Debian11上安装Nginx并配置HTTPS
Xplorist Lv6

Debian11上安装Nginx并配置HTTPS

reference-site-list

steps

安装Nginx

# Refresh the package index so the install below sees current package versions.
apt-get update

# Install nginx from the configured APT repositories.
apt-get install nginx

# Enable the nginx unit so it is started at boot.
systemctl enable nginx

使用acme进行HTTPS配置

  1. 向阿里云获取AccessKey（建议使用仅授予云解析DNS权限的RAM子账号的AccessKey，不要使用主账号的AccessKey；该密钥会以明文保存在服务器上）

阿里云获取AccessKey

  2. 使用acme申请证书
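# Create the directory that will hold the installed certificate and private key.
# -p creates both levels in one step; mode 700 keeps the key directory closed to
# everyone but root (assumes nginx is started as root, as the Debian package
# does by default -- confirm on your system).
mkdir -p /etc/nginx/cert.d/xplorist.tech
chmod 700 /etc/nginx/cert.d/xplorist.tech

cd /data

# Install acme.sh. Piping a remote script straight into sh runs whatever the
# server returns, with the current user's privileges and no chance to read it
# first, so save it to a file, review it, then run it.
# NOTE(review): the bootstrap script presumably fetches acme.sh itself from
# upstream -- check what it downloads while reviewing.
curl -fsSL https://get.acme.sh -o get-acme.sh
less get-acme.sh
sh get-acme.sh

# The two values below are long-lived cloud credentials kept in plain text.
# Use a key that can only manage DNS records, and keep ~/.bashrc readable by
# its owner only. acme.sh normally stores the values in its own account
# configuration after the first successful use (verify); once it has, these
# exports can be removed from .bashrc again.
vi ~/.bashrc
# Add the following to .bashrc
## begin .bashrc edit
export Ali_Key="AccessKeyId"
export Ali_Secret="AccessKeySecret"
## end .bashrc edit

source ~/.bashrc

# Issue a certificate for the apex and the wildcard name via the Aliyun DNS API.
# The wildcard is quoted so the shell passes it to acme.sh literally instead of
# expanding it against file names in the current directory.
acme.sh --issue --dns dns_ali -d xplorist.tech -d '*.xplorist.tech' --server letsencrypt

# Show the crontab (the acme.sh installer normally adds a renewal job --
# confirm it is listed).
crontab -l

# Hand the issued certificate to nginx. --install-cert is used on its own here
# rather than combined with --issue, so the command has a single, unambiguous
# action; acme.sh records the target paths and the reload command and reuses
# them on renewal.
acme.sh --install-cert -d xplorist.tech \
  --key-file /etc/nginx/cert.d/xplorist.tech/key.pem \
  --fullchain-file /etc/nginx/cert.d/xplorist.tech/full.pem \
  --reloadcmd "nginx -s reload"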

配置Nginx

vi /etc/nginx/nginx.conf

## begin nginx.conf edit

# Comment out the following line so files under sites-enabled are no longer loaded
# (presumably to switch off the packaged default site -- confirm that nginx.conf
# still includes conf.d/*.conf, which the next step relies on).
#include /etc/nginx/sites-enabled/*;

## end nginx.conf edit

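vi /etc/nginx/conf.d/xplorist.tech.conf

# Create xplorist.tech.conf
## begin xplorist.tech.conf
# /etc/nginx/conf.d/xplorist.tech.conf
server {
    listen 80;
    server_name xplorist.tech;
    # Accepts request bodies up to 1 GiB; lower this unless large uploads are needed.
    client_max_body_size 1024m;

    # Redirect port 80 to 443. A plain "return" needs no regex and keeps the
    # original request URI, query string included.
    return 301 https://$server_name$request_uri;

    # Kept from the original layout; the redirect above answers every request
    # on this server before these are consulted.
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root /usr/share/nginx/html;
    }
}

server {
    listen 443 ssl http2;
    server_name xplorist.tech;
    client_max_body_size 1024m;

    ssl_certificate /etc/nginx/cert.d/xplorist.tech/full.pem;
    ssl_certificate_key /etc/nginx/cert.d/xplorist.tech/key.pem;

    ssl_session_timeout 5m;

    # Enable HSTS. includeSubDomains makes browsers refuse plain HTTP for every
    # subdomain for a year, so turn it on only once all of them serve HTTPS.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    # TLS 1.2 cipher list (ssl_ciphers does not select TLS 1.3 suites).
    # Only suite names OpenSSL defines are listed: "...-GCM-SHA512" names do not
    # exist and are silently skipped. ECDSA and RSA variants are both present so
    # TLS 1.2 clients can connect whichever key type the certificate uses.
    # DHE suites are left out because nginx offers them only when ssl_dhparam is set.
    ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;
    # Remove TLSv1.2 once clients no longer need it
    ssl_protocols TLSv1.3 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;

    location / {
        root /usr/share/nginx/html;
        index index.html index.htm index.php;
    }

    location ~ \.php$ {
        root /usr/share/nginx/html;
        include snippets/fastcgi-php.conf;
        # NOTE(review): the socket name must match the installed PHP-FPM version;
        # Debian 11 packages PHP 7.4, so check /run/php/ for the actual file name.
        fastcgi_pass unix:/run/php/php7.3-fpm.sock;
    }
}
## end xplorist.tech.conf

# Check the configuration for errors first; reload only if the test passes.
nginx -t && systemctl reload nginx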
