快速搭建 Nginx + https + wordpress + Let’s Encrypt永久免费SSL证书

Posted on by

首先准备一台Google cloud server, CentOS 6.1

安装必要软件

sudo yum -y install nginx php php-mysql mysql mysql-server git php-fpm php-xml php-mbstring

启动相关软件

sudo chkconfig mysqld on
sudo service mysqld start
sudo chkconfig nginx on
sudo service nginx start
sudo service php-fpm start
sudo chkconfig php-fpm on

此时在浏览器输入 该服务器IP确保已经可以正常访问

设置mysql数据库

sudo mysql_secure_installation

1. Enter current password for root (enter for none): // 直接按 Enter,因為預設沒密碼
2. Set root password? [Y/n] //輸入 Y 來設定密碼
3. New password: // 輸入 root 新密碼
4. Re-enter new password: // 再一次輸入 root 新密碼
5. Remove anonymous users? [Y/n] //預設 Yes ,直接按 Enter
6. Disallow root login remotely? [Y/n] //預設 Yes ,直接按 Enter
7. Remove test database and access to it? [Y/n] //預設 Yes ,直接按 Enter
8. Reload privilege tables now? [Y/n] //預設 Yes ,直接按 Enter
接著利用剛剛設定的 root 密碼登入 MySQL,執行「sudo mysql -u root -p」,密碼正確就會進入「mysql>」這樣的提示符號。「參考」
9. 创建一个数据库给wordpress使用

create database wordpress;

mysql设置完毕。

为自己的网站申请Let’s Encrypt永久免费SSL证书
需要用到python 2.7,所以先安装python

#安装python所需的包
yum groupinstall -y "Development tools" 
yum install zlib-devel bzip2-devel openssl-devel ncurses-devel sqlite-devel

#获取到Python

# wget https://www.python.org/ftp/python/2.7.12/Python-2.7.12.tgz
# tar xf Python-2.7.12.tgz
# cd Python-2.7.12
# ./configure –prefix=/usr/local/python27
# make
# make install

#建立链接

ln -s /usr/local/python27/bin/python2.7 /usr/local/bin/python
#解决系统 Python 软链接指向 Python2.7 版本后,yum不能使用的问题,因为yum是不兼容 Python 2.7的,所需要指定 yum 的Python版本
# vim /usr/bin/yum 
将头部的 #!/usr/bin/python 改成 #!/usr/bin/python2.6

#获取Let’s Encrypt免费SSL证书

git clone https://github.com/letsencrypt/letsencrypt

#进入letsencrypt目录

cd letsencrypt

#生成证书

./letsencrypt-auto certonly --standalone --email x@sample.com -d sample.com -d www.sample.com

在完成Let’s Encrypt证书的生成之后,我们会在”/etc/letsencrypt/live/sample.com/”域名目录下有4个文件就是生成的密钥证书文件。

cert.pem – Apache服务器端证书
chain.pem – Apache根证书和中继证书
fullchain.pem – Nginx所需要ssl_certificate文件
privkey.pem – 安全证书KEY文件

如果我们使用的Nginx环境,那就需要用到fullchain.pem和privkey.pem两个证书文件,在部署Nginx的时候需要用到。在Nginx环境中,只要将对应的ssl_certificate和ssl_certificate_key路径设置成我们生成的2个文件就可以。

#打开linux配置文件,找到HTTPS 443端口配置的server

ssl_certificate /etc/letsencrypt/live/sample.com/fullchain.pem;
 ssl_certificate_key /etc/letsencrypt/live/sample.com/privkey.pem;

Let’s Encrypt证书是有效期90天的,需要我们自己手工更新续期才可以。
命令如下:

./letsencrypt-auto certonly --renew-by-default --email x@sample.com -d sample.com -d www.sample.com

这样我们在90天内再去执行一次就可以解决续期问题,这样又可以继续使用90天。如果我们怕忘记的话也可以利用linux crontab定时执行更新任务

现在我们修改nginx文件,让网站跑起来

sudo vim /etc/nginx/conf.d/ssl.conf

文件如下

# HTTPS server configuration
#
server {
    listen       443 ssl http2 default_server;
    listen       [::]:443 ssl;
    server_name  sample.com;
    root         /var/www/html/sample.com/wordpress;
    ssl_certificate /etc/letsencrypt/live/sample.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/sample.com/privkey.pem;
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout  10m;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    # Load configuration files for the default server block.
    include /etc/nginx/default.d/*.conf;
    location / {
            index index.php index.html index.htm;
            try_files $uri $uri/ /index.php?$args;
    }
    error_page 404 /404.html;
        location = /40x.html {
    }
    error_page 500 502 503 504 /50x.html;
        location = /50x.html {
    }
        location ~ \.php$ {
            fastcgi_pass   127.0.0.1:9000;
            fastcgi_index  index.php;
            fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
            include        fastcgi_params;
    }
}

再把80端口的所有链接跳转到443,我们编辑

sudo vim /etc/nginx/conf.d/default.conf

文件如下

# The default server
#
server {
    listen       80 default_server;
    listen       [::]:80 default_server;
    server_name  sample.com;
#    root         /var/www/html/testing;
    rewrite ^(.*)$      https://$host$1 permanent;
    # Load configuration files for the default server block.
    include /etc/nginx/default.d/*.conf;
    location / {
            index index.php index.html index.htm;
    }
    error_page 404 /404.html;
        location = /40x.html {
    }
    error_page 500 502 503 504 /50x.html;
        location = /50x.html {
    }
        location ~ \.php$ {
            fastcgi_pass   127.0.0.1:9000;
            fastcgi_index  index.php;
            fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
            include        fastcgi_params;
    }
}

这样我们的网站就完全抛在SSL的模式下了,wordpress 安装就按部就班了。

在wordpress上传附件或者其他文件时,如果遇到错误提示,可以修改

sudo vim /etc/nginx/nginx.conf
增加 client_max_body_size 10M;

文件如下

http {
    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';
    access_log  /var/log/nginx/access.log  main;
    sendfile            on;
    tcp_nopush          on;
    tcp_nodelay         on;
    keepalive_timeout   65;
    types_hash_max_size 2048;
    client_max_body_size 10M;
    include             /etc/nginx/mime.types;
    default_type        application/octet-stream;
    # Load modular configuration files from the /etc/nginx/conf.d directory.
    # See http://nginx.org/en/docs/ngx_core_module.html#include
    # for more information.
    include /etc/nginx/conf.d/*.conf;
}