Attentive long-time readers may have noticed that this site now uses HTTPS throughout. Why? Because it looks good! Hahaha...

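This post records how to configure nginx for HTTPS on CentOS 6. I use the free certificates provided by Let's Encrypt. First visit https://certbot.eff.org/, then select the web server and operating system that match your setup. To keep things generic, I chose "Unspecified Webserver on Other UNIX".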

First download the script and make it executable:

wget https://dl.eff.org/certbot-auto
chmod a+x certbot-auto

Stop nginx or any other service that is using port 80, then run: ./certbot-auto certonly

A text-mode UI appears. For convenience I chose the second option:

Automatically use a temporary webserver (standalone)

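Then follow the prompts step by step to enter your e-mail address and domain names (separate multiple domains with commas or spaces). When you see the following message, the certificate has been issued successfully: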

IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at
/etc/letsencrypt/live/xxx.com/fullchain.pem. Your cert will
expire on 2016-09-21. To obtain a new or tweaked version of this
certificate in the future, simply run certbot-auto again. To
non-interactively renew *all* of your certificates, run
"certbot-auto renew"
- If you lose your account credentials, you can recover through
e-mails sent to xxxx@xxx.com.
- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
- If you like Certbot, please consider supporting our work by:

Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le

Next, edit the nginx configuration file:

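server
{
    # Catch-all for plain HTTP: every request is permanently redirected to the HTTPS home page
    listen 80 default;
    server_name _;
    rewrite ^(.*) https://dear-shen.com/ permanent;
}
server
{
    listen 443 ssl;
    server_name dear-shen.com www.dear-shen.com;

    # Certificate chain and private key saved by certbot
    ssl_certificate /etc/letsencrypt/live/dear-shen.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/dear-shen.com/privkey.pem;

    # Remaining configuration omitted...
}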

Adjust this to your own setup, then restart the nginx service. If a firewall is enabled, remember to open port 443.

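Also remember that this certificate is only valid for 90 days, and you have to renew it manually yourself. This is simple too: first stop nginx or any other service that is using port 80, then run: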

./path/to/certbot-auto renew --dry-run

If the command above runs without problems, you can also set up a scheduled task that runs:

./path/to/certbot-auto renew --quiet --no-self-upgrade
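
Because standalone mode needs port 80, a scheduled renewal has to stop nginx first and must bring it back even when the renewal fails. The wrapper below is an added example, not part of the original post: it only stops nginx when the certificate is close to expiry and always restarts it afterwards. The variable names, the `service nginx` commands, the 30-day window, the `--run` argument and the crontab path are assumptions; the certbot-auto options are the ones shown above.

```shell
#!/bin/sh
# Cron-safe renewal wrapper for standalone mode (added example, not from the post).
# Assumptions: the paths below, the "service nginx" commands, the 30-day window
# and the "--run" argument are illustrative; adjust them to your system.
# Example crontab entry (hypothetical path):
#   17 3 * * * /usr/local/sbin/renew-cert.sh --run
CERTBOT="${CERTBOT:-/path/to/certbot-auto}"
CERT="${CERT:-/etc/letsencrypt/live/dear-shen.com/fullchain.pem}"
NGINX_STOP="${NGINX_STOP:-service nginx stop}"
NGINX_START="${NGINX_START:-service nginx start}"
WINDOW_DAYS="${WINDOW_DAYS:-30}"

# Succeeds when the certificate expires within WINDOW_DAYS (or cannot be read).
# "openssl x509 -checkend N" exits 0 only if the cert is still valid in N seconds.
cert_due() {
    ! openssl x509 -checkend "$(( ${WINDOW_DAYS} * 86400 ))" -noout \
        -in "$CERT" >/dev/null 2>&1
}

# Returns 0 if nothing was due or renewal succeeded, non-zero on any failure.
renew_certs() {
    # Nothing near expiry: leave nginx running and skip the outage entirely.
    cert_due || return 0
    # The standalone authenticator binds port 80, so nginx must release it.
    $NGINX_STOP || return 1
    rc=0
    $CERTBOT renew --quiet --no-self-upgrade || rc=$?
    # Restart nginx whether or not renewal succeeded, so a failed
    # renewal never leaves the site down.
    $NGINX_START || return 2
    return "$rc"
}

# Only act when invoked as "renew-cert.sh --run" (e.g. from cron).
if [ "${1:-}" = "--run" ]; then
    renew_certs
fi
```
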