-
-
Save Akagi201/34dacbd8ddbb72f13fda8dd87643613e to your computer and use it in GitHub Desktop.
CentOS 7 Nginx(OpenResty) Let’ s Encrypt SSL 证书安装配置
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # install certbot | |
| yum install certbot | |
| # create cert folder | |
| mkdir -p /usr/local/openresty/nginx/html/.well-known/acme-challenge | |
| # configure nginx | |
| ```nginx | |
| location ^~ /.well-known/acme-challenge/ { | |
| default_type "text/plain"; | |
| root html; | |
| } | |
| location ^~ /.well-known { | |
| access_log off; | |
| log_not_found off; | |
| autoindex off; | |
| root html; | |
| allow all; | |
| } | |
| ``` | |
| # reload nginx | |
| nginx -t && service nginx reload | |
| # generate ssl cert | |
| certbot certonly --email xxxxx@gmail.com --agree-tos --webroot \ | |
| -w /usr/local/openresty/nginx/html \ | |
| -d topconfs.com \ | |
| -d www.topconfs.com \ | |
| -d cdn.topconfs.com \ | |
| -d techconf.live \ | |
| -d www.techconf.live \ | |
| -d skillcipe.com \ | |
| -d www.skillcipe.com \ | |
| -d feed.rocks \ | |
| -d blog.feed.rocks | |
| # automatically renew | |
| certbot renew --dry-run # test if works | |
| certbot renew | |
| # add `certbot renew --quiet` to crontab | |
| # this will renew cert on 28th every month | |
| echo "0 2 28 * * certbot renew --quiet && service nginx reload >/dev/null 2>&1" >> /etc/crontab | |
| crontab /etc/crontab # load crontab | |
| crontab -l # list tasks | |
| # generate dhparam (recommended but not necessary) | |
| openssl dhparam -out /usr/local/openresty/nginx/ssl/dhparam.pem 2048 | |
| # configure nginx with ssl and http2 | |
| ``` | |
| worker_processes auto; | |
| pid logs/nginx.pid; | |
| events { | |
| # for Linux 2.6+ use epoll, FreeBSD/mac use kqueue | |
| use epoll; | |
| worker_connections 1024; | |
| } | |
| http { | |
| include mime.types; | |
| default_type application/octet-stream; | |
| # log | |
| log_format main '$remote_addr - $remote_user [$time_local] "$request" ' | |
| '$status $body_bytes_sent "$http_referer" ' | |
| '"$http_user_agent" "$http_x_forwarded_for"'; | |
| access_log off; | |
| error_log logs/error.log notice; | |
| # keep alive | |
| keepalive_timeout 65; | |
| keepalive_requests 100000; | |
| sendfile on; | |
| tcp_nopush on; | |
| tcp_nodelay on; | |
| # hide server tag | |
| server_tokens off; | |
| proxy_hide_header X-Powered-By; | |
| # buffer size | |
| client_body_buffer_size 128k; | |
| client_max_body_size 10m; | |
| client_header_buffer_size 1k; | |
| large_client_header_buffers 4 4k; | |
| output_buffers 1 32k; | |
| postpone_output 1460; | |
| # timeouts | |
| client_header_timeout 3m; | |
| client_body_timeout 3m; | |
| send_timeout 3m; | |
| # gzip | |
| gzip on; | |
| gzip_comp_level 2; | |
| gzip_proxied any; | |
| gzip_min_length 1100; | |
| gzip_buffers 16 8k; | |
| gzip_types application/x-javascript text/css application/javascript text/javascript text/plain text/xml application/json application/vnd.ms-fontobject application/x-font-opentype application/x-font-truetype application/x-font-ttf application/xml font/eot font/opentype font/otf image/svg+xml image/vnd.microsoft.icon; | |
| # server { | |
| # listen 80; | |
| # return 301 https://$host$request_uri; | |
| # } | |
| server { | |
| server_name localhost; | |
| listen 80; | |
| # enable ssl | |
| listen 443 ssl http2; | |
| listen [::]:443 ssl http2; | |
| ssl_certificate /etc/letsencrypt/live/topconfs.com/fullchain.pem; | |
| ssl_certificate_key /etc/letsencrypt/live/topconfs.com/privkey.pem; | |
| # dhparam (recommended but not necessary) | |
| ssl_dhparam /usr/local/openresty/nginx/ssl/dhparam.pem; | |
| # ocsp stapling | |
| ssl_stapling on; | |
| ssl_trusted_certificate /etc/letsencrypt/live/topconfs.com/chain.pem; | |
| # ssl_protocols and ssl_ciphers | |
| ssl_protocols TLSv1 TLSv1.1 TLSv1.2; | |
| ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256'; | |
| ssl_prefer_server_ciphers on; | |
| # session resumption | |
| ssl_session_cache shared:SSL:64m; | |
| ssl_session_timeout 1d; | |
| # HSTS | |
| add_header Strict-Transport-Security "max-age=31536000"; | |
| add_header X-Frame-Options deny; | |
| add_header X-XSS-Protection "1"; | |
| # error_page | |
| error_page 404 /404.html; | |
| error_page 500 502 503 504 /50x.html; | |
| # locations | |
| location ~* .(woff|eot|ttf|svg|mp4|webm|jpg|jpeg|png|gif|ico|css|js)$ { | |
| error_log off; | |
| expires 365d; | |
| } | |
| location / { | |
| root html; | |
| index index.html index.htm; | |
| } | |
| location ^~ /.well-known { | |
| access_log off; | |
| error_log off; | |
| log_not_found off; | |
| root html; | |
| allow all; | |
| } | |
| location ~ /\. { | |
| return 403; | |
| } | |
| location = /50x.html { | |
| root html; | |
| } | |
| } | |
| server { | |
| server_name koa.topconfs.com; | |
| location / { | |
| root html; | |
| index index.html index.htm; | |
| proxy_set_header X-Real-IP $remote_addr; | |
| proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; | |
| proxy_set_header Host $http_host; | |
| proxy_pass http://127.0.0.1:5001/; | |
| } | |
| } | |
| } | |
| ``` | |
| # reload nginx | |
| nginx -t && service nginx reload | |
| # test ssl rank | |
| open https://www.ssllabs.com/ssltest/index.html | |
| # test gzip compression | |
| open http://www.whatsmyip.org/http-compression-test/ |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment