Nginx SSL 지원 https 오픈
16861 단어 Linux
Nginx 설정 확인 하기
실행
nginx -V
-bash-4.2# nginx -V
nginx version: nginx/1.15.8
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-36) (GCC)
built with OpenSSL 1.0.2k-fips 26 Jan 2017
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib64/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-compat --with-file-aio --with-threads --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-mail --with-mail_ssl_module --with-stream --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module --with-cc-opt='-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic -fPIC' --with-ld-opt='-Wl,-z,relro -Wl,-z,now -pie'
설정 에 있 는 지 확인 하기
--with-http_ssl_module
SSL 을 신청 한 도 메 인 이름과 서버 의 IP 가 일치 하도록 보장 합 니 다. 즉, 도 메 인 이름 은 서버 에 분 석 된 것 이 확실 합 니 다. nslookup 명령 으로 조회 할 수 있 습 니 다.실행
nslookup www.yourwebsite.com
알림 -bash: nslookup: command not found
은 다음 명령 을 수행 해 야 합 니 다.yum install bind-utils
-bash-4.2# yum install bind-utils
...
Installed:
bind-utils.x86_64 32:9.9.4-73.el7_6
Dependency Installed:
bind-libs.x86_64 32:9.9.4-73.el7_6
Complete!
설치 완료 실행 중
nslookup www.yourwebsite.com
-bash-4.2# nslookup pangge.info
Server: xxx.xxx.xxx.xxx
Address: xxx.xxx.xxx.xxx#xx
Non-authoritative answer:
Name: xxxxx.xxxx
Let 's Encrypt 는 인증 서 를 할당 할 때 도 메 인 이름 으로 분 석 된 서버 와 일치 하 는 지 확인 합 니 다.
git 와 bc 설치,
yum install -y git bc
실행 yum -y install yum-utils
실행 yum-config-manager --enable rhui-REGION-rhel-server-extras rhui-REGION-rhel-server-optional
실행 yum install certbot python2-certbot-nginx
실행 yum install -y git python27
실행 yum install -y augeas-libs dialog gcc libffi-devel openssl-devel python-devel
실행 yum install python-argparse
실행 service nginx stop
실행 certbot --nginx certonly --standalone -email [email protected] -d pangge.info
아래 의 오류 알림 을 보면 실행 할 수 있 습 니 다 pip install requests urllib3 pyOpenSSL --force --upgrade
-bash-4.2# certbot --nginx certonly --standalone -email [email protected] -d pangge.info
Traceback (most recent call last):
File "/usr/bin/certbot", line 9, in
load_entry_point('certbot==0.30.2', 'console_scripts', 'certbot')()
File "/usr/lib/python2.7/site-packages/pkg_resources/__init__.py", line 570, in load_entry_point
return get_distribution(dist).load_entry_point(group, name)
File "/usr/lib/python2.7/site-packages/pkg_resources/__init__.py", line 2751, in load_entry_point
return ep.load()
File "/usr/lib/python2.7/site-packages/pkg_resources/__init__.py", line 2405, in load
return self.resolve()
File "/usr/lib/python2.7/site-packages/pkg_resources/__init__.py", line 2411, in resolve
module = __import__(self.module_name, fromlist=['__name__'], level=0)
File "/usr/lib/python2.7/site-packages/certbot/main.py", line 18, in
from certbot import account
File "/usr/lib/python2.7/site-packages/certbot/account.py", line 18, in
from acme import messages
File "/usr/lib/python2.7/site-packages/acme/messages.py", line 8, in
from acme import challenges
File "/usr/lib/python2.7/site-packages/acme/challenges.py", line 12, in
import requests
File "/usr/lib/python2.7/site-packages/requests/__init__.py", line 58, in
from . import utils
