下载源码
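# Fetch the nginx source over HTTPS instead of plain HTTP, so the tarball
# cannot be altered in transit before it is compiled and installed as root.
# nginx.org publishes a detached PGP signature (.asc) next to each release
# tarball; verify it before unpacking.
wget https://nginx.org/download/nginx-1.16.1.tar.gz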
安装依赖
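# Dependency sources. All three are compiled into the nginx binary, so fetch
# them over HTTPS and compare each tarball with the checksum or signature
# published by its project before unpacking.
# PCRE
wget https://ftp.pcre.org/pub/pcre/pcre-8.43.tar.gz
# OpenSSL
# NOTE(review): the OpenSSL 1.0.2 branch is end-of-life; prefer a release
# that still receives security fixes when building an Internet-facing server.
wget https://www.openssl.org/source/openssl-1.0.2t.tar.gz
# zlib (the original listing used http:// here)
wget https://www.zlib.net/zlib-1.2.11.tar.gz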
编译安装
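# After extracting the four tarballs, these directories sit side by side:
#   nginx-1.16.1  pcre-8.43  openssl-1.0.2t  zlib-1.2.11
# (The original listing showed that directory list as a bare line; it is
# output, not a command.)

# The --with-* paths below are relative (../), so configure must be run from
# inside the nginx source tree.
cd nginx-1.16.1

# Configure: install under /usr/local/nginx, enable the HTTPS module, and
# build zlib, PCRE and OpenSSL from the unpacked source trees. The TLS library
# is therefore fixed at build time; updating OpenSSL means rebuilding nginx.
./configure \
  --prefix=/usr/local/nginx \
  --with-http_ssl_module \
  --with-zlib=../zlib-1.2.11 \
  --with-pcre=../pcre-8.43 \
  --with-openssl=../openssl-1.0.2t

# Build, and install only if the build succeeded.
make && make install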
启动
# Start nginx from the install prefix chosen at configure time
# (--prefix=/usr/local/nginx).
/usr/local/nginx/sbin/nginx
利用acme.sh生成证书
安装acme.sh
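# Download the installer to a file instead of piping curl straight into sh.
# A pipe executes whatever the server returns (including a truncated
# response) with the privileges of the current user, which is root in this
# walkthrough. -f makes curl fail on an HTTP error instead of saving the
# error page.
curl -fsSL https://get.acme.sh -o get-acme.sh
# Read get-acme.sh before running it.
sh get-acme.sh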
进入当前用户下的~/.acme.sh目录
# List the acme.sh home directory created by the installer
# (`ll` is a shell alias, commonly for `ls -l`).
# NOTE(review): account.conf is shown with mode 0644 below; acme.sh is
# understood to save DNS API credentials in it for later renewals. Confirm
# this, and keep the directory readable by root only.
cd /root/.acme.sh && ll
total 320
-rw-r--r-- 1 root root 440 Jul 13 11:10 account.conf
-rwxr-xr-x 1 root root 205958 Jul 13 10:48 acme.sh
-rw-r--r-- 1 root root 78 Jul 13 10:48 acme.sh.csh
-rw-r--r-- 1 root root 78 Jul 13 10:48 acme.sh.env
-rw-r--r-- 1 root root 76798 Jul 13 11:10 acme.sh.log
drwxr-xr-x 3 root root 4096 Jul 13 10:52 ca
drwxr-xr-x 2 root root 4096 Jul 13 10:48 deploy
drwxr-xr-x 2 root root 4096 Jul 13 10:48 dnsapi
-rw-r--r-- 1 root root 383 Jul 13 11:10 http.header
drwxr-xr-x 2 root root 4096 Jul 13 10:48 notify
如果使用zerossl 服务,先注册账号
# Register an ACME account with ZeroSSL. The address is a placeholder;
# replace it with a mailbox you control.
acme.sh --register-account -m xxxxx@xx.com --server zerossl
阿里DNS解析
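# Alibaba Cloud DNS API credentials read by the dns_ali hook (placeholder
# values). Use a key that is restricted to DNS management, and keep real
# values out of shell history and shared scripts.
export Ali_Key="asdasdsdasdasd"
export Ali_Secret="asdasdsdasdasdasdasd"
# Issue a certificate for the apex and wildcard names using DNS validation.
# The wildcard is quoted so the shell passes it to acme.sh literally instead
# of trying to expand it against file names in the current directory.
./acme.sh --issue --dns dns_ali -d domain.com -d '*.domain.com' --server zerossl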
cloudflare DNS 解析
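# Cloudflare credentials read by the dns_cf hook (placeholder values).
# CF_Key with CF_Email is the account-wide global API key. The dns_cf hook
# also supports a scoped API token (CF_Token), which limits what a leaked
# credential can change; prefer it where possible.
export CF_Key="asdasdsdasdasdasdasd"
export CF_Email="xxxxx@dd.com"
# Issue a certificate for the apex and wildcard names using DNS validation.
# The wildcard is quoted so the shell passes it to acme.sh literally instead
# of trying to expand it against file names in the current directory.
./acme.sh --issue --dns dns_cf -d domain.com -d '*.domain.com' --server zerossl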
生成好之后,会有提示信息,并且有证书的保存位置
nginx https配置
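# HTTPS virtual host: terminates TLS and proxies to a local backend.
server {
    listen 443 ssl;
    server_name domain.com;

    # NOTE(review): these paths point into acme.sh's own working directory.
    # acme.sh documents that directory as internal; its --install-cert command
    # (with --key-file, --fullchain-file and --reloadcmd) copies the files to a
    # stable location and reloads nginx after each renewal.
    ssl_certificate /root/.acme.sh/domain.com/fullchain.cer;
    ssl_certificate_key /root/.acme.sh/domain.com/domain.com.key;

    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 5m;

    # TLSv1 and TLSv1.1 are deprecated and have been dropped from this list.
    # TLSv1.3 can be added once nginx is built against an OpenSSL release that
    # supports it (the 1.0.2 branch used in this walkthrough does not).
    ssl_protocols TLSv1.2;
    # NOTE(review): broad cipher string kept as written; compare it with a
    # current recommended list for the OpenSSL version actually in use.
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
    ssl_prefer_server_ciphers on;

    location / {
        proxy_pass http://127.0.0.1:9000;

        # Pass the original host and client address to the backend. The
        # backend should trust these headers only when the request comes
        # from this proxy.
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header REMOTE-HOST $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Cookie $http_cookie;

        # Allows request bodies up to 1 GiB; lower this if the backend does
        # not need large uploads.
        client_max_body_size 1024M;

        proxy_connect_timeout 60;
        proxy_send_timeout 600;
        proxy_read_timeout 600;

        proxy_buffer_size 64k;
        proxy_buffers 16 32k;
        proxy_busy_buffers_size 64k;
        proxy_temp_file_write_size 64k;
    }
}

# Redirect HTTP to HTTPS.
# server_name now matches the HTTPS host above (the original listing named
# demo.domain.com here), and the redirect uses return rather than a regex
# rewrite.
server {
    listen 80;
    server_name domain.com;
    return 301 https://$host$request_uri;
}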
访问
https://domain.com
更新
# Run the acme.sh renewal job by hand. --force renews now, regardless of how
# much lifetime the certificate has left.
# NOTE(review): omit --force when this runs on a schedule, so only
# certificates that are due are renewed and the CA's rate limits are not
# consumed on every run.
/root/.acme.sh/acme.sh --cron --home /root/.acme.sh --force
或者
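# Re-issue the certificate immediately through the Cloudflare DNS hook.
# The wildcard is quoted so the shell passes it to acme.sh literally instead
# of trying to expand it against file names in the current directory.
./acme.sh --issue --dns dns_cf -d domain.com -d '*.domain.com' --server zerossl --force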
证书的有效期为3个月,应在到期之前执行上面的脚本进行更新(过期后再更新会导致 HTTPS 访问中断),也可以把脚本添加到系统的定时任务里定时执行。定时任务中不要带 --force,否则每次运行都会重新签发证书。更新后需要重新加载 nginx(nginx -s reload),新证书才会生效。