Using Let's Encrypt with nginx in Ubuntu

發表於 | 分類於

使用 certbot 在 Ubuntu 上產生 Let’s Encrypt 的憑證,並套用到 Nginx 上

Nginx 設定的部分可以參考這個工具 https://nginxconfig.io/

Generate a stronger DHE parameter

1
openssl dhparam -out /etc/ssl/certs/dhparam.pem 4096

File /etc/nginx/snippets/ssl-dev.gclin.org.conf

1
2
ssl_certificate /etc/letsencrypt/live/dev.gclin.org/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/dev.gclin.org/privkey.pem;

File /etc/nginx/snippets/ssl-params.conf

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
# from https://cipherli.st/
# and https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
ssl_ecdh_curve secp384r1;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
# Disable preloading HSTS for now.  You can use the commented out header line that includes
# the "preload" directive if you understand the implications.
#add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;

ssl_dhparam /etc/ssl/certs/dhparam.pem;

Install Certbot

1
2
3
4
5
apt update
apt install software-properties-common
add-apt-repository ppa:certbot/certbot
apt update
apt install certbot

Obtaining an SSL Certificate

1
certbot certonly --webroot -w /var/www/html -d dev.gclin.org

File /etc/nginx/sites-available/dev.gclin.org

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
server {
   listen 80;
   listen [::]:80;

   server_name dev.gclin.org;
   return 301 https://$server_name$request_uri;
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

   server_name dev.gclin.org;
   include snippets/ssl-dev.gclin.org.conf;
   include snippets/ssl-params.conf;

   root /DevEnv/web/dev.gclin.org/public;
   index index.php index.html index.htm index.nginx-debian.html;

   location / {
      # First attempt to serve request as file, then
      # as directory, then fall back to displaying a 404.
      try_files $uri $uri/ /index.php?$query_string;
   }

   location ~ \.php$ {
      include snippets/fastcgi-php.conf;
      fastcgi_pass unix:/run/php/php7.1-fpm.sock;
   }

   location ~ /\.ht {
      deny all;
   }
}

Reference