Recently, my website was hacked. Other users asked why I was not using https rather than http, and one of them said that by using https, his website is safe. I looked up Certbot and Let's Encrypt, found the original article below, and carried out the change from http to https on my host, making my website a little safer. The environment is Ubuntu 20.04 with nginx installed. This article assumes that the configured domain name is example.com; of course you have to use your own domain name in practice.
If you don't have nginx or don't know much about it, see Getting Started with nginx Configuration.
The original article this is based on is: How To Secure Nginx with Let's Encrypt on Ubuntu 20.04
Introduction
Let's Encrypt is a certificate authority (CA) that provides an easy way to obtain and install a free TLS/SSL certificate so that encrypted HTTPS can be enabled on the web server. It simplifies the process by providing a software client, Certbot, which attempts to automate most (if not all) of the required steps. Currently, on Apache and Nginx, the entire process of obtaining and installing certificates is fully automated.
In this tutorial, you will use Certbot to obtain a free SSL certificate for Nginx on Ubuntu 20.04 and set the certificate to automatically renew.
This tutorial will use a separate Nginx server configuration file instead of the default file. It is recommended to create an Nginx server block file for each domain name, as it helps avoid common mistakes and keep the default file as a fallback configuration.
Install Certbot
Install Certbot and its Nginx plugin:
sudo apt install certbot python3-certbot-nginx
Certbot is now ready to use, but in order to enable it to automatically configure SSL for Nginx, we need to verify some Nginx configurations.
Verify Nginx configuration
This server block file was created in Getting Started with nginx Configuration; it is named example.com and lives in /etc/nginx/sites-available.
Run sudo nano /etc/nginx/sites-available/example.com to view the file:
server {
    listen 80;
    listen [::]:80;

    root /var/www/example.com/html;
    index index.html index.htm index.nginx-debian.html;

    server_name example.com www.example.com;

    location / {
        try_files $uri $uri/ =404;
    }
}
I don't care about the entire configuration file here, only the server_name line.
...
server_name example.com www.example.com;
...
If your file already has this line, nothing needs to change; if not, edit it to match.
Test configuration:
sudo nginx -t
Reload Nginx so the configuration change takes effect:
sudo systemctl reload nginx
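The Nginx plugin finds the server block to edit by matching the names you pass with -d against server_name, which is why the line above matters. As an added example (not part of the original post or of Certbot), here is a small POSIX shell check that pulls the server_name entries out of a server block file and confirms that the domains you intend to request are present. It assumes whatever file path you pass in; the sample block is constructed inline so the check runs without a live Nginx install, and nginx -t is still the syntax check to run afterwards.

```shell
#!/bin/sh
# Added example (not from the original post): verify that an Nginx server
# block lists every domain you are about to request a certificate for.
# certbot --nginx matches the block to edit by server_name, so a name that
# is missing here is a name certbot cannot install the certificate for.

# nginx_server_names CONFIG_FILE
#   Prints every name found in server_name directives, one per line.
nginx_server_names() {
    # drop comments, keep server_name lines, strip the directive and the ';'
    sed -e 's/#.*//' "$1" \
        | grep -E '^[[:space:]]*server_name[[:space:]]' \
        | sed -E 's/^[[:space:]]*server_name[[:space:]]+//; s/[[:space:]]*;.*$//' \
        | tr -s '[:space:]' '\n' \
        | sed '/^$/d'
}

# check_server_names CONFIG_FILE DOMAIN...
#   Returns 0 when every DOMAIN appears in a server_name directive;
#   otherwise reports the missing ones on stderr and returns 1.
check_server_names() {
    cfg=$1; shift
    names=$(nginx_server_names "$cfg")
    missing=0
    for d in "$@"; do
        if ! printf '%s\n' "$names" | grep -qxF "$d"; then
            echo "missing from server_name: $d" >&2
            missing=1
        fi
    done
    return $missing
}

# Constructed sample block, same shape as the one in the post, used only so
# the check can be exercised without touching /etc/nginx.
sample_block() {
    cat <<'EOF'
server {
    listen 80;
    listen [::]:80;
    root /var/www/example.com/html;
    index index.html index.htm index.nginx-debian.html;
    server_name example.com www.example.com;   # names certbot will match
    location / {
        try_files $uri $uri/ =404;
    }
}
EOF
}

# Usage against the real file:
#   check_server_names /etc/nginx/sites-available/example.com example.com www.example.com && sudo nginx -t
```

On a real host, run the check against /etc/nginx/sites-available/example.com with the same domain list you will hand to certbot -d; a non-zero exit tells you which name to add before running Certbot.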
Allow HTTPS through the firewall
View the current firewall status:
sudo ufw status
It should currently allow HTTP but not HTTPS:
Status: active

To                         Action      From
--                         ------      ----
OpenSSH                    ALLOW       Anywhere
Nginx HTTP                 ALLOW       Anywhere
OpenSSH (v6)               ALLOW       Anywhere (v6)
Nginx HTTP (v6)            ALLOW       Anywhere (v6)
Run the following commands to allow the 'Nginx Full' profile (which covers both HTTP and HTTPS) and remove the now-redundant 'Nginx HTTP' rule:
sudo ufw allow 'Nginx Full'
sudo ufw delete allow 'Nginx HTTP'
Then check the status again (sudo ufw status); it should now show:
Status: active

To                         Action      From
--                         ------      ----
OpenSSH                    ALLOW       Anywhere
Nginx Full                 ALLOW       Anywhere
OpenSSH (v6)               ALLOW       Anywhere (v6)
Nginx Full (v6)            ALLOW       Anywhere (v6)
Obtain an SSL certificate
Certbot provides a variety of plugins for obtaining SSL certificates. The Nginx plugin takes care of reconfiguring Nginx and reloading the configuration when necessary. To use this plugin, type the following:
sudo certbot --nginx -d example.com -d www.example.com
Here we use the --nginx plugin to run certbot, and use -d to specify the domain name for which we want the certificate to be valid.
If this is the first time Certbot has run, it will prompt for an email address and ask you to agree to the terms of service. After that, Certbot contacts the Let's Encrypt server and answers a challenge to verify that you control the domain you are requesting a certificate for.
If successful, certbot will ask how to configure HTTPS settings.
Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel):
Choose 1, 2, or c; I chose 2 and pressed Enter. The configuration will be updated and Nginx reloaded to pick up the new settings. Certbot ends with a message saying that the process completed successfully and where the certificate is stored:
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/example.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/example.com/privkey.pem
Your cert will expire on 2020-08-18. To obtain a new or tweaked
version of this certificate in the future, simply run certbot again
with the "certonly" option. To non-interactively renew *all* of
your certificates, run "certbot renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
The certificate has been downloaded, installed, and loaded. Reload your website over https:// and check the browser's security indicator; it should show the site as properly secured, usually with a lock icon. Testing the server with the SSL Labs server test should give an A grade.
Verify Certbot Auto-Renewal
Let's Encrypt certificates are valid for only ninety days, which is meant to encourage users to automate their certificate renewal. The installed certbot package handles this by adding a systemd timer that runs twice a day and automatically renews any certificate that is within thirty days of expiry.
You can use systemctl to query the status of the timer:
sudo systemctl status certbot.timer
To test the renewal process, do a dry run with Certbot:
sudo certbot renew --dry-run
If you don't see any errors, everything is set up. When needed, Certbot will renew the certificate and reload Nginx to pick up the change. If automatic renewal fails, Let's Encrypt will send a warning to the email address you specified when the certificate is about to expire.
That completes the tutorial.
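The dry run only proves that renewal can succeed today; it is still worth having an independent check of how many days are left on the installed certificate, so a silent timer failure is noticed before the expiry warning email arrives. The following shell helper is an added example, not from the original post or from Certbot: it computes the days remaining and applies the same thirty-day threshold the certbot timer uses. It assumes GNU date (present on Ubuntu 20.04) and, only for reading a live PEM file such as /etc/letsencrypt/live/example.com/fullchain.pem, the openssl CLI; the dates in the comments are constructed to match the expiry shown in the Certbot output above.

```shell
#!/bin/sh
# Added example (not from the original post): report how many days remain
# before a certificate expires, using the same 30-day threshold at which
# certbot's systemd timer renews. Needs GNU date; openssl is used only when
# reading a live certificate file.

# days_until NOT_AFTER [NOW]
#   NOT_AFTER: expiry in the format openssl prints after "notAfter=",
#              e.g. "Aug 18 12:00:00 2020 GMT" (constructed example value)
#   NOW:       optional reference time in the same format; defaults to the
#              current time. Prints whole days left (negative once expired).
days_until() {
    end=$(date -u -d "$1" +%s) || return 2
    if [ -n "${2:-}" ]; then
        now=$(date -u -d "$2" +%s) || return 2
    else
        now=$(date -u +%s)
    fi
    echo $(( (end - now) / 86400 ))
}

# cert_days_left CERT_PEM [NOW]
#   Reads the expiry of the first certificate in a PEM file, e.g.
#   /etc/letsencrypt/live/example.com/fullchain.pem (the leaf certificate).
cert_days_left() {
    not_after=$(openssl x509 -noout -enddate -in "$1" 2>/dev/null) || return 2
    days_until "${not_after#notAfter=}" "${2:-}"
}

# needs_renewal NOT_AFTER [THRESHOLD_DAYS] [NOW]
#   Returns 0 (true) when fewer than THRESHOLD_DAYS (default 30) remain,
#   i.e. the point at which the certbot timer would already be renewing.
needs_renewal() {
    left=$(days_until "$1" "${3:-}") || return 2
    [ "$left" -lt "${2:-30}" ]
}

# Usage on the host from the post (requires openssl):
#   left=$(cert_days_left /etc/letsencrypt/live/example.com/fullchain.pem)
#   echo "days left: $left"
#   [ "$left" -ge 30 ] || echo "certificate should already have been renewed; check: systemctl status certbot.timer"
```

Run cert_days_left against the fullchain.pem path that Certbot printed; if the value drops below thirty while the timer is supposedly active, the timer or the renewal itself is failing and systemctl status certbot.timer together with sudo certbot renew --dry-run is the place to look.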