Title: 10 minutes to open the whole website HTTPS
- https
- ubuntu
Lasted more than a month for the record, today received SMS finally came down.
Part 1 hydrology, roughly documented as a front end using Gitlab.com using Gitlab-CI to enable CI automated deployment. Front-end gitLab’s initial ATTEMPT at CI. This article will begin by documenting how I turned on HTTPS.
What is HTTPS?
What HTTPS is is not the focus of this article, so I will skip it, and the benefits of HTTPS are not covered in detail here.
What is Let’s Encrypt?
When deploying HTTPS websites, a certificate is required and issued by the CA. Most traditional CA organizations charge for issuing certificates, which is not conducive to promoting HTTPS. Let’s Encrypt is also a CA institution, but this CA institution is free!! This means that there is no charge for issuing the certificate.
What is a full-site HTTPS, or wildcard certificate?
A domain name wildcard certificate is similar to the universal domain name concept of DNS resolution. A wildcard certificate means that a certificate can contain a wildcard. Wildcard certificates issued by the primary domain can be used in all subdomains, such as.example.com, bbs.example.com, bbs.example.com. On March 14, 2018, Let’s Encrypt announced that ACME V2 has officially supported wildcard certificates. This means that users can apply for wildcard supported SSL certificates free of charge on Let’s Encrypt. In the past, you had to apply for a separate certificate for each domain name. This means that you can now use the *.example.com certificate to implement HTTPS for the whole site.
The following article is a simple record of my site-wide HTTPS start steps, 10 minutes can be done, first from the blog subdomain.
Start the configuration
The preparatory work
1. A top-level domain name: Peiqixin.com# I'm using here2. An independent cloud server# WHAT I use here is my small water pipe, the wool I used in Tencent Cloud before, the server costs 360 yuan for 6 years, and the server system I use here is Ubuntu
Copy the code
All of the following operations will be performed on your server (mine is Ubuntu 16.04), as well as on other systems.
Add a blog domain name resolution
Download Nginx
Install nginx. Skip this step if you already have it installed.
sudo apt-get update
sudo apt-get install nginx
Copy the code
If you do not know the basic operation and configuration of nginx, it is recommended to learn the basic configuration of nginx, such as how to start a Web server, the basic operation and configuration of nginx (not required).
Download the Certbot client
sudo add-apt-repository ppa:certbot/certbot
sudo apt-get update
sudo apt-get install python-certbot-nginx
Copy the code
When you install it, you just press Enter.
Get Let’s Encrypt certificate
Cerbot provides nginx configuration to help us reconfigure our previous Nginx configuration so that we can use the SSL certificates we are about to get.
My domain name is Peiqixin.com. Change this to the domain name you want to configure
sudo certbot --server https://acme-v02.api.letsencrypt.org/directory --manual --preferred-challenges dns --installer nginx -d *.peiqixin.com -d peiqixin.com
Copy the code
And then you have to go all the way and you have to go all the way.
But pay attention to this step, so don’t continue entering for the moment
Please copy this token. Open your domain name provider, which is where you bought the domain name. Add a domain name resolution.
Record selection select TXT host record fill in _ACme-Challenge record value fill in the token you saved just now
After clicking Save, the Certbot client will determine if you have added the parse correctly.
If parsing is added correctly. The following
Which server blocks would you like to modify? ------------------------------------------------------------------------------- 1: File: /etc/nginx/sites-enabled/default Addresses: [::]:80 default_server, 80 default_server Names: _ HTTPS: No ... ------------------------------------------------------------------------------- Select the appropriate numbers separated by commas and/or spaces, or leave input blank to select all options shown (Enter'c' to cancel):
Copy the code
A list of server blocks in the Nginx configuration is presented for you to choose which server blocks to deploy the certificate to. I don’t need it anyway, so cancel, c, enter.
The following
Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
-------------------------------------------------------------------------------
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
Copy the code
This step lets you choose whether to redirect HTTP traffic to the recommended HTTPS. Since it is site-wide HTTPS, all access should go to HTTPS, and press 2, Enter. To provide the same list as in the previous stage, type C and press Enter to continue.
Next, when you see the following section, you are configured.
Please put the
/etc/letsencrypt/live/peiqixin.com/fullchain.pem
/etc/letsencrypt/live/peiqixin.com/privkey.pem
Copy the code
Write down these two addresses
Configure nginx
sudo nginx -t
Copy the code
Find the address of your nginx configuration file
sudo mkdir conf.d # create a directory to configure nginx. It is not possible to write all the configuration in one file, and it is not easy to maintain later
Copy the code
Add it to the HTTP module of the nginx default configuration file nginx.conf
include /etc/nginx/conf.d/*.conf; Import all configuration files
Copy the code
Conf in the conf.d folder. Create a master configuration file that listens on port 80 and forwards requests.
server {
listen 80;
server_name peiqixin.com www.peiqixin.com blog.peiqixin.com;
rewrite ^(.*) https://$host permanent;
}
Copy the code
Create an HTTPS configuration file. Create each domain name configuration file to listen on port 443 (can be separated by domain name, can also write in a file, I write in a file for convenience)
server {
listen 443;
server_name peiqixin.com www.peiqixin.com;
ssl on;
ssl_certificate /etc/letsencrypt/live/peiqixin.com/fullchain.pem; This is the address you need to record in the last step of configuring CertBotssl_certificate_key /etc/letsencrypt/live/peiqixin.com/privkey.pem; ssl_session_cache shared:SSL:10m; ssl_session_timeout 5m; ssl_ciphers HIGH:! aNULL:! MD5; ssl_prefer_server_ciphers on; location / { root /home/ubuntu/blog;The static HTML, JS, and CSS generated by the Hexo blog generator are all in this fileindex index.html index.htm; } } server { listen 443; server_name blog.peiqixin.com; ssl on; ssl_certificate /etc/letsencrypt/live/peiqixin.com/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/peiqixin.com/privkey.pem; ssl_session_cache shared:SSL:10m; ssl_session_timeout 5m; ssl_ciphers HIGH:! aNULL:! MD5; ssl_prefer_server_ciphers on; location / { root /home/ubuntu/blog; index index.html index.htm; }}Copy the code
Exit the save. Check the nginx configuration for syntax errors
sudo nginx -t
Copy the code
Restart the nginx
Visit blog.peiqixin.com
peiqixin.com
Next I want to add an api.peiqixin.com domain name HTTPS. Repeat the first and last steps above and you will see the small green lock next to the api.Peiqixin.com domain name.
Update the certificate
Because the HTTPS certificate has a 3-month expiration date, and at that point, letsEncrypt will send you an email telling you that your certificate is about to expire. At this point you can rearrange the certificate yourself. (You could also write a timing script, but that’s not the focus of this article, and I didn’t write one.)
Renew // sudo certbot --force-renew sudo certbot --force-renewCopy the code
The resources
- Certbot website
- how-to-deploy-wildcard-ssl-certificates-using-lets-encrypt
- Nginx configure multiple domain names from HTTP to HTTPS