\u0414\u043b\u044f \u043f\u0440\u0438\u043c\u0435\u0440\u0430 \u0431\u0435\u0440\u0435\u043c debian 8 \u043d\u0430 google cloud engine, \u0441\u0442\u0430\u0432\u0438\u043c nginx, \u0441 \u043f\u043e\u043c\u043e\u0449\u044c\u044e letsencrypt \u0434\u0435\u043b\u0430\u0435\u043c \u0441\u0435\u0440\u0442\u0438\u0444\u0438\u043a\u0430\u0442\u044b.<\/p>\n
\u0414\u043b\u044f \u0442\u0435\u0445, \u043a\u0442\u043e \u043d\u0435 \u0443\u043c\u0435\u0435\u0442:<\/b><\/h5>\n
<\/p>\n
echo "deb http:\/\/ftp.debian.org\/debian jessie-backports main" >> \/etc\/apt\/sources.list apt-get update apt-get install certbot -t jessie-backports -y certbot certonly --webroot -w \/var\/www\/html -d domain.tld --email=your@email.tld --agree-tos #\u0433\u0434\u0435 \/var\/www\/html - \u043a\u043e\u0440\u0435\u043d\u044c \u0432\u0430\u0448\u0435\u0433\u043e \u0441\u0430\u0439\u0442\u0430, \u043a\u043e\u0442\u043e\u0440\u044b\u0439 \u0432\u0438\u0434\u0435\u043d \u0438\u0437 \u0432\u043d\u0435 <\/code><\/pre>\n \u043f\u043e \u0438\u0442\u043e\u0433\u0443 \u043f\u043e\u043b\u0443\u0447\u0430\u0435\u043c \u0442\u0430\u043a\u043e\u0435: <\/p>\n
IMPORTANT NOTES:
\u2014 Congratulations! Your certificate and chain have been saved at
\/etc\/letsencrypt\/live\/http2.kricha.info\/fullchain.pem. Your cert
will expire on 2017-02-03. To obtain a new or tweaked version of
this certificate in the future, simply run certbot again. To
non-interactively renew *all* of your certificates, run \u00abcertbot
renew\u00bb<\/p><\/blockquote>\n
\u0442\u043e \u0435\u0441\u0442\u044c \u0432\u0441\u0435 \u0432\u0430\u0448\u0438 \u043a\u043b\u044e\u0447\u0438 \u0431\u0443\u0434\u0443\u0442 \u043b\u0435\u0436\u0430\u0442\u044c \u0437\u0434\u0435\u0441\u044c \/etc\/letsencrypt\/live\/domain.tld\/ <\/p>\n
# ls -la \/etc\/letsencrypt\/live\/http2.kricha.info\/ total 8 drwxr-xr-x 2 root root 4096 Nov 5 17:53 . drwx------ 3 root root 4096 Nov 5 17:53 .. lrwxrwxrwx 1 root root 41 Nov 5 17:53 cert.pem -> ..\/..\/archive\/http2.kricha.info\/cert1.pem lrwxrwxrwx 1 root root 42 Nov 5 17:53 chain.pem -> ..\/..\/archive\/http2.kricha.info\/chain1.pem lrwxrwxrwx 1 root root 46 Nov 5 17:53 fullchain.pem -> ..\/..\/archive\/http2.kricha.info\/fullchain1.pem lrwxrwxrwx 1 root root 44 Nov 5 17:53 privkey.pem -> ..\/..\/archive\/http2.kricha.info\/privkey1.pem <\/code><\/pre>\n \u0434\u043e\u0431\u0430\u0432\u043b\u044f\u0435\u043c \u0432\u0441\u044e \u044d\u0442\u0443 \u043a\u0440\u0430\u0441\u043e\u0442\u0443 \u0432 \u043a\u043e\u043d\u0444\u0438\u0433 nginx: <\/p>\n
#let's encrypt certificates ssl_certificate \/etc\/letsencrypt\/live\/domain.tld\/fullchain.pem; ssl_certificate_key \/etc\/letsencrypt\/live\/domain.tld\/privkey.pem; ssl_trusted_certificate\t\/etc\/letsencrypt\/live\/domain.tld\/chain.pem; <\/code><\/pre>\n \u0432 \u0438\u0442\u043e\u0433\u0435 \u0443 \u0432\u0430\u0441 \u0434\u043e\u043b\u0436\u043d\u043e \u043f\u043e\u043b\u0443\u0447\u0438\u0442\u044c\u0441\u044f \u0447\u0442\u043e-\u0442\u043e \u0442\u0430\u043a\u043e\u0435: <\/p>\n
