{"id":1259,"date":"2016-02-16T11:00:24","date_gmt":"2016-02-16T02:00:24","guid":{"rendered":"https:\/\/blog.ymyzk.com\/?p=1259"},"modified":"2016-02-16T06:17:35","modified_gmt":"2016-02-15T21:17:35","slug":"nginx-config-for-lets-encrypt","status":"publish","type":"post","link":"https:\/\/blog.ymyzk.com\/2016\/02\/nginx-config-for-lets-encrypt\/","title":{"rendered":"nginx configuration for issuing and operating certificates with Let's Encrypt"},"content":{"rendered":"

This article describes an nginx configuration for issuing a certificate with Let's Encrypt and serving with it. It assumes nginx is used as a reverse proxy in front of an application server, so a separate webroot is set up just for Let's Encrypt.<\/p>\n


Overview<\/h2>\n

The Let's Encrypt client provides its various domain-validation and certificate-installation methods as plugins. A plugin for nginx is also under development, but at the time of writing it is marked experimental, so using the webroot plugin appears to be the common approach.<\/p>\n

The goal of this article is to create a directory at \/var\/www\/letsencrypt<\/code> for validation by the webroot plugin, so that a certificate can be issued with a command like the following.<\/p>\n

.\/letsencrypt-auto certonly --webroot --webroot-path \/var\/www\/letsencrypt -d example.com\r\n<\/pre>\n

Keeping a dedicated directory for validation avoids any dependence on the root<\/code> settings of the existing nginx configuration; when nginx only proxies to an application server there may be no suitable document root at all, and the client never has to write into the application's files.<\/p>\n

Issuing an HTTPS certificate for the first time<\/h2>\n

When a certificate is issued for the first time, domain validation is done by the Let's Encrypt validation server requesting a file the client has placed under http:\/\/<domain>\/.well-known\/acme-challenge\/<\/code>. Here the webroot<\/code> is created at \/var\/www\/letsencrypt<\/code>.<\/p>\n

In the configuration below, the root<\/code> for requests under \/.well-known\/acme-challenge\/<\/code> is set to \/var\/www\/letsencrypt<\/code>, so a request for \/.well-known\/acme-challenge\/foo<\/code> is served from \/var\/www\/letsencrypt\/.well-known\/acme-challenge\/foo<\/code>. A request for the bare directory \/.well-known\/acme-challenge\/<\/code> would otherwise get a 403 from nginx (no index file, directory listing off), so an exact-match location returns 404 for it instead.<\/p>\n

server {\r\n    listen 80;\r\n    listen [::]:80;\r\n\r\n    server_name example.com;\r\n\r\n    # ^~ is a prefix match that also stops nginx from consulting regex\r\n    # locations, so an application rule cannot capture the challenge path.\r\n    # With root (not alias) the whole URI is appended, so the file must be at\r\n    # \/var\/www\/letsencrypt\/.well-known\/acme-challenge\/<token>\r\n    location ^~ \/.well-known\/acme-challenge\/ {\r\n        root \/var\/www\/letsencrypt;\r\n    }\r\n\r\n    # Exact match for the bare directory: answer 404 instead of the 403 nginx\r\n    # would return for a directory with no index file\r\n    location = \/.well-known\/acme-challenge\/ {\r\n        return 404;\r\n    }\r\n\r\n    # existing configuration goes here\r\n}<\/pre>\n
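What the webroot plugin actually puts into that directory, and why the two location<\/code> blocks are shaped the way they are, is easiest to see in code. The following is an added example written for this page (Python; it is not code from the original post or from the Let's Encrypt client). The account key in it is constructed, and route()<\/code> is a simplified model of nginx's location matching, not nginx itself.<\/p>\n

```python
"""Added example, not code from the original post or the Let's Encrypt client.
Models what `letsencrypt-auto certonly --webroot` writes into the challenge
directory and how the two `location` blocks map a request onto that file.
ACCOUNT_JWK is constructed (hashes of fixed strings, not a real P-256 point)."""
import base64
import hashlib
import json
import os
import re
import tempfile

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"
# ACME tokens are base64url (RFC 8555 section 8.3). Anything else is refused so
# a token can never become a path such as "../../privkey.pem".
TOKEN_RE = re.compile(r"[A-Za-z0-9_-]+")


def b64url(data: bytes) -> str:
    """Base64url without padding, the encoding ACME uses for tokens and thumbprints."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: required members only, lexicographic key order, no whitespace, SHA-256."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("ascii")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """Contents of the challenge file (RFC 8555 section 8.1): token.thumbprint."""
    if not TOKEN_RE.fullmatch(token):
        raise ValueError("token is not base64url; refusing to build a filename from it")
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def route(webroot: str, uri: str):
    """Which of the two challenge locations handles `uri` (simplified nginx model).

    `location = /.well-known/acme-challenge/` is exact and checked first, so the
    bare directory gets 404 instead of the 403 nginx returns for a directory
    without an index file. `location ^~ ...` is a prefix match that also stops
    nginx from consulting regex locations, so an application rule such as
    `location ~ \\.(txt|pem)$` cannot capture the challenge. With `root` (not
    `alias`) nginx appends the whole URI to the root directory. nginx normalises
    "/../" before matching; this model simply refuses anything but one token.
    """
    if uri == CHALLENGE_PREFIX:
        return ("404", None)
    if uri.startswith(CHALLENGE_PREFIX):
        if not TOKEN_RE.fullmatch(uri[len(CHALLENGE_PREFIX):]):
            return ("404", None)
        return ("file", os.path.join(webroot, uri.lstrip("/")))
    return ("app", None)  # falls through to the existing configuration


def stage_challenge(webroot: str, token: str, account_jwk: dict) -> str:
    """What the webroot plugin does: write the key authorization where nginx
    will look for the challenge URL, and return that path."""
    status, path = route(webroot, CHALLENGE_PREFIX + token)
    if status != "file":
        raise ValueError(f"token {token!r} would not be served")
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w", encoding="ascii") as fh:
        fh.write(key_authorization(token, account_jwk))
    return path


def validate_as_ca(webroot: str, token: str, account_jwk: dict) -> bool:
    """What the validation server checks after fetching the challenge URL: the
    body, trailing whitespace ignored, must equal the key authorization.
    Reads the file nginx would serve instead of going over HTTP."""
    status, path = route(webroot, CHALLENGE_PREFIX + token)
    if status != "file" or not os.path.isfile(path):
        return False
    with open(path, encoding="ascii") as fh:
        return fh.read().rstrip() == key_authorization(token, account_jwk)


ACCOUNT_JWK = {  # constructed account key, see module docstring
    "kty": "EC", "crv": "P-256",
    "x": b64url(hashlib.sha256(b"constructed-x").digest()),
    "y": b64url(hashlib.sha256(b"constructed-y").digest()),
    "kid": "not a required member, so not part of the thumbprint",
}


def demo() -> dict:
    """Stage one challenge in a temporary webroot and check it as the CA would."""
    token = b64url(os.urandom(32))
    with tempfile.TemporaryDirectory() as webroot:
        path = stage_challenge(webroot, token, ACCOUNT_JWK)
        other_jwk = dict(ACCOUNT_JWK, x=b64url(hashlib.sha256(b"other-x").digest()))
        return {
            "path": path[len(webroot):],
            "valid": validate_as_ca(webroot, token, ACCOUNT_JWK),
            "wrong_account_key": validate_as_ca(webroot, token, other_jwk),
            "bare_directory": route(webroot, CHALLENGE_PREFIX)[0],
            "traversal": route(webroot, CHALLENGE_PREFIX + "../privkey.pem")[0],
            "application": route(webroot, "/index.html")[0],
        }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running it shows a staged challenge accepted under the account key that produced it and rejected under any other, which is what ties the file in \/var\/www\/letsencrypt<\/code> to the account that ran letsencrypt-auto<\/code>; the bare directory and a traversal attempt both resolve to 404, and any other URI falls through to the existing configuration.<\/p>\n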

Configuration once HTTPS is in operation<\/h2>\n

Even after the site is served with a certificate issued by Let's Encrypt, the certificate has to be renewed regularly (Let's Encrypt certificates are valid for 90 days). If the site serves both HTTP and HTTPS, the configuration above can stay as it is, but a site that redirects HTTP requests to HTTPS needs a change.<\/p>\n

Validation for renewal is again performed by requests to http:\/\/<domain>\/.well-known\/acme-challenge\/<\/code>. If that URL redirects to an HTTPS URL, the Let's Encrypt validation server follows the redirect on its own (it does not verify the certificate on the HTTPS target, so renewal still works even if the current certificate has already expired). When every HTTP request is redirected to HTTPS, the challenge configuration therefore goes into the HTTPS server block.<\/p>\n

server {\r\n    listen 80;\r\n    listen [::]:80;\r\n\r\n    server_name example.com;\r\n\r\n    # Redirect all HTTP requests to HTTPS; the validation server follows this\r\n    # redirect, so the challenge location lives in the HTTPS block below\r\n    return 301 https:\/\/$server_name$request_uri;\r\n}\r\n\r\nserver {\r\n    listen 443 ssl;\r\n    listen [::]:443 ssl;\r\n\r\n    server_name example.com;\r\n\r\n    # Certificate chain (leaf certificate followed by the intermediate)\r\n    ssl_certificate \/etc\/letsencrypt\/live\/example.com\/fullchain.pem;\r\n    # Chain without the leaf certificate (needed by ssl_stapling_verify)\r\n    ssl_trusted_certificate \/etc\/letsencrypt\/live\/example.com\/chain.pem;\r\n    # Private key (nginx reads it as root at startup, so it can stay root-only)\r\n    ssl_certificate_key \/etc\/letsencrypt\/live\/example.com\/privkey.pem;\r\n    ssl_session_timeout 1d;\r\n    ssl_session_cache shared:SSL:50m;\r\n\r\n    ssl_dhparam \/etc\/nginx\/ssl\/dhparam_2048.pem;\r\n\r\n    # TLSv1 and TLSv1.1 were still widely needed when this was written (2016);\r\n    # both are deprecated by RFC 8996, so drop them on a current deployment\r\n    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;\r\n    # Pick a cipher list yourself (the Mozilla SSL Configuration Generator is a good source)\r\n    ssl_ciphers '<your cipher list>';\r\n    ssl_prefer_server_ciphers on;\r\n\r\n    # Optional: HSTS. Note that add_header is not inherited by a location block\r\n    # that sets add_header directives of its own\r\n    add_header Strict-Transport-Security max-age=15768000;\r\n\r\n    # OCSP stapling\r\n    ssl_stapling on;\r\n    ssl_stapling_verify on;\r\n\r\n    # Resolver used for the OCSP lookups; these queries leave the host in clear\r\n    # text, so a local resolver is preferable to a public one\r\n    resolver 8.8.8.8 8.8.4.4;\r\n\r\n    # Same challenge locations as in the HTTP-only configuration\r\n    location ^~ \/.well-known\/acme-challenge\/ {\r\n        root \/var\/www\/letsencrypt;\r\n    }\r\n\r\n    location = \/.well-known\/acme-challenge\/ {\r\n        return 404;\r\n    }\r\n\r\n    # existing configuration goes here\r\n}\r\n<\/pre>\n
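Before running letsencrypt-auto<\/code> against a redirecting site, it pays to confirm that a file dropped into the webroot really comes back through the redirect, because failed validations are rate-limited by Let's Encrypt. The following preflight check is an added example written for this page (Python; it is not code from the original post or from the Let's Encrypt client). In demo()<\/code> the file:\/\/<\/code> URL and the temporary webroot are constructed so that it runs offline; in practice you pass http:\/\/example.com<\/code> and \/var\/www\/letsencrypt<\/code>.<\/p>\n

```python
"""Added example, not code from the original post or the Let's Encrypt client:
a preflight check to run before `letsencrypt-auto`. It stages a random token in
the webroot, fetches it through whatever redirects are in place (as the
validation server does) and compares the body, so a broken location block or
redirect shows up locally rather than as a failed validation at the CA."""
import os
import secrets
import tempfile
import urllib.error
import urllib.request

CHALLENGE_DIR = ".well-known/acme-challenge"


def token() -> str:
    """Random base64url token of the same shape the CA issues."""
    return secrets.token_urlsafe(32)


def fetch(url: str):
    """Fetch `url` following redirects. urllib's default opener follows up to
    10 redirects, which is also Let's Encrypt's limit, and follows them on to
    https:// just as the validation server does. Returns (final_url, body)."""
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.geturl(), resp.read().decode("utf-8", "replace")


def preflight(base_url: str, webroot: str) -> dict:
    """Stage a token under <webroot>/.well-known/acme-challenge/, fetch
    <base_url>/.well-known/acme-challenge/<token>, then remove the file again.
    `ok` is True only if the body that came back is exactly what was staged."""
    tok = token()
    expected = f"preflight.{tok}"
    directory = os.path.join(webroot, CHALLENGE_DIR)
    os.makedirs(directory, exist_ok=True)
    path = os.path.join(directory, tok)
    with open(path, "w", encoding="ascii") as fh:
        fh.write(expected)
    url = f"{base_url.rstrip('/')}/{CHALLENGE_DIR}/{tok}"
    try:
        final_url, body = fetch(url)
        error = None
    except (urllib.error.URLError, OSError) as exc:  # HTTPError (4xx/5xx) and connection failures
        final_url, body, error = url, "", str(exc)
    finally:
        os.remove(path)  # never leave stale challenge files behind
    # The CA ignores trailing whitespace in the body; anything else must match.
    return {"url": url, "final_url": final_url, "ok": body.rstrip() == expected, "error": error}


def demo() -> dict:
    """Offline run against a temporary webroot via a constructed file:// URL."""
    with tempfile.TemporaryDirectory() as webroot:
        good = preflight("file://" + webroot, webroot)
        # Wrong webroot: the token is staged somewhere the server does not serve.
        with tempfile.TemporaryDirectory() as other:
            bad = preflight("file://" + webroot, other)
    return {"good": good["ok"], "bad": bad["ok"], "bad_error": bad["error"] is not None}


if __name__ == "__main__":
    print(demo())
```

The returned final_url<\/code> is worth printing on a real run: after the redirect in the configuration above it should be the https:\/\/<\/code> form of the challenge URL, and a final URL on a different host or port is exactly the kind of misrouting the validation server would also trip over.<\/p>\n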

References<\/h2>\n