How to configure a free, auto-renewing Let's Encrypt SSL certificate with certbot on a DigitalOcean Ubuntu host
In an earlier post I briefly introduced HTTPS on port 443 and some basic cryptography concepts.
For a public-facing website, a valid certificate is also part of its storefront, much like a pork stall displaying (or not displaying) the domestic-origin label.
Since around 2018, sites without HTTPS are flagged as "Not secure" by default in the Chrome browser, which hurts traffic and how long visitors are willing to stay on the page.
Commands to run on the hosting server for Certbot:
sudo apt install python-certbot-nginx (old command)
sudo apt install python3-certbot-nginx (newer versions use this command instead)
Finally:
sudo certbot --nginx -d {domain name} -d www.{domain name}
This command automatically edits the nginx default site file for us, pointing the port setting at 443.
Path: /etc/nginx/sites-enabled; the default port 80 is changed to 443.
When you run the command you will see output like the following:

Pay attention here: there are two prompts to answer.
When asked what to do when a user reaches the site over HTTP on port 80, enter 2 to redirect them to the HTTPS (port 443) version of the URL.
Refresh the page and the "Not secure" label will have turned into the padlock that indicates a valid certificate.
The certificate usually expires after 3 months. Run
sudo certbot renew --dry-run
to test whether a new certificate would be issued at expiry.
Remove the --dry-run flag to run the renewal for real; it overwrites the old certificate.
Below is the complete nginx default file after certbot has configured it for us.
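As an added example (not from the original post), the shell functions below turn the "how many days are left?" question into something you can check from cron or a monitoring script. The sample notAfter strings are constructed; on a real host you would feed in the output of `openssl x509 -enddate -noout -in /etc/letsencrypt/live/<domain>/cert.pem`. The 30-day threshold mirrors certbot's own default for when `certbot renew` decides a certificate is due.

```shell
#!/usr/bin/env bash
# Added example: compute days remaining on a certificate and decide whether
# renewal is due. Requires GNU date (Ubuntu/Debian coreutils), which parses
# the "Mon DD HH:MM:SS YYYY GMT" format that openssl prints after "notAfter=".
set -eu

# Days from "now" until the notAfter date.
#   $1: notAfter value as openssl prints it, e.g. "Feb  3 12:00:00 2030 GMT"
#   $2: optional epoch-seconds value to use as "now" (lets the function be
#       tested offline; defaults to the real current time)
days_until_expiry() {
  local not_after="$1"
  local now="${2:-$(date +%s)}"
  local end
  end=$(date -u -d "$not_after" +%s)
  echo $(( (end - now) / 86400 ))
}

# Exit status 0 (true) when fewer than 30 days remain, matching the point at
# which certbot's default configuration would renew the certificate.
renewal_due() {
  [ "$(days_until_expiry "$1" "${2:-}")" -lt 30 ]
}

# Demo on a constructed expiry date (real usage shown in the comment below).
demo_not_after="Feb  3 12:00:00 2030 GMT"
echo "days left for constructed cert: $(days_until_expiry "$demo_not_after")"
if renewal_due "$demo_not_after"; then
  echo "renewal due: run 'sudo certbot renew'"
else
  echo "renewal not yet due"
fi

# On a real host (replace example.com with your domain):
#   days_until_expiry "$(openssl x509 -enddate -noout \
#       -in /etc/letsencrypt/live/example.com/cert.pem | cut -d= -f2)"
```

If `renewal_due` keeps reporting true after you have run `sudo certbot renew`, nginx is most likely still serving the old certificate from memory; certbot reloads nginx after a successful renewal when the nginx plugin is used, so a reload that does not happen is the first thing to check.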
##
# You should look at the following URL's in order to grasp a solid understanding
# of Nginx configuration files in order to fully unleash the power of Nginx.
# https://www.nginx.com/resources/wiki/start/
# https://www.nginx.com/resources/wiki/start/topics/tutorials/config_pitfalls/
# https://wiki.debian.org/Nginx/DirectoryStructure
#
# In most cases, administrators will remove this file from sites-enabled/ and
# leave it as reference inside of sites-available where it will continue to be
# updated by the nginx packaging team.
#
# This file will automatically load configuration files provided by other
# applications, such as Drupal or Wordpress. These applications will be made
# available underneath a path with that package name, such as /drupal8.
#
# Please see /usr/share/doc/nginx-doc/examples/ for more detailed examples.
##

# Default server configuration
server {
    # SSL configuration
    #
    # listen 443 ssl default_server;
    # listen [::]:443 ssl default_server;
    #
    # Note: You should disable gzip for SSL traffic.
    # See: https://bugs.debian.org/773332
    #
    # Read up on ssl_ciphers to ensure a secure configuration.
    # See: https://bugs.debian.org/765782
    #
    # Self signed certs generated by the ssl-cert package
    # Don't use them in a production server!
    #
    # include snippets/snakeoil.conf;

    root /var/www/html;

    # Add index.php to the list if you are using PHP
    index index.html index.htm index.nginx-debian.html;

    server_name www.costudio.xyz costudio.xyz; # managed by Certbot

    location ^~ /assets/ {
        gzip_static on;
        expires 12h;
        add_header Cache-Control public;
    }

    location / {
        proxy_http_version 1.1;
        proxy_cache_bypass $http_upgrade;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_pass http://localhost:3222;
    }

    listen [::]:443 ssl ipv6only=on; # managed by Certbot
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/costudio.xyz/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/costudio.xyz/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}

server {
    if ($host = www.costudio.xyz) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    if ($host = costudio.xyz) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    listen 80 ;
    listen [::]:80 ;
    server_name www.costudio.xyz costudio.xyz;
    return 404; # managed by Certbot
}
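The file above has two properties worth re-checking whenever you edit it by hand later: the port-80 server block should only redirect to HTTPS (never serve content), and the port-443 block must carry `ssl` on its listen lines plus the Let's Encrypt certificate and key. As an added example (not part of the original post or of certbot), this awk-based audit reads a sites-enabled file and reports any server block that breaks one of those rules. The two embedded configs are constructed, with example.com standing in for the real domain; it is a sanity check alongside `sudo nginx -t`, not a replacement for it.

```shell
#!/usr/bin/env bash
# Added example: audit an nginx site file for the structure certbot --nginx
# produces. Prints one "finding:" line per problem and exits 1 if any exist.
set -eu

# Usage: audit_certbot_site /etc/nginx/sites-enabled/default   (or via stdin)
audit_certbot_site() {
  awk '
    function report(msg) { findings++; print "finding: " msg }
    # Rules applied to one complete top-level server { ... } block.
    function check_block(b) {
      http = (b ~ /listen[ \t]+(\[::\]:)?80([ \t]|;)/)
      tls  = (b ~ /listen[ \t]+(\[::\]:)?443([ \t]|;)/)
      if (http && b !~ /return[ \t]+301[ \t]+https:\/\//)
        report("port-80 server block does not redirect to https")
      if (tls && b !~ /ssl_certificate[ \t]+\/etc\/letsencrypt\/live\//)
        report("port-443 server block has no ssl_certificate under /etc/letsencrypt/live/")
      if (tls && b !~ /ssl_certificate_key[ \t]+/)
        report("port-443 server block has no ssl_certificate_key")
    }
    {
      line = $0; sub(/#.*/, "", line)          # drop comments, e.g. "# managed by Certbot"
      if (line ~ /listen[ \t]+(\[::\]:)?443([ \t]|;)/ && line !~ /[ \t]ssl([ \t]|;)/)
        report("listen on 443 without the ssl parameter: " line)
      opens  = split(line, tmp, "{") - 1        # brace counting tracks block depth
      closes = split(line, tmp, "}") - 1
      if (depth > 0 || opens > 0) block = block line "\n"
      depth += opens - closes
      if (depth == 0 && block != "") { check_block(block); block = "" }
    }
    END { exit (findings > 0) }
  ' "$@"
}

# Constructed config mirroring what certbot --nginx writes (domain is a placeholder).
GOOD_CONF=$(cat <<'EOF'
server {
    server_name www.example.com example.com; # managed by Certbot
    location / { proxy_pass http://localhost:3222; }
    listen [::]:443 ssl ipv6only=on; # managed by Certbot
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
}
server {
    if ($host = example.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot
    listen 80 ;
    listen [::]:80 ;
    server_name www.example.com example.com;
    return 404; # managed by Certbot
}
EOF
)

# Constructed misconfiguration: 443 without ssl, no key, and plain-HTTP content.
BAD_CONF=$(cat <<'EOF'
server {
    listen 443;
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    server_name example.com;
}
server {
    listen 80;
    server_name example.com;
    root /var/www/html;
}
EOF
)

echo "== certbot-style config =="
printf '%s\n' "$GOOD_CONF" | audit_certbot_site && echo "no findings"
echo "== misconfigured config =="
printf '%s\n' "$BAD_CONF" | audit_certbot_site || echo "audit exited 1 as expected"
```

Run it against the real file with `audit_certbot_site /etc/nginx/sites-enabled/default` after any manual edit, then `sudo nginx -t` before reloading; the audit catches the structural regressions (a forgotten redirect, a listen line that lost `ssl`), while `nginx -t` catches syntax errors and missing files.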
Ref:
“certbot” team
Fix “Cannot Add PPA” Error in Ubuntu & Linux Mint
Unable to Add ppa in my newly installed ubuntu 16.04 LTS
Cannot add PPA: 'ppa:'. Please check that the PPA name or format is correct
How to fix the "add-apt-repository not found" problem on Ubuntu