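Adding HTTPS Support to Your Blog

Most personal blogs today use a free HTTPS certificate, and the most widely used free option is Let's Encrypt, which is backed by a number of large companies such as Mozilla and Google.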

Installing Let's Encrypt (Ubuntu)

    sudo apt-get install certbot

Generating a certificate with Let's Encrypt

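certbot usage

    certbot [subcommand] [options] [-d domain] [-d domain] ...

e.g.

    certbot certonly --standalone -d pinkcle.com -d www.pinkcle.com

-d names a domain the certificate should cover. --standalone makes certbot obtain the certificate independently of any installed web server: it starts its own temporary web server for validation, so nothing else may be listening on port 80 while it runs.

For the full list of options, see: https://certbot.eff.org/docs/using.html#certbot-command-line-options

Note: every domain named in the certificate must already resolve through DNS, otherwise certificate generation fails.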

Once generation finishes, the certificate and key files for the domain appear under /etc/letsencrypt/live:

    /etc/letsencrypt/live/pinkcle.com/fullchain.pem
    /etc/letsencrypt/live/pinkcle.com/privkey.pem

If you have an API server or a subdomain, substitute its name and generate again:

    certbot certonly --standalone -d api.pinkcle.com

    /etc/letsencrypt/live/api.pinkcle.com/fullchain.pem
    /etc/letsencrypt/live/api.pinkcle.com/privkey.pem

Then configure the certificate and key in nginx.

The blog's nginx configuration is listed below.

    server {
        listen 80;
        server_name pinkcle.com www.pinkcle.com;
        root /usr/blog;

        # redirect everything to https
        rewrite ^(.*)$ https://$host$1 permanent;

        location / {
            sendfile on;
            try_files $uri $uri/ =404;
        }
    }

    # nginx server for the site's static files
    server {
        listen 443 ssl;

        ssl_certificate /etc/letsencrypt/live/pinkcle.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/pinkcle.com/privkey.pem;

        root /usr/blog;

        # Add index.php to the list if you are using PHP
        index index.html index.htm index.nginx-debian.html;

        server_name pinkcle.com www.pinkcle.com;

        location / {
            sendfile on;
            # First attempt to serve request as file, then
            # as directory, then fall back to displaying a 404.
            try_files $uri $uri/ =404;
        }
        location ^~ /blogdata/ {
            root /;
            sendfile on;
            try_files $uri $uri/ =404;
        }
    }

    # site API server
    server {
        # "listen ... ssl" replaces the deprecated "ssl on;" directive
        listen 443 ssl;

        ssl_certificate /etc/letsencrypt/live/api.pinkcle.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/api.pinkcle.com/privkey.pem;

        server_name api.pinkcle.com;

        location / {
            # avoid CORS problems: reflect the Origin only for the site's own hosts.
            # The pattern is fully anchored with escaped dots, so look-alike
            # hostnames do not receive credentialed CORS headers.
            if ($http_origin ~* "^https?://(www\.)?pinkcle\.com$") {
                add_header 'Access-Control-Allow-Origin' '$http_origin';
                add_header 'Access-Control-Allow-Methods' 'POST,GET,OPTIONS';
                add_header 'Access-Control-Allow-Headers' 'Origin,Authorization,Accept';
                add_header 'Access-Control-Allow-Credentials' 'true';
            }
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header Host $http_host;
            proxy_pass http://127.0.0.1:8080/api/;
        }
    }

Then restart nginx:

    sudo service nginx restart

Visit http://pinkcle.com and https://pinkcle.com in a browser, and you will see that the site now shows the secure indicator.
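The API server block reflects the request's Origin header together with Access-Control-Allow-Credentials, so the Origin pattern decides who may make credentialed cross-site calls. The following added example (not part of the original post) compares a loose pattern, with a leading `.*` and unescaped dots, against a fully anchored one. It assumes `grep -Ei` as a stand-in for nginx's case-insensitive `~*` match; the function names are hypothetical and the Origin values are constructed.

```shell
#!/bin/sh
# Added example: test Origin allow-list patterns before putting them in nginx.
# grep -Ei approximates nginx's `~*` (case-insensitive regex) for these patterns.

# Loose form: ".*" accepts any prefix, and "." matches any character.
LOOSE='^http(s)?://.*(www.)?pinkcle.com$'
# Anchored form: only the apex and www hosts, with literal dots.
STRICT='^https?://(www\.)?pinkcle\.com$'

# origin_allowed PATTERN ORIGIN -> exit status 0 if ORIGIN matches PATTERN
origin_allowed() {
    printf '%s\n' "$2" | grep -Eiq -- "$1"
}

# accepted_origins PATTERN -> prints each constructed sample origin the
# pattern would accept (and nginx would therefore echo back), one per line
accepted_origins() {
    while IFS= read -r origin; do
        if origin_allowed "$1" "$origin"; then
            printf '%s\n' "$origin"
        fi
    done <<'EOF'
https://pinkcle.com
https://www.pinkcle.com
http://pinkcle.com
https://notpinkcle.com
https://pinkcle-com.example
https://example.test.pinkcle.com
https://www.pinkclexcom
EOF
}

echo "loose pattern accepts:"
accepted_origins "$LOOSE"
echo "anchored pattern accepts:"
accepted_origins "$STRICT"
```

Any origin listed for a pattern beyond the site's own hosts would be able to read credentialed API responses from a visitor's browser, so the accepted list should contain only the hosts you serve.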