Install letsencrypt
sudo apt-get install letsencrypt
Generate the certificate
letsencrypt certonly --webroot -w /var/www/html/blog -d www.echo500.com
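certonly means only obtain the certificate
--webroot means the domain is validated automatically
-w is the website directory; one -w can correspond to multiple -d
-d is the domain the certificate is issued for
This command creates a .well-known/acme-challenge directory under /var/www/html/blog (the -w in the command); make sure this directory is reachable over HTTP
nginx configuration (create a file named https.blog.you-tang.com in /etc/nginx/sites-available)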
server {
    listen 443 ssl;
    # "ssl on;" is not needed: "listen 443 ssl" already enables TLS (the ssl directive was removed in nginx 1.25.1)
    ssl_certificate /etc/letsencrypt/live/blog.you-tang.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/blog.you-tang.com/privkey.pem;
    ssl_session_timeout 5m;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
    # TLSv1 and TLSv1.1 are deprecated (RFC 8996); add TLSv1.3 if your nginx and OpenSSL versions support it
    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers on;
    server_name blog.you-tang.com;
    index index.php index.html index.htm;
    set $root_path '/data/wwwroot/project';
    root $root_path;
    location / {
        index index.html index.htm index.php;
        #autoindex on;
        if (!-e $request_filename) {
            rewrite ^(.*)$ /index.php?s=/$1 last;
            break;
        }
    }
    location ~ \.php$ {
        fastcgi_pass unix:/run/php/php7.0-fpm.sock;
        # The next two lines let fastcgi support the ?s=/module/controller/action URL style
        fastcgi_split_path_info ^((?U).+\.php)(/?.+)$;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        # The next two lines are what actually enable the index.php/index/index/index pathinfo style
        fastcgi_param PATH_INFO $fastcgi_path_info;
        fastcgi_param PATH_TRANSLATED $document_root$fastcgi_path_info;
        include fastcgi_params;
    }
    location ~* ^/(css)/(.+)$ {
        root /var/www/html/blog/wp-includes/css;
    }
    location ~* ^/(js)/(.+)$ {
        root /var/www/html/blog/wp-includes/js;
    }
}
nginx configuration to redirect HTTP to HTTPS (create a file named http.blog.you-tang.com in /etc/nginx/sites-available)
server {
    listen 80;
    server_name blog.you-tang.com;
    rewrite ^(.*) https://$server_name$1 permanent;
}
Create symlinks for these two files
ln -s /etc/nginx/sites-available/https.blog.you-tang.com /etc/nginx/sites-enabled/https.blog.you-tang.com
ln -s /etc/nginx/sites-available/http.blog.you-tang.com /etc/nginx/sites-enabled/http.blog.you-tang.com
Once both files are in place, run nginx -t to check that the configuration is valid; if it is, restart nginx
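nginx -t only checks syntax. As an added example (not part of the original post), this shell check flags legacy TLS settings in a server block: the obsolete ssl on directive, deprecated versions in ssl_protocols, and weak keywords left un-negated in ssl_ciphers. The function name audit_nginx_tls and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original page. audit_nginx_tls is a
# hypothetical helper name; the sample config below is constructed.

# audit_nginx_tls FILE: print one finding per line for legacy TLS settings.
audit_nginx_tls() {
    # Drop comments so commented-out directives are ignored.
    active=$(sed 's/#.*//' "$1")

    # "ssl on;" was deprecated in nginx 1.15.0 and removed in 1.25.1;
    # "listen 443 ssl;" already enables TLS on the socket.
    if printf '%s\n' "$active" | grep -Eq '^[[:space:]]*ssl[[:space:]]+on[[:space:]]*;'; then
        echo "obsolete directive: ssl on"
    fi

    # RFC 8996 deprecates TLS 1.0/1.1; SSLv2/SSLv3 were prohibited earlier
    # (RFC 6176, RFC 7568). Split the directive's value into one token per line.
    protos=$(printf '%s\n' "$active" |
        sed -n 's/^[[:space:]]*ssl_protocols[[:space:]]\{1,\}//p' | tr -s ' \t;' '\n\n\n')
    for p in SSLv2 SSLv3 TLSv1 TLSv1.1; do
        if printf '%s\n' "$protos" | grep -qxF "$p"; then
            echo "deprecated protocol enabled: $p"
        fi
    done

    # Cipher keywords that should only appear negated (!KEYWORD) in ssl_ciphers.
    ciphers=$(printf '%s\n' "$active" |
        sed -n 's/^[[:space:]]*ssl_ciphers[[:space:]]\{1,\}//p' | tr -s ' \t;:' '\n\n\n\n')
    for c in NULL aNULL eNULL EXPORT DES 3DES RC4 MD5 ADH; do
        if printf '%s\n' "$ciphers" | grep -qxF "$c"; then
            echo "weak cipher keyword not negated: $c"
        fi
    done
}

# Constructed sample: the TLS directives of a server block.
sample=$(mktemp)
cat > "$sample" <<'EOF'
server {
    listen 443 ssl;
    ssl on;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4;
}
EOF
audit_nginx_tls "$sample"
rm -f "$sample"
```

The check matches cipher keywords only, not individual suite names, so it complements a review of the full cipher string.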
apache configuration
Find the apache port configuration file (on Ubuntu it is /etc/apache2/ports.conf) and set it as follows:
Listen 80
<IfModule ssl_module>
    Listen 443
</IfModule>
<IfModule mod_gnutls.c>
    Listen 443
</IfModule>
Go to /etc/apache2/sites-available, open default-ssl.conf with vim, and configure it as follows
<IfModule mod_ssl.c>
    <VirtualHost _default_:443>
        DocumentRoot /data/wwwroot/blog
        ServerName blog.you-tang.com
        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
        SSLEngine on
        SSLCertificateFile /etc/letsencrypt/live/blog.you-tang.com/fullchain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/blog.you-tang.com/privkey.pem
        <FilesMatch "\.(cgi|shtml|phtml|php)$">
            SSLOptions +StdEnvVars
        </FilesMatch>
        <Directory /usr/lib/cgi-bin>
            SSLOptions +StdEnvVars
        </Directory>
    </VirtualHost>
</IfModule>
Run a2enmod ssl to enable the apache SSL module, then restart apache. To make requests on port 80 redirect to HTTPS automatically, configure .htaccess as follows:
<IfModule mod_rewrite.c>
    Options +FollowSymlinks -Multiviews
    RewriteEngine On
    RewriteBase /
    RewriteCond %{SERVER_PORT} !^443$
    RewriteRule ^.*$ https://%{SERVER_NAME}%{REQUEST_URI} [L,R=301]
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteRule ^(.*)$ index.php [L,E=PATH_INFO:$1]
</IfModule>
over!