preface
Differences between HTTP and HTTPS
- HTTP is the hypertext transfer protocol,
Data is transmitted in plain text on port 80
- HTTPS is the Secure version of HTTP. S stands for Secure. SSL encryption layer is established on the basis of HTTP
Data encrypted transmission, port 443
Benefits of upgrading HTTPS
- The biggest benefit of upgrading HTTPS in the first place
security
, to prevent data from being maliciously tampered with in transit, and for that reason alone, we should upgrade the site to HTTPS! - Secondly, websites based on HTTPS protocol will have
Higher indexed rankings
- And part of the
The browser will display an unsafe message for non-HTTPS websites, causing users to distrust the website!
The preparatory work
To upgrade the site to HTTPS, we need an SSL certificate, issued by a digital certificate Authority, that encrypts the server’s data transmission! At present, SSL certificates are issued by digital certificate authority such as GeoTrust and free version. The paid version is issued by digital certificate authority such as GeoTrust, which has higher security level, but is also expensive, suitable for “haogi company”. Then there are free versions, such as Let’s Encrypt digital certificate authority, which issues SSL certificates for free, and currently supports universal domain names. For small and medium-sized companies is undoubtedly the best choice.
May some partners say why not ali cloud free certificate, because Ali cloud only support single domain name, do not support multiple domain name and pan-domain name!!
Single domain
: An SSL certificate is valid for only one domain name, for exampleexample.com
And, forapi.example.com
It’s not protectedMany of the domain name
: One SSL certificate can protect multiple domain names, also known as secondary domain names,api.example
Yes, but if you want to add another domain name, you need to generate the certificate againGeneric domain name
: An SSL certificate protects all domain names, known as wildcard domain names,*
If yes is configured*.example.com
All secondary domain names are protected as long as they are in the DNS resolution record.
Let’s Encrypt generates an SSL certificate
Let’s Encrypt There are two common methods for generating certificates: cerbot and arme.sh. In this article, I use arme.sh because CERbot is always incompatible with Centos7 and Arme. sh is easy to install and supports automatic certificate updates!
Please switch to user root before performing the following operations.
Install the acme. Sh
Sh # installation script curl https://get.acme.sh | sh # reload source ~ /. BashrcCopy the code
The.acme.sh directory is generated in the /root directory
Generate a certificate
Acme. sh performs DNS verification by performing DNS resolution records of the current domain name. To perform this step, you need to obtain the authorization of the domain name registrar. Currently, Acme. sh supports Aliyun and Dnspod, etc.
Configure access_key and access_secret of Ali Cloud
Export Ali_Key="AccessKeyId" export Ali_Secret="AccessKeySecret" # Reload configuration source ~/.bashrcCopy the code
Generating a certificate:
- Replace example.com with your own domain name
- Because my server is ali Cloud, so I use DNS_ali, if you are Tencent cloud or others, please click the link above to go to the official website to see how to configure!!
acme.sh --issue --dns dns_ali -d example.come -d *.example.come
Copy the code
There’s a two-minute wait. You’re not stuck! , it will go to the DNS resolution domain…. After 2 minutes, a message indicating Cert Success is successful generates an example.com directory containing the certificate file under ~/.acme.sh, and looks below
Install the certificate
You may generate a cer is not pem, the problem is not big, their replacement suffix, normal configuration can be!! The difference between the two files can be understood by yourself!!
Now you need to install the certificate. Acme.sh provides installCert, which copies the certificate file to /etc/nginx/cert.d/ and automatically updates it. If you create /etc/nginx/cert.d/ or choose your preferred directory!
acme.sh --issue --dns dns_ali -d ygzb.xyz -d *.ygzb.xyz --installcert --key-file /etc/nginx/cert.d/example.com.key --fullchain-file /etc/nginx/cert.d/example.com.pem --reloadcmd "service nginx force-reload"
Copy the code
Configure nginx
Nginx: /etc/nginx/cert.d/ : /etc/nginx/cert.d/ : /etc/nginx/cert.d/ : /etc/nginx/cert.d/
server { listen 443 ssl; Server_name example.come example.come; # domain ssl_certificate "/ etc/nginx/cert. D/ygzb. Xyz. Pem"; # certificate ssl_certificate_key pem file "/ etc/nginx/cert. D/ygzb. Xyz. The key". Ssl_session_cache shared:SSL:1m; ssl_session_timeout 5m; ssl_ciphers HIGH:! aNULL:! MD5; ssl_prefer_server_ciphers on; server_name ~^(www\.) ? (. +) $; Location / {proxy_pass http://127.0.0.1:8080; # forward}}Copy the code
reference
This article refers to the following articles:
- Use acme.sh to deploy Let’s Encrypt to implement universal domain name HTTPS using Aliyun DNS authentication
- HTTPS upgrade series (1) popular science work before the upgrade
If you successfully upgrade to HTTPS after reading this article, please give it a thumbs up!