The original

Since iOS is moving to block plain HTTP requests, take the time to add HTTPS support to the web services you just deployed.

Use Let’s Encrypt: free certificates, valid for 90 days and renewable indefinitely

Let’s Encrypt is a CA with a conscience: the price of a normal commercial CA is still prohibitive for individuals, whereas Let’s Encrypt issues certificates for free, each valid for 90 days.

Obtaining a certificate is also simple, as it provides a fully automated solution:

# directory Nginx will serve as the ACME webroot
mkdir /var/www/letsencrypt
sudo apt-get install certbot
sudo certbot certonly --webroot --agree-tos --no-eff-email --email [email protected] -w /var/www/letsencrypt -d app.airoubo.com

Once that command succeeds, the certificate has been issued.

Configure Nginx

Create the challenge directory:

sudo mkdir -p /var/www/letsencrypt/.well-known/acme-challenge

Create the file /etc/nginx/snippets/letsencrypt.conf and add:

# serve ACME HTTP-01 challenge files from the webroot used above
location ^~ /.well-known/acme-challenge/ {
        default_type "text/plain";
        root /var/www/letsencrypt;
}

Create the file /etc/nginx/snippets/ssl.conf and add:

# session resumption: server-side cache, no session tickets
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;

# TLS 1.2 only, forward-secret ECDHE suites with AES, server chooses the order
ssl_protocols TLSv1.2;
ssl_ciphers EECDH+AESGCM:EECDH+AES;
ssl_ecdh_curve secp384r1;
ssl_prefer_server_ciphers on;

# OCSP stapling (verified against ssl_trusted_certificate in the server block)
ssl_stapling on;
ssl_stapling_verify on;

# HSTS for about six months including subdomains, no framing, no MIME sniffing
add_header Strict-Transport-Security "max-age=15768000; includeSubdomains; preload";
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;

Modify the main Nginx configuration file for the site:

# the upstream component nginx needs to connect to
upstream django {
    server unix:///data/django/rouboApi/rouboapi.scok; # for a file socket
    # server 127.0.0.1:8001; # for a web port socket (we'll use this first)
}

# configuration of the server
server {
    # the port your site will be served on
    listen      80;
    # the domain name it will serve for
    server_name app.airoubo.com; # substitute your machine's IP address or FQDN
    include /etc/nginx/snippets/letsencrypt.conf;
    charset     utf-8;

    # max upload size
    client_max_body_size 75M;   # adjust to taste

    # Django media
    #location /media {
    # alias /path/to/your/mysite/media; # your Django project's media files - amend as required
    #}

    location /static {
        alias /data/django/rouboApi/static; # your Django project's static files - amend as required
    }

    # Finally, send all non-media requests to the Django server.
    location /roubo {
        uwsgi_pass  django;
        include     /etc/nginx/uwsgi_params; # the uwsgi_params file you installed
    }
}

## https

server {
    # the port your site will be served on
    listen      443 ssl http2;
    listen [::]:443 ssl http2;
    # the domain name it will serve for
    server_name app.airoubo.com; # substitute your machine's IP address or FQDN
    include /etc/nginx/snippets/letsencrypt.conf;
    charset     utf-8;

    ssl_certificate /etc/letsencrypt/live/app.airoubo.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/app.airoubo.com/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/app.airoubo.com/fullchain.pem;
    include /etc/nginx/snippets/ssl.conf;

    # max upload size
    client_max_body_size 75M;   # adjust to taste

    # Django media
    #location /media {
    # alias /path/to/your/mysite/media; # your Django project's media files - amend as required
    #}

    location /static {
        alias /data/django/rouboApi/static; # your Django project's static files - amend as required
    }

    # Finally, send all non-media requests to the Django server.
    location /roubo {
        uwsgi_pass  django;
        include     /etc/nginx/uwsgi_params; # the uwsgi_params file you installed
    }
}

After restarting Nginx, the service can be accessed over HTTPS.

Automatic renewal

Although each certificate is valid for only 90 days, unlimited renewals are supported, so we just have to renew it on a regular basis.

The certbot tool installed above covers this: man certbot shows a renew subcommand that renews the certificate, together with a --renew-hook option that runs a script after each successful renewal.

Create the script /etc/letsencrypt/renewhook.sh, which restarts Nginx so it picks up the renewed certificate:

#!/bin/bash
# reload the renewed certificate and key from /etc/letsencrypt/live/
service nginx restart

Add a crontab entry for root:

sudo crontab -e

Schedule the renewal to run at 08:00 on the 1st of each month:

00 8 1 * * certbot renew --noninteractive --renew-hook /etc/letsencrypt/renewhook.sh
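As an added example (not code from the original post or from certbot), the following Python script covers the two checks a practitioner would want after the ssl.conf snippet and the monthly cron entry above: whether the certificate is inside certbot's renewal window, and whether HTTPS responses actually carry the Strict-Transport-Security, X-Frame-Options and X-Content-Type-Options headers that ssl.conf adds. The functions work on constructed sample values so the file runs offline; the live check at the bottom uses only the standard-library ssl and http.client modules and runs only when a hostname is passed on the command line. The 30-day threshold is certbot's default renewal window; app.airoubo.com appears only as the sample hostname from the post.

```python
"""Post-deployment checks for a Let's Encrypt certificate behind Nginx.

Added example; not part of the original post. The functions below work on
constructed sample values so the file runs offline; the live check at the
bottom only runs when a hostname is given on the command line.
"""
import http.client
import ssl
import sys
from datetime import datetime, timezone

# certbot's default: a certificate is renewed once fewer than 30 days remain
RENEW_THRESHOLD_DAYS = 30

# Headers the ssl.conf snippet from the post adds to every HTTPS response
EXPECTED_HEADERS = {
    "strict-transport-security": "max-age=15768000; includeSubdomains; preload",
    "x-frame-options": "DENY",
    "x-content-type-options": "nosniff",
}


def parse_not_after(value):
    """Parse an expiry string as returned by ssl.getpeercert()['notAfter'] or
    by `openssl x509 -noout -enddate`, e.g. 'notAfter=Jun 12 10:00:00 2024 GMT'."""
    value = value.split("=", 1)[-1].strip()  # tolerate the 'notAfter=' prefix
    parsed = datetime.strptime(value, "%b %d %H:%M:%S %Y %Z")
    return parsed.replace(tzinfo=timezone.utc)


def days_remaining(not_after, now=None):
    """Whole days of validity left (negative once the certificate has expired)."""
    now = now or datetime.now(timezone.utc)
    return (not_after - now).days


def renewal_status(not_after, now=None):
    """'expired', 'renew' (inside certbot's renewal window) or 'ok'."""
    days = days_remaining(not_after, now)
    if days < 0:
        return "expired"
    if days < RENEW_THRESHOLD_DAYS:
        return "renew"
    return "ok"


def status_on(not_after_text, date_text):
    """(days left, status) for an expiry string as of an ISO date YYYY-MM-DD."""
    checked = datetime.fromisoformat(date_text).replace(tzinfo=timezone.utc)
    not_after = parse_not_after(not_after_text)
    return days_remaining(not_after, checked), renewal_status(not_after, checked)


def hsts_max_age(value):
    """Return the max-age directive of an HSTS header value, or None if absent."""
    for directive in value.split(";"):
        key, _, num = directive.strip().partition("=")
        if key.strip().lower() == "max-age" and num.strip().isdigit():
            return int(num)
    return None


def check_headers(headers):
    """Compare response headers (names case-insensitive) with EXPECTED_HEADERS.
    Returns a list of findings; an empty list means ssl.conf is in effect."""
    seen = {name.lower(): val.strip() for name, val in headers.items()}
    findings = []
    for name, expected in EXPECTED_HEADERS.items():
        actual = seen.get(name)
        if actual is None:
            findings.append(f"missing header {name}")
        elif actual.lower() != expected.lower():
            findings.append(f"{name}: got {actual!r}, expected {expected!r}")
    return findings


def live_check(host, port=443, path="/"):
    """Connect with a verifying TLS context (system trust store plus hostname
    check) and return (renewal status, header findings) for the server."""
    ctx = ssl.create_default_context()
    conn = http.client.HTTPSConnection(host, port, context=ctx, timeout=10)
    conn.request("HEAD", path)
    resp = conn.getresponse()
    not_after = parse_not_after(conn.sock.getpeercert()["notAfter"])
    findings = check_headers(dict(resp.getheaders()))
    conn.close()
    return renewal_status(not_after), findings


if __name__ == "__main__":
    if len(sys.argv) > 1:
        status, findings = live_check(sys.argv[1])  # e.g. app.airoubo.com
        print("certificate:", status)
        print("headers:", findings or "ok")
    else:
        # constructed sample: a certificate expiring 12 June 2024, checked on 1 May
        print(status_on("notAfter=Jun 12 10:00:00 2024 GMT", "2024-05-01"))
```

Run it with the site's hostname after the certbot and Nginx steps to confirm the chain validates and the headers are present; run it again after the first scheduled renewal to confirm the restart hook actually loaded the new certificate. Note that certbot renew does nothing until the certificate is within its 30-day window, so a status of "ok" right after a cron run is expected.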

Afterword

How CAs issue, distribute and manage certificates is worth understanding when there is time, even though it rarely comes up in day-to-day work. Documentation: Let’s Encrypt – Free SSL/TLS Certificates