Letsencrypt Nginx SSL 证书配置
SSL 时代，静态博客也用上免费的证书玩玩。
环境软件初始化
# Enable the EPEL repository (release 7), where the certbot package comes from.
EPEL_RELEASE="https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm"
rpm -Uvh "$EPEL_RELEASE"

# Install the ACME client.
yum install -y certbot
初始化证书
# Obtain (but do not install) a certificate using HTTP-01 webroot validation.
# A single -w is enough here: a webroot applies to every -d that follows it,
# so repeating the same path before each domain is unnecessary.
certbot certonly --webroot \
    -w /webroot/www_example_com \
    -d www.example.com -d example.com \
    -m contact@example.com
-m（联系邮箱）参数可以省略。
配置 Nginx
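server
{
    listen 80;
    server_name www.example.com example.com;
    index index.html index.htm;
    root /webroot/www_example_com;
    access_log /var/log/nginx/www_example_com.access.log main;
    error_log /var/log/nginx/www_example_com.error.log warn;
    #limit_conn crawler 20;

    # ACME HTTP-01 challenge files written by `certbot --webroot -w /webroot/www_example_com`.
    # The previous `return 200;` answered with an empty body, so the token file under
    # /.well-known/acme-challenge/ was never served and webroot validation (and renewal)
    # cannot succeed. Serve the file from the webroot instead; `^~` makes this prefix
    # win over the catch-all redirect below. `default_type` replaces the malformed
    # `add_header Content-Type 'text/plain;'` (which also only applied to 2xx/3xx).
    location ^~ /.well-known/acme-challenge/ {
        default_type "text/plain";
        try_files $uri =404;
    }

    # Everything else goes to the canonical HTTPS host in a single hop. The old config
    # first sent example.com to http://www.example.com and only then on to https, and
    # its server-level rewrite also redirected challenge requests before the location
    # above could serve them.
    location / {
        return 301 https://www.example.com$request_uri;
    }
}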
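server
{
    # `ssl on;` is deprecated; enabling TLS on the listen socket is the supported form.
    listen 443 ssl;
    server_name www.example.com example.com;
    index index.html index.htm;
    root /webroot/www_example_com;

    ssl_certificate /etc/letsencrypt/live/www.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/www.example.com/privkey.pem;

    # Session resumption: a shared cache is needed for the timeout to be useful
    # across worker processes.
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 5m;

    # TLS 1.0 and 1.1 are deprecated and have been dropped. Add `TLSv1.3` once the
    # installed nginx (>= 1.13) and OpenSSL (>= 1.1.1) support it.
    ssl_protocols TLSv1.2;

    # Explicit allow-list of forward-secret AEAD suites. The previous string started
    # from `ALL` and hand-excluded weak families, which is harder to audit.
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers on;

    # Optional: ask browsers to stay on HTTPS. Enable only once every host name
    # under the domain is served over TLS, since browsers remember it for max-age.
    #add_header Strict-Transport-Security "max-age=31536000" always;

    access_log /var/log/nginx/www_example_com.access.log main;
    error_log /var/log/nginx/www_example_com.error.log warn;

    # Canonical host: bare domain -> www. `return` inside a server-level `if` is one
    # of the forms nginx documents as safe.
    if ($host ~* "^example\.com") {
        return 301 https://www.example.com$request_uri;
    }

    # ACME challenges are answered on port 80 only, so nothing under .well-known
    # is exposed on the TLS listener.
    location ~ /\.well-known/? {
        return 403;
    }

    # Static site: never hand out PHP sources. `~*` makes the match case-insensitive,
    # so `.PHP` / `.Php5` no longer slip past the block.
    location ~* \.(php|php5)$ {
        return 403;
    }

    location ~* \.(gif|jpg|jpeg|png|bmp|swf)$ {
        expires 30d;
    }

    # The previous pattern `.*\.(js|css)?$` made the extension optional, so it also
    # matched any URI ending in a bare dot.
    location ~* \.(js|css)$ {
        expires 1h;
    }
}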
完成之后，先用 `nginx -t` 测试配置，再重启 Nginx。