuration files in order to fully unleash the power of Nginx.
# https://www.nginx.com/resources/wiki/start/
# https://www.nginx.com/resources/wiki/start/topics/tutorials/config_pitfalls/
# https://wiki.debian.org/Nginx/DirectoryStructure
#
# In most cases, administrators will remove this file from sites-enabled/ and
# leave it as reference inside of sites-available where it will continue to be
# updated by the nginx packaging team.
#
# This file will automatically load configuration files provided by other
# applications, such as Drupal or Wordpress. These applications will be made
# available underneath a path with that package name, such as /drupal8.
#
# Please see /usr/share/doc/nginx-doc/examples/ for more detailed examples.
##

# Default server configuration
server {
    # SSL configuration
    #
    # listen 443 ssl default_server;
    # listen [::]:443 ssl default_server;
    #
    # Note: You should disable gzip for SSL traffic.
    # See: https://bugs.debian.org/773332
    #
    # Read up on ssl_ciphers to ensure a secure configuration.
    # See: https://bugs.debian.org/765782
    #
    # Self signed certs generated by the ssl-cert package
    # Don't use them in a production server!
    #
    # include snippets/snakeoil.conf;

    root /var/www/html;

    # Add index.php to the list if you are using PHP
    index index.html index.htm index.nginx-debian.html;

    server_name www.costudio.xyz costudio.xyz; # managed by Certbot

    location ^~ /assets/ {
        gzip_static on;
        expires 12h;
        add_header Cache-Control public;
    }

    location / {
        proxy_http_version 1.1;
        proxy_cache_bypass $http_upgrade;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_pass http://localhost:3222;
    }

    listen [::]:443 ssl ipv6only=on; # managed by Certbot
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/costudio.xyz/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/costudio.xyz/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}

server {
    if ($host = www.costudio.xyz) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    if ($host = costudio.xyz) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    listen 80 ;
    listen [::]:80 ;
    server_name www.costudio.xyz costudio.xyz;
    return 404; # managed by Certbot
}
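As an added check (not part of the original post or of certbot itself), the Python script below audits an nginx config of the shape certbot leaves behind: every server that listens with `ssl` must carry a certificate, a key and certbot's options-ssl-nginx.conf include, and every host named on the plaintext port-80 server must be redirected to HTTPS, which confirms that option 2 at the prompt took effect. The sample config and its host names are constructed placeholders.

```python
import re

# Constructed sample of the two server blocks certbot writes when option 2
# (redirect HTTP to HTTPS) is chosen; host names are placeholders.
SAMPLE_CONF = """
server {
    server_name www.example.test example.test; # managed by Certbot
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/example.test/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/example.test/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
}
server {
    if ($host = www.example.test) { return 301 https://$host$request_uri; } # managed by Certbot
    if ($host = example.test) { return 301 https://$host$request_uri; } # managed by Certbot
    listen 80 ;
    server_name www.example.test example.test;
    return 404; # managed by Certbot
}
"""

def server_blocks(conf):
    """Yield the body of each top-level `server { ... }` block, comments stripped."""
    text = re.sub(r"#[^\n]*", "", conf)
    for m in re.finditer(r"\bserver\s*\{", text):
        depth, i = 1, m.end()
        while depth and i < len(text):          # walk to the matching closing brace
            depth += {"{": 1, "}": -1}.get(text[i], 0)
            i += 1
        yield text[m.end():i - 1]

def audit(conf):
    """Return a list of findings; an empty list means the certbot layout is intact."""
    findings = []
    for body in server_blocks(conf):
        listens = re.findall(r"\blisten\s+([^;]+);", body)
        names = re.findall(r"\bserver_name\s+([^;]+);", body)
        hosts = set(" ".join(names).split())
        if any(" ssl" in l for l in listens):   # TLS server: cert, key and hardened options
            for d in ("ssl_certificate ", "ssl_certificate_key "):
                if not re.search(r"\b" + d, body):
                    findings.append(f"TLS server {sorted(hosts)}: missing {d.strip()}")
            if "options-ssl-nginx.conf" not in body:
                findings.append(f"TLS server {sorted(hosts)}: certbot TLS options not included")
        elif listens:                           # plaintext server: every host must redirect
            redirected = set(re.findall(
                r"if\s*\(\s*\$host\s*=\s*([^\s)]+)\s*\)\s*\{\s*return\s+301\s+https://", body))
            for h in sorted(hosts - redirected):
                findings.append(f"plaintext server: {h} not redirected to HTTPS")
    return findings
```

Run `audit(open("/etc/nginx/sites-enabled/default").read())` on the host after certbot finishes; a non-empty list means the redirect or TLS directives are not in place.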