SSL 时代，静态博客用上免费的证书玩玩。

环境软件初始化

# Pull in the EPEL repository definition, then install certbot from it.
# Note: `rpm -Uvh <url>` installs even when the package's signing key is not
# yet imported (it only warns); on CentOS 7 `yum install -y epel-release`
# from the extras repo installs the same package with gpgcheck applied.
EPEL_RELEASE_URL="https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm"
rpm -Uvh "$EPEL_RELEASE_URL"
yum install -y certbot

初始化证书

# Obtain a certificate covering both hostnames via the HTTP-01 challenge
# (certonly: nothing is installed into the web server config). certbot writes
# the challenge files under <webroot>/.well-known/acme-challenge/, so that path
# must be served over plain HTTP both now and at every renewal.
certbot certonly --webroot \
    -w /webroot/www_example_com -d www.example.com \
    -w /webroot/www_example_com -d example.com \
    -m contact@example.com

-m 参数可以省略。

配置 Nginx

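server
{
    listen 80;
    server_name www.example.com example.com;
    index index.html index.htm;
    root /webroot/www_example_com;

    access_log /var/log/nginx/www_example_com.access.log main;
    error_log /var/log/nginx/www_example_com.error.log warn;

    #limit_conn crawler 20;

    # ACME HTTP-01 challenge. certbot --webroot writes a token file under
    # <root>/.well-known/acme-challenge/ and the CA expects that file's
    # contents back. The previous `return 200;` answered with an empty body,
    # so renewals would fail once this config was live; serve the file instead.
    # `^~` is a prefix match, so the old regex no longer catches
    # "/.well-known" appearing elsewhere in a URI.
    location ^~ /.well-known/acme-challenge/ {
        default_type "text/plain";
        allow all;
        try_files $uri =404;
    }

    # Everything else goes straight to the canonical https host in one hop.
    # The old config sent example.com to http://www first and then to https,
    # i.e. two redirects; $request_uri keeps path and query string.
    location / {
        return 301 https://www.example.com$request_uri;
    }
}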

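server
{
    # `ssl on;` is deprecated; the listen flag is the current way to enable TLS.
    listen 443 ssl;
    server_name www.example.com example.com;
    index index.html index.htm;
    root /webroot/www_example_com;

    # fullchain.pem carries leaf + intermediates. These are the symlinks certbot
    # maintains under live/, so renewal needs only a reload, no config change.
    ssl_certificate      /etc/letsencrypt/live/www.example.com/fullchain.pem;
    ssl_certificate_key  /etc/letsencrypt/live/www.example.com/privkey.pem;
    # Without a shared cache ssl_session_timeout has no effect across workers.
    ssl_session_cache    shared:SSL:10m;
    ssl_session_timeout  5m;
    # TLS 1.0/1.1 are deprecated. TLSv1.3 is accepted by nginx >= 1.13 and is
    # only negotiated when the linked OpenSSL supports it.
    ssl_protocols        TLSv1.2 TLSv1.3;
    # Start from HIGH and subtract, which is easier to audit than the old
    # ALL-based string. 3DES/MD5 are excluded explicitly because OpenSSL < 1.1.0
    # still ranks 3DES as HIGH. !DH is kept from the original: no ssl_dhparam
    # is set, so DHE is not used anyway; ECDHE remains for forward secrecy.
    ssl_ciphers          HIGH:!DH:!aNULL:!eNULL:!MD5:!RC4:!3DES;
    ssl_prefer_server_ciphers on;

    # Once every path is confirmed to work over https, consider enabling HSTS:
    #add_header Strict-Transport-Security "max-age=63072000" always;
    # (it is sticky in browsers, so turn it on only after verifying the site).

    access_log /var/log/nginx/www_example_com.access.log main;
    error_log /var/log/nginx/www_example_com.error.log warn;

    # Canonical host: the certificate covers example.com as well, so the TLS
    # handshake succeeds and the client is then sent to www.
    if ($host ~* "^example\.com") {
        rewrite ^(.*)$ https://www.example.com$1 permanent;
    }

    # HTTP-01 validation only ever arrives on port 80, so .well-known can
    # stay closed here. Note this also hides other well-known resources
    # (e.g. security.txt) on https; relax it if any are added later.
    location ~ /\.well-known/? {
        return 403;
    }

    # Static site: never hand out anything that looks like server-side code.
    location ~ \.(php|php5)$
    {
        return 403;
    }

    location ~ \.(gif|jpg|jpeg|png|bmp|swf)$
    {
        expires 30d;
    }

    # The original pattern was `.*\.(js|css)?$`; the stray `?` made the
    # extension optional, so it matched URIs ending in a bare dot instead of
    # being limited to scripts and stylesheets.
    location ~ \.(js|css)$
    {
        expires 1h;
    }
}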

完成之后，先测试配置是否正确（例如 nginx -t），再重启 Nginx。

参考

  1. Let’s Encrypt
  2. Certbot