How To Secure Nginx with Let's Encrypt on Ubuntu 20.04

news/2024/7/3 2:28:54

Introduction

Let’s Encrypt is a Certificate Authority (CA) that provides an easy way to obtain and install free TLS/SSL certificates, thereby enabling encrypted HTTPS on web servers. It simplifies the process by providing a software client, Certbot, that attempts to automate most (if not all) of the required steps. Currently, the entire process of obtaining and installing a certificate is fully automated on both Apache and Nginx.

In this tutorial, you will use Certbot to obtain a free SSL certificate for Nginx on Ubuntu 20.04 and set up your certificate to renew automatically.

This tutorial will use a separate Nginx server configuration file instead of the default file. We recommend creating new Nginx server block files for each domain because it helps to avoid common mistakes and maintains the default files as a fallback configuration.

Prerequisites

To follow this tutorial, you will need:

  • One Ubuntu 20.04 server set up by following this initial server setup for Ubuntu 20.04 tutorial, including a sudo-enabled non-root user and a firewall.

  • A registered domain name. This tutorial will use example.com throughout. You can purchase a domain name from Namecheap, get one for free with Freenom, or use the domain registrar of your choice.

  • Both of the following DNS records set up for your server. If you are using DigitalOcean, please see our DNS documentation for details on how to add them.

    • An A record with example.com pointing to your server’s public IP address.

    • An A record with www.example.com pointing to your server’s public IP address.

  • Nginx installed by following How To Install Nginx on Ubuntu 20.04. Be sure that you have a server block for your domain. This tutorial will use /etc/nginx/sites-available/example.com as an example.

Step 1 — Installing Certbot

The first step to using Let’s Encrypt to obtain an SSL certificate is to install the Certbot software on your server.

Install Certbot and its Nginx plugin with apt:

  • sudo apt install certbot python3-certbot-nginx

The certbot package in the Ubuntu 20.04 repositories is an older release and no longer receives new Certbot features. The Certbot project's recommended install is its snap package (sudo snap install --classic certbot), which bundles the Nginx plugin; if you go that route, the renewal timer checked in Step 5 is named snap.certbot.renew.timer rather than certbot.timer. The rest of this tutorial works the same either way.

Certbot is now ready to use, but in order for it to automatically configure SSL for Nginx, we need to verify some of Nginx’s configuration.

Step 2 — Confirming Nginx's Configuration

Certbot needs to be able to find the correct server block in your Nginx configuration for it to be able to automatically configure SSL. Specifically, it does this by looking for a server_name directive that matches the domain you request a certificate for.

If you followed the server block set up step in the Nginx installation tutorial, you should have a server block for your domain at /etc/nginx/sites-available/example.com with the server_name directive already set appropriately.

To check, open the configuration file for your domain using nano or your favorite text editor:

  • sudo nano /etc/nginx/sites-available/example.com

Find the existing server_name line. It should look like this:

/etc/nginx/sites-available/example.com
...
server_name example.com www.example.com;
...

If it does, exit your editor and move on to the next step.

If it doesn’t, update it to match. Then save the file, quit your editor, and verify the syntax of your configuration edits:

  • sudo nginx -t

If you get an error, reopen the server block file and check for any typos or missing characters. Once your configuration file’s syntax is correct, reload Nginx to load the new configuration:

  • sudo systemctl reload nginx

Certbot can now find the correct server block and update it automatically.
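
As an added example (not part of the original tutorial), here is a small shell check that does what this step asks you to do by eye: it extracts every name from the server_name directives in a server block file and confirms that each name you intend to pass to certbot -d is declared, so the Nginx plugin will find the block. The configuration it inspects is a constructed sample written to a temporary file, standing in for /etc/nginx/sites-available/example.com; on a real server, pass the path of your own server block file instead.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: confirm that an Nginx
# server block declares every name you will pass to "certbot -d", which is
# what the Nginx plugin matches on.
set -eu

# Constructed sample server block standing in for
# /etc/nginx/sites-available/example.com (assumption: the real file on your
# server may differ; pass its path instead).
SAMPLE_CONF="$(mktemp)"
trap 'rm -f "$SAMPLE_CONF"' EXIT
cat > "$SAMPLE_CONF" <<'EOF'
server {
    listen 80;
    listen [::]:80;

    root /var/www/example.com/html;
    index index.html index.htm index.nginx-debian.html;

    # server_name old.example.com;   # commented out: must be ignored
    server_name example.com www.example.com;

    location / {
        try_files $uri $uri/ =404;
    }
}
EOF

# Print every name from uncommented server_name directives, one per line.
# Comments are stripped first so a commented-out directive does not count.
nginx_server_names() {  # nginx_server_names CONF
    sed -e 's/#.*$//' "$1" \
      | awk '$1 == "server_name" {
                 for (i = 2; i <= NF; i++) {
                     sub(/;$/, "", $i)
                     if ($i != "") print $i
                 }
             }'
}

# Return 0 if CONF declares HOSTNAME exactly (no wildcard matching).
has_server_name() {  # has_server_name CONF HOSTNAME
    nginx_server_names "$1" | grep -qx -- "$2"
}

# Check every domain you intend to request; report the first one that the
# server block does not declare. Usage: check_certbot_domains CONF DOMAIN...
check_certbot_domains() {
    conf="$1"; shift
    for d in "$@"; do
        if ! has_server_name "$conf" "$d"; then
            echo "no server_name for $d in $conf; certbot --nginx will not find this block" >&2
            return 1
        fi
    done
    return 0
}

# Same invocation you would use on the server, here against the sample:
#   check_certbot_domains /etc/nginx/sites-available/example.com example.com www.example.com
if check_certbot_domains "$SAMPLE_CONF" example.com www.example.com; then
    echo "server block declares all requested names"
fi
```

The check is deliberately strict: it wants the exact hostnames, because a server_name of _ or a wildcard will not make Certbot pick that block for example.com. Run it before sudo nginx -t so that a missing name is caught before Certbot reports that it could not find a matching server block.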

Next, let’s update the firewall to allow HTTPS traffic.

Step 3 — Allowing HTTPS Through the Firewall

If you have the ufw firewall enabled, as recommended by the prerequisite guides, you’ll need to adjust the settings to allow for HTTPS traffic. Luckily, Nginx registers a few profiles with ufw upon installation.

You can see the current setting by typing:

  • sudo ufw status

It will probably look like this, meaning that only HTTP traffic is allowed to the web server:


   
Output
Status: active

To                         Action      From
--                         ------      ----
OpenSSH                    ALLOW       Anywhere
Nginx HTTP                 ALLOW       Anywhere
OpenSSH (v6)               ALLOW       Anywhere (v6)
Nginx HTTP (v6)            ALLOW       Anywhere (v6)

To additionally let in HTTPS traffic, allow the Nginx Full profile (ports 80 and 443) and delete the now-redundant Nginx HTTP profile allowance. Do not be tempted to close port 80 later: the HTTP-01 challenge that the Nginx plugin uses to prove control of your domain, on first issuance and on every renewal, is served over plain HTTP on port 80, and the HTTP-to-HTTPS redirect set up in Step 4 needs it as well.

  • sudo ufw allow 'Nginx Full'

  • sudo ufw delete allow 'Nginx HTTP'

Your status should now look like this:

  • sudo ufw status

   
Output
Status: active

To                         Action      From
--                         ------      ----
OpenSSH                    ALLOW       Anywhere
Nginx Full                 ALLOW       Anywhere
OpenSSH (v6)               ALLOW       Anywhere (v6)
Nginx Full (v6)            ALLOW       Anywhere (v6)

Next, let’s run Certbot and fetch our certificates.

Step 4 — Obtaining an SSL Certificate

Certbot provides a variety of ways to obtain SSL certificates through plugins. The Nginx plugin will take care of reconfiguring Nginx and reloading the config whenever necessary. To use this plugin, type the following:

  • sudo certbot --nginx -d example.com -d www.example.com

This runs certbot with the --nginx plugin, using -d to specify the domain names we'd like the certificate to be valid for. Each name must resolve to this server's public IP (the A records from the prerequisites) and be reachable on port 80, because Let's Encrypt verifies control of every name by fetching a challenge file from it over plain HTTP before issuing.

If this is your first time running certbot, you will be prompted to enter an email address and agree to the terms of service. After doing so, certbot will communicate with the Let’s Encrypt server, then run a challenge to verify that you control the domain you’re requesting a certificate for.

If that’s successful, certbot will ask how you’d like to configure your HTTPS settings.


   
Output
Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel):

Select your choice then hit ENTER. For a new site, choose 2 so that plain-HTTP requests are redirected to HTTPS instead of being served unencrypted; option 1 leaves the site reachable over both. The configuration will be updated, and Nginx will reload to pick up the new settings. certbot will wrap up with a message telling you the process was successful and where your certificates are stored:


   
Output
IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/example.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/example.com/privkey.pem
   Your cert will expire on 2020-08-18. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot again
   with the "certonly" option. To non-interactively renew *all* of
   your certificates, run "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Your certificates are downloaded, installed, and loaded. Try reloading your website using https:// and check your browser's security indicator; it should show the site as secured, usually with a lock icon. If you test your server with the SSL Labs Server Test, it should receive an A grade.

Let’s finish by testing the renewal process.

Step 5 — Verifying Certbot Auto-Renewal

Let’s Encrypt’s certificates are only valid for ninety days. This is to encourage users to automate their certificate renewal process. The certbot package we installed takes care of this for us by adding a systemd timer that will run twice a day and automatically renew any certificate that’s within thirty days of expiration.

You can query the status of the timer with systemctl:

  • sudo systemctl status certbot.timer

   
Output
● certbot.timer - Run certbot twice daily
     Loaded: loaded (/lib/systemd/system/certbot.timer; enabled; vendor preset: enabled)
     Active: active (waiting) since Mon 2020-05-04 20:04:36 UTC; 2 weeks 1 days ago
    Trigger: Thu 2020-05-21 05:22:32 UTC; 9h left
   Triggers: ● certbot.service

To test the renewal process, you can do a dry run with certbot:

  • sudo certbot renew --dry-run

If you see no errors, you're all set. When necessary, Certbot will renew your certificates and reload Nginx to pick up the changes. Let's Encrypt used to email the address you registered when a certificate was about to expire without having been renewed, but it has announced the end of those expiry notification emails, so do not rely on them as your only warning: check the timer and the certificate's expiry yourself (for example with certbot certificates) or monitor them from outside the server.
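
Because the expiry email is not a dependable failure signal, here is an added shell example (not from the original tutorial) covering the verification a practitioner does after Step 4 and the monitoring that complements the renewal check in this step. It lists the DNS names in the certificate's Subject Alternative Name extension, confirms that each requested domain is covered, and uses openssl x509 -checkend to tell whether the certificate is already inside Certbot's thirty-day renewal window, which is the condition that means renewal is not happening. It assumes openssl is installed; a self-signed certificate generated in a temporary directory stands in for /etc/letsencrypt/live/example.com/fullchain.pem so the script runs offline.

```shell
#!/bin/sh
# Added example (not from the original tutorial): checks a practitioner runs
# against the certificate Certbot installed, to confirm it covers the right
# names and to catch a stalled renewal before the certificate expires.
# For an offline run, self-signed certificates generated below stand in for
# /etc/letsencrypt/live/example.com/fullchain.pem.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Constructed stand-in certificates (assumption: openssl is installed).
# "fresh" mimics a newly issued 90-day certificate carrying both SANs;
# "stale" has only 10 days left, i.e. it is inside Certbot's 30-day window.
make_cert() {  # make_cert OUTFILE DAYS
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$2" \
        -subj "/CN=example.com" \
        -addext "subjectAltName=DNS:example.com,DNS:www.example.com" \
        -keyout "$WORK/key.pem" -out "$1" 2>/dev/null
}
FRESH_CERT="$WORK/fresh.pem"; make_cert "$FRESH_CERT" 90
STALE_CERT="$WORK/stale.pem"; make_cert "$STALE_CERT" 10

# Print the DNS names in the certificate's Subject Alternative Name
# extension, one per line. Browsers match the hostname against the SAN
# list, not the Common Name, so this is the list that matters.
cert_dns_names() {  # cert_dns_names CERT
    openssl x509 -in "$1" -noout -text \
      | grep -o 'DNS:[^, ]*' \
      | sed 's/^DNS://'
}

# Return 0 if the certificate lists HOSTNAME in its SANs, 1 otherwise.
cert_covers() {  # cert_covers CERT HOSTNAME
    cert_dns_names "$1" | grep -qx -- "$2"
}

# Return 0 if the certificate will still be valid DAYS days from now,
# 1 if it expires within that window. Certbot renews inside 30 days,
# so failing this check with DAYS=30 means renewal is not happening.
cert_valid_for_days() {  # cert_valid_for_days CERT DAYS
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# Full check: every hostname covered, and not inside the renewal window.
# Usage: check_installed_cert CERT HOSTNAME...
check_installed_cert() {
    cert="$1"; shift
    for h in "$@"; do
        cert_covers "$cert" "$h" \
            || { echo "$cert does not cover $h" >&2; return 1; }
    done
    cert_valid_for_days "$cert" 30 \
        || { echo "$cert expires within 30 days; renewal may be failing" >&2; return 1; }
}

# On a real server you would run, for example:
#   check_installed_cert /etc/letsencrypt/live/example.com/fullchain.pem \
#       example.com www.example.com
if check_installed_cert "$FRESH_CERT" example.com www.example.com; then
    echo "fresh certificate: covers both names and is outside the renewal window"
fi
```

Run check_installed_cert against /etc/letsencrypt/live/example.com/fullchain.pem from cron or your monitoring system a day after the timer should have renewed; a non-zero exit means the certificate is sitting inside the renewal window, which is exactly the situation an expiry email would have warned about. A quick complementary check that the Step 4 redirect is in place is curl -sI http://example.com | head -n 1, which should return a 301.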

Conclusion

In this tutorial, you installed the Let’s Encrypt client certbot, downloaded SSL certificates for your domain, configured Nginx to use these certificates, and set up automatic certificate renewal. If you have further questions about using Certbot, the official documentation is a good place to start.

Translated from: https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-with-let-s-encrypt-on-ubuntu-20-04


http://www.niftyadmin.cn/n/3648137.html
