
Compiling and Installing Nginx 1.14.2 and Requesting a Let's Encrypt Certificate with ACME

Linux | 0 comments | 2020-2-2 | 1,779 views

Nginx serves internal business systems as a reverse proxy or web server; building it from source lets you choose exactly which modules are compiled in, which is very convenient.


Step 1: Update the system and download the packages

  • Compiling needs gcc and other components, so install the build dependencies first;
  • All source files are kept under /usr/local/src/

yum install -y wget gcc zlib-devel pcre-devel openssl-devel libxml2 libxml2-devel libxslt-devel gcc-c++ autoconf automake perl-devel perl-ExtUtils-Embed
cd /usr/local/src
wget https://nginx.org/download/nginx-1.14.2.tar.gz
wget https://www.openssl.org/source/openssl-1.1.0e.tar.gz

Step 2: Extract the archives

tar zxvf nginx-1.14.2.tar.gz
tar zxvf openssl-1.1.0e.tar.gz

Step 3: Configure the build

This example uses a fairly basic configuration and sets the nginx install directory to /usr/local/nginx; change it if you need a different location. The configure script is run from inside the extracted nginx source tree;

cd /usr/local/src/nginx-1.14.2
./configure --prefix=/usr/local/nginx --sbin-path=/usr/sbin/nginx --conf-path=/usr/local/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/lock/nginx.lock --user=nginx --group=nginx --with-http_ssl_module --with-http_v2_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_realip_module --with-http_addition_module --with-http_xslt_module --with-http_stub_status_module --with-http_sub_module --with-http_random_index_module --with-http_degradation_module --with-http_secure_link_module --with-http_gzip_static_module --with-http_perl_module --with-file-aio --with-mail --with-mail_ssl_module --with-stream_ssl_module --with-stream --with-ld-opt="-Wl,-E" --with-openssl=/usr/local/src/openssl-1.1.0e --with-stream_ssl_preread_module

Step 4: Compile and install

If the build stops with errors about missing packages, install the missing dependencies and run it again;

make && make install
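After `make install` it is worth confirming that the binary you now have was really built from the configure line above (the OpenSSL tree given with `--with-openssl` is linked statically, so `nginx -V` is the only place it shows). The following is an added example, my own shell script rather than anything from the post; `REQUIRED_FLAGS` is an illustrative subset of the post's configure flags and the function names are my own.

```shell
#!/bin/sh
# Added example, not part of the original post: after `make install`, confirm
# that the installed binary was built with the modules and the OpenSSL tree
# requested on the ./configure line, by parsing the output of `nginx -V`.
# REQUIRED_FLAGS is an illustrative subset of the post's configure flags;
# extend it with whatever your deployment depends on.

REQUIRED_FLAGS="--with-http_ssl_module --with-http_v2_module --with-http_stub_status_module --with-stream --with-stream_ssl_preread_module"
EXPECTED_OPENSSL="1.1.0e"

# check_build_output TEXT
#   TEXT is the complete output of `nginx -V 2>&1`. Prints one line per
#   problem found and returns 1 if anything is missing, 0 if all is well.
check_build_output() {
    # flatten to one line so every flag is surrounded by spaces
    text=$(printf '%s\n' "$1" | tr '\n' ' ')
    rc=0
    for flag in $REQUIRED_FLAGS; do
        case " $text " in
            *" $flag "*) ;;
            *) echo "missing configure flag: $flag"; rc=1 ;;
        esac
    done
    case "$text" in
        *"built with OpenSSL $EXPECTED_OPENSSL"*) ;;
        *) echo "OpenSSL version mismatch: expected $EXPECTED_OPENSSL (statically linked via --with-openssl)"; rc=1 ;;
    esac
    return $rc
}

# check_build: run the check against the installed binary
check_build() {
    check_build_output "$(nginx -V 2>&1)"
}

# The live check runs only when asked, so the file can also be sourced:
#   sh check_build.sh --live
case "${1-}" in
    --live) check_build ;;
esac
```

Run it as `sh check_build.sh --live` on the freshly built host; a non-zero exit means a module you rely on (for example `--with-http_v2_module` for the `listen 443 ssl http2` line used later) is not in the binary.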

Step 5: Create the nginx user and group

groupadd -f nginx
useradd -g nginx nginx

Step 6: Create the systemd service

The heredoc delimiter is quoted so that $MAINPID reaches the unit file literally instead of being expanded (to nothing) by the shell that writes it;

cat >/etc/systemd/system/nginx.service <<'EOF'
[Unit]
Description=Alex - web server
Documentation=http://nginx.org/en/docs/
After=network.target remote-fs.target nss-lookup.target
[Service]
Type=forking
PIDFile=/var/run/nginx.pid
ExecStartPre=/usr/sbin/nginx -t -c /usr/local/nginx/nginx.conf
ExecStart=/usr/sbin/nginx -c /usr/local/nginx/nginx.conf
ExecReload=/bin/kill -s HUP $MAINPID
ExecStop=/bin/kill -s QUIT $MAINPID
PrivateTmp=true
[Install]
WantedBy=multi-user.target
EOF

Step 7: Enable the service at boot

systemctl daemon-reload
systemctl enable nginx
nginx -t
systemctl start nginx

Step 7 (continued): Create the conf.d directory and replace the main nginx.conf

mkdir /usr/local/nginx/conf.d

cd /usr/local/nginx
mv nginx.conf nginx.conf.ORIG

cat > nginx.conf <<'EOF'
user  nginx;
worker_processes  auto;
pid /run/nginx.pid;
events {
    worker_connections  1024;
}
http {
    include       mime.types;
    default_type  application/octet-stream;
    #log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
    #                  '$status $body_bytes_sent "$http_referer" '
    #                  '"$http_user_agent" "$http_x_forwarded_for"';
    error_log  /var/log/nginx_error.log error;
    #access_log  logs/access.log  main;
    sendfile        on;
    #tcp_nopush     on;
    keepalive_timeout  65;
    # Defines $connection_upgrade, which the site configurations in conf.d use
    # for WebSocket proxying; without this map nginx -t fails with
    # 'unknown "connection_upgrade" variable'
    map $http_upgrade $connection_upgrade {
        default upgrade;
        ''      close;
    }
    # SSL
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # no sslv3 (poodle etc.)
    ssl_prefer_server_ciphers on;
    # Gzip Settings
    gzip on;
    gzip_disable "msie6";
    gzip_vary on;
    gzip_min_length 512;
    gzip_types text/plain application/x-javascript text/javascript application/javascript text/xml text/css application/font-sfnt;
    include /usr/local/nginx/conf.d/*.conf;
}
EOF

Step 8: Create the site configuration files

HTTP site configuration

Adjust this to your own situation. The example here is reverse proxy mode, where traffic is forwarded to a backend server for processing; if Nginx is serving static pages, use the static configuration below as it is;

Static site example:

server {
    listen 80;
    server_name www.guoqiangli.com;
    server_tokens off;
    location / {
      root guoqiangli.com;
      index index.html index.htm;
    }
}

Reverse proxy example:

cat > /usr/local/nginx/conf.d/www.guoqiangli.com.conf <<'EOF'
server {
    listen 80;
    server_name www.guoqiangli.com;
    server_tokens off;
    location / {
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Port $server_port;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://192.168.100.100:8002;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_read_timeout 900s;
    }
}
EOF

HTTPS site configuration (use after the SSL certificate has been issued)

rm -rf /usr/local/nginx/conf.d/www.guoqiangli.com.conf
cat > /usr/local/nginx/conf.d/www.guoqiangli.com.conf <<'EOF'
## HTTPS host
server {
    listen 443 ssl http2;
    server_name www.guoqiangli.com;
    server_tokens off; ## Don't show the nginx version number, a security best practice
    ## Strong SSL Security
    ## https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html & https://cipherli.st/
    ssl on;
    ssl_certificate /usr/local/guoqiangli.com/fullchain.cer;
    ssl_certificate_key /usr/local/guoqiangli.com/guoqiangli.com.key;
    # GitLab needs backwards compatible ciphers to retain compatibility with Java IDEs
    ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 5m;
    ##   sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 4096
    # ssl_dhparam /etc/ssl/certs/dhparam.pem;
    access_log  /var/log/nginx/guoqiangli.com_access.log;
    error_log   /var/log/nginx/guoqiangli.com_error.log;
    location / {
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Port $server_port;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # Backend from the HTTP example above; proxying to 127.0.0.1 here would
        # land on the port-80 redirect server below and loop back to HTTPS.
        proxy_pass http://192.168.100.100:8002;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        # This allows the execute shell window to remain open for up to 15 minutes. Without this parameter, the default is 1 minute and it will close automatically.
        proxy_read_timeout 900s;
    }
}
server {
    listen 80;
    server_name www.guoqiangli.com;
    location / {
        return 301 https://$server_name$request_uri;
    }
}
EOF
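Before running `nginx -t` it helps to audit the combined configuration as text for the points a reviewer would raise about the HTTPS config above: TLS 1.0 and 1.1 still listed in `ssl_protocols` (both deprecated by RFC 8996), a server block without `server_tokens off`, `$connection_upgrade` used without the `map` that defines it (which `nginx -t` rejects as an unknown variable), and the legacy `ssl on;` directive (deprecated since nginx 1.15; `listen 443 ssl` is sufficient). The script below is an added example written for this page, not code from the post or from nginx; the function names are my own.

```shell
#!/bin/sh
# Added example, not part of the original post: audit an nginx configuration
# (passed as text) for the points a reviewer would raise about the HTTPS site
# config above. Findings are printed one per line; empty output means clean.

# audit_nginx_conf TEXT  (always returns 0; findings go to stdout)
audit_nginx_conf() {
    # strip comments so commented-out directives are not counted
    conf=$(printf '%s\n' "$1" | sed 's/#.*$//')

    # 1. protocols older than TLS 1.2 (TLS 1.0/1.1 are deprecated by RFC 8996)
    protos=$(printf '%s\n' "$conf" | sed -n 's/^[[:space:]]*ssl_protocols[[:space:]]*\(.*\);.*/\1/p')
    for p in $protos; do
        case $p in
            SSLv2|SSLv3|TLSv1|TLSv1.1) echo "weak protocol enabled: $p" ;;
        esac
    done

    # 2. version disclosure: server_tokens off should appear somewhere
    printf '%s\n' "$conf" | grep -q 'server_tokens[[:space:]][[:space:]]*off' \
        || echo "server_tokens off is not set (nginx version is disclosed in headers and error pages)"

    # 3. $connection_upgrade needs the map block from nginx.conf; otherwise
    #    nginx -t stops with 'unknown "connection_upgrade" variable'
    if printf '%s\n' "$conf" | grep -q '\$connection_upgrade'; then
        printf '%s\n' "$conf" | grep -q 'map[[:space:]][[:space:]]*\$http_upgrade[[:space:]][[:space:]]*\$connection_upgrade' \
            || echo "\$connection_upgrade is used but no 'map \$http_upgrade \$connection_upgrade' block was found"
    fi

    # 4. legacy 'ssl on;' (deprecated since nginx 1.15; 'listen 443 ssl' is enough)
    printf '%s\n' "$conf" | grep -q '^[[:space:]]*ssl[[:space:]][[:space:]]*on[[:space:]]*;' \
        && echo "legacy 'ssl on;' directive present; rely on 'listen 443 ssl' instead"

    return 0
}

# audit_nginx_conf_files FILE...  -> audits the concatenation, exit 1 if anything is flagged
audit_nginx_conf_files() {
    out=$(audit_nginx_conf "$(cat "$@")")
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

# Usage (the map lives in nginx.conf, so pass both files together):
#   audit_nginx_conf_files /usr/local/nginx/nginx.conf /usr/local/nginx/conf.d/*.conf
```

Because the `map` block belongs in the `http` context of nginx.conf while the site file only references `$connection_upgrade`, the audit is meant to run over nginx.conf and the conf.d files concatenated; run against the configuration above it reports the TLS 1.0/1.1 entries and the `ssl on;` line, which you can then decide to keep or drop before `nginx -s reload`.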

Step 9: Hot-reload the Nginx configuration

nginx -t
nginx -s reload

Step 10: Request a Let's Encrypt certificate with ACME

  • ACME can request wildcard certificates (e.g. *.guoqiangli.com) as well as single-domain certificates; if ACME runs on the Nginx server itself, a certificate can be requested without changing the Nginx configuration;
  • Requesting a wildcard certificate requires API access to your DNS provider;

Install ACME

Create a directory to hold the certificate files, then install the latest acme.sh with the online install script.

mkdir -p /usr/local/guoqiangli.com
curl https://get.acme.sh | sh
. ~/.bashrc    # pick up the acme.sh alias the installer adds to ~/.bashrc

Request a certificate in Nginx mode with ACME (option 1)

acme.sh --issue -d www.guoqiangli.com --nginx

Request a wildcard certificate through the DNS provider with ACME (option 2)

  • Ali_Key and Ali_Secret are obtained from Alibaba Cloud;
  • The export commands can be added to /etc/profile (after the first successful issue acme.sh also stores them in ~/.acme.sh/account.conf and reuses them on renewal);

export Ali_Key=""
export Ali_Secret=""
acme.sh --issue --dns dns_ali -d guoqiangli.com -d '*.guoqiangli.com'

Install the certificate to the chosen path with ACME (option 1)

acme.sh --install-cert -d www.guoqiangli.com --key-file /usr/local/guoqiangli.com/guoqiangli.com.key --fullchain-file /usr/local/guoqiangli.com/fullchain.cer --ca-file /usr/local/guoqiangli.com/ca.cert --reloadcmd "nginx -s reload"

Install the certificate to the chosen path with ACME (option 2)

acme.sh --install-cert -d guoqiangli.com -d '*.guoqiangli.com' --key-file /usr/local/guoqiangli.com/guoqiangli.com.key --fullchain-file /usr/local/guoqiangli.com/fullchain.cer --ca-file /usr/local/guoqiangli.com/ca.cert --reloadcmd "nginx -s reload"

Done. Nginx is now installed, and ACME will renew the certificate automatically.

