Nginx + Lets'encrypt 實現HTTPS訪問七牛空間資源
阿新 • • 發佈:2018-11-19
上一篇文章 為七牛雲端儲存空間繫結自定義域名,並使用七牛雲提供的免費SSL證書,將自定義加名升級為HTTPS 我們提到利用七牛的免費SSL證書,將自定義加名升級為HTTPS的方法。
不知道有沒有小夥伴會像我一樣擔心一年七牛的SSL證書不免費了怎麼辦?每個域名每年都要幾千塊的支出對於個人和小企業來說還是一筆不小的數目。
如果繫結七牛雲空間的域名能使用 lets‘encrypt 等這類免費的網址那麼就完美了。
然而七牛目前並不支援 lets'encrypt 這類短期的免費證書。
下面我教大家一種利用 Nginx + lets'encrypt 實現以https的方式訪問七牛資源的方法。
一、準備工作
- 首先宣告,使用這種方法相當於主動放棄了七牛雲端儲存的CDN優勢,只適合訪問量不高的個人和小公司。
- 要有一個域名。
- 七牛雲空間應該已經綁定了自定義的域名,不懂如何繫結的請檢視前一篇文章。筆者繫結的域名是 md.ws65535.top。
- 有一臺帶公網IP的Linux伺服器。筆者伺服器IP為 54.191.48.61,Linux環境為 ubuntu14.04。其他發行版原理相同,只不過軟體安裝方式和目錄結構略有不同。
二、安裝 Nginx
1. 安裝nginx
[email protected]:~$ sudo apt-get install nginx2. 檢視nginx版本
[email protected]:~$ nginx -v
nginx version: nginx/1.4.6 (Ubuntu)3. 啟動nginx
[email protected]:~$ sudo service nginx start [email protected]2-31-27-111:~$ ss -tln State Recv-Q Send-Q Local Address:Port Peer Address:Port LISTEN 0 128 *:80 *:* LISTEN 0 128 *:22 *:* LISTEN 0 128 :::80 :::* LISTEN 0 128 :::22 :::*
4. 檢視nginx是否安裝成功
[email protected]:~$ curl http://54.191.48.61
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
body {
width: 35em;
margin: 0 auto;
font-family: Tahoma, Verdana, Arial, sans-serif;
}
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>
<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p>
<p><em>Thank you for using nginx.</em></p>
</body>
</html>三、配置Nginx反向代理,將所有訪問 qiniu-ssl.ws65535.top 的請求全部轉發到 md.ws65535.top
1. sudo vim /etc/nginx/sites-enabled/qiniu-ssl
server {
server_name qiniu-ssl.ws65535.top;
location / {
proxy_pass http://md.ws65535.top;
}
}編輯完成後使用 nginx -s reload 重新載入Nginx配置檔案。
2. 登入域名服務商(這裡以阿里云為例)的控制檯,新增域名解析。
記錄型別為 A,主機記錄為 qiniu-ssl.ws65535.top,伺服器IP為 54.191.48.61
3. 此時可以使用 qiniu-ssl.ws65535.top 替換 md.ws65535.top 來訪問七牛空間資源
例如http://qiniu-ssl.ws65535.top/xsj/2018_8_6_2018-08-06_181854.jpg
可以訪問到下面的資源http://md.ws65535.top/xsj/2018_8_6_2018-08-06_181854.jpg
四、安裝 HTTPS 證書 【參考】
此處只記錄ubuntu14.04安裝方法
1. 安裝 Certbot
$ sudo apt-get update
$ sudo apt-get install software-properties-common
$ sudo add-apt-repository ppa:certbot/certbot
$ sudo apt-get update
$ sudo apt-get install python-certbot-nginx 2. 安裝HTTPS證書
$ sudo certbot --nginx例項
[email protected]:~$ sudo certbot --nginx
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Which names would you like to activate HTTPS for?
-------------------------------------------------------------------------------
1: agency.ws65535.xyz
2: qiniu-ssl.ws65535.top
-------------------------------------------------------------------------------
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 2 #此處選擇將 qiniu-ssl.ws65535.top 設為https
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for qiniu-ssl.ws65535.top
Waiting for verification...
Cleaning up challenges
Deploying Certificate to VirtualHost /etc/nginx/sites-enabled/qiniu-ssl
Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
-------------------------------------------------------------------------------
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2 #是否強制將http方式訪問的請求跳轉到以HTTPS方式訪問
Redirecting all traffic on port 80 to ssl in /etc/nginx/sites-enabled/qiniu-ssl
-------------------------------------------------------------------------------
Congratulations! You have successfully enabled https://qiniu-ssl.ws65535.top
You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=qiniu-ssl.ws65535.top
-------------------------------------------------------------------------------
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/qiniu-ssl.ws65535.top/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/qiniu-ssl.ws65535.top/privkey.pem
Your cert will expire on 2018-11-04. To obtain a new or tweaked
version of this certificate in the future, simply run certbot again
with the "certonly" option. To non-interactively renew *all* of
your certificates, run "certbot renew"
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le
3. 此時再檢視 配置檔案 /etc/nginx/sites-enabled/qiniu-ssl,已經被 certbot 做了修改
[email protected]:~$ cat /etc/nginx/sites-enabled/qiniu-ssl
server {
server_name qiniu-ssl.ws65535.top;
location / {
proxy_pass http://md.ws65535.top;
}
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/qiniu-ssl.ws65535.top/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/qiniu-ssl.ws65535.top/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
if ($host = qiniu-ssl.ws65535.top) {
return 301 https://$host$request_uri;
} # managed by Certbot
server_name qiniu-ssl.ws65535.top;
listen 80;
return 404; # managed by Certbot
}4. 此時再使用 http://qiniu-ssl.ws65535.top/xsj/2018_8_6_2018-08-06_181854.jpg 訪問七牛雲空間的資源,會被強制跳轉到 https://qiniu-ssl.ws65535.top/xsj/2018_8_6_2018-08-06_181854.jpg
原文地址:https://segmentfault.com/a/1190000015921213