File "/usr/lib/python2.7/site-packages/requests/utils.py", line 32, in
from .exceptions import InvalidURL
File "/usr/lib/python2.7/site-packages/requests/exceptions.py", line 10, in
from .packages.urllib3.exceptions import HTTPError as BaseHTTPError
File "/usr/lib/python2.7/site-packages/requests/packages/__init__.py", line 95, in load_module
raise ImportError("No module named '%s'" % (name,))
ImportError: No module named 'requests.packages.urllib3'
실행
pip install requests urllib3 pyOpenSSL --force --upgrade
-bash-4.2# pip install requests urllib3 pyOpenSSL --force --upgrade
Collecting requests
Downloading https://files.pythonhosted.org/packages/7d/e3/20f3d364d6c8e5d2353c72a67778eb189176f08e873c9900e10c0287b84b/requests-2.21.0-py2.py3-none-any.whl (57kB)
100% |████████████████████████████████| 61kB 19kB/s
Collecting urllib3
Downloading https://files.pythonhosted.org/packages/62/00/ee1d7de624db8ba7090d1226aebefab96a2c71cd5cfa7629d6ad3f61b79e/urllib3-1.24.1-py2.py3-none-any.whl (118kB)
100% |████████████████████████████████| 122kB 24kB/s
Collecting pyOpenSSL
Downloading https://files.pythonhosted.org/packages/01/c8/ceb170d81bd3941cbeb9940fc6cc2ef2ca4288d0ca8929ea4db5905d904d/pyOpenSSL-19.0.0-py2.py3-none-any.whl (53kB)
100% |████████████████████████████████| 61kB 17kB/s
Collecting chardet<3.1.0,>=3.0.2 (from requests)
Downloading https://files.pythonhosted.org/packages/bc/a9/01ffebfb562e4274b6487b4bb1ddec7ca55ec7510b22e4c51f14098443b8/chardet-3.0.4-py2.py3-none-any.whl (133kB)
100% |████████████████████████████████| 143kB 28kB/s
Collecting idna<2.9,>=2.5 (from requests)
Downloading https://files.pythonhosted.org/packages/14/2c/cd551d81dbe15200be1cf41cd03869a46fe7226e7450af7a6545bfc474c9/idna-2.8-py2.py3-none-any.whl (58kB)
100% |████████████████████████████████| 61kB 19kB/s
Collecting certifi>=2017.4.17 (from requests)
Downloading https://files.pythonhosted.org/packages/9f/e0/accfc1b56b57e9750eba272e24c4dddeac86852c2bebd1236674d7887e8a/certifi-2018.11.29-py2.py3-none-any.whl (154kB)
100% |████████████████████████████████| 163kB 19kB/s
Collecting cryptography>=2.3 (from pyOpenSSL)
Downloading https://files.pythonhosted.org/packages/17/fd/4c2c8953a9dfe38fbe0c3adafb6355540bd98cef70cc82734acb0a4c0e2f/cryptography-2.5-cp27-cp27mu-manylinux1_x86_64.whl (2.4MB)
100% |████████████████████████████████| 2.4MB 27kB/s
Collecting six>=1.5.2 (from pyOpenSSL)
Downloading https://files.pythonhosted.org/packages/73/fb/00a976f728d0d1fecfe898238ce23f502a721c0ac0ecfedb80e0d88c64e9/six-1.12.0-py2.py3-none-any.whl
Collecting enum34; python_version < "3" (from cryptography>=2.3->pyOpenSSL)
Downloading https://files.pythonhosted.org/packages/c5/db/e56e6b4bbac7c4a06de1c50de6fe1ef3810018ae11732a50f15f62c7d050/enum34-1.1.6-py2-none-any.whl
Collecting asn1crypto>=0.21.0 (from cryptography>=2.3->pyOpenSSL)
Downloading https://files.pythonhosted.org/packages/ea/cd/35485615f45f30a510576f1a56d1e0a7ad7bd8ab5ed7cdc600ef7cd06222/asn1crypto-0.24.0-py2.py3-none-any.whl (101kB)
100% |████████████████████████████████| 102kB 10kB/s
Collecting cffi!=1.11.3,>=1.8 (from cryptography>=2.3->pyOpenSSL)
