当前位置: 首页 > Linux > 编译安装Nginx1.14.2和AMCE申请Let’s Encrypt证书

编译安装Nginx1.14.2和AMCE申请Let’s Encrypt证书

Linux 0条评论 2020-2-2 1,580 views

Nginx作为反向代理服务器或Web服务器为内部业务系统提供服务,编译安装可以自定义模块,非常方便。

第一步、更新系统、下载软件包

  • 编译安装需要gcc等组件支持,需要先安装编译所需的组件;
  • 所有源码文件统一保存到 /usr/local/src/
    yum install -y wget gcc zlib-devel pcre-devel openssl-devel libxml2 libxml2-dev libxslt-devel gcc-c++ autoconf automake  perl-devel perl-ExtUtils-Embed
cd /usr/local/src
wget https://nginx.org/download/nginx-1.14.2.tar.gz
wget https://www.openssl.org/source/openssl-1.1.0e.tar.gz

    第二步、解压缩

    tar zxvf nginx-1.14.2.tar.gz
tar zxvf openssl-1.1.0e.tar.gz

    第三步、编译配置

    本示例中是最基本的配置,并且指定了nginx安装目录为 /usr/local/nginx,如果需要其他目录,请自行修改;

    ./configure --prefix=/usr/local/nginx --sbin-path=/usr/sbin/nginx --conf-path=/usr/local/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid  --lock-path=/var/lock/nginx.lock --user=nginx --group=nginx --with-http_ssl_module --with-http_v2_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_realip_module --with-http_addition_module --with-http_xslt_module --with-http_stub_status_module --with-http_sub_module --with-http_random_index_module --with-http_degradation_module --with-http_secure_link_module --with-http_gzip_static_module --with-http_perl_module --with-file-aio --with-mail --with-mail_ssl_module --with-stream_ssl_module --with-stream --with-ld-opt="-Wl,-E" --with-openssl=/usr/local/src/openssl-1.1.0e --with-stream_ssl_preread_module

    第四步、执行编译

    如果编译过程中出现了缺少包等错误,请安装缺失的依赖包;

    make && make install

    第五步、创建nginx用户和组

    groupadd -f nginx
useradd -g nginx nginx

    第六步、创建Systemd服务

    cat >/etc/systemd/system/nginx.service <<EOF
[unit]
Description=Alex - web server
Documentation=http://nginx.org/en/docs/
After=network.target remote-fs.target nss-lookup.target
[Service]
Type=forking
PIDFile=/var/run/nginx.pid
ExecStartPre=/usr/sbin/nginx -t -c /usr/local/nginx/nginx.conf
ExecStart=/usr/sbin/nginx -c /usr/local/nginx/nginx.conf
ExecReload=/bin/kill -s HUP $MAINPID
ExecStop=/bin/kill -s QUIT $MAINPID
PrivateTmp=true
[Install]
WantedBy=multi-user.target
EOF

    第七步、配置开机启动服务

    systemctl daemon-reload
systemctl enable nginx
nginx -t
systemctl start nginx

第7步、创建conf.d配置文件目录,修改nginx.conf主配置文件

mkdir /usr/local/nginx/conf.d

mv nginx.conf nginx.conf.ORIG

cat > nginx.conf <<'EOF'
user  nginx;
worker_processes  auto;
pid /run/nginx.pid;
events {
    worker_connections  1024;
}
http {
    include       mime.types;
    default_type  application/octet-stream;
    #log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
    #                  '$status $body_bytes_sent "$http_referer" '
    #                  '"$http_user_agent" "$http_x_forwarded_for"';
    error_log  /var/log/nginx_error.log error;
    #access_log  logs/access.log  main;
    sendfile        on;
    #tcp_nopush     on;
    keepalive_timeout  65;
    # SSL
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # no sslv3 (poodle etc.)
    ssl_prefer_server_ciphers on;
    # Gzip Settings
    gzip on;
    gzip_disable "msie6";
    gzip_vary on;
    gzip_min_length 512;
    gzip_types text/plain application/x-javascript text/javascript application/javascript text/xml text/css application/font-sfnt;
    include /usr/local/nginx/conf.d/*.conf;
}
EOF

第八步、创建网站配置文件

http服务配置文件

请根据实际情况进行修改,本示例中是反向代理模式,流量会转发到后台服务器处理,如果使用Nginx部署静态页面,直接使用下面的配置即可;

静态页面示例:

server {
    listen 80;
    server_name www.guoqiangli.com;
    server_tokens off;
    location / {
      root guoqiangli.com;
      index index.html index.htm;
    }
}

