[CentOS7] [Let's Encrypt] Installing Nginx and enabling SSL

Install Nginx on CentOS 7, issue a free certificate with Let's Encrypt, and apply it to Nginx. This post writes up the steps.

The default document root for Nginx is /usr/share/nginx/html/, but this time I change it to /var/www/html. There is no particular reason other than that the default document root is deep and annoying, and that I'm used to Apache's document root.

Also, I'm using CentOS 7 this time, but on Ubuntu most of this should work if you replace yum with apt.

If you are using Oracle Cloud, you also need to open the firewall. Configure it as needed.

Of course, you also need your own domain.

Operating environment

The host OS can be Windows. It doesn't really matter because it's a VM.

Nginx

Installation

Install Nginx

$ sudo yum -y install nginx

The -y option automatically answers "yes" to the confirmation prompt that yum shows partway through the installation.

After the installation completes, start the service and enable it to start automatically. If you don't enable auto-start, you'll have to start it by hand every time the OS is shut down or restarted, which is annoying.

$ sudo systemctl start nginx   # start now
$ sudo systemctl enable nginx  # start automatically at boot

At this point, if you open your server's IP address in a browser, you can see that Nginx is running.

Document root change

Modify the Nginx configuration file to change the document root.

First, the directory to use this time is /var/www/html, so create it.

$ sudo mkdir -p /var/www/html

Next, edit the configuration file. Its location may depend on the environment, but in my case it is /etc/nginx/nginx.conf. Make a habit of backing up before changing a config file.

$ sudo cp /etc/nginx/nginx.conf /etc/nginx/nginx.conf_org

Now change it. In my environment the server block inside the http section started at line 38, so change the root directory there. Just in case, comment out the original line rather than deleting it, and add the new one.

$ sudo vim /etc/nginx/nginx.conf

 38     server {
 39         listen       80 default_server;
 40         listen       [::]:80 default_server;
 41         server_name  _;
 42         #root         /usr/share/nginx/html;
 43         root         /var/www/html;

After changing the configuration file, reload Nginx. If this reload fails, something is wrong with the configuration.

$ sudo systemctl reload nginx

If you check in a browser at this stage, you'll get an error or a 404. That should be because there is nothing in /var/www/html yet. Copy the original default page over:

$ sudo cp /usr/share/nginx/html/index.html /var/www/html/index.html

This should be OK, but when I access it, I still get an error for some reason.

SELinux

A security function called SELinux is getting in the way. It's better to configure it correctly, but because it often keeps things from behaving as intended, take the plunge and turn it off.

$ sudo cp /etc/selinux/config /etc/selinux/config_org   # backup
$ sudo vim /etc/selinux/config

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
### Disable SELINUX begin
##SELINUX=enforcing
SELINUX=disabled
### Disable SELINUX end
# SELINUXTYPE= can take one of three two values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected.
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted

Set SELINUX=disabled.

After rewriting it, reboot.

$ sudo reboot

Now the page loads when you access it from the browser.
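As an added check that is not part of the original post: the reason the page failed to load is that a directory created with mkdir under /var carries the var_t label, which Nginx (running as httpd_t) is not allowed to read. The script below keeps SELinux enforcing and relabels the document root instead of disabling it. It assumes the targeted policy and the policycoreutils tools (getenforce, restorecon, semanage) present on CentOS 7; WEBROOT is the path used in the post.

```shell
# Added example, not part of the original post: keep SELinux enforcing and give
# the new document root the label nginx is allowed to read (httpd_sys_content_t).
# Assumes the targeted policy and CentOS 7's policycoreutils tools.
WEBROOT=/var/www/html

# context_type "user:role:type:level" -> type
# (the third field of a context, as printed by `stat -c %C` or `ls -Z`)
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# needs_relabel CONTEXT -> true when nginx (httpd_t) would be denied read access
needs_relabel() {
    case $(context_type "$1") in
        httpd_sys_content_t|httpd_sys_rw_content_t) return 1 ;;
        *) return 0 ;;
    esac
}

main() {
    if [ "$(getenforce)" = Disabled ]; then
        echo "SELinux is disabled on this host; nothing to relabel" >&2
        return 1
    fi
    ctx=$(stat -c %C "$WEBROOT")
    if needs_relabel "$ctx"; then
        # A directory created with mkdir inherits its parent's label (var_t here),
        # not the label the policy's file_contexts assigns to the path. restorecon
        # resets it; /var/www is already covered by the default targeted policy.
        # A document root outside the policy must be registered first, e.g.
        #   semanage fcontext -a -t httpd_sys_content_t '/srv/site(/.*)?'
        echo "relabeling $WEBROOT (current context: $ctx)"
        restorecon -Rv "$WEBROOT"
    else
        echo "$WEBROOT already labeled $(context_type "$ctx"); nothing to do"
    fi
    # Any denials that remain are logged by auditd and can be listed with:
    #   ausearch -m AVC -ts recent
}

if [ "${1:-}" = run ]; then main; fi
```

Run it as `sudo sh relabel.sh run` after creating the directory; the functions above the main block only parse contexts and can be sourced on any machine.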

Domain settings

There are various registrars you may have bought the domain from, such as Name.com; for AWS it's Route 53. I'll omit the DNS setup here because it differs by provider.

Let's Encrypt

At present, the browser shows the site as not secure, like this.

[Screenshot 2020-09-04 20.24.29: browser warning for the http:// site]

This causes various problems, so switch the site from http:// to https://.


Installation

Install certbot

$ sudo yum -y install certbot

Issue a certificate. Give the document root after -w, the domain name after -d, and your email address after --email.

$ sudo certbot certonly --webroot -w /var/www/html -d hoge.example.com --email [email protected]

After that, you will be asked whether you agree to the terms of use, so enter y. You will also be asked whether you want to receive notification emails; enter y if you like, n if you don't.

If you see "Congratulations!", it succeeded.

Change the configuration file

Add the following inside the http section. Note that the three items containing the domain name must be changed to match yours.

    server {
        listen              443 ssl;
        server_name         hoge.example.com;
        ssl_certificate     /etc/letsencrypt/live/hoge.example.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/hoge.example.com/privkey.pem;
        root                /var/www/html;
    }

Now restart Nginx and you're done.

$ sudo systemctl restart nginx

301 redirect

At present, the site can be accessed over both http:// and https://. Since there is no need to serve it over http://, I'll add a rule that redirects http requests to https.

A 301 redirect means a permanent redirect.

Add it to the configuration file:

$ sudo vim /etc/nginx/nginx.conf

    server {
        listen       80 default_server;
        listen       [::]:80 default_server;
        server_name  _;
        #root         /usr/share/nginx/html;
        root         /var/www/html;
        # added: $request_uri already starts with "/", so no slash goes between host and variable
        return 301 https://hoge.example.com$request_uri;
    }

This way, http requests are redirected to https!

Automatic certificate renewal

Let's Encrypt certificates are free but expire after 90 days. So set up cron so that they are renewed automatically.

$ sudo crontab -e

00 04 01  * * certbot renew --force-renew --webroot-path /var/www/html/ --post-hook "systemctl reload nginx"

That's all.
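As an added check that is not part of the original post: the cron job above runs unattended, so the failure mode to watch for is a renewal that quietly stops working. The script below reads the certificate's notAfter date and reports how many days remain; under 30 days means certbot's renewal window has been missed. It assumes the certificate path certbot created in the post; DOMAIN and WARN_DAYS are assumptions, and the date arithmetic is plain POSIX sh so it does not depend on GNU date.

```shell
# Added example, not part of the original post: report how many days remain on
# the Let's Encrypt certificate so that a failed cron renewal is noticed before
# the 90-day lifetime runs out. Assumes the certificate path certbot created in
# the post; DOMAIN and WARN_DAYS are assumptions. POSIX sh only, no GNU date -d.
DOMAIN=hoge.example.com
CERT=/etc/letsencrypt/live/$DOMAIN/fullchain.pem
WARN_DAYS=30   # certbot renew acts inside this window; fewer days left means it failed

# days_from_civil Y M D -> days since 1970-01-01 (proleptic Gregorian calendar)
days_from_civil() {
    y=$1; m=${2#0}; d=${3#0}
    if [ "$m" -le 2 ]; then y=$((y - 1)); fi
    era=$((y / 400)); yoe=$((y - era * 400)); mp=$(( (m + 9) % 12 ))
    doy=$(( (153 * mp + 2) / 5 + d - 1 ))
    doe=$((yoe * 365 + yoe / 4 - yoe / 100 + doy))
    echo $((era * 146097 + doe - 719468))
}

# notafter_days "Dec  3 12:00:00 2020 GMT" -> day number (openssl's notAfter format)
notafter_days() {
    set -- $1
    case $1 in
        Jan) m=1;; Feb) m=2;; Mar) m=3;; Apr) m=4;;  May) m=5;;  Jun) m=6;;
        Jul) m=7;; Aug) m=8;; Sep) m=9;; Oct) m=10;; Nov) m=11;; Dec) m=12;;
        *) echo "unrecognised month: $1" >&2; return 1;;
    esac
    days_from_civil "$4" "$m" "$2"
}

# days_left NOT_AFTER [Y M D] -> days until expiry, counted from Y M D (default: today, UTC)
days_left() {
    exp=$(notafter_days "$1")
    if [ $# -ge 4 ]; then ref=$(days_from_civil "$2" "$3" "$4")
    else ref=$(days_from_civil $(date -u +'%Y %m %d')); fi
    echo $((exp - ref))
}
# expiry_status NOT_AFTER [Y M D] -> ok | warn | expired
expiry_status() {
    n=$(days_left "$@")
    if [ "$n" -lt 0 ]; then echo expired
    elif [ "$n" -lt "$WARN_DAYS" ]; then echo warn
    else echo ok; fi
}
main() {
    # -enddate prints "notAfter=<date>"; strip the prefix before parsing
    not_after=$(openssl x509 -in "$CERT" -noout -enddate | sed 's/^notAfter=//')
    echo "$DOMAIN: $(expiry_status "$not_after") ($(days_left "$not_after") days left)"
}
if [ "${1:-}" = run ]; then main; fi
```

Run it as `sh certcheck.sh run` from a second cron entry or a monitoring job; a result other than "ok" is the signal to run `certbot renew --dry-run` by hand and look at what fails.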

References

Procedure for disabling CentOS7 SELinux
Use Let's Encrypt with Nginx on CentOS7
How to set cron
