0x20-HTTPS with Let's Encrypt

HTTPS指南

Let’s Encrypt 开始支持通配符证书，这里是我总结的一个操作指南，这里使用acme.sh进行配置。

1. 安装openresty

参照： http://openresty.org/en/linux-packages.html

2. 配置openresty为服务

参考：https://kleshwong.com/blog/2017/01/05/setup-lua-resty-auto-ssl-in-ubuntu/

sudo vim /etc/systemd/system/nginx.service

nginx.service

[Unit]
Description=The nginx HTTP and reverse proxy server
After=syslog.target network.target remote-fs.target nss-lookup.target
[Service]
Type=forking
PIDFile=/usr/local/openresty/nginx/logs/nginx.pid
ExecStartPre=/usr/local/openresty/nginx/sbin/nginx -t
ExecStart=/usr/local/openresty/nginx/sbin/nginx
ExecReload=/bin/kill -s HUP $MAINPID
ExecStop=/bin/kill -s QUIT $MAINPID
PrivateTmp=true
[Install]
WantedBy=multi-user.target

启用：

1 2	$ sudo systemctl enable nginx $ sudo systemctl start nginx

通过 systemctl status nginx 可以看到 nginx 是不是正常启动了。若是失败这里也会输出用的日志信息。

3. 安装acme.sh

curl https://get.acme.sh | sh

4. 配置域名AccessKey

参照：https://github.com/Neilpang/acme.sh/tree/master/dnsapi

5. 复制证书到对应位置

acme.sh --install-cert -d chuqufeng.cn \
--key-file       /usr/local/openresty/nginx/conf/ssl/chuqufeng.cn.key  \
--fullchain-file /usr/local/openresty/nginx/conf/ssl/cert.cer \
--reloadcmd     "sudo service nginx force-reload"

生成dhparam：

1	openssl dhparam -out /usr/local/openresty/nginx/conf/ssl/dhparam.pem 2048

配置Nginx上证书

server {
  ##开启 HTTPS 和 HTTP/2
  listen 443 ssl http2;

  ##证书部分
  #证书
  ssl_certificate /usr/local/openresty/nginx/conf/ssl/cert.cer;
  #密钥
  ssl_certificate_key /usr/local/openresty/nginx/conf/ssl/chuqufeng.cn.key;
  #ssl_dhparam
  ssl_dhparam /usr/local/openresty/nginx/conf/ssl/dhparam.pem;
  ##SSL增强安全设置部分
  add_header Strict-Transport-Security max-age=15768000; #HSTS设置
  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
  ssl_ciphers EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+ECDSA+AES128:EECDH+aRSA+AES128:RSA+AES128:EECDH+ECDSA+AES256:EECDH+aRSA+AES256:RSA+AES256:EECDH+ECDSA+3DES:EECDH+aRSA+3DES:RSA+3DES:!MD5;
  #关键
  ssl_prefer_server_ciphers on;

}

6. 重启openresty

sudo service nginx restart

7. Result

现在https://www.ssllabs.com 评分为A+

参考文章：

https://www.textarea.com/zhicheng/fenxiang-yige-https-a-di-nginx-peizhi-320/

https://ruby-china.org/topics/31983