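Adding HTTPS support to your blog

Most personal blogs today use a free HTTPS certificate, and the most widely used source of free certificates is Let's Encrypt. It is backed by a number of large companies, for example Mozilla and Google.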

Installing Let's Encrypt (Ubuntu)

    sudo apt-get install certbot

Generating a certificate with Let's Encrypt

certbot usage

    certbot [subcommand] [options] [-d domain] [-d domain] ...

e.g.

    certbot certonly --standalone -d pinkcle.com -d www.pinkcle.com

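-d specifies a domain to issue the certificate for. --standalone makes certbot run its own temporary web server for domain validation, independent of any existing server.

For the full list of parameters, see: https://certbot.eff.org/docs/using.html#certbot-command-line-options

Note!!!: the domain you request a certificate for must resolve in DNS, otherwise generation will fail.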

When generation finishes, the key files for the domain are created under /etc/letsencrypt/live:

    /etc/letsencrypt/live/pinkcle.com/fullchain.pem
    /etc/letsencrypt/live/pinkcle.com/privkey.pem

If you have an API server or a subdomain, just substitute its name and generate again:

    certbot certonly --standalone -d api.pinkcle.com

    /etc/letsencrypt/live/api.pinkcle.com/fullchain.pem
    /etc/letsencrypt/live/api.pinkcle.com/privkey.pem

Then all that is left is to configure the keys in nginx.

The blog's nginx configuration is listed below.

    server {
        listen 80;
        server_name pinkcle.com www.pinkcle.com;
        root /usr/blog;

        # redirect to https
        rewrite ^(.*)$ https://$host$1 permanent;

        location / {
            sendfile on;
            try_files $uri $uri/ =404;
        }
    }

    # nginx server for the site's static files
    server {
        listen 443 ssl;

        ssl_certificate /etc/letsencrypt/live/pinkcle.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/pinkcle.com/privkey.pem;

        root /usr/blog;

        # Add index.php to the list if you are using PHP
        index index.html index.htm index.nginx-debian.html;

        server_name pinkcle.com www.pinkcle.com;

        location / {
            sendfile on;
            # First attempt to serve request as file, then
            # as directory, then fall back to displaying a 404.
            try_files $uri $uri/ =404;
        }
        location ^~ /blogdata/ {
            root /;
            sendfile on;
            try_files $uri $uri/ =404;
        }
    }

    # API server for the site
    server {
        # "listen 443 ssl" replaces the deprecated "ssl on" directive
        listen 443 ssl;

        ssl_certificate /etc/letsencrypt/live/api.pinkcle.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/api.pinkcle.com/privkey.pem;

        server_name api.pinkcle.com;

        location / {
            # avoid CORS problems: send the headers only for pinkcle.com and
            # its subdomains (host anchored and dots escaped, so other domains
            # that merely end in "pinkcle.com" do not match)
            if ( $http_origin ~* (^https?://([a-z0-9-]+\.)*pinkcle\.com$) ) {
                add_header 'Access-Control-Allow-Origin' '$http_origin';
                add_header 'Access-Control-Allow-Methods' 'POST,GET,OPTIONS';
                add_header 'Access-Control-Allow-Headers' 'Origin,Authorization,Accept';
                add_header 'Access-Control-Allow-Credentials' 'true';
            }
            proxy_set_header X-Real_IP $remote_addr;
            proxy_set_header Host $http_host;
            proxy_pass http://127.0.0.1:8080/api/;
        }
    }
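
The API server block above sends its CORS headers, including Access-Control-Allow-Credentials, only when the Origin header matches a regex, so that regex is worth testing before it goes live. The script below is an added example, not part of the original post: it checks two patterns of this kind against constructed origins, one with a wildcard before the domain and one with the host fully anchored. It assumes example.com as a placeholder domain and grep -Ei as a stand-in for nginx's ~* operator on these simple patterns.

```sh
#!/bin/sh
# Added example: audit an Origin allow-list regex before putting it in nginx.
# Assumption: grep -Ei stands in for nginx's case-insensitive "~*" operator,
# which holds for these simple patterns (no PCRE-only syntax).

# Wildcard before the domain, dots left unescaped (example.com is a placeholder).
LOOSE='^http(s)?://.*(www.)?example.com$'
# Host fully anchored: optional subdomain labels, literal dots.
STRICT='^https?://([a-z0-9-]+\.)*example\.com$'

# Constructed origins, one "expected-verdict origin" pair per line.
CASES='allow https://example.com
allow https://www.example.com
allow http://blog.example.com
deny https://notexample.com
deny https://www-example.com
deny https://example.com.other.test'

# origin_allowed PATTERN ORIGIN: exit 0 when the pattern accepts the origin.
origin_allowed() {
    printf '%s\n' "$2" | grep -Eiq -- "$1"
}

# audit PATTERN: print every case whose verdict differs from the expectation;
# exit status is 0 only when there are no mismatches.
audit() {
    bad=0
    while read -r expected origin; do
        if origin_allowed "$1" "$origin"; then got=allow; else got=deny; fi
        if [ "$got" != "$expected" ]; then
            printf 'MISMATCH %s: expected %s, got %s\n' "$origin" "$expected" "$got"
            bad=1
        fi
    done <<EOF
$CASES
EOF
    return "$bad"
}

for pattern in "$LOOSE" "$STRICT"; do
    printf 'pattern: %s\n' "$pattern"
    if audit "$pattern"; then echo 'OK: all verdicts as expected'; fi
done
```

Any MISMATCH line for a "deny" origin means the pattern would reflect that origin with credentials allowed.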

Then restart nginx:

    sudo service nginx restart

Open http://pinkcle.com and https://pinkcle.com in a browser and you will see that the site now shows the secure indicator.