Downloading https://files.pythonhosted.org/packages/9f/1f/f825741ebadb8497d1c3ec954062f1e09e97881618eecc9ef7c5c7ff8bbb/cffi-1.12.1-cp27-cp27mu-manylinux1_x86_64.whl (413kB)
100% |████████████████████████████████| 419kB 49kB/s
Collecting ipaddress; python_version < "3" (from cryptography>=2.3->pyOpenSSL)
Downloading https://files.pythonhosted.org/packages/fc/d0/7fc3a811e011d4b388be48a0e381db8d990042df54aa4ef4599a31d39853/ipaddress-1.0.22-py2.py3-none-any.whl
Collecting pycparser (from cffi!=1.11.3,>=1.8->cryptography>=2.3->pyOpenSSL)
Downloading https://files.pythonhosted.org/packages/68/9e/49196946aee219aead1290e00d1e7fdeab8567783e83e1b9ab5585e6206a/pycparser-2.19.tar.gz (158kB)
100% |████████████████████████████████| 163kB 13kB/s
Installing collected packages: urllib3, chardet, idna, certifi, requests, enum34, asn1crypto, pycparser, cffi, six, ipaddress, cryptography, pyOpenSSL
Found existing installation: urllib3 1.22
Uninstalling urllib3-1.22:
Successfully uninstalled urllib3-1.22
Found existing installation: chardet 3.0.4
Uninstalling chardet-3.0.4:
Successfully uninstalled chardet-3.0.4
Found existing installation: idna 2.4
Uninstalling idna-2.4:
Successfully uninstalled idna-2.4
Found existing installation: certifi 2017.7.27.1
Uninstalling certifi-2017.7.27.1:
Successfully uninstalled certifi-2017.7.27.1
Found existing installation: requests 2.6.0
DEPRECATION: Uninstalling a distutils installed project (requests) has been deprecated and will be removed in a future version. This is due to the fact that uninstalling a distutils project will only partially uninstall the project.
Uninstalling requests-2.6.0:
Successfully uninstalled requests-2.6.0
Found existing installation: enum34 1.0.4
DEPRECATION: Uninstalling a distutils installed project (enum34) has been deprecated and will be removed in a future version. This is due to the fact that uninstalling a distutils project will only partially uninstall the project.
Uninstalling enum34-1.0.4:
Successfully uninstalled enum34-1.0.4
Found existing installation: pycparser 2.14
Uninstalling pycparser-2.14:
Successfully uninstalled pycparser-2.14
Running setup.py install for pycparser ... done
Found existing installation: cffi 1.6.0
Uninstalling cffi-1.6.0:
Successfully uninstalled cffi-1.6.0
Found existing installation: six 1.9.0
Uninstalling six-1.9.0:
Successfully uninstalled six-1.9.0
Found existing installation: ipaddress 1.0.16
DEPRECATION: Uninstalling a distutils installed project (ipaddress) has been deprecated and will be removed in a future version. This is due to the fact that uninstalling a distutils project will only partially uninstall the project.
Uninstalling ipaddress-1.0.16:
Successfully uninstalled ipaddress-1.0.16
Found existing installation: cryptography 1.7.2
Uninstalling cryptography-1.7.2:
Successfully uninstalled cryptography-1.7.2
Found existing installation: pyOpenSSL 0.13.1
DEPRECATION: Uninstalling a distutils installed project (pyOpenSSL) has been deprecated and will be removed in a future version. This is due to the fact that uninstalling a distutils project will only partially uninstall the project.
