Advertisement
cloudtuts

手動安裝Let's Encrypt

Jun 19th, 2018
251
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
Bash 2.58 KB | None | 0 0
  1. #1.下載Let's encrypt
  2. sudo apt-get update
  3. sudo apt-get install git
  4. sudo git clone https://github.com/letsencrypt/letsencrypt /opt/letsencrypt
  5.  
  6. ----------------------------------------------------------------------------------------
  7.  
  8. #2. 申請證書 Root Domain (subdomain刪掉後面的-d www.$domain)
  9. #網站根目錄資料夾請按照實際狀況填寫
  10. read -p "Enter domain: " domain
  11. /opt/letsencrypt/letsencrypt-auto certonly --agree-tos --email 信箱@gmail.com --webroot -w /var/www/$domain/htdocs -d $domain -d www.$domain
  12.  
  13. ----------------------------------------------------------------------------------------
  14.  
  15. #3. 安裝證書
  16. #寫在 /etc/nginx/sites-available/域名.conf 或是 這個檔案裡頭有include的資料夾下自創新檔案
  17. #存擋後 nginx -t && service nginx reload
  18. #查詢設定:https://mozilla.github.io/server-side-tls/ssl-config-generator/
  19. #參考設定:
  20. listen 443 ssl http2;
  21. ssl on;
  22. ssl_certificate     /etc/letsencrypt/live/域名/fullchain.pem;
  23. ssl_certificate_key     /etc/letsencrypt/live/域名/privkey.pem;
  24.  
  25.     # intermediate configuration. tweak to your needs.
  26.     ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
  27.     ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
  28.     ssl_prefer_server_ciphers on;
  29.  
  30.     # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
  31.     add_header Strict-Transport-Security max-age=15768000;
  32.  
  33.     # OCSP Stapling ---
  34.     # fetch OCSP records from URL in ssl_certificate and cache them
  35.     ssl_stapling on;
  36.     ssl_stapling_verify on;
  37.  
  38. ----------------------------------------------------------------------------------------
  39.  
  40. #4. http轉https
  41. #寫在 /etc/nginx/sites-available/域名.conf 檔案的最上面 或是 /etc/nginx/nginx.conf這個檔案裡頭有include的資料夾下自創新檔案,像是/etc/nginx/conf.d
  42. #存擋後 nginx -t && service nginx reload
  43. server {
  44.         listen 80;
  45.         server_name www.域名 域名;
  46.         return 301 https://域名$request_uri;
  47. }
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement