This article describes how to put an Nginx reverse proxy with a Let's Encrypt SSL certificate in front of Graylog. The goal is to serve Graylog under a domain name or hostname with a certificate issued by a trusted CA. We first install a Let's Encrypt client such as certbot, use it to request the certificate Graylog will be served with, and then follow the steps below.
1. Install certbot-auto

    # wget https://dl.eff.org/certbot-auto -P /usr/local/bin
    # chmod a+x /usr/local/bin/certbot-auto
2. Open the http and https ports on the firewall

The certificate request below uses the http port (the HTTP-01 challenge), so that port must be reachable through the firewall. If you use ufw or iptables instead of firewalld, replace these commands with their equivalents:

    # firewall-cmd --add-service={http,https} --permanent
    # firewall-cmd --reload
3. Request the SSL certificate

Request a Let's Encrypt certificate with the certbot-auto command:

    # export DOMAIN=`hostname -f`
    # export EMAIL="email@domain.com"
    # certbot-auto certonly --standalone -d $DOMAIN --preferred-challenges http --agree-tos -n -m $EMAIL --keep-until-expiring

This may take a while: certbot-auto starts by bootstrapping its dependencies, creates a Python virtual environment, installs the Python packages it needs, and only then requests the certificate. Wait until the command reports that the certificate was issued successfully. The success message looks like this:

    .....
    IMPORTANT NOTES:
    - Congratulations! Your certificate and chain have been saved at:
      /etc/letsencrypt/live/domain.com/fullchain.pem
      Your key file has been saved at:
      /etc/letsencrypt/live/domain.com/privkey.pem
      Your cert will expire on 2020-01-29. To obtain a new or tweaked
      version of this certificate in the future, simply run certbot-auto
      again. To non-interactively renew *all* of your certificates, run
      "certbot-auto renew"
4. Install and configure Nginx

Now install and configure Nginx:

    # yum -y install nginx           --> CentOS
    # apt-get install nginx          --> Ubuntu 16.04, Debian 8/9

We add the Nginx configuration for Graylog in /etc/nginx/conf.d/graylog.conf. Replace domain.com with your Graylog domain or subdomain; the X-Graylog-Server-URL header must carry the same public https name, because the Graylog web interface uses it to reach the REST API:

    server {
        listen 443 ssl;
        server_name domain.com www.domain.com;

        location / {
            proxy_set_header Host $http_host;
            proxy_set_header X-Forwarded-Host $host;
            proxy_set_header X-Forwarded-Server $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Graylog-Server-URL https://domain.com/api;
            proxy_pass http://127.0.0.1:9000;
            # proxy_pass http://ip-address:9000;
        }

        ssl on;
        ssl_certificate /etc/letsencrypt/live/domain.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/domain.com/privkey.pem;
        ssl_session_timeout 5m;
        ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
        ssl_protocols TLSv1.2;
        ssl_prefer_server_ciphers on;

        access_log /var/log/nginx/graylog.access.log;
        error_log /var/log/nginx/graylog.error.log;
    }

    # http to https redirection
    server {
        listen 80;
        server_name domain.com www.domain.com;
        add_header Strict-Transport-Security max-age=2592000;
        rewrite ^ https://$server_name$request_uri? permanent;
    }

Save the configuration and let nginx check that its syntax is valid:

    # nginx -t
    nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
    nginx: configuration file /etc/nginx/nginx.conf test is successful

Finally start and enable the nginx service:

    # systemctl start nginx
    # systemctl enable nginx

Visiting the configured domain over plain http should now redirect to https.
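As an added example (not code from the original post), here is a small Python checker that reads an Nginx server block like the one above and reports the settings a defender cares about before running nginx -t: that X-Graylog-Server-URL matches the public https name, that only TLS 1.2/1.3 are enabled, that no 3DES/RC4/MD5 suites are offered, and that X-Forwarded-For is passed on. PAGE_CONFIG is a constructed sample based on the post's block, and the directive parser is a deliberately simple regex, not a full Nginx config parser.

```python
import re
# Constructed sample: the 443 server block from the post, trimmed to the relevant directives.
PAGE_CONFIG = """
server {
    listen 443 ssl;
    server_name domain.com www.domain.com;
    location / {
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Graylog-Server-URL https://domain.com/api;
        proxy_pass http://127.0.0.1:9000;
    }
    ssl_protocols TLSv1.2;
    ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
}
"""
WEAK_CIPHER_TOKENS = ("3DES", "RC4", "MD5", "NULL", "EXPORT")
ALLOWED_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}
def directives(config_text):
    """Flatten an nginx config into (name, value) pairs; comments are dropped."""
    text = re.sub(r"#[^\n]*", "", config_text)
    return [(n, " ".join(v.split())) for n, v in re.findall(r"(\w+)\s+([^;{}]+);", text)]

def check_graylog_proxy(config_text):
    """Return a list of findings; an empty list means the proxy config passes."""
    pairs = directives(config_text)
    def values(name):
        return [v for n, v in pairs if n == name]
    findings = []
    names = values("server_name")
    primary = names[0].split()[0] if names else None
    headers = values("proxy_set_header")
    # Graylog's web UI builds API requests from this header, so it must carry the public https name.
    urls = [h.split()[1] for h in headers if h.startswith("X-Graylog-Server-URL ")]
    if not urls:
        findings.append("X-Graylog-Server-URL not set; browsers are not told the public API URL")
    elif primary and urls[0] != f"https://{primary}/api":
        findings.append(f"X-Graylog-Server-URL {urls[0]} does not match https://{primary}/api")
    for protos in values("ssl_protocols"):
        legacy = sorted(set(protos.split()) - ALLOWED_PROTOCOLS)
        if legacy:
            findings.append("legacy TLS enabled: " + " ".join(legacy))
    for ciphers in values("ssl_ciphers"):
        # Entries starting with '!' are exclusions; only positive entries can offer a weak suite.
        weak = [c for c in ciphers.split(":")
                if not c.startswith("!") and any(t in c.upper() for t in WEAK_CIPHER_TOKENS)]
        if weak:
            findings.append("weak cipher suites offered: " + ":".join(weak))
    if not any(h.startswith("X-Forwarded-For ") for h in headers):
        findings.append("X-Forwarded-For not set; Graylog only sees the proxy's address")
    return findings
```

Run against the post's own cipher list, the checker flags the two 3DES entries; dropping them from ssl_ciphers makes the block pass.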