[Centos7] [Let ’s Encrypt] Until Nginx is inserted and SSL is enabled
Install Nginx with Centos7, issue a free certificate by Let ’s Encrypt and write up to apply.
The default document root for Nginx is ʻusr / share / nginx / html / , but this time change it to / var / www / html`.
There is no particular reason, but the main reason is that the default document root is deep and annoying. Also, I’m used to Apache’s document root.
Also, I’m using Centos7 this time, but if it’s Ubuntu, I think that most things will be fine if you change yum to ʻapt`.
If you are using Oracle Cloud, you need to set up a firewall.
Please go around if necessary
** Of course, you also need your own domain. ** **
Operating environment
- MacOS 10.15.6
- Centos7
- Nginx 1.16.1
The host OS can be Windows. It doesn’t really matter because it’s a VM.
Nginx
Installation
Install Nginx
$ sudo yum -y install nginx
The -y option is asked in the middle, can I install it? It is the one that automatically inputs the one.
After the installation is complete, set the startup and automatic startup.
If you don’t set it to auto-start, you’ll have to manually start it again when you shut down or restart the OS, which is annoying.
$ sudo systemctl start nginx //Start-up
$ sudo systemctl enable nginx //Autostart
At this point, if you access your IP address with a browser, you can see that Nginx is running.
Document route change
Modify the Nginx configuration file to change the document root.
First of all, the directory you want to set this time is / var / www / html, so create that directory.
$ sudo mkdir -p /var/www/html
Next, play with the configuration file.
The location may depend on the environment, but in my case it is /etc/nginx/nginx.conf
Make a habit of backing up before changing the config file
$ sudo cp /etc/nginx/nginx.conf /etc/nginx/nginx.conf_org
I will change it.
In my environment, it was the http setting item from the 38th line, so change the root directory there.
Just in case, comment it out and add it.
$ sudo vim /etc/nginx/nginx.conf
38 server {
39 listen 80 default_server;
40 listen [::]:80 default_server;
41 server_name _;
42 #root /usr/share/nginx/html;
43 root /var/www/html;
After changing the configuration file, reload it.
When this reload fails, something is wrong.
$ sudo systemctl reload nginx
Even if you check it with a browser at this stage, nothing will be hurt or it will be 404.
That should be because there is nothing in / var / www / html.
Let’s copy the original default page
$ sudo cp /usr/share/nginx/html/index.html /var/www/html/index.html
This should be OK, but when I access it, I get an error for some reason.
SELINUX
A security function called SELINUX gets in the way.
It’s a good idea to set it correctly, but because of this, it often does not behave as intended, so take the plunge and turn it off \
$ sudo cp /etc/selinux/config /etc/selinux/config_org //backup
$ sudo vim /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
### Disalbe SELINUX begin
##SELINUX=enforcing
SELINUX=disabled
### Disalbe SELINUX end
# SELINUXTYPE= can take one of three two values:
# targeted - Targeted processes are protected,
# minimum - Modification of targeted policy. Only selected processes are protected.
# mls - Multi Level Security protection.
SELINUXTYPE=targeted
Add SELINUX = disabled
After rewriting, let’s restart
$ sudo reboot
Now you can browse by accessing the browser.
Domain settings
I think there are various services such as Name.com that you purchased from.
For AWS, it’s Route53. I will omit it because it is various
Let’sEncrypt
At present, you will see Unprotected like this.
There are various problems with this, so change from http: // ~~ to https: // ~~
Let’sEncrypt
Installation
Install certbot
$ sudo yum -y install certbot
Issue a certificate
Enter the document root after -w, the domain name after -d, and the email address for --email.
sudo certbot certonly --webroot -w /var/www/html -d hoge.example.com --email [email protected]
After that, you will be asked if you agree to the terms of use, so y
You can send a notification email such as Issue, so enter y if you like, n if you don’t like it.
If you see Congratulations!, You are successful.
Change configuration file
Add the following.
Please note that there are 3 items to change.
server {
listen 443 ssl;
server_name hoge.example.com;
ssl_certificate /etc/letsencrypt/live/hoge.example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/hoge.example.com/privkey.pem;
root /var/www/html;
}
Now restart Nginx and you’re done.
$ sudo systemctl restart nginx
301 redirect
At present, both can be accessed with http: // ~~ and https: // ~~.
Since it is not necessary to access to http: // ~~, I will write a process to redirect when accessing with http.
A 301 redirect means a permanent redirect
Add to the configuration file
$ sudo vim /etc/nginx/nginx.conf
server {
listen 80 default_server;
listen [::]:80 default_server;
server_name _;
#root /usr/share/nginx/html;
root /var/www/html;
return 301 https://hoge.example.com/$request_uri; //Postscript
}
This way you will be redirected!
Automatic certificate renewal
Let ’s Encrypt is free and will expire in 90 days.
So, set it with cron so that it can be updated automatically.
$ sudo crontab -e
00 04 01 * * certbot renew --force-renew --webroot-path /var/www/html/ --post-hook "systemctl reload nginx"
This is all done
reference
Procedure for disabling CentOS7 SELinux
Use Let’s Encrypt with Nginx on CentOS7
How to set cron