# Request one certificate covering both hostnames with the webroot
# authenticator. The ACME challenge files are written under /var/www/webrtc,
# so a web server must already be serving that directory over plain HTTP
# for both names when this runs.
./letsencrypt-auto certonly \
    --authenticator webroot \
    --webroot-path /var/www/webrtc \
    -d webrtcdemo.tk \
    -d www.webrtcdemo.tk
Create the file /etc/nginx/snippets/ssl.conf with the following contents:
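# Shared TLS settings, meant to be pulled in with `include` from every HTTPS
# server block so that all virtual hosts apply the same policy.

# Session resumption: server-side cache shared between workers, entries kept
# for one day. Session tickets are disabled, so resumption does not depend on
# a long-lived ticket key that would weaken forward secrecy if never rotated.
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;

# Protocol and cipher policy: TLS 1.2 only, ECDHE key exchange with AES
# (GCM suites listed first), server-side cipher order enforced.
# NOTE(review): TLSv1.3 is not enabled here; add it to ssl_protocols if the
# installed nginx/OpenSSL build supports it.
ssl_protocols TLSv1.2;
ssl_ciphers EECDH+AESGCM:EECDH+AES;
ssl_ecdh_curve secp384r1;
ssl_prefer_server_ciphers on;

# OCSP stapling with verification of the stapled response.
# NOTE(review): nginx needs a `resolver` directive (http or server level) to
# look up the OCSP responder host, and none is set in this snippet. Stapling
# also only works while the certificate carries an OCSP responder URL; check
# the nginx error log for stapling warnings after a reload.
ssl_stapling on;
ssl_stapling_verify on;

# Security response headers. `always` makes nginx attach them to error
# responses as well; without it they are only sent on 2xx/3xx replies.
# add_header is inherited from this level only when the enclosing location
# defines no add_header of its own, so a location that adds any header must
# repeat these three.
# NOTE(review): `preload` is hard to undo once the domain is on a browser
# preload list, and the list requires max-age of at least 31536000 (one
# year); the value below is about six months. Either raise max-age or drop
# `preload` once the intent is settled.
add_header Strict-Transport-Security "max-age=15768000; includeSubdomains; preload" always;
add_header X-Frame-Options DENY always;
add_header X-Content-Type-Options nosniff always;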
Create the file /etc/nginx/conf.d/webrtc.conf with the following contents:
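# Plain-HTTP listener: serves no content, only redirects every request to the
# canonical HTTPS origin. Listens on IPv6 as well, matching the main HTTPS
# server block, so IPv6 clients are redirected too instead of falling through
# to whatever default server owns [::]:80.
server {
    listen 80;
    listen [::]:80;
    server_name webrtcdemo.tk www.webrtcdemo.tk;

    # `return` with $request_uri forwards the path and query string exactly
    # as the client sent them and avoids evaluating a regex on every request.
    # ACME HTTP-01 validation requests are redirected as well and are then
    # answered by the HTTPS server block.
    return 301 https://webrtcdemo.tk$request_uri;
}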
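# HTTPS listener for the www alias: terminates TLS with the shared
# certificate and redirects to the bare-domain origin. It listens on IPv6
# too; otherwise www requests arriving on [::]:443 would be handled by the
# only server bound there (the main site) and served without the redirect.
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name www.webrtcdemo.tk;

    # Certificate, private key, and the chain used to verify stapled OCSP
    # responses, all from the Let's Encrypt live directory.
    ssl_certificate /etc/letsencrypt/live/webrtcdemo.tk/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/webrtcdemo.tk/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/webrtcdemo.tk/fullchain.pem;

    # Shared TLS policy and security headers; the headers set there are sent
    # on this redirect response as well.
    include /etc/nginx/snippets/ssl.conf;

    # Forward the original path and query string unchanged.
    return 301 https://webrtcdemo.tk$request_uri;
}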
# Main HTTPS site for webrtcdemo.tk, reachable over IPv4 and IPv6.
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name webrtcdemo.tk;

    # Certificate material issued by Let's Encrypt for this name.
    ssl_certificate /etc/letsencrypt/live/webrtcdemo.tk/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/webrtcdemo.tk/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/webrtcdemo.tk/fullchain.pem;

    # Shared TLS policy and security headers.
    include /etc/nginx/snippets/ssl.conf;

    # Static content; this is the same directory the webroot authenticator
    # writes its challenge files into.
    root /var/www/webrtc;
    index index.html index.htm;

    location / {
        # Try the request as a file, then as a directory; anything else is
        # answered with /index.html, so unknown paths do not produce a 404.
        try_files $uri $uri/ /index.html;

        # Uncomment to enable naxsi on this location
        # include /etc/nginx/naxsi.rules
    }
}
Create a crontab entry to renew the SSL certificate automatically:
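# Daily renewal attempt at 02:30. The certificate was issued with the webroot
# authenticator, which needs the web server up to answer the HTTP challenge,
# so nginx is not stopped beforehand (stopping it would make the challenge
# fail and the certificate would eventually expire). A reload afterwards
# picks up the renewed files without dropping connections. stderr is appended
# to the log too, so renewal failures are recorded rather than lost.
30 2 * * * /opt/letsencrypt/letsencrypt-auto renew --post-hook "service nginx reload" >> /var/log/le-renew.log 2>&1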