server { \tserver_name domain.tld; \tlisten 443 ssl http2; \tserver_tokens off; \tkeepalive_timeout 70; \tssl_stapling on; \tssl_stapling_verify on; \tresolver 8.8.4.4 8.8.8.8 valid=300s; \tresolver_timeout 10s; \tssl on; \t#let's encrypt certificates \tssl_certificate \/etc\/letsencrypt\/live\/domain.tld\/fullchain.pem; \tssl_certificate_key \/etc\/letsencrypt\/live\/domain.tld\/privkey.pem; \tssl_trusted_certificate\t\/etc\/letsencrypt\/live\/domain.tld\/chain.pem; \tssl_dhparam \/etc\/nginx\/ssl\/dhparam.pem; \tssl_session_timeout 1h; \tssl_session_cache shared:SSL:10m; \tssl_protocols TLSv1 TLSv1.1 TLSv1.2; \tssl_prefer_server_ciphers on; \tssl_ciphers AES256+EECDH:AES256+EDH:!aNULL; \tadd_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always; \tadd_header X-Frame-Options DENY; \tadd_header X-Content-Type-Options nosniff; \troot \/var\/www\/html; index index.nginx-debian.html; \tlocation \/ { \ttry_files $uri $uri\/ =404; \t } error_log \/var\/log\/nginx\/domain.tld.error.log; access_log \/var\/log\/nginx\/domain.tld.access.log; } server { \tlisten 80; \tlisten [::]:80; \tserver_name domain.tld; \treturn 301 https:\/\/$host$request_uri; } <\/code><\/pre>\n \u0427\u0442\u043e\u0431 \u0441\u0434\u0435\u043b\u0430\u0442\u044c DHE: <\/p>\n
cd \/etc\/nginx mkdir ssl openssl dhparam -out ssl\/dhparam.pem 2048 <\/code><\/pre>\n \u0412\u0440\u043e\u0434\u0435 \u0431\u044b \u0432\u0441\u0435 \u0438 \u043c\u043e\u0436\u043d\u043e \u0434\u0435\u043b\u0430\u0442\u044c service nginx reload<\/i> \u043d\u043e \u0444\u0438\u0433 \u043d\u0430\u043c \ud83d\ude42 \u0412\u044b \u043f\u043e\u043b\u0443\u0447\u0438\u0442\u0435 \u0432 \u043e\u0442\u0432\u0435\u0442 \u044d\u0442\u043e: Job for nginx.service failed. See ‘systemctl status nginx.service’ and ‘journalctl -xn’ for details.<\/i>, \u0430 \u0432 \u0434\u0435\u0442\u0430\u043b\u044f\u0445:<\/p>\nov 05 18:01:15 http2 systemd[1]: Failed to read PID from file \/run\/nginx.pid: Invalid argument Nov 05 18:01:15 http2 systemd[1]: Started A high performance web server and a reverse proxy server. Nov 05 18:14:27 http2 systemd[1]: Reloading A high performance web server and a reverse proxy server. Nov 05 18:14:27 http2 nginx[24507]: nginx: [emerg] invalid parameter "http2" in \/etc\/nginx\/sites-enabled\/default:4 Nov 05 18:14:27 http2 systemd[1]: nginx.service: control process exited, code=exited status=1 Nov 05 18:14:27 http2 systemd[1]: Reload failed for A high performance web server and a reverse proxy server. <\/code><\/pre>\n \u0412 \u043e\u0431\u0449\u0435\u043c, nginx \u0432\u043e\u043e\u0431\u0449\u0435 \u043d\u0435 \u043f\u043e\u043d\u044f\u043b \u0447\u0435\u0433\u043e \u043c\u044b \u043e\u0442 \u043d\u0435\u0433\u043e \u0445\u043e\u0442\u0435\u043b\u0438 \u0438 \u0445\u043e\u0442\u0438\u043c. \u0421\u043c\u043e\u0442\u0440\u0438\u043c \u0432\u0435\u0440\u0441\u0438\u044e \u0438 \u043e\u043a\u0430\u0437\u044b\u0432\u0430\u0435\u0442\u0441\u044f nginx version: nginx\/1.6.2<\/b>, \u043b\u0430\u0434\u043d\u043e, \u043f\u043e\u0441\u0442\u0430\u0432\u0438\u043c \u043f\u043e\u0441\u043b\u0435\u0434\u043d\u044e\u044e \u0432\u0435\u0440\u0441\u0438\u044e.<\/p>\n
<\/p>\n\u0423\u0441\u0442\u0430\u043d\u043e\u0432\u0438\u043c \u0441\u0432\u0435\u0436\u0443\u044e \u0432\u0435\u0440\u0441\u0438\u044e nginx<\/h5>\n
