转载

Let’s Encrypt + Nginx + Tornado 开启 HTTPS

1. Let's Encrypt

需要开放 443 端口：

git clone https://github.com/letsencrypt/letsencrypt cd letsencrypt ./letsencrypt-auto certonly -d pyhub.cc -d www.pyhub.cc

2. Nginx

# 重定向 HTTP server {     listen 80;     server_name www.pyhub.cc pyhub.cc;     rewrite ^(.*)$ https://$host$1 permanent; } # Tornado proxy upstream pycc{     server 127.0.0.1:8080; } server {     listen 443;     server_name pyhub.cc www.pyhub.cc;     ssl on;     ssl_certificate /etc/letsencrypt/live/pyhub.cc/fullchain.pem;     ssl_certificate_key /etc/letsencrypt/live/pyhub.cc/privkey.pem;     location / {             proxy_pass_header Server;             proxy_set_header Host $http_host;             proxy_redirect off;             proxy_set_header X-Real-IP $remote_addr;             proxy_set_header X-Scheme $scheme;             proxy_pass http://pycc;         } }

Tornado

def main():     # 设定 xheaders = True     http_server = tornado.httpserver.HTTPServer(Application(), xheaders=True)     http_server.listen(options.port)     tornado.ioloop.IOLoop.current().start()  if __name__ == '__main__':     main()

优化ssl配置

参考： Guide to Deploying Diffie-Hellman for TLS

执行：

openssl dhparam -out dhparams.pem 2048

经过相当长一段时间后生成 dhparams.pem ，修改 Nginx 配置：

ssl on; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_prefer_server_ciphers on; ssl_session_cache shared:SSL:10m; ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-EC DSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES1 28-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA'; ssl_dhparam /etc/nginx/conf.d/dhparams.pem;  ssl_certificate /etc/letsencrypt/live/pyhub.cc/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/pyhub.cc/privkey.pem;

自动更新

官方给出了自动更新证书的脚本 https_renew.sh ：

#!/bin/sh nginx -s stop  # or whatever your webserver is /opt/letsencrypt/letsencrypt-auto renew -nvv --standalone --force-renewal > /var/log/letsencrypt/renew.log 2>&1 LE_STATUS=$? nginx # or whatever your webserver is if [ "$LE_STATUS" != 0 ]; then     echo Automated renewal failed:     cat /var/log/letsencrypt/renew.log     exit 1 fi

加入 crontab ：

crontab -u root -e * * */90 * * /path/to/https_renew.sh

Let’s Encrypt + Nginx + Tornado 开启 HTTPS

注意

页面中采用 http 的 CDN 服务会导致（Chrome）如下警告：

Let’s Encrypt + Nginx + Tornado 开启 HTTPS

One More Thing…

GitHub Webhook：

添加 Webhook 并监听 Push 事件，推送到服务器之后可以自动执行 git pull ：

# Application 设置开启 autoreload=True  class WebHookHandler(BaseHandler):     def post(self, *args, **kwargs):         if self.request.headers.get('X-GitHub-Event') == 'push':             print("Execute git pull github master")             subprocess.call("git pull github master", shell=True)