如何让网站服务可以免费使用 Https

安装 letsencrypt

sudo apt-get install letsencrypt  

生成证书

letsencrypt certonly --webroot -w /var/www/html/blog -d www.echo500.com  

certonly 表示只颁发证书

--webroot 表示自动验证域名

-w 表示网站目录 一个-w 可对应多个-d

-d 表示颁发证书的域名

该命令会在 /var/www/html/blog（命令中-w）下生成 .well-know\acme-challenge 目录，要保证此目录可以通过 http 访问到

nginx 配置（在/etc/nginx/sites-available 新建https.blog.you-tang.com文件）

server {

    listen   443 ssl;
    ssl on;
    ssl_certificate      /etc/letsencrypt/live/blog.you-tang.com/fullchain.pem;
    ssl_certificate_key  /etc/letsencrypt/live/blog.you-tang.com/privkey.pem;

    ssl_session_timeout 5m;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;

    server_name blog.you-tang.com;


    index index.php index.html index.htm;
    set $root_path '/data/wwwroot/project';
    root $root_path;
    location / {
           index  index.html index.htm index.php;
            #autoindex  on;

          if (!-e $request_filename) {
            rewrite  ^(.*)$  /index.php?s=/$1  last;
            break;
          }
     }

    location ~ \.php$ {
                fastcgi_pass unix:/run/php/php7.0-fpm.sock;
                #下面两句是给fastcgi权限，可以支持 ?s=/module/controller/action的url访问模式
                fastcgi_split_path_info  ^((?U).+\.php)(/?.+)$;
                fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
                #下面两句才能真正支持 index.php/index/index/index的pathinfo模式
                fastcgi_param  PATH_INFO  $fastcgi_path_info;
                fastcgi_param  PATH_TRANSLATED  $document_root$fastcgi_path_info;
                include        fastcgi_params;
    }

    location ~* ^/(css)/(.+)$ {
        root /var/www/html/blog/wp-includes/css;
    }
    location ~* ^/(js)/(.+)$ {
        root /var/www/html/blog/wp-includes/js;
    }

}

nginx 配置 http 重定向https (在 /etc/nginx/sites-available 新建 http.blog.you-tang.com 文件）

server {
        listen 80;

        server_name blog.you-tang.com;
        rewrite ^(.*) https://$server_name$1 permanent;

}

给这两个文件做个软连接

ln -s /etc/nginx/sites-available/https.blog.you-tang.com /etc/nginx/sites-enabled/https.blog.you-tang.com

ln -s /etc/nginx/sites-available/http.blog.you-tang.com /etc/nginx/sites-enabled/http.blog.you-tang.com

两个文件建立完成 输入nginx -t 检测 配置文件是否正常 正常在重启nginx

apache 配置

找到 apache 端口配置文件 ubuntu 是 /etc/apache2/ports.conf 进行如下设置 Listen 80

<IfModule ssl_module>
        Listen 443
</IfModule>

<IfModule mod_gnutls.c>
        Listen 443
</IfModule>

进入/etc/apache/sites-available vim default-ssl.conf 进行如下配置

<IfModule mod_ssl.c>
        <VirtualHost _default_:443>
                DocumentRoot /data/wwwroot/blog
                ServerName blog.you-tang.com
                ErrorLog ${APACHE_LOG_DIR}/error.log
                CustomLog ${APACHE_LOG_DIR}/access.log combined
                SSLEngine on
                SSLCertificateFile      /etc/letsencrypt/live/blog.you-tang.com/fullchain.pem
                SSLCertificateKeyFile  /etc/letsencrypt/live/blog.you-tang.com/privkey.pem
                <FilesMatch "\.(cgi|shtml|phtml|php)$">
                                SSLOptions +StdEnvVars
                </FilesMatch>
                <Directory /usr/lib/cgi-bin>
                                SSLOptions +StdEnvVars
                </Directory>
        </VirtualHost>
</IfModule>

输入 a2enmod ssl 指令开启apache ssl模块 重启apache 运行项目80 自动跳转 https .htaccess配置如下：

<IfModule mod_rewrite.c>
  Options +FollowSymlinks -Multiviews
  RewriteEngine On
  RewriteBase /
  RewriteCond %{SERVER_PORT} !^443$
  RewriteRule ^.*$ https://%{SERVER_NAME}%{REQUEST_URI} [L,R=301]
  RewriteCond %{REQUEST_FILENAME} !-d
  RewriteCond %{REQUEST_FILENAME} !-f
  RewriteRule ^(.*)$ index.php [L,E=PATH_INFO:$1]
</IfModule>

over!