Moving a website from HTTP to HTTPS

Most mainstream websites have by now dropped plain HTTP in favour of the more secure HTTPS. The reason is that HTTP sends everything in cleartext and offers no encryption of any kind: anyone who can intercept the traffic between the browser and the web server (an open Wi-Fi hotspot, a compromised router, an ISP-side proxy) can read it directly, and, because plain HTTP provides no integrity check either, can just as easily modify pages or inject content on the way through. HTTP is therefore unsuitable for anything sensitive such as credit card numbers or passwords. Mainstream browsers now label http:// pages as "Not secure" precisely to push sites toward HTTPS.

HTTPS is HTTP carried over TLS (the successor of SSL; the old name is still used colloquially). TLS relies on a certificate to let the browser verify the server's identity: during the handshake the server proves with asymmetric cryptography that it holds the private key matching its certificate and the two sides agree on a session key, after which the actual traffic is encrypted with a symmetric cipher. Browsers only accept certificates issued by a certificate authority (CA) they already trust, so running HTTPS means obtaining one. Commercial CAs charge anywhere from a few hundred to a few thousand RMB per year; for a personal site, the free certificates from Let's Encrypt (https://letsencrypt.org/) are enough. This small blog uses them, and the deployment went as follows:

  1. Download the Let's Encrypt client. (The repository has since been renamed to certbot, https://github.com/certbot/certbot, and the letsencrypt-auto / certbot-auto wrapper scripts used below are deprecated; current installs use the distribution's certbot package or snap, with the same subcommands and flags.)
        git clone https://github.com/letsencrypt/letsencrypt

  2. Issue the certificate. The --standalone authenticator starts its own temporary web server on port 80 to answer the ACME http-01 challenge, so port 80 must be free while this runs; if nginx or Apache is already listening there, the step fails. Either stop the web server for a moment, or use --webroot -w <document root> instead, which lets the running web server serve the challenge file.
    ./letsencrypt-auto certonly --standalone --email youremail@XXX.com -d XXX.com -d www.XXX.com


The output looks like this:

    Saving debug log to /var/log/letsencrypt/letsencrypt.log
    Plugins selected: Authenticator standalone, Installer None
    Obtaining a new certificate
    Performing the following challenges:
    http-01 challenge for yeetrack.com
    http-01 challenge for www.yeetrack.com
    Waiting for verification...
    Cleaning up challenges

    IMPORTANT NOTES:
     - Congratulations! Your certificate and chain have been saved at:
       /etc/letsencrypt/live/yeetrack.com/fullchain.pem
       Your key file has been saved at:
       /etc/letsencrypt/live/yeetrack.com/privkey.pem
       Your cert will expire on 2018-06-07. To obtain a new or tweaked version of this certificate in the future, simply run certbot-auto again. To non-interactively renew *all* of your certificates, run
       "certbot-auto renew"
     - If you like Certbot, please consider supporting our work by:
       Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
       Donating to EFF:                    https://eff.org/donate-le

  3. The free certificates are valid for 90 days. They can be renewed when they are about to expire with:

    certbot-auto renew

   The renew command walks every certificate certbot manages and renews only those within 30 days of expiry, so it is safe and intended to be run daily from cron or a systemd timer rather than by hand. Two caveats: with the standalone authenticator, renewal needs port 80 free again, so either stop and restart the web server around it with --pre-hook and --post-hook, or switch the certificate to --webroot; and nginx reads the certificate files only at startup or reload, so add --deploy-hook "systemctl reload nginx" (or the equivalent reload command), which certbot runs only when a certificate was actually renewed.

  4. With the certificate in place, the next step is to configure Apache or nginx; here it is nginx. Two things differ from the block as it was originally posted. `ssl on;` is gone: it was made redundant by `listen 443 ssl;`, was deprecated, and was removed outright in nginx 1.25.1, where it now breaks the config. And both hostnames the certificate covers are listed in server_name, otherwise requests for the bare domain on port 80 are not redirected at all. The redirect target `$server_name` expands to the first name in the list, so it canonicalises everything onto www.yeetrack.com; use `$host` instead if each name should be preserved, but only in a block that matches explicit server names, since in a default server `$host` is whatever the client sent. Note also that no ssl_protocols line is set, so the nginx default applies, which in releases of that era still included TLSv1 and TLSv1.1.

    # redirect http requests to https
    server {
        listen 80;
        server_name www.yeetrack.com yeetrack.com;
        return 301 https://$server_name$request_uri;
    }
    # the ssl configuration
    server {
        listen       443 ssl;
        server_name  www.yeetrack.com yeetrack.com;

        ssl_certificate      /etc/letsencrypt/live/yeetrack.com/fullchain.pem;
        ssl_certificate_key  /etc/letsencrypt/live/yeetrack.com/privkey.pem;

        ssl_session_cache    shared:SSL:1m;
        ssl_session_timeout  5m;

        ssl_ciphers  HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers  on;
        ...
    }
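The whole procedure above, steps 1 to 4 plus the check you want to run afterwards, as one script. This is an added example, not code from the original post and not part of certbot or nginx. It assumes a current `certbot` on PATH (not the deprecated letsencrypt-auto wrapper), that nginx already serves the site's document root on port 80 (the normal starting point when an existing HTTP site is being migrated), and that example.com, admin@example.com and /var/www/html are placeholders. It goes beyond the text in two ways: the --webroot authenticator replaces --standalone so port 80 never has to be freed, for issuance or renewal, and the generated nginx site adds explicit TLS versions and an HSTS header that the block above does not have.

```sh
#!/bin/sh
# Added example (not from the original post): migrate a site to HTTPS with
# certbot --webroot, a hardened nginx site, unattended renewal and a live check.
# Assumptions: certbot on PATH, nginx already serving $WEBROOT on port 80,
# and the three placeholders below overridden from the environment.
DOMAIN="${DOMAIN:-example.com}"
EMAIL="${EMAIL:-admin@example.com}"
WEBROOT="${WEBROOT:-/var/www/html}"

# Write the nginx site for $2 and www.$2 with document root $3 to file $1.
# Unlike the post's block: no deprecated `ssl on;`, TLS 1.2/1.3 only, the ACME
# path stays on plain HTTP so renewals need no downtime, and HSTS is set.
write_nginx_site() {
  cat > "$1" <<EOF
server {
    listen 80;
    server_name $2 www.$2;

    # certbot --webroot drops its http-01 challenge file under here; it must
    # not be redirected or renewals fail.
    location /.well-known/acme-challenge/ {
        root $3;
    }

    # Both names are explicit in server_name, so \$host is one of them. In a
    # default server use \$server_name instead, so an attacker-chosen Host
    # header cannot steer the redirect.
    location / {
        return 301 https://\$host\$request_uri;
    }
}

server {
    listen 443 ssl;
    server_name $2 www.$2;

    ssl_certificate     /etc/letsencrypt/live/$2/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/$2/privkey.pem;

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE+AESGCM:ECDHE+CHACHA20;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 1d;
    ssl_session_tickets off;

    # Two years; start with a shorter max-age on a site that is new to HTTPS.
    add_header Strict-Transport-Security "max-age=63072000" always;

    root $3;
}
EOF
}

# Print the settings in nginx config $1 a reviewer would object to; return 1
# if any were found, 0 if the file is clean.
lint_nginx_ssl() {
  rc=0
  if grep -Eq '^[[:space:]]*ssl[[:space:]]+on;' "$1"; then
    echo "deprecated: 'ssl on;' (removed in nginx 1.25.1; 'listen 443 ssl;' is enough)"; rc=1
  fi
  if ! grep -Eq '^[[:space:]]*ssl_protocols[[:space:]]' "$1"; then
    echo "missing: ssl_protocols (older nginx defaults still enable TLSv1 and TLSv1.1)"; rc=1
  elif grep -Eq '^[[:space:]]*ssl_protocols[^;]*TLSv1(\.1)?[[:space:];]' "$1"; then
    echo "weak: ssl_protocols allows TLSv1/TLSv1.1"; rc=1
  fi
  if ! grep -q 'Strict-Transport-Security' "$1"; then
    echo "missing: Strict-Transport-Security header"; rc=1
  fi
  return $rc
}

# Issue the certificate while nginx keeps running: the challenge file is
# written into the document root and fetched by Let's Encrypt over port 80.
obtain_certificate() {
  certbot certonly --webroot -w "$WEBROOT" -d "$DOMAIN" -d "www.$DOMAIN" \
    --email "$EMAIL" --agree-tos --non-interactive
}

# `certbot renew` renews only certificates within 30 days of expiry, so a daily
# run is fine. --deploy-hook runs only after a real renewal; the reload is
# needed because nginx reads the PEM files only at start or reload.
install_renewal_cron() {
  echo '17 3 * * * root certbot renew --quiet --deploy-hook "systemctl reload nginx"' \
    > /etc/cron.d/certbot-renew
}

# Live check: http:// must answer 301 to https://, curl must validate the chain
# for the name, and the served certificate must not expire within 30 days.
verify_site() {
  curl -sI "http://$1/" | grep -Eq '^HTTP/[0-9.]+ 301' \
    || { echo "http://$1/ did not return 301"; return 1; }
  curl -sI "http://$1/" | grep -Eiq "^location: https://$1/" \
    || { echo "redirect does not point at https://$1/"; return 1; }
  curl -sSf -o /dev/null "https://$1/" \
    || { echo "TLS connection or certificate validation failed"; return 1; }
  echo | openssl s_client -connect "$1:443" -servername "$1" 2>/dev/null \
    | openssl x509 -noout -checkend 2592000 \
    || { echo "certificate expires within 30 days"; return 1; }
  echo "ok: $1 redirects to https and serves a valid certificate"
}

# Run the full deployment only when asked, so the functions can be sourced.
if [ "${1:-}" = "deploy" ]; then
  obtain_certificate
  write_nginx_site "/etc/nginx/conf.d/$DOMAIN.conf" "$DOMAIN" "$WEBROOT"
  lint_nginx_ssl "/etc/nginx/conf.d/$DOMAIN.conf"
  nginx -t && systemctl reload nginx
  install_renewal_cron
  verify_site "$DOMAIN"
fi
```

Run it on the server as root with `DOMAIN=yeetrack.com EMAIL=you@example.com WEBROOT=/path/to/site sh deploy-https.sh deploy`. The functions are also usable on their own: `. ./deploy-https.sh; lint_nginx_ssl /etc/nginx/conf.d/site.conf` reports which of the settings discussed above an existing site file still carries, and `verify_site www.yeetrack.com` is the same check a browser does, minus the green padlock.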

Now visit the site and try it out. On this blog the result looks like this:

https://yeetrack.oss-cn-beijing.aliyuncs.com/2018-03/https_1.png

https://yeetrack.oss-cn-beijing.aliyuncs.com/2018-03/https_2.png

Copyright notice

Articles, images, videos and other material on this site (except reposts) are licensed under the Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International license (CC BY-NC-SA 4.0): when reposting, credit the source, do not use the material commercially, and share it under the same license.

© 空空博客, permalink: https://www.yeetrack.com/?p=1314