Nginx with Let's Encrypt on Ubuntu + Reverse proxy
sudo su
Гарчиг
Certbot суулгах
add-apt-repository ppa:certbot/certbot apt install python-certbot-nginx
Nginx-ийн тохиргоогоо шалгах
Nginx тохиргооны файлд server_name зѳв бичигдсэн байх ёстой. /etc/nginx/sites-available/example.com
server_name example.com www.example.com;
Nginx тохиргоо алдаатай эсэхийг шалгах:
nginx -t
Тохиргоо идэвхжүүлэх: systemctl reload nginx
Firewall дээр портоо нээх
Гаднаас хандах портоо нээсэн байх хэрэгтэй. DNS тохиргоо мѳн зѳв байхгүй бол болохгүй. Let's Encrypt SSL үүсгэх үед автоматаар шалгахад холбогдох ёстой.
SSL Certificate үүсгэх
certbot --nginx -d example.com -d www.example.com
This runs certbot with the --nginx plugin, using -d to specify the names we'd like the certificate to be valid for.
If this is your first time running certbot, you will be prompted to enter an email address and agree to the terms of service. After doing so, certbot will communicate with the Let's Encrypt server, then run a challenge to verify that you control the domain you're requesting a certificate for.
If that's successful, certbot will ask how you'd like to configure your HTTPS settings.
Output
Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access. ------------------------------------------------------------------------------- 1: No redirect - Make no further changes to the webserver configuration. 2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for new sites, or if you're confident your site works on HTTPS. You can undo this change by editing your web server's configuration. ------------------------------------------------------------------------------- Select the appropriate number [1-2] then [enter] (press 'c' to cancel):
Select your choice then hit ENTER. The configuration will be updated, and Nginx will reload to pick up the new settings. certbot will wrap up with a message telling you the process was successful and where your certificates are stored:
Output
IMPORTANT NOTES: - Congratulations! Your certificate and chain have been saved at: /etc/letsencrypt/live/example.com/fullchain.pem Your key file has been saved at: /etc/letsencrypt/live/example.com/privkey.pem Your cert will expire on 2018-07-23. To obtain a new or tweaked version of this certificate in the future, simply run certbot again with the "certonly" option. To non-interactively renew *all* of your certificates, run "certbot renew" - Your account credentials have been saved in your Certbot configuration directory at /etc/letsencrypt. You should make a secure backup of this folder now. This configuration directory will also contain certificates and private keys obtained by Certbot so making regular backups of this folder is ideal. - If you like Certbot, please consider supporting our work by: Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate Donating to EFF: https://eff.org/donate-le
Your certificates are downloaded, installed, and loaded. Try reloading your website using https:// and notice your browser's security indicator. It should indicate that the site is properly secured, usually with a green lock icon. If you test your server using the SSL Labs Server Test, it will get an A grade.
Let's finish by testing the renewal process.
Certbot автомат шинэчлэлтийг шалгах
Let's Encrypt's certificates are only valid for ninety days. This is to encourage users to automate their certificate renewal process. The certbot package we installed takes care of this for us by adding a renew script to /etc/cron.d. This script runs twice a day and will automatically renew any certificate that's within thirty days of expiration.
To test the renewal process, you can do a dry run with certbot:
certbot renew --dry-run
If you see no errors, you're all set. When necessary, Certbot will renew your certificates and reload Nginx to pick up the changes. If the automated renewal process ever fails, Let’s Encrypt will send a message to the email you specified, warning you when your certificate is about to expire.
Жишээ Nginx тохиргооны файл
server {
server_name server8.dusal.net www.server8.dusal.net;
listen 443 ssl;
location / {
proxy_pass http://192.168.100.6:3000/;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
client_body_buffer_size 128k;
proxy_connect_timeout 90;
proxy_send_timeout 90;
proxy_read_timeout 90;
proxy_buffer_size 4k;
proxy_buffers 4 32k;
proxy_busy_buffers_size 64k;
proxy_temp_file_write_size 64k;
}
ssl_certificate /etc/letsencrypt/live/server8.dusal.net/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/server8.dusal.net/privkey.pem; # managed by Certbot
}
Өөр жишээ:
sudo nano /etc/nginx/sites-enabled/git.example.com
server {
listen 80;
server_name git.example.com;
include snippets/letsencrypt.conf;
return 301 https://git.example.com$request_uri;
}
server {
listen 443 ssl http2;
server_name git.example.com;
proxy_read_timeout 720s;
proxy_connect_timeout 720s;
proxy_send_timeout 720s;
client_max_body_size 50m;
# Proxy headers
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Real-IP $remote_addr;
# SSL parameters
ssl_certificate /etc/letsencrypt/live/git.example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/git.example.com/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/git.example.com/chain.pem;
include snippets/letsencrypt.conf;
include snippets/ssl.conf;
# log files
access_log /var/log/nginx/git.example.com.access.log;
error_log /var/log/nginx/git.example.com.error.log;
# Handle / requests
location / {
proxy_redirect off;
proxy_pass http://127.0.0.1:3000;
}
}
