基于acme一键部署为https

基于acme一键部署为https

准备一个80端口的nginx文件

位于: /usr/local/nginx/conf/vhost/default

# Port-80 template.  The issuing script copies this file to
# /usr/local/nginx/conf/vhost/<domain>.conf and rewrites the server_name and
# listen directives with sed, so keep those two lines byte-for-byte as they are.
server {
    listen 80 default_server reuseport;
    server_name _;

    #error_page   404   /404.html;

    # Deny access to PHP files in specific directory
    #location ~ /(wp-content|uploads|wp-includes|images)/.*\.php$ { deny all; }

    access_log /home/wwwlogs/default.access.log;

    # Pass-through settings for the upstream on 127.0.0.1:8080: no request or
    # response buffering and no body-size limit.  "ignore_invalid_headers off"
    # forwards header names nginx would otherwise reject — keep it only if the
    # upstream genuinely needs such headers.
    ignore_invalid_headers off;
    client_max_body_size 0;
    proxy_buffering off;
    proxy_request_buffering off;

    location / {
        proxy_pass http://127.0.0.1:8080/;
        proxy_connect_timeout 300;
        chunked_transfer_encoding off;

        # Hand the original host, client address and scheme to the upstream.
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-NginX-Proxy true;

        # WebSocket upgrade pass-through (needs HTTP/1.1 towards the upstream).
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}

准备一个443端口的nginx文件

位于: /usr/local/nginx/conf/vhost/defaults

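# HTTPS template.  The issuing script copies this file to
# /usr/local/nginx/conf/vhost/<domain>.conf and replaces every occurrence of the
# placeholder hostname with the real domain (server_name, log path, certificate
# paths), so the placeholder must stay exactly as written below.

# Port 80: redirect everything to HTTPS.  The redirect sits in "location /"
# instead of at server level so a more specific location still wins — a
# server-level rewrite runs before location matching and would also redirect
# ACME http-01 requests.  NOTE(review): acme.sh --nginx mode appears to inject
# its challenge location into this block at renewal time; confirm renewals
# succeed with this layout (e.g. a forced renewal) before relying on it.
server {
    listen 80;
    server_name defaults;

    location / {
        return 301 https://$server_name$request_uri;
    }
}

server {
    listen 443 ssl;
    server_name defaults;

    #error_page   404   /404.html;

    access_log /home/wwwlogs/defaults.access.log;

    # Certificate and key as written by acme.sh (ECC key, hence the _ecc
    # directory).  nginx reads them straight from acme.sh's store, so a renewed
    # certificate is only picked up after an nginx reload — make sure the
    # acme.sh cron job triggers one (--install-cert with --reloadcmd).
    ssl_certificate      /root/.acme.sh/defaults_ecc/defaults.cer;
    ssl_certificate_key  /root/.acme.sh/defaults_ecc/defaults.key;

    # TLS 1.0 and 1.1 are deprecated (RFC 8996) and were previously enabled;
    # offer TLS 1.2+ only.  The TLSv1.3 token requires nginx >= 1.13.0 — drop
    # it if the config test rejects it.
    ssl_protocols TLSv1.2 TLSv1.3;
    # Forward-secret AEAD suites only.  The old list admitted static-ECDH and
    # CBC suites through the ECDH/AES/HIGH aliases.  With the ECC certificate
    # the ECDSA suites are the ones actually negotiated; the RSA ones are kept
    # in case the certificate type is ever switched.
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers on;
    ssl_session_timeout 5m;

    # HSTS: clients that have seen this refuse plain HTTP for a year, which is
    # safe here because port 80 only redirects.  "always" also emits the header
    # on error responses.
    add_header Strict-Transport-Security "max-age=31536000" always;

    # Pass-through settings for the upstream on 127.0.0.1:8080: no request or
    # response buffering and no body-size limit.  "ignore_invalid_headers off"
    # forwards header names nginx would otherwise reject — keep it only if the
    # upstream genuinely needs such headers.
    ignore_invalid_headers off;
    client_max_body_size 0;
    proxy_buffering off;
    proxy_request_buffering off;

    location / {
        proxy_pass http://127.0.0.1:8080/;
        proxy_connect_timeout 300;
        chunked_transfer_encoding off;

        # Hand the original host, client address and scheme to the upstream.
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-NginX-Proxy true;

        # WebSocket upgrade pass-through (needs HTTP/1.1 towards the upstream).
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}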

准备一个脚本

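#!/bin/bash
# Add an HTTPS vhost for one domain:
#   1. copy the port-80 template to vhost/<domain>.conf and reload nginx,
#   2. obtain a certificate with acme.sh (http-01 answered through nginx),
#   3. replace the vhost with the HTTPS template and reload again.
# Runs as root (writes under /usr/local/nginx/conf/vhost, reads /root/.acme.sh).
set -euo pipefail

readonly vhost_dir=/usr/local/nginx/conf/vhost
readonly nginx_conf=/usr/local/nginx/conf/nginx.conf
readonly acme=/root/.acme.sh/acme.sh

die() { printf '%s\n' "$*" >&2; exit 1; }

# Failure after the vhost file was written: remove the half-finished file so a
# later nginx restart does not trip over it, bring nginx back to the previous
# state (best effort), then exit with the message.
abort() {
  rm -f -- "$conf"
  service nginx reload >/dev/null 2>&1 || true
  die "$@"
}

read -r -p "请输入需要增加的证书的域名: " domain

# The domain is spliced into file names and sed expressions below; allow
# hostname characters only so "/", ":" or "&" cannot escape the vhost
# directory or break the sed commands.  The original accepted anything.
[[ "$domain" =~ ^[A-Za-z0-9][A-Za-z0-9.-]*$ ]] \
  || die "invalid domain name: ${domain}"

conf="${vhost_dir}/${domain}.conf"
cert_dir="/root/.acme.sh/${domain}_ecc"

# Step 1: plain-HTTP vhost so the ACME http-01 challenge can be answered.
cp -f -- "${vhost_dir}/default" "$conf"
sed -i -e "s:server_name _;:server_name ${domain};:g" \
       -e "s:80 default_server reuseport:80:g" -- "$conf"
service nginx reload \
  || abort "nginx reload failed after installing HTTP vhost ${conf}"

# Step 2: issue the certificate.  --keylength ec-256 pins an ECC key so the
# files land in <domain>_ecc/, which is where the HTTPS template points
# (older acme.sh releases default to RSA and a directory without _ecc).
rc=0
"$acme" --issue --nginx "$nginx_conf" -d "$domain" --keylength ec-256 || rc=$?
# acme.sh exits 2 when a valid certificate already exists and is not yet due
# for renewal ("skip"); the HTTPS vhost can still be installed in that case.
# NOTE(review): confirm the skip exit code against the installed acme.sh.
case "$rc" in
  0|2) ;;
  *) abort "acme.sh --issue failed (exit ${rc}) for ${domain}" ;;
esac
# Do not install a vhost that references files nginx cannot load.
[[ -s "${cert_dir}/${domain}.cer" && -s "${cert_dir}/${domain}.key" ]] \
  || abort "certificate files not found in ${cert_dir}"

# Step 3: swap in the HTTPS template; every "defaults" placeholder becomes the
# domain (server_name, log path, certificate paths).
cp -f -- "${vhost_dir}/defaults" "$conf"
sed -i "s:defaults:${domain}:g" -- "$conf"
service nginx reload \
  || abort "nginx reload failed after installing HTTPS vhost ${conf}"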