Nginx Study Notes (1): How to Configure a Secure HTTPS Web Server
I. System environment
1. OS: Ubuntu 16.04.2 LTS
2. Web server: OpenResty 11.2.5
II. Configuration
1. Get the certbot client
wget https://dl.eff.org/certbot-auto
chmod a+x certbot-auto
2. Stop the Nginx service
sudo systemctl stop nginx.service
3. Generate the certificate
./certbot-auto certonly --standalone --email `your email address` -d `your domain`
When the site has several domains, add each one after the first, for example:
./certbot-auto certonly --standalone --email `your email address` -d `your domain 1` -d `your domain 2`
sudo ./certbot-auto certonly --standalone --email "yourEmail@qq.com" -d "www.tinywan.com" \
    -d "live.tinywan.com" -d "vod.tinywan.com" -d "livecdn.tinywan.com" \
    -d "nginx-vod.tinywan.com" -d "hls-auth.tinywan.com" -d "hls.tinywan.com" -d "auth.tinywan.com"
Possible error 1: OSError: Command /opt/eff.org/certbot/venv/bin/python2.7 - setuptools pkg_resources pip wheel failed with error code 2
A search turned up certbot issue #issuecomment-273014451: the cause is that several versions of Python are installed on the system. So how do you remove the extra ones?
Solution:
apt-get purge python-virtualenv python3-virtualenv virtualenv
pip install virtualenv
Possible error 2:
Cleaning up challenges
Problem binding to port 443: Could not bind to IPv4 or IPv6.
Fix: this means your Nginx service is still running! Kill it right away.
Output from a successful certificate generation:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Obtaining a new certificate
Performing the following challenges:
tls-sni-01 challenge for www.tinywan.com
tls-sni-01 challenge for live.tinywan.com
tls-sni-01 challenge for vod.tinywan.com
tls-sni-01 challenge for livecdn.tinywan.com
tls-sni-01 challenge for nginx-vod.tinywan.com
tls-sni-01 challenge for hls-auth.tinywan.com
tls-sni-01 challenge for hls.tinywan.com
tls-sni-01 challenge for auth.tinywan.com
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/www.tinywan.com-0001/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/www.tinywan.com-0001/privkey.pem
   Your cert will expire on 2018-02-22. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot-auto
   again. To non-interactively renew *all* of your certificates, run
   "certbot-auto renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le
4. View the generated certificates
tree /etc/letsencrypt/live/
www@TinywanAliYun:~$ sudo tree /etc/letsencrypt/live/
/etc/letsencrypt/live/
└── www.tinywan.top
    ├── cert.pem -> ../../archive/www.tinywan.top/cert1.pem
    ├── chain.pem -> ../../archive/www.tinywan.top/chain1.pem
    ├── fullchain.pem -> ../../archive/www.tinywan.top/fullchain1.pem
    ├── privkey.pem -> ../../archive/www.tinywan.top/privkey1.pem
    └── README

1 directory, 5 files
5. Edit the Nginx configuration file and enable SSL
sudo vim /usr/local/openresty/nginx/conf/nginx.conf
Virtual host configuration
...
# HTTP redirect: send every plain-HTTP request to HTTPS
server {
    listen 80;
    server_name www.tinywan.top;
    rewrite ^ https://$http_host$request_uri? permanent;   # force redirect http to https
}

# SSL certificate configuration
server {
    listen 443 ssl;
    server_name www.tinywan.top;
    ssl_certificate /etc/letsencrypt/live/www.tinywan.top/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/www.tinywan.top/privkey.pem;
    # keep the server version out of response headers, so attackers cannot target version-specific vulnerabilities
    server_tokens off;
    set $root_path /home/www/web/golang;
    root $root_path;
    location / {
        if (!-e $request_filename) {
            rewrite ^(.*)$ /index.php?s=/$1 last;
            break;
        }
    }
}
...
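As an added example (this is not code from the original post), the following shell script checks a saved nginx configuration for the settings the server block above depends on: an HTTPS listener, certificate directives under /etc/letsencrypt/live/, no doubled slash in a certificate path, `server_tokens off;`, and a redirect from port 80 to HTTPS. The two embedded configurations are constructed for the demonstration from the post's block (domain and paths are the post's); the "weak" copy keeps the doubled slash and leaves out `server_tokens off;`, the "strong" copy has both fixed.

```shell
#!/bin/sh
# Added example, not from the original post: a pre-deploy check for the
# settings the server block above relies on. audit_nginx_conf greps one
# nginx config file, prints one line per failed check and returns the number
# of failures, so it can gate a restart alongside `nginx -t` (it does not
# replace nginx -t, which checks syntax, not policy).
set -u

# audit_nginx_conf FILE -> prints failures, returns their count (0 = all good)
audit_nginx_conf() {
    f="$1"; fails=0
    # 1. there is an HTTPS listener
    grep -Eq '^[[:space:]]*listen[[:space:]]+443[[:space:]]+ssl' "$f" \
        || { echo "FAIL: no 'listen 443 ssl' server block"; fails=$((fails + 1)); }
    # 2. both certificate directives are present and point into certbot's live dir
    for d in ssl_certificate ssl_certificate_key; do
        grep -Eq "^[[:space:]]*$d[[:space:]]+/etc/letsencrypt/live/" "$f" \
            || { echo "FAIL: $d missing or not under /etc/letsencrypt/live/"; fails=$((fails + 1)); }
    done
    # 3. no doubled slash in a certificate path (the typo in the post's original config)
    if grep -E '^[[:space:]]*ssl_certificate(_key)?[[:space:]]+' "$f" | grep -q '//'; then
        echo "FAIL: doubled '//' in a certificate path"; fails=$((fails + 1))
    fi
    # 4. the server version is hidden from response headers
    grep -Eq '^[[:space:]]*server_tokens[[:space:]]+off;' "$f" \
        || { echo "FAIL: 'server_tokens off;' not set"; fails=$((fails + 1)); }
    # 5. plain HTTP is redirected to HTTPS (the post's rewrite, or a return 301/308)
    grep -Eq 'rewrite[[:space:]]+\^[[:space:]]+https://|return[[:space:]]+30[18][[:space:]]+https://' "$f" \
        || { echo "FAIL: no http -> https redirect"; fails=$((fails + 1)); }
    return "$fails"
}

# Two constructed configs for the demonstration. "weak" is the post's block
# as first written: doubled slash in the key path and no server_tokens off.
weak=$(mktemp); strong=$(mktemp)
trap 'rm -f "$weak" "$strong"' EXIT
cat >"$weak" <<'EOF'
server {
    listen 80;
    server_name www.tinywan.top;
    rewrite ^ https://$http_host$request_uri? permanent;
}
server {
    listen 443 ssl;
    server_name www.tinywan.top;
    ssl_certificate /etc/letsencrypt/live/www.tinywan.top/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/www.tinywan.top//privkey.pem;
    root /home/www/web/golang;
}
EOF
cat >"$strong" <<'EOF'
server {
    listen 80;
    server_name www.tinywan.top;
    return 301 https://$host$request_uri;
}
server {
    listen 443 ssl;
    server_name www.tinywan.top;
    ssl_certificate /etc/letsencrypt/live/www.tinywan.top/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/www.tinywan.top/privkey.pem;
    server_tokens off;
    root /home/www/web/golang;
}
EOF

echo "== weak config";   if audit_nginx_conf "$weak"; then echo "PASS"; fi
echo "== strong config"; if audit_nginx_conf "$strong"; then echo "PASS"; fi
```

Run it against the real file (`audit_nginx_conf /usr/local/openresty/nginx/conf/nginx.conf`) before `nginx -t` and the restart in step 6; the weak copy reports two failures (the doubled slash and the missing `server_tokens off;`), the strong copy none.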
6. Restart the Nginx service
sudo systemctl restart nginx.service
7. The free certificates Let's Encrypt issues are valid for 3 months; with crontab they can be renewed indefinitely
# run the renewal every Monday at 02:30
30 2 * * 1 /home/www/bin/certbot-auto renew >>/home/www/bin/logs/encrypt_auto_update.log 2>&1
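As an added example (not from the original post), here is a renewal wrapper for that cron entry. Two things the bare `certbot-auto renew` line does not cover: with the standalone authenticator used in step 3, certbot must be able to bind ports 80/443, so nginx has to be stopped while a renewal runs (otherwise it fails with the same "Could not bind to IPv4 or IPv6" error as before); and a renewal that quietly fails for weeks only becomes visible when the site goes down, so the script verifies the deployed certificate afterwards and exits non-zero while there is still time to act. The certbot path, the live directory and the 14-day threshold are assumptions taken from the post's paths.

```shell
#!/bin/sh
# Added example, not from the original post: a renewal wrapper for the cron
# entry above. It (1) stops nginx only while certbot actually renews, via
# certbot's --pre-hook/--post-hook, so the standalone authenticator can bind
# ports 80/443, and starts nginx again afterwards, and (2) verifies the
# deployed certificate with openssl and exits non-zero if it is close to
# expiry, so a silently failing renewal shows up as a failed cron job.
# Paths and the domain are assumptions copied from the post; adjust them.
set -eu

CERTBOT="${CERTBOT:-/home/www/bin/certbot-auto}"
LIVE_DIR="${LIVE_DIR:-/etc/letsencrypt/live/www.tinywan.top}"
MIN_DAYS="${MIN_DAYS:-14}"   # alert if fewer than this many days of validity remain

# cert_valid_for_days PEM DAYS -> exit status 0 if the certificate in PEM is
# still valid for at least DAYS days, 1 otherwise (openssl's -checkend does
# the date arithmetic, so no GNU date is needed).
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# renew_and_verify -> runs certbot renew, then checks the live fullchain.pem.
# certbot only runs the hooks when a certificate is actually due, so nginx is
# not bounced on the weeks where nothing needs renewing.
renew_and_verify() {
    "$CERTBOT" renew --quiet \
        --pre-hook  "systemctl stop nginx.service" \
        --post-hook "systemctl start nginx.service"
    if cert_valid_for_days "$LIVE_DIR/fullchain.pem" "$MIN_DAYS"; then
        echo "OK: $LIVE_DIR/fullchain.pem valid for at least $MIN_DAYS more days"
    else
        echo "ERROR: $LIVE_DIR/fullchain.pem expires within $MIN_DAYS days (renewal failed?)" >&2
        return 1
    fi
}

# Invoke as `sh renew-check.sh run` from cron; without "run" only the
# functions are defined (handy for sourcing or testing).
case "${1:-}" in
    run) renew_and_verify ;;
esac
```

In the crontab, replace the bare `certbot-auto renew` with `sh /home/www/bin/renew-check.sh run`, keeping the same log redirection; cron then reports a non-zero exit (and the ERROR line lands in the log) when the certificate is within 14 days of expiry. The post-hook also gives nginx a fresh process that reads the new certificate, which a plain `renew` does not do.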
A pitfall I ran into: I searched everywhere and nothing fixed it; in the end it turned out to be a lack of memory.
OSError: Command /opt/eff.org/certbot/venv/bin/python2.7 - setuptools pkg_resources pip wheel failed with error code 2
  File "/usr/local/lib/python2.7/dist-packages/virtualenv.py", line 945, in create_environment
How to fix it:
user@webserver:~$ sudo fallocate -l 1G /tmp/swapfile
user@webserver:~$ sudo chmod 600 /tmp/swapfile
user@webserver:~$ sudo mkswap /tmp/swapfile
user@webserver:~$ sudo swapon /tmp/swapfile
Finally, remember to release the swap space you allocated:
user@webserver:~$ sudo swapoff /tmp/swapfile
user@webserver:~$ sudo rm /tmp/swapfile
Error encountered during the update on Ubuntu 16.04:
Reading package lists... Done
Reading package lists... Done
Building dependency tree
Reading state information... Done
augeas-lenses is already the newest version (1.4.0-0ubuntu1).
ca-certificates is already the newest version (20160104ubuntu1).
gcc is already the newest version (4:5.3.1-1ubuntu1).
libaugeas0 is already the newest version (1.4.0-0ubuntu1).
libffi-dev is already the newest version (3.2.1-4).
python is already the newest version (2.7.11-1).
python-dev is already the newest version (2.7.11-1).
libssl-dev is already the newest version (1.0.2g-1ubuntu4.5).
openssl is already the newest version (1.0.2g-1ubuntu4.5).
python-virtualenv is already the newest version (15.0.1+ds-3ubuntu1).
virtualenv is already the newest version (15.0.1+ds-3ubuntu1).
0 upgraded, 0 newly installed, 0 to remove and 3 not upgraded.
Creating virtual environment...
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/virtualenv.py", line 2363, in <module>
    main()
  File "/usr/lib/python3/dist-packages/virtualenv.py", line 719, in main
    symlink=options.symlink)
  File "/usr/lib/python3/dist-packages/virtualenv.py", line 988, in create_environment
    download=download,
  File "/usr/lib/python3/dist-packages/virtualenv.py", line 918, in install_wheel
    call_subprocess(cmd, show_stdout=False, extra_env=env, stdin=SCRIPT)
  File "/usr/lib/python3/dist-packages/virtualenv.py", line 812, in call_subprocess
    % (cmd_desc, proc.returncode))
OSError: Command /root/.local/share/letsencrypt/bin/python2.7 - setuptools pkg_resources pip wheel failed with error code 2
Fix: sudo apt install letsencrypt
Tutorial in English: https://www.vultr.com/docs/setup-let-s-encrypt-with-lighttpd-on-ubuntu-16-04