Reno Blog

Register an account

Click here to register an account; the ZeroSSL free plan allows three active 90-day certificates at a time.


Enter the domain

After logging in, click New Certificate, enter the server's public IP address under Enter Domain, then click Next Step →. An IP address has no DNS zone to put a record in, so ZeroSSL validates it by HTTP file upload (the TXT verification step below); the server therefore has to be reachable from the internet on port 80.


Choose the certificate

Tick 90-Day Certificate and click Next Step →


Add-ons

Keep the defaults and click Next Step →


Generate the CSR

Keep the default (Auto-Generate CSR) and click Next Step →. With this default ZeroSSL generates the key pair on its side and hands the private key back inside the certificate zip. That is convenient for a lab box, but it means a third party has held your private key; for anything that matters, turn the option off and paste a CSR generated on the server so the key never leaves it.


Choose a plan

Select Free and click Next Step →


TXT verification

Download the verification file

Click Download Auth File to download the TXT verification file. Note its name (32 uppercase hex characters followed by .txt) and do not edit its contents; ZeroSSL expects to fetch exactly these bytes at a fixed path on your server.


Nginx setup

Connect to the server over SSH from a terminal and switch to root

sudo -i

Open port 80 in the firewall. ZeroSSL fetches the validation file over plain HTTP from the internet, so 80 must be reachable; port 443 needs the same treatment before the HTTPS server goes live.

ufw allow 80
ufw reload

Install nginx

apt update
apt upgrade
apt install nginx

Open the default server configuration, note its root directory, and replace localhost in server_name with the server's IP address. With the nginx.org packages the file is /etc/nginx/conf.d/default.conf and the root is /usr/share/nginx/html; with the Debian/Ubuntu nginx package that apt installs above, the default site lives in /etc/nginx/sites-enabled/default with root /var/www/html and /etc/nginx/conf.d/ is empty, so edit that file instead and use its root in the steps below.

vi /etc/nginx/conf.d/default.conf

After editing, test the nginx configuration and restart it

nginx -t
systemctl restart nginx

Open http://<IP address> in a browser; if the configuration is correct you see the Welcome to nginx page


Add the validation file

In the terminal, change into nginx's web root (whatever root the default server sets; /usr/share/nginx/html is used here as the example) and create the validation directory

cd /usr/share/nginx/html
mkdir -p .well-known/pki-validation

Copy the TXT verification file into that directory with an sftp tool, or create it with vi as below and paste in the file's contents; replace the file name with the name of your own TXT file. The name is case-sensitive and the contents must match the download byte for byte, and the file has to be readable by the nginx worker user (www-data or nginx). If your default server carries a hardening rule that denies dotfiles (location ~ /\. { deny all; }), it also blocks /.well-known/ and must be relaxed for this path.

vi /usr/share/nginx/html/.well-known/pki-validation/CE5B471B8D0BB43BBCD1F6ABA4F30B0F.txt

Complete the validation

Open http://<IP address>/.well-known/pki-validation/CE5B471B8D0BB43BBCD1F6ABA4F30B0F.txt in a browser (or with curl); if the setup is correct it shows the contents of the TXT verification file

Back on the ZeroSSL page, click Next Step and then Verify Domain to complete the validation
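The validation steps above as one script, added here as an example and not part of the original post: it refuses anything that does not look like a ZeroSSL auth file name, copies the file into the web root with permissions the nginx worker can read, and fetches the exact URL ZeroSSL will fetch to confirm the served bytes match before you click Verify Domain. Assumptions: the web root defaults to /usr/share/nginx/html unless a third argument is given, curl is installed, and the file name in the usage line is the example name used in this post.

```shell
#!/bin/sh
# Added example (not from the original post): stage the ZeroSSL auth file and
# prove nginx serves it unchanged. Assumes curl on the server.
set -eu

# ZeroSSL names the auth file <32 uppercase hex chars>.txt. Rejecting anything
# else catches a renamed download or a stray path component before it is
# written into the web root.
valid_auth_name() {
    printf '%s' "$1" | grep -Eq '^[0-9A-F]{32}\.txt$'
}

# Copy the auth file into <webroot>/.well-known/pki-validation/ as a
# world-readable, root-owned file and print the staged path.
stage_auth_file() {
    webroot=$1; src=$2
    name=$(basename "$src")
    valid_auth_name "$name" || { echo "refusing odd auth file name: $name" >&2; return 1; }
    dir="$webroot/.well-known/pki-validation"
    mkdir -p "$dir"
    cp "$src" "$dir/$name"
    chmod 0644 "$dir/$name"
    printf '%s\n' "$dir/$name"
}

# The URL ZeroSSL fetches: plain HTTP on port 80, addressed by IP, no redirect.
auth_url() {
    printf 'http://%s/.well-known/pki-validation/%s' "$1" "$2"
}

# Fetch the URL and compare with the local file. Only a 200 with identical
# bytes will pass ZeroSSL's check; anything else reports the likely cause.
check_served() {
    url=$1; local_file=$2
    tmp=$(mktemp)
    code=$(curl -sS -o "$tmp" -w '%{http_code}' --max-time 10 "$url") || code=000
    if [ "$code" != 200 ]; then
        echo "HTTP $code for $url (check ufw, server_name, dotfile deny rules)" >&2
        rm -f "$tmp"; return 1
    fi
    if ! cmp -s "$tmp" "$local_file"; then
        echo "served bytes differ from $local_file (edited file? wrong root?)" >&2
        rm -f "$tmp"; return 1
    fi
    rm -f "$tmp"
    echo "OK: $url matches $local_file"
}

main() {
    ip=$1; src=$2; webroot=${3:-/usr/share/nginx/html}
    staged=$(stage_auth_file "$webroot" "$src")
    check_served "$(auth_url "$ip" "$(basename "$staged")")" "$staged"
}

# Usage: sh stage_auth.sh <server-ip> <downloaded auth file> [webroot]
#   e.g. sh stage_auth.sh 1.1.1.1 ./CE5B471B8D0BB43BBCD1F6ABA4F30B0F.txt
if [ "$#" -ge 2 ]; then
    main "$@"
fi
```

Run it as root on the server after ufw and nginx are up; if check_served fails, fix the reported cause before going back to the ZeroSSL page, since a failed Verify Domain attempt is just the same fetch done by ZeroSSL.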


Download the certificate

Then click Download Certificate (.zip). The zip holds certificate.crt, ca_bundle.crt and, because ZeroSSL generated the CSR, the private key as private.key; treat it as a secret, copy it to the server over scp and delete the local copy afterwards.


Install the certificate

Create the certificate directory, copy the zip into it and unpack it; /etc/nginx/ssl/1.1.1.1 is used here as the example. nginx's ssl_certificate needs the leaf followed by the intermediates, so build fullchain.crt from certificate.crt and ca_bundle.crt, and restrict the private key to root.

mkdir -p /etc/nginx/ssl/1.1.1.1 && cd /etc/nginx/ssl/1.1.1.1
unzip 1.1.1.1.zip
rm -f 1.1.1.1.zip
cat certificate.crt ca_bundle.crt > fullchain.crt
chmod 600 private.key

Nginx configuration

The configuration here is a simplified version; if you host several projects, follow the official documentation and keep the main nginx.conf separate from per-site files under conf.d/.

Back up the default configuration

mv /etc/nginx/conf.d/default.conf /etc/nginx/conf.d/default.conf.example
cp /etc/nginx/nginx.conf /etc/nginx/nginx.conf.example

Edit nginx.conf

An example nginx.conf follows; replace 1.1.1.1 with the real IP address and change port 3000 to the port your backend service actually listens on. The comments mark the points where a security review would stop: the port-80 server that keeps renewal validation working, the full chain nginx must serve, and the directives that depend on the nginx version or on the kind of key you have.

user www-data;
worker_processes auto;
pid /run/nginx.pid;

worker_rlimit_nofile 4096;

events {
    worker_connections 1024;
    use epoll;
}

http {
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 30;
    types_hash_max_size 1024;
    client_max_body_size 128m;
    server_tokens off;

    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    # access_log off discards the request log, the first thing you need when
    # investigating an incident; consider keeping it, e.g.
    # access_log /var/log/nginx/access.log;
    access_log off;
    error_log /var/log/nginx/error.log;

    # gzip is off, so the gzip_* settings below are inert until you enable it.
    # Compressing responses that mix secrets with attacker-controlled input is
    # what the BREACH attack exploits, so off is the conservative default.
    gzip off;
    gzip_comp_level 5;
    gzip_vary on;
    gzip_proxied any;
    gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
    gzip_min_length 1024;

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:5m;
    ssl_session_timeout 10m;

    # OCSP stapling: the resolver is needed to reach the CA's OCSP responder,
    # and ssl_trusted_certificate (below) verifies the stapled response.
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout 5s;

    open_file_cache max=500 inactive=10s;
    open_file_cache_valid 20s;
    open_file_cache_min_uses 1;
    open_file_cache_errors on;

    # Port 80 has to stay up: ZeroSSL re-fetches the validation file over
    # plain HTTP when the 90-day certificate is renewed. Serve only that path
    # here and send everything else to HTTPS.
    server {
        listen 80;
        server_name 1.1.1.1;

        location /.well-known/pki-validation/ {
            root /usr/share/nginx/html;
        }

        location / {
            return 301 https://$host$request_uri;
        }
    }

    server {
        # "http2 on;" needs nginx 1.25.1 or newer; older packages (Ubuntu
        # 22.04 ships 1.18) reject it. There, write "listen 443 ssl http2;"
        # and delete the http2 line.
        listen 443 ssl;
        http2 on;
        server_name 1.1.1.1;

        # ssl_certificate must hold the leaf followed by the intermediates
        # (cat certificate.crt ca_bundle.crt > fullchain.crt). Pointing it at
        # certificate.crt alone leaves clients that have not cached the ZeroSSL
        # intermediate unable to build a chain; ssl_trusted_certificate does
        # not fill that role, it is only used to verify the stapled OCSP
        # response (and client certificates, if any).
        ssl_certificate /etc/nginx/ssl/1.1.1.1/fullchain.crt;
        ssl_certificate_key /etc/nginx/ssl/1.1.1.1/private.key;
        ssl_trusted_certificate /etc/nginx/ssl/1.1.1.1/ca_bundle.crt;

        # TLS 1.2 suites for an RSA certificate (what ZeroSSL issues by
        # default); with an ECDSA key none of these match. TLS 1.3 suites are
        # fixed and unaffected by this list.
        ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';

        # includeSubDomains and preload mean nothing for a bare IP but are
        # harmless; max-age alone stops browsers falling back to http://.
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
        add_header X-Frame-Options SAMEORIGIN;
        add_header X-Content-Type-Options nosniff;
        # Legacy header: current browsers ignore it (OWASP now recommends "0").
        add_header X-XSS-Protection "1; mode=block";

        location / {
            proxy_pass http://localhost:3000;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection 'upgrade';
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_buffering on;
            proxy_buffer_size 64k;
            proxy_buffers 4 128k;
            proxy_busy_buffers_size 128k;
            proxy_connect_timeout 30s;
            proxy_send_timeout 30s;
            proxy_read_timeout 30s;
        }
    }
}

When the edit is done, test the configuration and restart nginx (systemctl reload nginx also works and keeps existing connections open)

nginx -t
systemctl restart nginx

Now https://1.1.1.1 serves the site. Port 443 has to be open in the firewall as well (ufw allow 443, mirroring the port-80 rule above), otherwise the connection simply times out. If the browser still shows the earlier Welcome to nginx page, that is browser caching: wait a moment or open the address in a private window.
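The install step and the final check, as an added script that is not from the original post: it unpacks the ZeroSSL zip into the certificate directory, builds fullchain.crt, locks down private.key, proves the key and certificate belong together and that the chain verifies against the system trust store, flags a certificate that is close to its 90-day expiry, and, once nginx has been reloaded, confirms the live endpoint presents that certificate with a chain a client can build. Assumptions: ZeroSSL's zip layout (certificate.crt, private.key, ca_bundle.crt), openssl and unzip on the server, and that it runs as root.

```shell
#!/bin/sh
# Added example (not from the original post): install the ZeroSSL bundle for
# nginx and verify it locally and on the wire. Assumes openssl and unzip.
set -eu

# 0 if the private key and certificate carry the same public key. Comparing
# DER-encoded public keys works for RSA and ECDSA alike.
cert_key_match() {
    cert=$1; key=$2
    c=$(openssl x509 -in "$cert" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256)
    k=$(openssl pkey -in "$key" -pubout -outform DER | openssl dgst -sha256)
    [ "$c" = "$k" ]
}

# 0 if the certificate expires within N days (ZeroSSL free certs live 90 days,
# so renewal has to be scheduled). -checkend is portable across OpenSSL builds.
renewal_due() {
    ! openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# Unpack the zip, build the chain nginx needs, restrict the key, and refuse to
# continue if the material is inconsistent. Intended to run as root.
install_bundle() {
    dir=$1; zip=$2
    mkdir -p "$dir"
    unzip -o -q "$zip" -d "$dir"
    # ssl_certificate wants the leaf first, then the intermediates.
    cat "$dir/certificate.crt" "$dir/ca_bundle.crt" > "$dir/fullchain.crt"
    chown root:root "$dir/private.key"
    chmod 0600 "$dir/private.key"
    chmod 0644 "$dir/certificate.crt" "$dir/ca_bundle.crt" "$dir/fullchain.crt"
    cert_key_match "$dir/certificate.crt" "$dir/private.key" \
        || { echo "private.key does not match certificate.crt" >&2; return 1; }
    # Intermediates are untrusted input; the root must come from the system store.
    openssl verify -untrusted "$dir/ca_bundle.crt" "$dir/certificate.crt" >/dev/null \
        || { echo "certificate.crt does not chain to a trusted root" >&2; return 1; }
    rm -f "$zip"
    echo "installed into $dir (fullchain.crt, private.key 0600)"
}

# After nginx reloads: the leaf served on <ip>:443 must be the installed one,
# and OpenSSL's own verification must succeed, which it will not if only the
# leaf is served. No SNI is sent, matching a client that connects by IP.
check_live() {
    ip=$1; expected=$2
    out=$(openssl s_client -connect "$ip:443" -showcerts </dev/null 2>/dev/null) || return 1
    served=$(printf '%s\n' "$out" | openssl x509 -outform DER | openssl dgst -sha256)
    want=$(openssl x509 -in "$expected" -outform DER | openssl dgst -sha256)
    [ "$served" = "$want" ] || { echo "served leaf is not $expected" >&2; return 1; }
    printf '%s\n' "$out" | grep -q 'Verify return code: 0 (ok)' \
        || { echo "chain does not verify: is ssl_certificate fullchain.crt?" >&2; return 1; }
    echo "OK: $ip:443 presents $expected with a verifiable chain"
}

# Usage: sh install_cert.sh <cert-dir> <zip> [server-ip]
#   e.g. sh install_cert.sh /etc/nginx/ssl/1.1.1.1 /root/1.1.1.1.zip 1.1.1.1
if [ "$#" -ge 2 ]; then
    install_bundle "$1" "$2"
    if renewal_due "$1/certificate.crt" 30; then
        echo "warning: certificate expires within 30 days, schedule renewal" >&2
    fi
    if [ "$#" -ge 3 ]; then
        check_live "$3" "$1/certificate.crt"
    fi
fi
```

Run install_bundle before editing nginx.conf, and run check_live (the optional third argument) after nginx -t and the restart; a mismatch between the served leaf and certificate.crt usually means nginx is still loading the old files, while a failing verify return code is the symptom of serving certificate.crt instead of fullchain.crt.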