Installing OpenResty and Requesting an HTTPS Certificate

Install OpenResty

  1. Download and unpack the source
wget https://openresty.org/download/openresty-1.19.9.1.tar.gz
tar -zvxf openresty-1.19.9.1.tar.gz
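  2. Install the dependencies
# postgresql-devel supplies libpq, which --with-http_postgres_module needs at build time
yum install pcre-devel openssl-devel gcc curl postgresql-devel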
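  3. Compile and install
cd openresty-1.19.9.1
# The account named by --user/--group must exist before nginx starts
id nginx >/dev/null 2>&1 || useradd -r -s /sbin/nologin nginx
./configure --prefix=/opt/openresty \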
--user=nginx \
--group=nginx \
--with-luajit \
--with-threads \
--with-file-aio \
--with-pcre \
--with-pcre-jit \
--with-http_v2_module \
--with-http_ssl_module \
--with-http_realip_module \
--with-http_gunzip_module \
--with-http_gzip_static_module \
--with-http_secure_link_module \
--with-http_degradation_module \
--with-http_iconv_module \
--with-http_stub_status_module \
--without-lua_resty_memcached \
--without-http_memcached_module \
--with-http_postgres_module \
--with-mail \
--with-stream
gmake && gmake install
  4. Register the service
vim /etc/systemd/system/nginx.service
[Unit]
Description=Nginx (OpenResty) - high performance web server
After=network-online.target remote-fs.target nss-lookup.target
Wants=network-online.target

[Service]
User=root
Group=root
Type=forking
PIDFile=/opt/openresty/nginx/logs/nginx.pid
ExecStartPre=/opt/openresty/nginx/sbin/nginx -t -c /opt/openresty/nginx/conf/nginx.conf
ExecStart=/opt/openresty/nginx/sbin/nginx -c /opt/openresty/nginx/conf/nginx.conf
ExecReload=/bin/kill -s HUP $MAINPID
ExecStop=/bin/kill -s TERM $MAINPID
LimitNOFILE=65535

[Install]
WantedBy=multi-user.target
systemctl daemon-reload          # reload the unit files
systemctl restart nginx.service  # restart the service
systemctl status nginx.service   # check the service status

Request a certificate with acme.sh

  1. Install
curl https://get.acme.sh | sh
alias acme.sh=~/.acme.sh/acme.sh
# Upgrade to the latest version
acme.sh --upgrade
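  2. Request a wildcard certificate using DNS validation

This may fail when the DNS provider is slow to publish the validation record; if it does, simply request the certificate again.

# DNSPod API credentials read by the dns_dp hook; fill in your own
export DP_Id=""
export DP_Key=""
# Quote the wildcard so the shell does not expand it as a glob
acme.sh --issue --dns dns_dp -d ifan.host -d '*.ifan.host'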
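  3. Install the certificate
# The target directory must exist before acme.sh copies the files into it
mkdir -p /opt/openresty/nginx/cert/ifan
acme.sh --install-cert -d ifan.host -d '*.ifan.host' \
--key-file /opt/openresty/nginx/cert/ifan/ifan.host.key \
--fullchain-file /opt/openresty/nginx/cert/ifan/fullchain.cer \
--reloadcmd "service nginx force-reload"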
  4. acme.sh adds a cron job for the current user that renews the certificate periodically
crontab -l

Use the certificate

server {
    listen 80;
    listen 443 ssl http2;
    server_name ifan.host blog.ifan.host;
    index index.php index.html index.htm;
    root html/blog;
    ssl_certificate /opt/openresty/nginx/cert/ifan/fullchain.cer;
    ssl_certificate_key /opt/openresty/nginx/cert/ifan/ifan.host.key;
    # TLS 1.0 and 1.1 are deprecated (RFC 8996), so only 1.2 and later are enabled.
    # TLSv1.3 takes effect only when nginx is built against OpenSSL 1.1.1 or later.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;

    access_log /var/log/openresty/blog.access.log;
    error_log /var/log/openresty/blog.error.log;
}
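
A check for server blocks like the one above, as an added example that is not part of the original post: it flags ssl_protocols entries for deprecated protocol versions (SSLv2, SSLv3, TLS 1.0 and TLS 1.1; RFC 8996 retired the last two) and private key files that group or others can access. The function names and the sample config are constructed for illustration; it assumes GNU stat and one directive per line.

```sh
# Added example, not from the original post. Assumes GNU stat (Linux) and
# that each directive sits on a single line.

# Constructed sample input modelled on the server block above.
SAMPLE_CONF='server {
    server_name ifan.host blog.ifan.host;
    ssl_certificate /opt/openresty/nginx/cert/ifan/fullchain.cer;
    ssl_certificate_key /opt/openresty/nginx/cert/ifan/ifan.host.key;
    # ssl_protocols SSLv3;  (commented out, must be ignored)
    ssl_protocols TLSv1.1 TLSv1.2;
}'

# stdin: config text. Prints "line:protocol" for each deprecated protocol
# version enabled by an ssl_protocols directive.
deprecated_tls_protocols() {
    awk '{ sub(/#.*/, "") }
         $1 == "ssl_protocols" {
             for (i = 2; i <= NF; i++) {
                 p = $i; sub(/;$/, "", p)
                 if (p ~ /^(SSLv2|SSLv3|TLSv1|TLSv1\.1)$/) print NR ":" p
             }
         }'
}

# stdin: config text. Prints every path named by ssl_certificate_key.
key_paths() {
    awk '{ sub(/#.*/, "") }
         $1 == "ssl_certificate_key" { p = $2; sub(/;$/, "", p); print p }'
}

# Exit 0 when any group or other permission bit is set on the file.
key_mode_too_open() {
    mode=$(stat -c '%a' "$1") || return 2
    case "000$mode" in *00) return 1 ;; *) return 0 ;; esac
}

# usage: audit_conf /opt/openresty/nginx/conf/nginx.conf
audit_conf() {
    deprecated_tls_protocols < "$1" | while IFS= read -r hit; do
        echo "$1: deprecated protocol (line:name) $hit"
    done
    key_paths < "$1" | while IFS= read -r key; do
        if [ -e "$key" ] && key_mode_too_open "$key"; then
            echo "$1: $key is accessible to group/others"
        fi
    done
}

if [ $# -gt 0 ]; then audit_conf "$1"; fi
```

Run it with the path of the config file as the only argument; no output means neither problem was found.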