Nginx method for configuring multiple HTTPS domain names

I've been working on a WeChat mini program recently. My setup:

One ECS: CentOS 7
Multiple primary domain names

During development and testing I needed, for various reasons, domain names A and B to both point at port 443 of the same ECS and both serve HTTPS.

Nginx supports the SNI extension of TLS, so multiple domain names with different certificates can be served on the same IP and port. All it takes is building Nginx against an OpenSSL that supports TLS extensions; the --with-openssl option below points at an unpacked OpenSSL source tree that is compiled into Nginx. The OpenSSL 1.0.1e shown below is long out of support, so substitute a current release.

Install Nginx

[root]# wget http://nginx.org/download/nginx-1.12.0.tar.gz
[root]# tar zxvf nginx-1.12.0.tar.gz
[root]# cd nginx-1.12.0
[root]# ./configure --prefix=/usr/local/nginx --with-http_ssl_module \
--with-openssl=./openssl-1.0.1e \
--with-openssl-opt="enable-tlsext"

Note: during installation I found that some libraries were missing on the ECS. After installing them, run Nginx's ./configure again. The specific steps:

[root]# wget https://nchc.dl.sourceforge.net/project/pcre/pcre/8.35/pcre-8.35.tar.gz
[root]# tar zxvf pcre-8.35.tar.gz
[root]# yum -y install gcc
[root]# yum -y install gcc-c++
[root]# yum install -y zlib-devel

[root]# ./configure --prefix=/usr/local/nginx --with-http_ssl_module \
--with-openssl=./openssl-1.0.1e \
--with-openssl-opt="enable-tlsext" \
--with-pcre=./pcre-8.35

Configure Nginx

If the domain name provider bundles a free SSL certificate with the domain, use it directly; if not, you can get a free certificate from Let's Encrypt (see below).

Open the Nginx configuration: vi /etc/nginx/nginx.conf

  ...
  # One server block per domain name; nginx selects the block, and with it
  # the certificate, from the SNI name the client sends in the handshake.
  server {
    listen    443 ssl;
    listen    [::]:443 ssl;
    server_name abc.com;
    root     /usr/share/nginx/html;

    ssl_certificate "/root/keys/abc.com.pem";
    ssl_certificate_key "/root/keys/abc.com.private.pem";
    include /etc/nginx/default.d/*.conf;

    location / {
    }
    error_page 404 /404.html;
    location = /404.html {
    }
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
    }
  }

  server {
    listen    443 ssl;
    listen    [::]:443 ssl;
    server_name def.com;
    root     /usr/share/nginx/html;

    ssl_certificate "/root/keys/def.com.pem";
    ssl_certificate_key "/root/keys/def.com.private.pem";
    include /etc/nginx/default.d/*.conf;

    location / {
    }
    error_page 404 /404.html;
    location = /404.html {
    }
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
    }
  }


After configuration, test the syntax and reload Nginx: nginx -t && nginx -s reload
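To confirm that SNI is doing what the two server blocks intend, here is an added Python check (not from the original post) that connects to the ECS once per domain, sends that domain as the SNI name, and reports whether the certificate Nginx picked actually covers the name, plus how many days remain before it expires (useful again later, after the renewal cron has run). It assumes the server address and the domain names are passed on the command line; abc.com and def.com are the post's placeholder names, and the certificate dict in the comments is a constructed sample.

```python
import socket
import ssl
import sys
import time


def fetch_peer_cert(server, sni_name, port=443, timeout=5.0):
    """Connect to server:port, send sni_name in the TLS ClientHello and return
    the certificate dict that ssl.SSLSocket.getpeercert() gives.

    Chain verification stays on (with CERT_NONE getpeercert() returns an empty
    dict), but hostname checking is off: we want to see a mismatched
    certificate rather than have the handshake abort on it."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((server, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=sni_name) as tls:
            return tls.getpeercert()


def cert_names(cert):
    """Names a getpeercert() dict covers: subject CN first, then DNS SANs,
    deduplicated. Constructed sample input:
    {"subject": ((("commonName", "abc.com"),),),
     "subjectAltName": (("DNS", "abc.com"), ("DNS", "www.abc.com"))}
    gives ["abc.com", "www.abc.com"]."""
    names = []
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                names.append(value)
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS":
            names.append(value)
    return list(dict.fromkeys(names))


def name_matches(pattern, host):
    """Exact match, or a single leading wildcard label: *.def.com covers
    api.def.com but neither def.com nor a.b.def.com."""
    pattern, host = pattern.lower(), host.lower()
    if pattern == host:
        return True
    if pattern.startswith("*.") and "." in host:
        return host.split(".", 1)[1] == pattern[2:]
    return False


def cert_covers(cert, host):
    return any(name_matches(name, host) for name in cert_names(cert))


def days_until_expiry(cert, now=None):
    """Whole days from `now` (epoch seconds, default current time) to notAfter."""
    expires = ssl.cert_time_to_seconds(cert["notAfter"])
    now = time.time() if now is None else now
    return int((expires - now) // 86400)


def check_sni(server, domains, port=443):
    """Handshake once per domain; return {domain: (covered, names, days_left)}."""
    report = {}
    for domain in domains:
        cert = fetch_peer_cert(server, domain, port)
        report[domain] = (cert_covers(cert, domain),
                          cert_names(cert),
                          days_until_expiry(cert))
    return report


if __name__ == "__main__":
    # usage: python sni_check.py <ecs-ip-or-host> abc.com def.com
    server, *domains = sys.argv[1:]
    for domain, (ok, names, days) in check_sni(server, domains).items():
        state = "OK" if ok else "MISMATCH"
        print(f"{domain}: {state} names={names} expires_in={days}d")
```

A MISMATCH for one domain while the other is OK usually means that server block is not loaded (a syntax error left the old configuration running) or its server_name does not match the name clients send, so Nginx fell back to the default server's certificate.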

Apply for a free certificate

If you have no SSL certificate, you can obtain one for free from Let's Encrypt as follows.

Step 1: install Certbot, the official Let's Encrypt client

[root]# yum install -y epel-release
[root]# yum install -y certbot

Step 2: edit the Nginx configuration and add the following to the server block that listens on port 80:

When Certbot validates the domain name it writes a file with a random name under the web root, and the Let's Encrypt validation server then fetches that file over plain HTTP. So make sure Nginx is configured to serve that path.

server {
  listen    80 default_server;

  ...

  # Serve the challenge files that certbot --webroot writes under the web root
  location ^~ /.well-known/acme-challenge/ {
    default_type "text/plain";
    root   /usr/share/nginx/html;
  }

  # Requests for the bare challenge directory itself get a 404
  location = /.well-known/acme-challenge/ {
    return 404;
  }
}
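Before running certbot against a domain, it is worth checking that the path above really is reachable the way the validator will reach it. Here is an added Python pre-flight (not part of the original post, and not Certbot's own code) that imitates both halves of the webroot challenge: it writes a random token file under the web root, fetches it back over plain HTTP, and cleans up. It also includes an offline simulation that uses a temporary directory and a local HTTP server standing in for Nginx, so it runs anywhere; the real call against the ECS, with the post's web root and a placeholder domain, is in the comment at the bottom.

```python
import http.server
import os
import secrets
import socketserver
import tempfile
import threading
import urllib.error
import urllib.request
from functools import partial

CHALLENGE_DIR = ".well-known/acme-challenge"

# Fetch directly, ignoring any http_proxy in the environment, as the
# Let's Encrypt validator connects to the host itself.
_opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))


def write_challenge(webroot, token, body):
    """What certbot --webroot does: drop a token file under the web root."""
    directory = os.path.join(webroot, CHALLENGE_DIR)
    os.makedirs(directory, exist_ok=True)
    with open(os.path.join(directory, token), "w") as fh:
        fh.write(body)


def fetch_challenge(base_url, token, timeout=5.0):
    """What the validator does: a plain HTTP GET of the token URL.
    Returns (status, body); raises urllib.error.HTTPError on 4xx/5xx."""
    url = f"{base_url.rstrip('/')}/{CHALLENGE_DIR}/{token}"
    with _opener.open(url, timeout=timeout) as resp:
        return resp.status, resp.read().decode()


def webroot_preflight(webroot, base_url):
    """Write a random token, fetch it back over HTTP, then remove it.
    True only if the server answered 200 with exactly the body we wrote."""
    token = secrets.token_urlsafe(16)
    expected = secrets.token_urlsafe(32)
    write_challenge(webroot, token, expected)
    try:
        status, body = fetch_challenge(base_url, token)
    except urllib.error.URLError:  # 404, connection refused, DNS failure, ...
        return False
    finally:
        os.remove(os.path.join(webroot, CHALLENGE_DIR, token))
    return status == 200 and body == expected


class _QuietHandler(http.server.SimpleHTTPRequestHandler):
    def log_message(self, *args):  # keep the simulation's output clean
        pass


def serve_dir(directory):
    """Throwaway HTTP server on a random loopback port, standing in for nginx."""
    handler = partial(_QuietHandler, directory=directory)
    server = socketserver.TCPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}"


def demo_local():
    """Offline run: a temp dir as web root, a local server as nginx.
    Returns (our token was served, an unknown token got a 404)."""
    with tempfile.TemporaryDirectory() as webroot:
        server, base_url = serve_dir(webroot)
        try:
            served = webroot_preflight(webroot, base_url)
            try:
                fetch_challenge(base_url, "no-such-token")
                unknown_is_404 = False
            except urllib.error.HTTPError as err:
                unknown_is_404 = err.code == 404
        finally:
            server.shutdown()
            server.server_close()
    return served, unknown_is_404


if __name__ == "__main__":
    print("local simulation:", demo_local())
    # On the ECS, against the real nginx configured as above (placeholder domain):
    # print(webroot_preflight("/usr/share/nginx/html", "http://your.domain.com"))
```

Run the real call as a user that can write to the web root, from any host, since it goes through DNS and port 80 exactly as the validator does. A False result points at DNS not resolving to the ECS yet, port 80 blocked in the security group, or the location block not being loaded.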

Step 3: apply for the SSL certificate

[root]# certbot certonly --webroot -w /usr/share/nginx/html/ -d your.domain.com

During this step you will be prompted for an email address, which is used for renewal and expiry notices about the certificate.

On success, the certificate files are written under /etc/letsencrypt/live/your.domain.com/ by default:

|-- fullchain.pem 
|-- privkey.pem

Step 4: configure Nginx

server {
  listen    443 ssl;
  listen    [::]:443 ssl;
  server_name your.domain.com;   # must be the name the certificate was issued for
  root     /usr/share/nginx/html;

  ssl_certificate "/etc/letsencrypt/live/your.domain.com/fullchain.pem";
  ssl_certificate_key "/etc/letsencrypt/live/your.domain.com/privkey.pem";
  include /etc/nginx/default.d/*.conf;

  location / {
  }
  error_page 404 /404.html;
  location = /404.html {
  }
  error_page 500 502 503 504 /50x.html;
  location = /50x.html {
  }
}


After configuration, test the syntax and reload Nginx: nginx -t && nginx -s reload

Step 5: automatically update the certificate

First do a dry run of the renewal on the command line:

certbot renew --dry-run

If the dry run succeeds, use crontab -e to add the automatic renewal task. Note that Nginx keeps serving the old certificate until it is reloaded, so a reload is needed after each real renewal:

[root]# crontab -e
30 2 * * 1 /usr/bin/certbot renew >> /var/log/le-renew.log

Tags: Python Nginx shell server https

Posted by the-botman on Tue, 24 May 2022 00:03:36 +0300