<\/b> <\/p>\n
echo -e "deb http:\/\/nginx.org\/packages\/mainline\/debian\/ jessie nginx\\ndeb-src http:\/\/nginx.org\/packages\/mainline\/debian\/ jessie nginx" >>\/etc\/apt\/sources.list rm -rf \/var\/lib\/dpkg\/info\/nginx* apt-get update apt-get upgrade --force-yes -y service nginx restart <\/code><\/pre>\n \u0417\u0430\u0445\u043e\u0434\u0438\u043c \u0432 \u0431\u0440\u0430\u0443\u0437\u0435\u0440, \u043f\u0440\u043e\u0432\u0435\u0440\u044f\u0435\u043c:
![\"image\"\/](\"https:\/\/habrastorage.org\/files\/106\/2d8\/06f\/1062d806fdf240439dfed04b08eca783.png\")
\u0412\u0438\u0434\u0438\u043c \u0421\u0442\u0430\u0442\u0443\u0441 HTTP\/2.0 200<\/b>, \u0440\u0430\u0434\u0443\u0435\u043c\u0441\u044f, \u043f\u0440\u043e\u0432\u0435\u0440\u044f\u0435\u043c \u0432 \u0445\u0440\u043e\u043c\u0435:
![\"image\"\/](\"https:\/\/habrastorage.org\/files\/e70\/021\/911\/e700219113934b06a8653861f60a55db.png\")
\u0412\u0438\u0434\u0438\u043c Protocol http\/1.1<\/b>, \u0433\u0440\u0443\u0441\u0442\u0438\u043c \u0438 \u0443\u0445\u043e\u0434\u0438\u043c \u043f\u043b\u0430\u043a\u0430\u0442\u044c<\/s>.
\u041d\u0435\u0442, \u043a\u043e\u043d\u0435\u0447\u043d\u043e, \u043d\u0435 \u0441\u0434\u0430\u0435\u043c\u0441\u044f, \u0434\u043e\u043b\u0438\u0432\u0430\u0435\u043c \u0432 \u0441\u0442\u0430\u043a\u0430\u043d\u0447\u0438\u043a \u0440\u043e\u043c \u0438 \u043f\u0440\u043e\u0434\u043e\u043b\u0436\u0430\u0435\u043c.<\/p>\n\u0421\u043e\u0431\u0438\u0440\u0430\u0435\u043c \u043f\u0440\u0430\u0432\u0438\u043b\u044c\u043d\u044b\u0439 nginx<\/b><\/h5>\n
<\/p>\n
apt-get install libpcre3 libpcre3-dev libpcrecpp0 libssl-dev zlib1g-dev cd \/opt wget http:\/\/nginx.org\/download\/nginx-1.11.5.tar.gz wget https:\/\/www.openssl.org\/source\/openssl-1.0.2j.tar.gz tar xf nginx-1.11.5.tar.gz tar xf openssl-1.0.2j.tar.gz cd nginx-1.11.5 .\/configure --prefix=\/etc\/nginx --sbin-path=\/usr\/sbin\/nginx --modules-path=\/usr\/lib\/nginx\/modules --conf-path=\/etc\/nginx\/nginx.conf --error-log-path=\/var\/log\/nginx\/error.log --http-log-path=\/var\/log\/nginx\/access.log --pid-path=\/var\/run\/nginx.pid --lock-path=\/var\/run\/nginx.lock --http-client-body-temp-path=\/var\/cache\/nginx\/client_temp --http-proxy-temp-path=\/var\/cache\/nginx\/proxy_temp --http-fastcgi-temp-path=\/var\/cache\/nginx\/fastcgi_temp --http-uwsgi-temp-path=\/var\/cache\/nginx\/uwsgi_temp --http-scgi-temp-path=\/var\/cache\/nginx\/scgi_temp --user=nginx --group=nginx --with-compat --with-file-aio --with-threads --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-mail --with-mail_ssl_module --with-stream --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module --with-openssl=\/opt\/openssl-1.0.2j make make install service nginx restart <\/code><\/pre>\n \u041f\u0440\u043e\u0432\u0435\u0440\u044f\u0435\u043c \u0432 \u0445\u0440\u043e\u043c\u0435:
![\"image\"\/](\"https:\/\/habrastorage.org\/files\/8b6\/258\/db3\/8b6258db34564e5f81d3054488b24813.png\")
\u0412 \u0441\u0430\u0444\u0430\u0440\u0438:
![\"image\"\/](\"https:\/\/habrastorage.org\/files\/dc5\/ee2\/db4\/dc5ee2db4e9d42f9a597034d7be67e78.png\")
<\/p>\n