Uninstalling pyOpenSSL-0.13.1:
Successfully uninstalled pyOpenSSL-0.13.1
Successfully installed asn1crypto-0.24.0 certifi-2018.11.29 cffi-1.12.1 chardet-3.0.4 cryptography-2.5 enum34-1.1.6 idna-2.8 ipaddress-1.0.22 pyOpenSSL-19.0.0 pycparser-2.19 requests-2.18.4 six-1.12.0 urllib3-1.24.1
You are using pip version 8.1.2, however version 19.0.3 is available.
You should consider upgrading via the 'pip install --upgrade pip' command.
실행
pip install requests==2.6.0
-bash-4.2# certbot --nginx certonly -d pangge.info
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): [email protected]
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel: A
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y
Starting new HTTPS connection (1): supporters.eff.org
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for pangge.info
Using default address 80 for authentication.
nginx: [error] invalid PID number "" in "/var/run/nginx.pid"
Waiting for verification...
Cleaning up challenges
Resetting dropped connection: acme-v02.api.letsencrypt.org
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/pangge.info/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/pangge.info/privkey.pem
Your cert will expire on 2019-05-27. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew *all* of your certificates, run
"certbot renew"
- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
실행
yum install openssl
여기까지 필요 한 환경 을 설정 하 였 습 니 다. 지금부터 Nginx 를 설정 합 니 다.이 디 렉 터 리
/etc/letsencrypt/live/
를 기억 하 세 요. 이따가 사용 해 야 합 니 다.nginx 프로필 을 수정 합 니 다. 여 기 는
/etc/nginx/nginx.conf
이 디 렉 터 리 아래 default. conf 파일 이 있 습 니 다.아래 와 대조 하여 그것 을 수정 하 다.
server {
listen 80;
server_name localhost;
return 301 https://pangge.info$request_uri;
}
server {
listen 443;
server_name localhost;
ssl on;
ssl_certificate /etc/letsencrypt/live/pangge.info/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/pangge.info/privkey.pem;
#ssl_client_certificate ca.crt;#
#ssl_verify_client on; #
ssl_session_timeout 5m;
ssl_protocols SSLv2 SSLv3 TLSv1;
ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
ssl_prefer_server_ciphers on;
#charset koi8-r;
#access_log /var/log/nginx/host.access.log main;
location / {
root /usr/share/nginx/html;
index index.php index.html index.htm;
}
#error_page 404 /404.html;
# redirect server error pages to the static page /50x.html
#
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root /usr/share/nginx/html;
}
# proxy the PHP scripts to Apache listening on 127.0.0.1:8080
#
location ~ \.php$ {
proxy_pass http://127.0.0.1:8080;
}
# pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
#
#location ~ \.php$ {
# root html;
# fastcgi_pass 127.0.0.1:9000;
# fastcgi_index index.php;
# fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name;
# include fastcgi_params;
#}
# deny access to .htaccess files, if Apache's document root
# concurs with nginx's one
#
#location ~ /\.ht {
# deny all;
#}
}
그리고 이 제 는 도 메 인 이름 에 https 를 통 해 만 접근 할 수 있 도록 전체 사이트 에서 SSL 을 엽 니 다.
이 내용에 흥미가 있습니까?
현재 기사가 여러분의 문제를 해결하지 못하는 경우 AI 엔진은 머신러닝 분석(스마트 모델이 방금 만들어져 부정확한 경우가 있을 수 있음)을 통해 가장 유사한 기사를 추천합니다:
바이너리 파일cat 또는tail, 터미널 디코딩 시 처리 방법cat으로 바이너리 파일을 보려고 할 때 코드가 엉망이 되어 식은땀이 났다. 웹에서 스크롤된 정보의 처리 방법과alias의 설정을 요약합니다. reset 명령을 사용하여 터미널을 재설정합니다.이렇게 하면 고치지 못하...
텍스트를 자유롭게 공유하거나 복사할 수 있습니다.하지만 이 문서의 URL은 참조 URL로 남겨 두십시오.
CC BY-SA 2.5, CC BY-SA 3.0 및 CC BY-SA 4.0에 따라 라이센스가 부여됩니다.