
Configuring HTTPS for an application with nginx

程序员文章站 2022-07-13 21:20:59
...

1. Deploy the application

Start the application first; in this example it is listening on localhost:8000.

2. Install nginx on the system

$ sudo apt-get -y update
$ sudo apt-get -y install python3 python3-venv python3-dev
$ sudo apt-get -y install mysql-server postfix supervisor nginx git

3. Create a self-signed certificate

$ mkdir certs
$ openssl req -new -newkey rsa:4096 -days 365 -nodes -x509 \
  -keyout certs/key.pem -out certs/cert.pem

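The command above produces two files named key.pem and cert.pem.

4. nginx configuration file

To have a website served by nginx, you need to write a configuration file for it. In most nginx installations this file needs to be in the /etc/nginx/sites-enabled directory. Nginx installs a test site in this location that I do not need, so I start by removing it: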

$ sudo rm /etc/nginx/sites-enabled/default

Below you can see the nginx configuration file for Microblog, which lives in /etc/nginx/sites-enabled/test:

Configuration in /etc/nginx/sites-enabled/test:

server {
    # listen on port 80 (http)
    listen 80;
    server_name _;
    location / {
        # redirect any requests to the same URL but on https
        return 301 https://$host$request_uri;
    }
}
server {
    # listen on port 443 (https)
    listen 443 ssl;
    server_name _;

    # location of the self-signed SSL certificate
    ssl_certificate /home/ubuntu/microblog/certs/cert.pem;
    ssl_certificate_key /home/ubuntu/microblog/certs/key.pem;

    # write access and error logs to /var/log
    access_log /var/log/microblog_access.log;
    error_log /var/log/microblog_error.log;

    location / {
        # forward application requests to the gunicorn server
        proxy_pass http://localhost:8000;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    location /static {
        # handle static files directly, without forwarding to the application
        alias /home/ubuntu/microblog/static;
        expires 30d;
    }
}

After adding this file, you need to tell nginx to reload the configuration to activate it:

$ sudo service nginx reload

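At this point the site can already be reached over HTTPS using the self-signed certificate. The browser will report that the certificate is not trusted, and you have to trust it manually.

II. Using the free Let's Encrypt

1. First register a domain name and point it at the host's IP address

2. Install certbot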

sudo apt-get update
sudo apt-get install software-properties-common
sudo add-apt-repository universe
sudo add-apt-repository ppa:certbot/certbot
sudo apt-get update
sudo apt-get install certbot python-certbot-nginx

3. Edit the configuration file, e.g. vim /etc/nginx/sites-enabled/test

server {
    # listen on port 80 (http)
    listen 80;
    server_name exaple.test.xyz;
    location / {
        # forward application requests to the gunicorn server
        proxy_pass http://localhost:8000;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

}

4. Generate the certificate: https://certbot.eff.org/lets-encrypt/ubuntuxenial-nginx

sudo certbot certonly --nginx

5. Add SSL

server {
    # listen on port 80 (http)
    listen 80;
    server_name exaple.test.xyz;
    location / {
        # redirect any requests to the same URL but on https
        return 301 https://$host$request_uri;
    }
}
server {
    # listen on port 443 (https)
    listen 443 ssl;
    server_name _;

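    # location of the Let's Encrypt certificate; fullchain.pem holds the leaf
    # plus the intermediate chain, which clients need to validate the server
    ssl_certificate /etc/letsencrypt/live/exaple.test.xyz/fullchain.pem;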
    ssl_certificate_key /etc/letsencrypt/live/exaple.test.xyz/privkey.pem;
    #ssl_trusted_certificate /etc/letsencrypt/live/exaple.test.xyz/chain.pem;
    # write access and error logs to /var/log
    access_log /var/log/test_access.log;
    error_log /var/log/test_error.log;

    location / {
        # forward application requests to the gunicorn server
        proxy_pass http://localhost:8000;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    location /static {
        # handle static files directly, without forwarding to the application
        alias /root/test;
        expires 30d;
    }
}
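
Before reloading nginx with either configuration above, the certificate and key that the server block references can be checked from the shell: that the key matches the certificate, that the certificate is not about to expire, that the key file is not accessible to other users, and that a CA-issued certificate is configured together with its chain. This is an added example, not code from the original article; the function names are hypothetical, and it assumes the openssl CLI and GNU stat are available (as on Ubuntu).

```shell
#!/bin/sh
# Added example (hypothetical function names). Needs the openssl CLI and GNU stat.

# Print the argument of the first active (uncommented) occurrence of a directive.
directive_value() (
    sed -n "s/^[[:space:]]*$1[[:space:]][[:space:]]*\([^;]*\);.*/\1/p" "$2" | head -n 1
)

# Succeed when the certificate's public key is the private key's public half.
cert_matches_key() (
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || exit 1
    key_pub=$(openssl pkey -in "$2" -pubout) || exit 1
    [ "$cert_pub" = "$key_pub" ]
)

# Succeed when the key file (symlinks followed) grants nothing to group/others.
key_is_private() (
    case "$(stat -L -c '%a' "$1")" in *00) exit 0 ;; *) exit 1 ;; esac
)

# Number of certificates in a PEM file: 1 = leaf only, 2+ = leaf plus chain.
chain_length() (
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
)

# Succeed when issuer and subject names hash identically (self-signed).
is_self_signed() (
    [ "$(openssl x509 -in "$1" -noout -issuer_hash)" = \
      "$(openssl x509 -in "$1" -noout -subject_hash)" ]
)

# Check the first ssl_certificate / ssl_certificate_key pair in a config file.
audit_tls_conf() (
    conf=$1; days=${2:-14}; rc=0
    cert=$(directive_value ssl_certificate "$conf")
    key=$(directive_value ssl_certificate_key "$conf")
    [ -r "$cert" ] && [ -r "$key" ] || { echo "FAIL cannot read cert or key"; exit 2; }
    cert_matches_key "$cert" "$key" || { echo "FAIL key does not match certificate"; rc=1; }
    openssl x509 -in "$cert" -noout -checkend $((days * 86400)) >/dev/null ||
        { echo "FAIL certificate expires within $days days"; rc=1; }
    key_is_private "$key" || { echo "FAIL $key is accessible to group or others"; rc=1; }
    if [ "$(chain_length "$cert")" -lt 2 ] && ! is_self_signed "$cert"; then
        echo "FAIL CA-issued certificate configured without its intermediate chain"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK $cert"
    exit "$rc"
)

[ "$#" -eq 0 ] || audit_tls_conf "$@"
```

Saved under a hypothetical name such as check_tls.sh, it is run as sh check_tls.sh /etc/nginx/sites-enabled/test before sudo service nginx reload; the optional second argument is the minimum number of days of validity required.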