\u0412\u0435\u0437\u0434\u0435 \u0432\u0438\u0434\u0438\u043c, \u0447\u0442\u043e \u0438\u0441\u043f\u043e\u043b\u044c\u0437\u0443\u0435\u0442\u0441\u044f \u043f\u0440\u043e\u0442\u043e\u043a\u043e\u043b http2, \u043f\u0440\u043e\u0432\u0435\u0440\u044f\u0435\u043c \u0435\u0449\u0435 \u043d\u0430 www.ssllabs.com<\/a>, \u043f\u043e\u043b\u0443\u0447\u0430\u0435\u043c
![\"image\"\/](\"https:\/\/habrastorage.org\/files\/5f1\/381\/66c\/5f138166c3bb493986806fb3b4a9d902.png\")
<\/p>\n \u041f\u0440\u043e\u0444\u0438\u0442! \u0414\u043e\u043b\u0438\u0432\u0430\u0435\u043c \u0441\u0435\u0431\u0435 \u0440\u043e\u043c \u0438 \u0438\u0434\u0435\u043c \u0441\u043f\u0430\u0442\u044c! \u0412\u0441\u0435\u043c \u0441\u043f\u0430\u0441\u0438\u0431\u043e \u0437\u0430 \u0432\u043d\u0438\u043c\u0430\u043d\u0438\u0435, \u043d\u0430\u0434\u0435\u044e\u0441\u044c \u043a\u043e\u043c\u0443-\u0442\u043e \u043f\u043e\u043c\u043e\u0433.
\u0441\u0441\u044b\u043b\u043a\u0430 \u043d\u0430 \u043e\u0440\u0438\u0433\u0438\u043d\u0430\u043b \u0441\u0442\u0430\u0442\u044c\u0438 https:\/\/habrahabr.ru\/post\/314474\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"\u0412 \u043e\u0431\u0449\u0435\u043c, \u043a\u0430\u043a \u044f \u0443\u0436\u0435 \u0447\u0438\u0442\u0430\u043b \u0442\u0443\u0442 \u0432 \u043a\u043e\u043c\u043c\u0435\u043d\u0442\u0430\u0445: \u00ab\u0446\u0435\u043b\u044b\u0435 \u0441\u0442\u0430\u0442\u044c\u0438 \u043f\u0438\u0448\u0443\u0442 \u043d\u0430 \u0442\u043e, \u043a\u0430\u043a \u0434\u043e\u0431\u0430\u0432\u0438\u0442\u044c 5 \u0441\u0438\u043c\u0432\u043e\u043b\u043e\u0432 \u0438 \u043f\u0440\u043e\u0431\u0435\u043b \u0432 \u043a\u043e\u043d\u0444\u0438\u0433\u00bb. \u0412\u0441\u0435 \u0431\u044b \u0445\u043e\u0440\u043e\u0448\u043e, \u0435\u0441\u043b\u0438 \u0431\u044b \u043d\u0435 google chrome. \u041e\u043d\u0438 \u0440\u0435\u0448\u0438\u043b\u0438 \u043f\u0440\u0435\u043a\u0440\u0430\u0442\u0438\u0442\u044c \u043f\u043e\u0434\u0434\u0435\u0440\u0436\u043a\u0443 SPDY<\/b> \u0438 NPN<\/b><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[],"tags":[],"class_list":["post-280497","post","type-post","status-publish","format-standard","hentry"],"_links":{"self":[{"href":"https:\/\/savepearlharbor.com\/index.php?rest_route=\/wp\/v2\/posts\/280497","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/savepearlharbor.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/savepearlharbor.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/savepearlharbor.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/savepearlharbor.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=280497"}],"version-history":[{"count":0,"href":"https:\/\/savepearlharbor.com\/index.php?rest_route=\/wp\/v2\/posts\/280497\/revisions"}],"wp:attachment":[{"href":"https:\/\/savepearlharbor.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=280497"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/savepearlharbor.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=280497"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/savepearlharbor.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=280497"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}