反向代理示例:

cat > /usr/local/nginx/conf.d/www.guoqiangli.com.conf <<'EOF'
server {
    listen 80;
    server_name www.guoqiangli.com;
    server_tokens off;
    location / {
          proxy_set_header Host $host;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header X-Forwarded-Port $server_port;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_pass http://192.168.100.100:8002;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection $connection_upgrade;
            proxy_read_timeout 900s;
    }
}
EOF

https服务配置文件(申请SSL证书后使用)

rm -rf /usr/local/nginx/conf.d/www.guoqiangli.com.conf
cat > /usr/local/nginx/conf.d/www.guoqiangli.com.conf <<'EOF'
## HTTPS host
server {
        listen 443 ssl http2;
        server_name www.guoqiangli.com;
        server_tokens off; ## Don't show the nginx version number, a security best practice
        ## Strong SSL Security
        ## https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html & https://cipherli.st/
        ssl on;
        ssl_certificate /usr/local/guoqiangli.com/fullchain.cer;
        ssl_certificate_key /usr/local/guoqiangli.com/guoqiangli.com.key;
        # GitLab needs backwards compatible ciphers to retain compatibility with Java IDEs
        ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SH
A:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_prefer_server_ciphers on;
        ssl_session_cache shared:SSL:10m;
        ssl_session_timeout 5m;
        ##   sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 4096
        # ssl_dhparam /etc/ssl/certs/dhparam.pem;
        access_log  /var/log/nginx/guoqiangli.com_access.log;
        error_log   /var/log/nginx/guoqiangli.com_error.log;
        location / {
                proxy_set_header Host $host;
                proxy_set_header X-Forwarded-Proto $scheme;
                proxy_set_header X-Forwarded-Port $server_port;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_pass http://127.0.0.1;
                proxy_http_version 1.1;
                proxy_set_header Upgrade $http_upgrade;
                proxy_set_header Connection $connection_upgrade;
        # This allows the ability for the execute shell window to remain open for up to 15 minutes. Without this parameter, the default is 1 minute and will automatically close.
                proxy_read_timeout 900s;
    }
}
server {
    listen 80;
    server_name www.guoqiangli.com;
    location / {
        return 301 https://$server_name$request_uri;
    }
}
EOF

第九步、热加载Nginx配置

nginx -t
nginx -s reload

第十步、ACME申请Let's Encrypt证书

  • ACME支持申请通配符证书(eg:*.guoqiangli.com)和单域名证书,如果ACME运行在Nginx服务器上,无需对Nginx进行修改即可申请证书;
  • 通配符证书申请要求具备域名提供商的API访问权限;

安装ACME

创建一个目录用于安装证书,并使用在线脚本安装最新版本的ACME。

mkdir -p /usr/local/guoqiangli.com
curl https://get.acme.sh | sh

ACME通过Nginx模式申请证书(选项1)

acme.sh --issue -d www.guoqiangli.com --nginx

ACME通过DNS服务商申请通配符证书(选项2)

  • Ali_KeyAli_Scret需要通过阿里云获取;
  • 可以将export命令加入到 /etc/profile 中;
export Ali_Key=""
export Ali_Scret=""
acme.sh --issue --dns dns_ali -d guoqiangli.com -d *.guoqiangli.com

ACME安装证书到指定路径(选项1)

acme.sh --install-cert -d www.guoqiangli.com --key-file /usr/local/guoqiangli.com/guoqiangli.com.key --fullchain-file /usr/local/guoqiangli.com/fullchain.cer --ca-file /usr/local/guoqiangli.com/ca.cert --reloadcmd "nginx -s reload"

ACME安装证书到指定路径(选项2)

acme.sh --install-cert -d guoqiangli.com -d *.guoqiangli.com --keyfile /usr/local/guoqiangli.com/guoqiangli.com.key --fullchain-file /use/local/guoqiangli.com/fullchain.cer --ca-file /usr/local/guoqiangli.com/ca.cert --reloadcmd "nginx -s reload"

完成、至此Nginx安装完毕,ACME会自动续签证书

标签: ,

发表回复

您的电子邮箱地址不会被公开。 必填项已用 * 标注

近期文章

分类目录

归档

  • 标签

    API (1) Automation (1) CentOS (1) Docker (1) ESXi (1) Export (1) Keycloak (1) Linux (4) MAC学习 (1) Nested (1) Network (1) nginx (1) OVA (1) Packer (2) PowerCLI (2) Prometheus (1) Redis (1) SSO (1) Terraform (1) VDS (1) VMware (2) VMware PowerCLI (1) vSphere (4) Windows (1) 分布式交换机 (1)
    • Copyright © 2020 李国强 | 吉ICP备19002182号-1