instalacja pakietu:
# Install the Let's Encrypt ACME client. On newer Debian/Ubuntu releases the
# package is usually called `certbot` and `letsencrypt` is only a transitional
# package — check with `apt-cache policy letsencrypt certbot` before relying on it.
apt-get install letsencrypt
konfiguracja nginx:
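# Plain-HTTP vhost whose only job is to answer the ACME HTTP-01 challenge.
# The `-w` webroot passed to `letsencrypt certonly` must be the same
# directory as `root` here, otherwise the challenge file is not found.
server {
    listen 80;
    server_name example.craftsoft.eu;
    root /var/www/html/;

    # Original used the regex `~ /.well-known/acme-challenge`, which was
    # unanchored and left the `.` unescaped (it matched any character).
    # A `^~` prefix match is exact and also stops later regex locations
    # from shadowing the challenge path.
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/html/;
        allow all;
    }
}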
restart nginx:
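# Validate the configuration before restarting: a bare `service nginx restart`
# with a syntax error in the new server block leaves nginx stopped.
nginx -t && service nginx restart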
wygenerowanie certyfikatu i klucza:
# Request a certificate using the HTTP-01 webroot method: the client writes
# the challenge file under <webroot>/.well-known/acme-challenge/, so `-w`
# must match the `root` of the acme-challenge location (/var/www/html/).
# --agree-tos accepts the CA's terms non-interactively; --email is the
# contact address for expiry/revocation notices.
# On success the files end up in /etc/letsencrypt/live/example.craftsoft.eu/.
letsencrypt certonly --webroot --agree-tos --email admin@example.pl -d example.craftsoft.eu -w /var/www/html/
w katalogu /etc/letsencrypt/live/example.craftsoft.eu/ powstają dwa pliki PEM:
fullchain.pem privkey.pem
na końcu dopisujemy do konfiguracji nginx:
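# TLS directives to add to the HTTPS server block once the certificate exists.
# fullchain.pem = leaf + intermediate(s); privkey.pem = the private key
# (keep it readable by the nginx master process only).
ssl_certificate /etc/letsencrypt/live/example.craftsoft.eu/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/example.craftsoft.eu/privkey.pem;

# The original list contained suite names that do not exist in OpenSSL
# (e.g. *-AES128-GCM-SHA384, *-AES128-SHA128, *-SHA128 — an AES256/SHA256
# search-and-replace gone wrong). OpenSSL silently skips unknown names, so
# the effective list was far shorter than intended. The names below are
# real: ECDHE/DHE (forward secrecy) and AES-GCM first, CBC fallbacks after.
# 3DES suites (SWEET32) are removed explicitly via !3DES.
ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4";

# TLS 1.0 and 1.1 are deprecated (RFC 8996) and were dropped from the
# original `TLSv1 TLSv1.1 TLSv1.2`. Add TLSv1.3 here if the nginx/OpenSSL
# build in use supports it.
ssl_protocols TLSv1.2;
ssl_session_cache builtin:1000 shared:SSL:10m;
ssl_prefer_server_ciphers on;

# HSTS for one year. `always` makes nginx send the header on error
# responses as well, not only on 2xx/3xx.
add_header Strict-Transport-Security "max-age=31536000" always;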
restart nginx:
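# Validate the configuration before restarting: a bare `service nginx restart`
# with a typo in the TLS directives (or an unreadable key file) leaves nginx
# stopped, which takes the port-80 vhost down as well.
nginx -t && service nginx restart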
i mamy podpisany certyfikat akceptowany przez przeglądarki itd.
przykładowa konfiguracja SSL:
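# HTTPS front end that terminates TLS and reverse-proxies to a local
# backend on 127.0.0.1:9999 (WebSocket-capable via the Upgrade headers).
server {
    # Original had `listen 443;` without the `ssl` parameter: nginx then
    # speaks plain HTTP on port 443 and never performs a TLS handshake,
    # even though ssl_* directives are present.
    listen 443 ssl;
    server_name craftsoft.eu;
    error_log /var/log/nginx/craftsoft.log;

    ssl_certificate /etc/letsencrypt/live/craftsoft.eu/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/craftsoft.eu/privkey.pem;

    # Real OpenSSL suite names replace the non-existent ones of the original
    # (*-AES128-GCM-SHA384, *-SHA128 etc., which OpenSSL silently ignores);
    # 3DES (SWEET32) is excluded explicitly.
    ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4";
    # TLS 1.0/1.1 are deprecated (RFC 8996); add TLSv1.3 if the build supports it.
    ssl_protocols TLSv1.2;
    ssl_session_cache builtin:1000 shared:SSL:10m;
    ssl_prefer_server_ciphers on;
    # HSTS for one year, also on error responses.
    add_header Strict-Transport-Security "max-age=31536000" always;

    location / {
        proxy_pass http://127.0.0.1:9999/;
        proxy_http_version 1.1;
        # Pass WebSocket upgrade through to the backend.
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        # Original used the misspelled `X-Forward-For` / `X-Forward-Proto`
        # and hard-coded `http` as the proto even though this vhost is TLS,
        # so a backend generating absolute URLs or Secure cookies would see
        # a plain-HTTP request. The standard names and $scheme are used;
        # if the backend really expects the old spelling, verify before
        # removing it.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Nginx-Proxy true;
        proxy_redirect off;
    }
}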