2024-08-30
Using a free HTTPS certificate

First, point the DNS record for my.domain.com at the server's IP address.

Install acme.sh

curl https://get.acme.sh | sh
echo "alias acme.sh=~/.acme.sh/acme.sh" >> .profile
source .profile

Install nginx

apt install nginx

In /etc/nginx/sites-available/default, change the server_name line to your own domain:

server_name my.domain.com;

Reload the nginx configuration

systemctl reload nginx

Issue the certificate

acme.sh --issue -d my.domain.com --nginx

Create hard links to the certificate files (with symlinks nginx reports that it cannot find the files):

mkdir -p /etc/nginx/cert   # the directory does not exist in a fresh nginx install
ln .acme.sh/my.domain.com_ecc/fullchain.cer /etc/nginx/cert/my.domain.com.cer
ln .acme.sh/my.domain.com_ecc/my.domain.com.key /etc/nginx/cert/my.domain.com.key

Configure HTTPS in /etc/nginx/sites-available/default

server {
	listen 443 ssl;
	listen [::]:443 ssl;
	server_name my.domain.com;

	ssl_certificate /etc/nginx/cert/my.domain.com.cer;
	ssl_certificate_key /etc/nginx/cert/my.domain.com.key;

	root /var/www/html;

	# Add index.php to the list if you are using PHP
	index index.html index.htm index.nginx-debian.html;

	location / {
		# First attempt to serve request as file, then
		# as directory, then fall back to displaying a 404.
		try_files $uri $uri/ =404;
	}
}

server {
	listen 80 default_server;
	listen [::]:80 default_server;

	root /var/www/html;

	# Add index.php to the list if you are using PHP
	index index.html index.htm index.nginx-debian.html;

	server_name my.domain.com;

	location / {
		# First attempt to serve request as file, then
		# as directory, then fall back to displaying a 404.
		try_files $uri $uri/ =404;
	}
}

Finally, reload the nginx configuration

systemctl reload nginx

That's it: your site can now be reached over HTTPS.
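Added example (not from the original post): a post-deployment check script for the setup above. It verifies that the files in /etc/nginx/cert are real hard links to acme.sh's output (a symlink, or a copy left behind if the source is ever replaced by a new file instead of rewritten in place, fails the check), that the certificate's public key matches the private key, that the certificate covers the server_name, and that it still has at least 30 days of validity. The paths are the ones used in the post; the function names are my own, and openssl must be installed on the host.

```shell
#!/bin/sh
# Post-deployment checks for the acme.sh + nginx setup (added example).
# Paths follow the post above; adjust them to your own layout.
ACME_DIR="${HOME}/.acme.sh/my.domain.com_ecc"
NGINX_CERT="/etc/nginx/cert/my.domain.com.cer"
NGINX_KEY="/etc/nginx/cert/my.domain.com.key"

# True only when $2 is a hard link to $1: not a symlink, and the same inode.
# (-ef alone follows symlinks, so the -L test is what rules them out.)
same_file() {
	[ ! -L "$2" ] && [ "$1" -ef "$2" ]
}

# The public key inside the certificate must be the one derived from the
# private key, otherwise nginx refuses to load the server block.
cert_matches_key() {
	c=$(openssl x509 -noout -pubkey -in "$1" | openssl pkey -pubin -outform DER | openssl dgst -sha256)
	k=$(openssl pkey -in "$2" -pubout -outform DER | openssl dgst -sha256)
	[ -n "$c" ] && [ "$c" = "$k" ]
}

# The certificate names the given host (SAN or CN), i.e. the server_name.
cert_covers_host() {
	openssl x509 -noout -checkhost "$2" -in "$1" | grep -q "does match"
}

# The certificate is valid for at least N more days (default 30). acme.sh
# renews well before expiry, so a short remaining lifetime means its cron
# job is not running or the hard links no longer track its output.
cert_valid_for_days() {
	openssl x509 -noout -checkend $(( ${2:-30} * 86400 )) -in "$1" >/dev/null
}

check_deployment() {
	same_file "$ACME_DIR/fullchain.cer" "$NGINX_CERT" || { echo "cert is not a hard link"; return 1; }
	same_file "$ACME_DIR/my.domain.com.key" "$NGINX_KEY" || { echo "key is not a hard link"; return 1; }
	cert_matches_key "$NGINX_CERT" "$NGINX_KEY" || { echo "cert/key mismatch"; return 1; }
	cert_covers_host "$NGINX_CERT" my.domain.com || { echo "cert does not cover host"; return 1; }
	cert_valid_for_days "$NGINX_CERT" 30 || { echo "cert expires within 30 days"; return 1; }
	echo "ok"
}

if [ "${1:-}" = "--run" ]; then
	check_deployment
fi
```

Run it as `sh check.sh --run` after each renewal, or from the same cron that acme.sh uses, so a broken link or a stalled renewal is noticed before the certificate expires.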

Configuring nginx as a reverse proxy: https -> http

server {
	listen 443 ssl;
	listen [::]:443 ssl;
	server_name my.domain.com;

	ssl_certificate /etc/nginx/cert/my.domain.com.cer;
	ssl_certificate_key /etc/nginx/cert/my.domain.com.key;

	ssl_protocols TLSv1.2 TLSv1.3;
	ssl_prefer_server_ciphers on;
	ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";

	add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload";

	ssl_stapling on;
	ssl_stapling_verify on;
	ssl_trusted_certificate /etc/nginx/cert/my.domain.com.cer;

	location / {
		proxy_pass http://localhost:8103;
		proxy_set_header Host $host;
		proxy_set_header X-Real-IP $remote_addr;
		proxy_set_header X-Real-PORT $remote_port;
		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
		proxy_set_header X-Forwarded-Proto $scheme;

		client_max_body_size 10M;

		proxy_http_version 1.1;
		proxy_set_header Connection "";
	}
}

Configuring nginx as a reverse proxy: wss -> ws

server {
	listen 443 ssl;
	listen [::]:443 ssl;
	server_name mywss.domain.com;

	ssl_certificate /etc/nginx/cert/mywss.domain.com.cer;
	ssl_certificate_key /etc/nginx/cert/mywss.domain.com.key;

	ssl_protocols TLSv1.2 TLSv1.3;
	ssl_prefer_server_ciphers on;
	ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";

	add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload";

	ssl_stapling on;
	ssl_stapling_verify on;
	ssl_trusted_certificate /etc/nginx/cert/mywss.domain.com.cer;

	location / {
		proxy_pass http://localhost:9948;
		proxy_set_header Host $host;
		proxy_set_header X-Real-IP $remote_addr;
		proxy_set_header X-Real-PORT $remote_port;
		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
		proxy_set_header X-Forwarded-Proto $scheme;

		client_max_body_size 10M;

		proxy_http_version 1.1;
		proxy_set_header Upgrade $http_upgrade;
		proxy_set_header Connection "upgrade";
	}
}

Creative Commons license
Articles on this site are licensed under the Creative Commons Attribution 4.0 International License.

samoyedsun.github.io