Nginx Notes

Some notes on deploying nginx, only to the level of getting it working.

Getting started

Change the first line of nginx.conf (the user directive) to your own username.

Below is a simple site configuration:

server {
    listen 80;
    server_name shop.bolitao.xyz;
    location / {
        proxy_pass http://127.0.0.1:8282;
    }
}

After reloading nginx, the web app can be reached via the server's IP.

SSL

Just use Let's Encrypt to obtain the certificate, because it is extremely simple and convenient.

On the Certbot site, pick your web server and OS version; it then lists the prerequisites for using Certbot:

The key one is in the middle: you need a website that is reachable on port 80.

Taking my setup (nginx, Ubuntu 18.04) as an example, install Certbot:

sudo apt-get update
sudo apt-get install software-properties-common
sudo add-apt-repository universe
sudo add-apt-repository ppa:certbot/certbot
sudo apt-get update
sudo apt-get install certbot python-certbot-nginx

Run certbot and let it obtain and install the certificate automatically:

sudo certbot --nginx

Enter an email address to receive renewal and security notices for the certificate:

Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): xxxxx@xxx.xxx

You must agree to the Terms of Service; after reading them, type A and press Enter:

Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel: A

Whether to share your email address with the EFF is up to you:

Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y

Certbot asks which site to enable HTTPS for:

Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: shop.bolitao.xyz
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1

After installing the certificate it asks whether to redirect HTTP to HTTPS; choose according to your needs:

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
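For reference, this is what the hand-written equivalent of the result looks like when option 2 (redirect) is chosen: the port 80 block only redirects, and a new port 443 block terminates TLS in front of the same backend. This is an added example, not the original post's configuration or certbot's output; the certificate and key paths assume certbot's default layout under /etc/letsencrypt/live/<domain>/ and must match what certbot printed on your machine.

```nginx
# Added example: hand-written equivalent of the certbot --nginx result for
# shop.bolitao.xyz with the redirect option. Paths are assumed (certbot's
# default live/ layout); check them against your own certbot output.

# Port 80: nothing is served here any more, every request is sent to HTTPS.
server {
    listen 80;
    server_name shop.bolitao.xyz;

    location / {
        return 301 https://$host$request_uri;
    }
}

# Port 443: terminate TLS here and proxy to the app listening on 8282.
server {
    listen 443 ssl;
    server_name shop.bolitao.xyz;

    ssl_certificate     /etc/letsencrypt/live/shop.bolitao.xyz/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/shop.bolitao.xyz/privkey.pem;

    # Only offer modern protocol versions; TLS 1.0/1.1 are not negotiated.
    ssl_protocols TLSv1.2 TLSv1.3;

    location / {
        proxy_pass http://127.0.0.1:8282;

        # The minimal config on this page forwards nothing about the original
        # request, so the backend sees 127.0.0.1 and plain http. These headers
        # let it log the real client address and build correct https:// URLs.
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

Run `sudo nginx -t` before reloading so a typo in the paths does not take the site down.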

Once all of the above is done, it prints some useful information:

  1. You can test the SSL setup at https://www.ssllabs.com/ssltest/analyze.html?d=<domain>
  2. Where the certificate, configuration and related files are stored (back them up promptly)
  3. The certificate expiry date and how to renew it (certbot renews certificates automatically)
  4. Consider donating if you like the project
Congratulations! You have successfully enabled https://xxxxxxxxxxxxx.xxxx

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=xxxx.xxx.xx


IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
xxxxxxxxxxxxxxxxxxxxxxxxxxxx
Your key file has been saved at:
xxxxxxxxxx
Your cert will expire on 2020-02-16. To obtain a new or tweaked
version of this certificate in the future, simply run certbot again
with the "certonly" option. To non-interactively renew *all* of
your certificates, run "certbot renew"
- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
- If you like Certbot, please consider supporting our work by:

Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le

Manual configuration

// TODO

References

How to Configure NGINX - linode.com
Getting Started - Let's Encrypt - Free SSL/TLS Certificates - letsencrypt.org
Configuring HTTPS servers - nginx.org

Author: Boli Tao
Link: https://www.bolitao.xyz/archives/2936ba2.html
Copyright Notice: All articles in this blog are licensed under CC BY-NC-SA 4.0 unless stated otherwise.