Enabling HTTPS for free on CentOS - Nginx

HTTPS

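Hypertext Transfer Protocol Secure (abbreviated HTTPS, often called HTTP over TLS, HTTP over SSL or HTTP Secure) is a transport protocol for secure communication over a computer network. HTTPS communicates via HTTP but uses SSL/TLS to encrypt the packets. The main purpose of HTTPS is to authenticate the website's server and to protect the privacy and integrity of the data exchanged. The protocol was first proposed by Netscape in 1994 and subsequently spread across the Internet. (From "HTTPS", Wikipedia)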

Why enable HTTPS?

1. SEO

2. Security

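Enabling a free HTTPS service

The free certificate-signing platform introduced here is Let's Encrypt. The installation uses CentOS 7 + Nginx as the example; if you run a different system or a different kind of server, see Certbot for the matching deployment instructions.

Installation

Tip: if you are using RHEL on EC2, you can run the following commands to enable the optional channel: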

$ yum -y install yum-utils
$ yum-config-manager --enable rhui-REGION-rhel-server-extras rhui-REGION-rhel-server-optional

After enabling the optional channel, run the following command to install Certbot:

$ sudo yum install python2-certbot-nginx

Getting started

Run Certbot with its Nginx plugin:

$ sudo certbot --nginx

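Running this command obtains a certificate for you automatically, and Certbot automatically edits your Nginx configuration to serve it. If you want to change the Nginx configuration by hand instead, use the certonly subcommand: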

$ sudo certbot --nginx certonly

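Walkthrough of the automatic configuration

After you run the automatic configuration command, the command line prints the following: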

# sudo certbot --nginx
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): [ [email protected] ]

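You are prompted for an email address that will receive urgent renewal and security notices.

Type the address and press Enter to go to the next step (or type 'c' and press Enter to give up setting the address).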

Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(A)gree/(C)ancel: 

You are asked to read the Terms of Service; enter A to agree and continue.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: 

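Certbot asks whether to share your email address with the EFF so that it can send you its mailings; enter N to decline and continue.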

No names were found in your configuration files. Please enter in your domain
name(s) (comma and/or space separated)  (Enter 'c' to cancel): 

Enter your domain name (for example: example.me) and continue.

Obtaining a new certificate
Performing the following challenges:
http-01 challenge for example.me
Waiting for verification...
Cleaning up challenges
Deploying Certificate to VirtualHost /etc/nginx/nginx.conf

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 

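Choose whether to redirect HTTP requests to HTTPS: enter 1 to leave the current server configuration unchanged (no redirect), or enter 2 to have a redirect configured automatically for all HTTP requests.

Since the goal is to enable HTTPS, enter 2 and continue.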

Redirecting all traffic on port 80 to ssl in /etc/nginx/nginx.conf

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations! You have successfully enabled https://example.me

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=example.me
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/example.me/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/example.me/privkey.pem
   Your cert will expire on 2019-02-12. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot again
   with the "certonly" option. To non-interactively renew *all* of
   your certificates, run "certbot renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

If you see the output above, the configuration succeeded. Go visit the site and try it out.
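
The following script is an added example, not part of the original post. It checks the two results of the run above, the HTTP-to-HTTPS redirect chosen with option 2 and the certificate paths written into the Nginx configuration, and then rehearses the "certbot renew" step mentioned in the notes. It assumes the redirect answers with status 301; the function names and the file name check_https.sh are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original post: checks to run after `certbot --nginx`.
# example.me and the /etc/letsencrypt and /etc/nginx paths come from the output above.

# redirect_ok HEADERS HOST
# HEADERS is the text printed by `curl -sI http://HOST/`. Succeeds only when the
# reply is a 301 whose Location is https://HOST or begins with https://HOST/.
redirect_ok() {
    printf '%s\n' "$1" | tr -d '\r' | awk -v host="$2" '
        NR == 1 && $2 == "301" { status = 1 }
        tolower($1) == "location:" {
            if ($2 == "https://" host || index($2, "https://" host "/") == 1) loc = 1
        }
        END { exit !(status && loc) }'
}

# tls_paths_ok CONF HOST
# Succeeds when Nginx config file CONF listens on 443 with ssl and references the
# fullchain.pem / privkey.pem pair that Certbot saved for HOST.
tls_paths_ok() {
    # Escape dots so the host name is matched literally inside the regex.
    live=$(printf '%s' "/etc/letsencrypt/live/$2" | sed 's/\./\\./g')
    grep -Eq '^[[:space:]]*listen[[:space:]]+(.*:)?443[[:space:]]+ssl' "$1" &&
    grep -Eq "^[[:space:]]*ssl_certificate[[:space:]]+$live/fullchain\.pem;" "$1" &&
    grep -Eq "^[[:space:]]*ssl_certificate_key[[:space:]]+$live/privkey\.pem;" "$1"
}

# Live checks run only on request: sh check_https.sh --run example.me
# (check_https.sh is a hypothetical file name for this script.)
if [ "${1:-}" = "--run" ]; then
    host="$2"
    if redirect_ok "$(curl -sI "http://$host/")" "$host"; then
        echo "redirect: ok"
    else
        echo "redirect: FAIL"
    fi
    if tls_paths_ok /etc/nginx/nginx.conf "$host"; then
        echo "nginx cert paths: ok"
    else
        echo "nginx cert paths: FAIL"
    fi
    sudo nginx -t                  # syntax-check the configuration Certbot edited
    sudo certbot renew --dry-run   # rehearse renewal without replacing the saved certificate
fi
```

The Location check requires an exact host match, so a redirect to a look-alike name that merely begins with your domain is reported as a failure.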
