From Installing an Nginx Server to Enabling HTTPS
I am Yomogi from 船井総研デジタル.
In this article I will cover installing Nginx on an Ubuntu virtual machine deployed on Azure (used as a web server) and enabling HTTPS on it with Let's Encrypt.
To enable HTTPS with Let's Encrypt you need a domain name that resolves to the virtual machine's public IP address. TCP port 80 must also be reachable from the Internet (open it in the VM's network security group), because certbot's nginx plugin proves control of the domain with an HTTP-01 challenge on that port; port 443 must be open for the HTTPS site itself.
You can obtain and configure the domain name at any registrar.
See this article for how to install Apache and enable HTTPS with it.
Installing Nginx
The package to install is nginx.
$ apt show nginx 2>/dev/null
Package: nginx
Version: 1.18.0-6ubuntu14.3
Priority: optional
Section: web
Origin: Ubuntu
Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
Original-Maintainer: Debian Nginx Maintainers <pkg-nginx-maintainers@alioth-lists.debian.net>
Bugs: https://bugs.launchpad.net/ubuntu/+filebug
Installed-Size: 50.2 kB
Depends: nginx-core (<< 1.18.0-6ubuntu14.3.1~) | nginx-full (<< 1.18.0-6ubuntu14.3.1~) | nginx-light (<< 1.18.0-6ubuntu14.3.1~) | nginx-extras (<< 1.18.0-6ubuntu14.3.1~), nginx-core (>= 1.18.0-6ubuntu14.3) | nginx-full (>= 1.18.0-6ubuntu14.3) | nginx-light (>= 1.18.0-6ubuntu14.3) | nginx-extras (>= 1.18.0-6ubuntu14.3)
Breaks: libnginx-mod-http-lua (<< 1.18.0-6ubuntu5)
Homepage: https://nginx.net
Download-Size: 3882 B
APT-Manual-Installed: yes
APT-Sources: http://azure.archive.ubuntu.com/ubuntu jammy-updates/main amd64 Packages
Description: small, powerful, scalable web/proxy server
Nginx ("engine X") is a high-performance web and reverse proxy server
created by Igor Sysoev. It can be used both as a standalone web server
and as a proxy to reduce the load on back-end HTTP or mail servers.
.
This is a dependency package to install either nginx-core (by default),
nginx-full, nginx-light or nginx-extras.
I'll install it right away.
$ sudo apt install -y nginx
After installation, you can see that Nginx is listening on TCP port 80.
$ sudo ss -tlnp | grep :80
LISTEN 0 511 0.0.0.0:80 0.0.0.0:* users:(("nginx",pid=2783,fd=6),("nginx",pid=2780,fd=6))
LISTEN 0 511 [::]:80 [::]:* users:(("nginx",pid=2783,fd=7),("nginx",pid=2780,fd=7))
$ curl http://127.0.0.1/ 2>/dev/null | grep title
<title>Welcome to nginx!</title>

Enabling HTTPS
To enable HTTPS, first set the server name in the Nginx site configuration and reload Nginx. The server_name must be the domain that resolves to the VM, because certbot's nginx plugin locates the server block to modify by matching it; run sudo nginx -t before the reload so a typo cannot take the site down.
$ grep server_name /etc/nginx/sites-available/default | grep -v '#'
server_name www.example.com;
$ sudo systemctl reload nginx
Next, install Certbot together with its nginx plugin.
$ sudo apt install -y certbot python3-certbot-nginx
Once Certbot is installed, you can obtain a certificate. You will be asked a few questions along the way.
$ sudo certbot --nginx
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Enter email address (used for urgent renewal and security notices)
(Enter 'c' to cancel): username@example.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.3-September-21-2022.pdf. You must
agree in order to register with the ACME server. Do you agree?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let's Encrypt project and the non-profit organization that
develops Certbot? We'd like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y or N
Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: example.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1
---snip---
Looking at the ports Nginx listens on at this point, you can confirm that it is now listening on TCP port 443 as well.
$ sudo ss -tlnp | grep nginx
LISTEN 0 511 0.0.0.0:80 0.0.0.0:* users:(("nginx",pid=3483,fd=6),("nginx",pid=2780,fd=6))
LISTEN 0 511 0.0.0.0:443 0.0.0.0:* users:(("nginx",pid=3483,fd=12),("nginx",pid=2780,fd=12))
LISTEN 0 511 [::]:80 [::]:* users:(("nginx",pid=3483,fd=7),("nginx",pid=2780,fd=7))
LISTEN 0 511 [::]:443 [::]:* users:(("nginx",pid=3483,fd=11),("nginx",pid=2780,fd=11))
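The server blocks below are an added illustration, not the configuration certbot wrote on the author's machine. They show the shape certbot --nginx leaves behind (the ssl_certificate paths under /etc/letsencrypt/live/example.com/, the options-ssl-nginx.conf include and the ssl_dhparam line) together with two things a practitioner usually adds by hand: an acme-challenge location served over plain HTTP before the redirect, so that renewal also works through --webroot-path, and an HSTS header. The domain example.com, the document root /var/www/html and the redirect target are assumptions taken from the names used on this page.

```nginx
# Added example: hardened HTTP and HTTPS server blocks for the site set up
# on this page. Domain and paths are assumed from the page's own names.

# Plain HTTP: answer ACME HTTP-01 challenges, redirect everything else.
server {
    listen 80;
    listen [::]:80;
    server_name example.com;

    # Must be reachable over plain HTTP before the redirect, otherwise a
    # renewal run with --webroot-path /var/www/html/ cannot be validated.
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/html;
        default_type "text/plain";
    }

    # Redirect to the fixed hostname rather than $host, so a crafted Host
    # header cannot turn this into an open redirect.
    location / {
        return 301 https://example.com$request_uri;
    }
}

# HTTPS: certificate and key as laid out by certbot.
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name example.com;
    root /var/www/html;

    # fullchain.pem contains the leaf plus the Let's Encrypt intermediate.
    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    # TLS protocol and cipher settings maintained by certbot.
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

    # Not written by certbot: keep browsers on HTTPS for two years and
    # stop advertising the nginx version in headers and error pages.
    add_header Strict-Transport-Security "max-age=63072000" always;
    server_tokens off;
}
```

After editing, run sudo nginx -t before sudo systemctl reload nginx, then confirm the redirect with curl -I http://example.com/ (expect a 301 to https://example.com/) and the TLS setup with curl -I https://example.com/ (expect the Strict-Transport-Security header).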

Setting up automatic certificate renewal

Let's Encrypt certificates are valid for 90 days. I therefore set the certificate to be renewed at 07:00 on the 1st of every odd month (that is, every two months) and Nginx to be reloaded afterwards.
Concretely, add the following to cron. The line is in /etc/crontab or /etc/cron.d format, where a user field precedes the command; the five time fields are minute, hour, day of month, month and day of week, so "the 1st of every odd month" needs both a day-of-month field of 1 and a month field of 1,3,5,7,9,11:
0 7 1 1,3,5,7,9,11 * root /usr/bin/certbot renew --webroot-path /var/www/html/ --post-hook "/usr/bin/systemctl reload nginx" > /root/certbot-renew.execlog 2>&1
Two caveats before relying on this. First, certbot renew only renews a certificate that is within 30 days of expiry (its default renew_before_expiry), so a job that fires on one fixed day every two months can land outside that window and leave the certificate to expire before the next run; Let's Encrypt recommends running certbot renew at least daily, and on Ubuntu the certbot package already installs a systemd timer (certbot.timer) that runs it twice a day, so check systemctl list-timers certbot.timer before adding a cron entry of your own. Second, --webroot-path only matters when renewal uses the webroot authenticator; a certificate obtained with certbot --nginx is renewed with the nginx plugin recorded in /etc/letsencrypt/renewal/. The --post-hook runs after every attempt, whether or not anything was renewed; --deploy-hook runs only when a certificate was actually replaced.
You can test the renewal as follows. The --dry-run option performs the whole renewal against Let's Encrypt's staging environment without replacing the installed certificate, so it exercises the challenge path and the hooks safely.
$ sudo certbot renew --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/example.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Simulating renewal of an existing certificate for example.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations, all simulated renewals succeeded:
/etc/letsencrypt/live/example.com/fullchain.pem (success)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Note that Nginx's content (the document root) lives under /var/www/html.
I have covered how to install Nginx on Ubuntu and enable HTTPS with Let's Encrypt.
For deploying an Ubuntu virtual machine on Azure, and for installing Apache on Ubuntu with HTTPS support, see the respective articles.
Thank you very much for reading to the end.