
VPSを借りる [HTTPS] #2

Posted at 2020-10-03

HTTPS

※Secure Nginx with Let's Encrypt on CentOS 8

DOMAIN=yourdomain
MAIL=yourmail

sudo mkdir -p /var/lib/letsencrypt/.well-known
sudo chgrp nginx /var/lib/letsencrypt
sudo chmod g+s /var/lib/letsencrypt
sudo mkdir /etc/nginx/snippets

sudo tee /etc/nginx/snippets/letsencrypt.conf << EOF
location ^~ /.well-known/acme-challenge/ {
  allow all;
  root /var/lib/letsencrypt/;
  default_type "text/plain";
  try_files \$uri =404;
}
EOF

sudo tee /etc/nginx/conf.d/$DOMAIN.conf << EOF
server {
    listen 80;
    listen [::]:80;

    root /var/www/$DOMAIN/public_html;

    index index.html;

    server_name $DOMAIN www.$DOMAIN;

    include snippets/letsencrypt.conf;

    access_log /var/log/nginx/$DOMAIN.access.log;
    error_log /var/log/nginx/$DOMAIN.error.log;

    location / {
        try_files \$uri \$uri/ =404;
    }
}
EOF

sudo systemctl reload nginx
sudo curl -o /usr/local/bin/certbot-auto https://dl.eff.org/certbot-auto
sudo chmod +x /usr/local/bin/certbot-auto
certbot-auto certonly --agree-tos --email $MAIL --webroot -w /var/lib/letsencrypt/ -d $DOMAIN -d www.$DOMAIN
sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048

sudo tee /etc/nginx/snippets/ssl.conf << EOF
ssl_dhparam /etc/ssl/certs/dhparam.pem;

ssl_session_timeout 1d;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;

ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers off;

ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 30s;

add_header Strict-Transport-Security "max-age=63072000" always;
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;
EOF

sudo tee /etc/nginx/conf.d/$DOMAIN.conf << EOF
server {
    listen 80;
    listen [::]:80;

    server_name www.$DOMAIN $DOMAIN;

    include snippets/letsencrypt.conf;

    location / {
        return 301 https://\$host\$request_uri;
    }
}

server {
    listen 443 ssl http2;

    server_name www.$DOMAIN $DOMAIN;

    ssl_certificate /etc/letsencrypt/live/$DOMAIN/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/$DOMAIN/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/$DOMAIN/chain.pem;

    include snippets/ssl.conf;

    root /var/www/$DOMAIN/public_html;

    index index.html;

    access_log /var/log/nginx/$DOMAIN.access.log;
    error_log /var/log/nginx/$DOMAIN.error.log;

    location / {
        try_files \$uri \$uri/ =404;
    }
}
EOF

sudo nginx -t

sudo systemctl reload nginx

crontab -l > /tmp/crontab.tmp
echo -e "0 */12 * * * root test -x /usr/local/bin/certbot-auto -a \! -d /run/systemd/system && perl -e 'sleep int(rand(3600))' && /usr/local/bin/certbot-auto -q renew --renew-hook \"systemctl reload nginx\"\n" >> /tmp/crontab.tmp

sudo crontab -u root /tmp/crontab.tmp

rm -f /tmp/crontab.tmp

certbot-auto renew --dry-run

SSL Test @Qualys
VPSを借りる [VPS、SSH、Nginx] #1
