WordPress 6 Alibabacloud
After installing the Alibaba WordPress host from the image, Apache has no HTTPS certificate bound; this has to be requested and configured by hand, so a free Let's Encrypt certificate can be used to set up SSL.
Overview
WordPress is a website-building tool. Its wide range of themes and plugins helps individuals, companies and organizations build many kinds of sites, such as blogs, brand sites and e-commerce stores, covering most web design needs.
Install Certbot
Certbot is already installed on the image, so no installation is needed.
certbot --version
certbot 1.32.2
Test the request (dry run)
When requesting a Let's Encrypt certificate on Alibabacloud, the webroot passed to certbot must be changed to /data/wwwroot/wordpress.
certbot certonly --dry-run --webroot -w /data/wwwroot/wordpress -d sample.cc -d www.sample.cc -m admin@sample.cc
Simulating renewal of an existing certificate for www.sample.cc and sample.cc
The dry run was successful.
Request the certificate
Let's Encrypt on Alibabacloud is limited to 5 requests per hour; if it fails too many times, wait 1 hour and try again.
certbot certonly --webroot -w /data/wwwroot/wordpress -d sample.cc -d www.sample.cc -m admin@sample.cc
Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
-------------------------------------------------------------------------------
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel):
Choose 1 and configure HTTPS yourself. After the request succeeds, the following message is shown:
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at
/etc/letsencrypt/live/sample.cc/fullchain.pem. Your cert will
expire on 2023-04-30. To obtain a new or tweaked version of this
certificate in the future, simply run certbot again with the
"certonly" option. To non-interactively renew *all* of your
certificates, run "certbot renew"
Apache configuration
Edit the Alibabacloud Apache httpd.conf and change sample.cc to your own domain.
vim /etc/httpd/conf/httpd.conf
ServerRoot "/etc/httpd"
Listen 80
Include conf.modules.d/*.conf
User apache
Group apache
ServerAdmin admin@sample.cc
<Directory />
AllowOverride none
Require all denied
</Directory>
DocumentRoot "/data/wwwroot/wordpress"
<Directory "/data/wwwroot">
AllowOverride All
# Allow open access:
Require all granted
</Directory>
<Directory "/data/wwwroot/wordpress">
Options FollowSymLinks
AllowOverride All
Require all granted
</Directory>
<IfModule dir_module>
DirectoryIndex index.html index.htm index.php index.jsp
</IfModule>
<Files ".ht*">
Require all denied
</Files>
ErrorLog "logs/error_log"
LogLevel warn
<IfModule log_config_module>
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %b" common
<IfModule logio_module>
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
</IfModule>
CustomLog "logs/access_log" combined
</IfModule>
<IfModule alias_module>
ScriptAlias /cgi-bin/ "/data/cgi-bin/"
</IfModule>
<Directory "/data/cgi-bin">
AllowOverride All
Options None
Require all granted
</Directory>
<IfModule mime_module>
TypesConfig /etc/mime.types
AddType application/x-compress .Z
AddType application/x-gzip .gz .tgz
AddType text/html .shtml
AddOutputFilter INCLUDES .shtml
</IfModule>
AddDefaultCharset UTF-8
<IfModule mime_magic_module>
MIMEMagicFile conf/magic
</IfModule>
EnableSendfile on
IncludeOptional conf.d/*.conf
ServerName sample.cc:80
IncludeOptional extra/*.conf
SSL configuration
Edit the Let's Encrypt SSL virtual host and change sample.cc to your own domain.
vim /etc/httpd/conf.d/ssl.conf
Listen 443 https
SSLPassPhraseDialog exec:/usr/libexec/httpd-ssl-pass-dialog
SSLSessionCache shmcb:/run/httpd/sslcache(512000)
SSLSessionCacheTimeout 300
SSLRandomSeed startup file:/dev/urandom 256
SSLRandomSeed connect builtin
SSLCryptoDevice builtin
<VirtualHost _default_:443>
DocumentRoot "/data/wwwroot/wordpress"
ServerName sample.cc:443
ServerAlias www.sample.cc:443
ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
LogLevel warn
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLProxyProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder on
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
SSLProxyCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
SSLOptions +StrictRequire
SSLCertificateFile /etc/letsencrypt/live/sample.cc/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/sample.cc/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/sample.cc/fullchain.pem
<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>
<Directory "/data/cgi-bin">
AllowOverride All
SSLOptions +StdEnvVars
Require all granted
</Directory>
<Directory "/data/wwwroot">
AllowOverride All
SSLOptions +StdEnvVars
Require all granted
</Directory>
BrowserMatch "MSIE [2-5]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
CustomLog logs/ssl_request_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
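As an added check that is not part of the original post: a small Python script (all names in it are my own, and the embedded sample config is constructed from the ssl.conf above) that scans an Apache config for two pitfalls this guide touches on: SSLProtocol all -SSLv2 -SSLv3 still negotiates TLS 1.0 and 1.1, and AllowOverride None on the WordPress DocumentRoot, the cause of the 401 described in the closing notes.

```python
import re

# Constructed sample: the guide's ssl.conf trimmed, with the closing notes' pitfall put back in.
SAMPLE_CONF = """
<VirtualHost _default_:443>
DocumentRoot "/data/wwwroot/wordpress"
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLCertificateFile /etc/letsencrypt/live/sample.cc/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/sample.cc/privkey.pem
<Directory "/data/wwwroot/wordpress">
AllowOverride None
</Directory>
</VirtualHost>
"""

ALL_PROTOCOLS = {"sslv3", "tlsv1", "tlsv1.1", "tlsv1.2", "tlsv1.3"}
LEGACY = {"sslv3", "tlsv1", "tlsv1.1"}  # "all -SSLv2 -SSLv3" still leaves these on
DIR_OPEN = re.compile(r'^<Directory\s+"?([^">]+)"?\s*>$', re.I)

def allowed_protocols(value):
    """Expand an SSLProtocol value ("all -SSLv3", "-all +TLSv1.2") into the set it enables."""
    allowed = set()
    for tok in value.lower().split():
        sign, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("+", tok)
        names = ALL_PROTOCOLS if name == "all" else {name}
        allowed = (allowed | names) if sign == "+" else (allowed - names)
    return allowed

def audit_apache_ssl(conf):
    """Return (directive, message) findings: legacy TLS versions and AllowOverride None on the DocumentRoot."""
    findings, docroot, cur_dir, overrides = [], None, None, {}
    for raw in conf.splitlines():
        line = raw.strip()
        m = DIR_OPEN.match(line)
        if m:                                   # entering a <Directory> block
            cur_dir = m.group(1).rstrip("/")
        elif line.lower() == "</directory>":    # leaving it
            cur_dir = None
        key, _, val = line.partition(" ")
        key, val = key.lower(), val.strip().strip('"')
        if key == "documentroot":
            docroot = val.rstrip("/")
        elif key == "allowoverride" and cur_dir:
            overrides[cur_dir] = val.lower()
        elif key == "sslprotocol" and (legacy := allowed_protocols(val) & LEGACY):
            findings.append((key, "still negotiates " + ", ".join(sorted(legacy))))
    if overrides.get(docroot) == "none":
        findings.append(("allowoverride", docroot + " blocks .htaccess; the guide needs AllowOverride All"))
    return findings
```

Because Apache reads the PEM files only when it starts or reloads, the renewal cron line in the next section should also trigger a reload (certbot's --deploy-hook is the usual way), otherwise the renewed certificate sits unused on disk.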
Automatic renewal
Schedule automatic renewal with cron, for example every day at 03:00.
crontab -e
0 3 * * * certbot renew --quiet
Notes
When building WordPress on Alibabacloud, the default Alibabacloud Apache httpd.conf contains the following:
<Directory "/data/wwwroot/wordpress">AllowOverride None</Directory>
On Alibaba WordPress this prevents the SSL settings from being overridden and throws a 401 insufficient-permission error, so set it to AllowOverride All; HTTPS can then be set up successfully.