Nginx+ACME服务器搭建

Nginx安装

Ubuntu系统

1
sudo apt install nginx -y

ACME安装

1
2
3
4
5
6
# 下载仓库到本地
git clone https://github.com/acmesh-official/acme.sh.git

# 手动安装
cd acme.sh
./acme.sh --install -m lusyoe@163.com

ACME DNS自动验证(阿里云)

访问阿里云RAM控制台:https://ram.console.aliyun.com/users

创建子用户,勾选使用永久AccessKey访问

image.png

复制保存AccessKeyID和AccessKeySecret

image.png

修改用户权限

进入用户详情—>权限管理—>新增权限

image.png

搜索DNS,勾选以上两个权限:AliyunHTTPDNSFullAccess、AliyunDNSFullAccess

设置环境变量

1
2
3
4
export Ali_Key="<你的Ali_Key>"
export Ali_Secret="<你的Ali_Secret>"

source ~/.bashrc

修改默认 CA(可选)

acme.sh 脚本默认 CA 服务器是 ZeroSSL,有时可能会导致获取证书的时候一直出现:Pending,The CA is processing your order,please just wait.

只需要把 CA 服务器改成 Let's Encrypt 即可,虽然更改以后还是有概率出现 pending,但基本 2-3 次即可成功

1
acme.sh --set-default-ca --server letsencrypt

自动验证DNS并生成证书

1
2
3
cd acme.sh

./acme.sh --issue --dns dns_ali -d lusyoe.com -d *.lusyoe.com

安装ACME证书(Nginx)

1
2
3
4
5
6
7
8
# 创建证书目录
mkdir -p /etc/nginx/ssl

# 复制安装证书
./acme.sh --installcert -d lusyoe.com  \
 --key-file /etc/nginx/ssl/lusyoe.com.key \
 --fullchain-file /etc/nginx/ssl/fullchain.cer \
 --reloadcmd "systemctl restart nginx"

Nginx配置

编辑配置文件:

vim /etc/nginx/sites-available/default

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
# 1. 处理 HTTP 请求(80端口),强制跳转到 HTTPS + 非www
server {
    listen 80;
    listen [::]:80;
    server_name lusyoe.com www.lusyoe.com;
    return 301 https://lusyoe.com$request_uri;
}

# 2. 处理 HTTPS 的 www 请求,重定向到非www
server {
    listen 443 ssl;
    server_name www.lusyoe.com;

    # SSL 证书路径(需替换为实际路径)
    ssl_certificate /etc/nginx/ssl/fullchain.cer;
    ssl_certificate_key /etc/nginx/ssl/lusyoe.com.key;
 
    # 重定向到非www的HTTPS版本
    return 301 https://lusyoe.com$request_uri;
}

# 3. 主配置:处理 HTTPS + 非www 的请求
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name lusyoe.com;
    location / {
        proxy_pass http://127.0.0.1:3000;
        proxy_redirect off;
        # 保证获取到真实IP
        proxy_set_header X-Real-IP $remote_addr;
        # 真实端口号
        proxy_set_header X-Real-Port $remote_port;
        # X-Forwarded-For 是一个 HTTP 扩展头部。
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # 在多级代理的情况下,记录每次代理之前的客户端真实ip 
        proxy_set_header HTTP_X_FORWARDED_FOR $remote_addr;
        # 获取到真实协议
        proxy_set_header X-Forwarded-Proto $scheme;
        # 真实主机名
        proxy_set_header Host $host;
        # 设置变量
        proxy_set_header X-NginX-Proxy true;
        # 开启 brotli
        proxy_set_header Accept-Encoding "";
    }   
 
 
 
    # 日志
    log_format main '$remote_addr - $host - $remote_user [$time_local] "$request" '
                 '$request_time $request_length '
                 '$status $body_bytes_sent "$http_referer" '
                 '"$http_user_agent"';
    access_log /var/log/nginx/access.log main;
    error_log /var/log/nginx/error.log error;
 
    # 证书
    ssl_certificate /etc/nginx/ssl/fullchain.cer;
    ssl_certificate_key /etc/nginx/ssl/lusyoe.com.key;
 
    # curl https://ssl-config.mozilla.org/ffdhe2048.txt > /etc/nginx/ssl/dhparam
    ssl_dhparam /etc/nginx/ssl/dhparam;
 
    # HSTS (ngx_http_headers_module is required) (63072000 seconds)
    add_header Strict-Transport-Security "max-age=63072000" always;
 
    # OCSP stapling
    ssl_stapling on;
    ssl_stapling_verify on;
 
    # verify chain of trust of OCSP response using Root CA and Intermediate certs
    ssl_trusted_certificate  /etc/nginx/ssl/fullchain.cer;
    
    resolver dns21.hichina.com dns22.hichina.com valid=300s;
    resolver_timeout 5s;
}