acme certificate request script, Nginx reverse proxy, Caddy certificate request and reverse-proxy tutorial
Here I offer two approaches: acme + nginx, or Caddy.
acme is a domain certificate request script with built-in certificate renewal; nginx is a well-known reverse proxy that can be installed through the BaoTa panel or on its own.
Caddy combines certificate request, renewal and reverse proxying in one tool, and its configuration is simpler; this is the one I personally recommend.
Update the components first. Whether you choose acme + nginx or Caddy, this step is required.
apt update -y
apt install -y curl
apt install -y socat
acme + nginx version:
Install the acme script and request an SSL certificate
# Install command
curl https://get.acme.sh | sh
# Certificate request in standalone mode (port 80 must be free; acme.sh listens on it for the HTTP-01 challenge)
~/.acme.sh/acme.sh --register-account -m ********* # replace * with your own e-mail address
# Pick one of the two commands, depending on whether your server is reached over IPv4 or IPv6; if you have no IPv6, the default IPv4 command is fine
~/.acme.sh/acme.sh --issue -d ********* --standalone # replace * with your domain; this is the IPv4 command
~/.acme.sh/acme.sh --issue -d ********* --standalone --listen-v6 # replace * with your domain; this is the IPv6 command
# Some older systems may report the error "Please install socat tools first."
# Install socat, then rerun the v4 or v6 request command. socat install command:
apt-get install socat
# If the request fails, switch to a different CA
# Switch to Let's Encrypt:
~/.acme.sh/acme.sh --set-default-ca --server letsencrypt
# Switch to Buypass:
~/.acme.sh/acme.sh --set-default-ca --server buypass
# Switch to ZeroSSL:
~/.acme.sh/acme.sh --set-default-ca --server zerossl
# Install the certificate and key to the given paths; replace * with your domain.
# --reloadcmd makes nginx pick up the renewed certificate; without it the automatic renewal
# writes new files but nginx keeps serving the old certificate until it is reloaded.
~/.acme.sh/acme.sh --installcert -d ********* --key-file /root/private.key --fullchain-file /root/cert.crt --reloadcmd "systemctl reload nginx"
Install nginx yourself or through the BaoTa panel, then add the following to the nginx configuration:
server {
    listen 443 ssl;
    server_name *******; # replace * with your domain
    client_max_body_size 100M;
    ssl_certificate /root/cert.crt; # the --fullchain-file path used in the --installcert command above
    ssl_certificate_key /root/private.key; # the --key-file path used in the --installcert command above
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers 'TLS-CHACHA20-POLY1305-SHA256:TLS-AES-256-GCM-SHA384:TLS-AES-128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
    ssl_prefer_server_ciphers on;
    location / {
        proxy_pass http://127.0.0.1:8096;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Protocol $scheme;
        proxy_set_header X-Forwarded-Host $http_host;
        # Disable buffering when the nginx proxy gets very resource heavy upon streaming
        proxy_buffering off;
    }
    location = /web/ {
        proxy_pass http://127.0.0.1:8096/web/index.html;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Protocol $scheme;
        proxy_set_header X-Forwarded-Host $http_host;
    }
    location /socket {
        proxy_pass http://127.0.0.1:8096;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Protocol $scheme;
        proxy_set_header X-Forwarded-Host $http_host;
    }
}
Caddy version:
# Install Caddy
# Check whether caddy is already installed
if ! command -v caddy &> /dev/null; then
    # If caddy is not installed, proceed with the installation
    sudo apt install -y debian-keyring debian-archive-keyring apt-transport-https
    curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/gpg.key' | sudo gpg --dearmor -o /usr/share/keyrings/caddy-stable-archive-keyring.gpg
    curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/debian.deb.txt' | sudo tee /etc/apt/sources.list.d/caddy-stable.list
    sudo apt update
    sudo apt install -y caddy
else
    echo "Caddy is already installed!"
fi
Edit the /etc/caddy/Caddyfile file
{
    # Global options
    email you@example.com # e-mail address for Let's Encrypt certificate notices; change it to your own
    acme_ca https://acme-staging-v02.api.letsencrypt.org/directory # use the Let's Encrypt staging environment to test the configuration; once it works, delete this line to switch to production
    # acme_ca https://acme-v02.api.letsencrypt.org/directory # production environment
}
# Serve static files
:80 {
    root * /usr/share/caddy
    file_server
    # Logging
    log {
        output file /var/log/caddy/access.log {
            roll_size 100mb
            roll_keep 5
            roll_keep_for 720h
        }
        level ERROR
    }
    # Error handling
    handle_errors {
        @404 {
            expression {http.error.status_code} == 404
        }
        rewrite @404 /404.html
        file_server
    }
    # Compression
    encode gzip zstd
    # Cache policy for static files
    @static {
        file
        path *.html *.css *.js *.png *.jpg *.jpeg *.gif *.webp *.svg *.json
    }
    header @static Cache-Control max-age=5184000
    # Security headers
    header {
        X-XSS-Protection "1; mode=block"
        X-Frame-Options "DENY"
        X-Content-Type-Options "nosniff"
        Content-Security-Policy "upgrade-insecure-requests"
        Strict-Transport-Security "max-age=31536000;"
    }
}
# Reverse proxy configuration
# First domain; change domain1.com, www.domain1.com to your own domain
domain1.com, www.domain1.com {
    reverse_proxy localhost:49771 # the port you want to reverse-proxy; for example, if Jellyfin is on 8090, write 8090
    log {
        output file /var/log/caddy/domain1.log {
            roll_size 50mb
            roll_keep 10
            roll_keep_for 480h
        }
        level INFO
    }
    tls you@example.com # change to your e-mail address
}
# Second domain
domain2.com, www.domain2.com {
    reverse_proxy localhost:49772
    log {
        output file /var/log/caddy/domain2.log {
            roll_size 50mb
            roll_keep 10
            roll_keep_for 480h
        }
        level INFO
    }
    tls you@example.com # change to your e-mail address
}
# And so on: add a block like this for each additional domain...
Reload the configuration and restart Caddy
sudo systemctl daemon-reload
sudo systemctl restart caddy.service
sudo systemctl status caddy.service
At this point you have completed certificate issuance, renewal and reverse proxying. Open your domain in a browser and check that a lock icon appears next to the address, that the certificate is shown as valid and that the connection is secure.
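The browser lock check above can be scripted so that it also catches the one failure that stays invisible for weeks: the automatic renewal (acme.sh cron job or Caddy) silently stopping. The following is an added example, not part of the original post; it handshakes like a browser against an assumed domain passed on the command line and treats fewer than an assumed 20 days of validity, or a protocol below TLS 1.2, as a finding.

```python
"""Post-deployment TLS check for the domain served by nginx or Caddy above."""
import socket
import ssl
import sys
import time
from typing import List, Optional, Tuple

# Assumed threshold: acme.sh renews 60 days after issuance and Caddy at about
# 2/3 of the lifetime, so a 90-day certificate should never drop below ~30
# days left. Fewer than 20 days means automatic renewal is not happening.
RENEWAL_WARN_DAYS = 20


def days_remaining(not_after: str, now: Optional[float] = None) -> float:
    """Days until the 'notAfter' string from ssl.getpeercert() expires."""
    expires = ssl.cert_time_to_seconds(not_after)  # e.g. 'Nov 24 22:13:20 2023 GMT'
    now = time.time() if now is None else now
    return (expires - now) / 86400


def evaluate(version: str, not_after: str, now: Optional[float] = None) -> List[str]:
    """Return findings for a handshake result; an empty list means healthy."""
    findings = []
    if version not in ("TLSv1.2", "TLSv1.3"):
        findings.append(f"weak protocol negotiated: {version}")
    left = days_remaining(not_after, now)
    if left <= 0:
        findings.append("certificate has expired")
    elif left < RENEWAL_WARN_DAYS:
        findings.append(f"only {left:.1f} days left; check acme.sh/Caddy renewal")
    return findings


def probe(host: str, port: int = 443, timeout: float = 5.0) -> Tuple[str, str]:
    """Handshake like a browser (system CA bundle, hostname verification)."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.version(), tls.getpeercert()["notAfter"]


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "example.com"  # placeholder domain
    version, not_after = probe(host)
    problems = evaluate(version, not_after)
    print(f"{host}: {version}, certificate expires {not_after}")
    for problem in problems:
        print("WARNING:", problem)
    sys.exit(1 if problems else 0)
```

An ssl.SSLError raised by probe() is itself a finding: the chain is not trusted, the name does not match, or the server refuses TLS 1.2 and above, which is exactly what the browser would reject. Run it from cron after the acme.sh or Caddy renewal window and alert on a non-zero exit code.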
Link to this post: /archives/1699814318271
Copyright: unless otherwise stated, all articles on this site are licensed under CC BY-NC-SA 4.0. When reposting, please credit Reynolds' Blog!