分類彙整: 架站

使用 Let’s Encrypt 及 Certbot 在 Debian 上的 Nginx 啟用 HTTPS

本篇文章所搭配環境為 Debian 9 + Nginx 並使用架構在 Let’s Encrypt 上的 Certbot 來啟用 HTTPS 。

 

找出各網域所對應的根目錄

先去 /etc/nginx/sites-enabled/default 這個檔案記錄下各子網域所對應的根目錄
例如我的像是這樣
dreambreakerx.com /usr/share/nginx/www
api.dreambreakerx.com /usr/share/nginx/api
blog.dreambreakerx.com /usr/share/nginx/blog

 

安裝 Certbot

apt-get install python-certbot-nginx -t stretch-backports

如果無錯誤請直接跳到設定 Certbot 那個步驟,若是出現
E: The value 'stretch-backports' is invalid for APT::Default-Release as such a release is not available in the sources
請按照 https://backports.debian.org/Instructions/
編輯 /etc/apt/sources.list 這個檔案新增這行
deb http://ftp.debian.org/debian stretch-backports main

pico /etc/apt/sources.list
apt-get update
apt-get install python-certbot-nginx -t stretch-backports

 

設定 Certbot

certbot --authenticator webroot --installer nginx

各項設定請參考下面,需要注意的是我輸入一個空格字元選擇所有的網域,以及最後我設定強制使用 https

Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): example@gmail.com

-------------------------------------------------------------------------------
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v01.api.letsencrypt.org/directory
-------------------------------------------------------------------------------
(A)gree/(C)ancel: A

-------------------------------------------------------------------------------
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about EFF and
our work to encrypt the web, protect its users and defend digital rights.
-------------------------------------------------------------------------------
(Y)es/(N)o: Y

Which names would you like to activate HTTPS for?
-------------------------------------------------------------------------------
1: dreambreakerx.com
2: api.dreambreakerx.com
3: blog.dreambreakerx.com
-------------------------------------------------------------------------------
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel):

Input the webroot for dreambreakerx.com: (Enter 'c' to cancel): /usr/share/nginx/www

Select the webroot for api.dreambreakerx.com:
-------------------------------------------------------------------------------
1: Enter a new webroot
2: /usr/share/nginx/www
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1
Input the webroot for api.dreambreakerx.com: (Enter 'c' to cancel): /usr/share/nginx/api

Select the webroot for blog.dreambreakerx.com:
-------------------------------------------------------------------------------
1: Enter a new webroot
2: /usr/share/nginx/api
3: /usr/share/nginx/www
-------------------------------------------------------------------------------
Select the appropriate number [1-3] then [enter] (press 'c' to cancel): 1
Input the webroot for blog.dreambreakerx.com: (Enter 'c' to cancel): /usr/share/nginx/blog

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
-------------------------------------------------------------------------------
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2

接著可以試試新網址,也試試舊網址有沒有轉址到 https

 

自動更新證書

更新時使用這句

certbot renew --dry-run

也可以加入 Cron Job ,讓它每個星期一早上3點30分自動執行

crontab -e
30 3 * * 1 certbot renew --dry-run

 

安裝 APC (Alternative PHP Cache)

apt-get install php-pear php5-dev libpcre3-dev make
pear upgrade
pecl install apc

apc安裝時會問一些問題,我都按照它預設的回答。

 

vi /etc/php5/conf.d/apc.ini

新增 apc.ini

[apc]
extension=apc.so
; enable APC
apc.enabled=1
; The number of shared memory segments
apc.shm_segments=1
; The size of each shared memory segment
apc.shm_size=64M
; The number of seconds a cache entry is allowed to idle in a slot in case this
; cache entry slot is needed by another entry.
apc.ttl=7200

 

重新啟動載入新設定

service php5-fpm restart

 

寫個php來看看APC有沒有安裝成功

<?php
	phpinfo();
?>

有出現apc就代表成功了,詳細設定還沒研究。