使用https,并将WWW跳转到NONWWW

0x01: 背景

博客经常不更新&＃xff0c;服务器还时不时挂掉一次&＃xff0c;导致 PageRank 基本是负的了&＃xff0c;不过技术上要跟的上更新啊! 微信小程序接口必须是 https, 这次就当是练手了。

0x02: 整体思路流程

确保自己的域名解析全部是 A 记录
使用 Let&＃39;s Encrypt 证书&＃xff0c; Certbot 安装证书
使用 Crontab 自动 Renew 证书
配置 Nginx ,SSL Server
将 HTTP 跳转到 HTTPS , 将 WWW 跳转到 NON-WWW
用检测工具检测一下自己 HTTPS 的评级

0x03: 检查自己的域名解析是否是A记录

刚开始使用 Certbot 安装证书的时候&＃xff0c;老是报错&＃xff0c;经过搜索发现&＃xff0c;原来自己的域名有 CNAME 解析的。所以在安装证书钱&＃xff0c;请确保自己的域名都是A记录解析

0x04: 使用免费的 Let&＃39;s Encrypt 证书

关于免费的证书&＃xff0c;这里有其他选项可供选择&＃xff1a;

阿里云免费的 : Symantec 证书
Let&＃39;s Encrypt &＃xff1a;免费证书
一站式解决方案&＃xff1a; cloudflare

根据 Lets&＃39; Encrypt 官网说明&＃xff0c;我们使用推荐的 Certbot 安装我们的证书。当然你也可以选择 acme-tiny 来安装证书。
我的服务器环境是 CentOS 7 和 Nginx/1.10.1&＃xff0c; 这里强烈推荐大家将Nginx 升级到最新的版本&＃xff0c;新版本在SSL配置上比较省事。

//安装Certbot sudo yum install certbot//安装命令很简单&＃xff0c; -w 后面跟网站根目录&＃xff0c; -d 就是你要添加证书的域名&＃xff0c;如果有多个域名&＃xff0c;多个-d就可以了 certbot certonly --webroot -w /var/www/example -d example.com -d www.example.com

如果顺利&＃xff0c;他会提示出安装成功&＃xff0c;证书会保存在 /etc/letsencrypt/live/example.com/ 里面。

0x05: 使用 Crontab 定时Renew 证书

因为是免费证书&＃xff0c; 所以有一个有效期是90天&＃xff0c;到期之后需要 Renew 一下。官方推荐是每天检查用任务 Renew 两次&＃xff0c;因为如果证书没过期&＃xff0c;他就只是检测一下&＃xff0c;并不会做其他操作。这里我们设置的定时任务是每天检查一次。

$ crontab -e10 6 * * * certbot renew --quiet//列出任务看看是否添加成功 $ crontab -l

0x06: 配置NGINX&＃xff0c; SSL Server

节约生命&＃xff0c;请使用神器&＃xff1a; Mozilla出品的 SSL配置生成器
使用生成器需要填写 nginx 和 openssl 版本&＃xff0c; 用下面命令进行查看

//查看nginx版本 nginx -v //查看openssl 版本 yum info openssl //如果需要更新openssl yum update openssl

下面就是我生成的配置&＃xff08;nginx: 1.10.1, openssl: 1.0.1e&＃xff09;

server {server_name example.com wwww.example.com;# Redirect all HTTP requests to HTTPS with a 301 Moved Permanently response.return 301 https://example.com$request_uri; }server {listen 443 ssl http2;listen [::]:443 ssl http2;# certs sent to the client in SERVER HELLO are concatenated in ssl_certificatessl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;ssl_trusted_certificate /etc/letsencrypt/live/example.com/chain.pem;ssl_session_timeout 1d;ssl_session_cache shared:SSL:50m;ssl_session_tickets off;# Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bitsssl_dhparam /etc/letsencrypt/live/example.com/dhparam.pem;# intermediate configuration. tweak to your needs.ssl_protocols TLSv1 TLSv1.1 TLSv1.2;ssl_ciphers &＃39;ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS&＃39;;ssl_prefer_server_ciphers on;# HSTS (ngx_http_headers_module is required) (15768000 seconds &＃61; 6 months)add_header Strict-Transport-Security max-age&＃61;15768000;# OCSP Stapling ---# fetch OCSP records from URL in ssl_certificate and cache themssl_stapling on;ssl_stapling_verify on;## verify chain of trust of OCSP response using Root CA and Intermediate certs#ssl_trusted_certificate /path/to/root_CA_cert_plus_intermediates;#resolver ;server_name example.com;index index.html;root /home/wwwroot/example.com;location ~ .*\.(ico|gif|jpg|jpeg|png|bmp|swf)${access_log off;expires 1d;}location ~ .*\.(js|css|txt|xml)?${access_log off;expires 12h;}location / {try_files $uri $uri/ &＃61;404;}access_log /home/wwwlogs/example.com.log access; }

上面配置的第一个 Server 将所有的 http 请求跳转到 https 请求上。其中 ssl_dhparam 这个参数的 .pem 用下面命令生成&＃xff1a;

openssl dhparam -out /etc/letsencrypt/live/example.com/dhparam.pem 2048

现在加上https看一下效果吧&＃xff01;

0x07: 将WWW跳转到NON-WWW

为了SEO,网站使用 WWW 前缀&＃xff0c;或者全部不使用 WWW,要实现的效果就是将下面三种情况&＃xff0c;
统统跳转到 https://example.com

http://example.com http://www.example.com https://www.example.com

0x06中的配置&＃xff0c;第一个 server 已经将处理好钱两种情况&＃xff0c; 现在来处理第三种情况。
这个配置主要需要注意的是&＃xff0c;这里也要加上所有的 ssl 配置参数。

server {listen 443 ssl http2;listen [::]:443 ssl http2;# certs sent to the client in SERVER HELLO are concatenated in ssl_certificatessl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;ssl_trusted_certificate /etc/letsencrypt/live/example.com/chain.pem;ssl_session_timeout 1d;ssl_session_cache shared:SSL:50m;ssl_session_tickets off;# Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bitsssl_dhparam /etc/letsencrypt/live/example.com/dhparam.pem;# intermediate configuration. tweak to your needs.ssl_protocols TLSv1 TLSv1.1 TLSv1.2;ssl_ciphers &＃39;ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS&＃39;;ssl_prefer_server_ciphers on;# HSTS (ngx_http_headers_module is required) (15768000 seconds &＃61; 6 months)add_header Strict-Transport-Security max-age&＃61;15768000;# OCSP Stapling ---# fetch OCSP records from URL in ssl_certificate and cache themssl_stapling on;ssl_stapling_verify on;## verify chain of trust of OCSP response using Root CA and Intermediate certs#ssl_trusted_certificate /path/to/root_CA_cert_plus_intermediates;server_name www.example.com;return 301 https://example.com$request_uri; }