This post is based on:
https://techcat.me/archives/300
https://linuxstory.org/deploy-lets-encrypt-ssl-certificate-with-certbot/
Goal: deploy reverse proxies for both Google and Wikipedia on the same VPS
Environment: Ubuntu 16.04 (14.04 also works)
Requirements: one VPS (I use BandwagonHost, 搬瓦工) and a domain name
Preparation:
One domain for the Google proxy (e.g. g.www.isway.cn)
Three domains for the Wiki proxy (e.g. wiki.www.isway.cn, m.wiki.www.isway.cn, up.wiki.www.isway.cn)
DNS records pointing all four domains at the VPS
An SSH client
Part 1. Get the SSL certificates first
1. Let's Encrypt provides good free certificates; we use the official Certbot tool to obtain them automatically.
wget https://dl.eff.org/certbot-auto
chmod a+x ./certbot-auto
2. Run it directly to install; it will download quite a few components along the way. Because the server has no web service yet, a red warning appears when the installation finishes; ignore it.
./certbot-auto
3. Once the DNS records have propagated, request the certificate.
./certbot-auto certonly
4. It asks how you want to prove ownership of the domain. Choose the first option, standalone, where certbot starts its own temporary web server to answer the validation.
How would you like to authenticate with the ACME CA?
-------------------------------------------------------------------------------
1: Spin up a temporary webserver (standalone)
2: Place files in webroot directory (webroot)
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1
5. The first run asks for your email address.
Enter email address (used for urgent renewal and security notices) (Enter 'c' to cancel):xxx@gmail.com
Agree to the terms of service.
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf. You must agree
in order to register with the ACME server at
https://acme-v01.api.letsencrypt.org/directory
-------------------------------------------------------------------------------
(A)gree/(C)ancel: a
It then asks whether it may send email to your address; I chose no.
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about EFF and
our work to encrypt the web, protect its users and defend digital rights.
-------------------------------------------------------------------------------
(Y)es/(N)o: n
6. Enter the domain you want the certificate for (one of the four above, one at a time).
Please enter in your domain name(s) (comma and/or space separated)  (Enter 'c'
to cancel):g.www.isway.cn
It reports success:
Obtaining a new certificate
Performing the following challenges:
tls-sni-01 challenge for g.www.isway.cn
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/g.www.isway.cn/fullchain.pem. Your cert will
   expire on 2017-09-19. To obtain a new or tweaked version of this
   certificate in the future, simply run certbot-auto again. To
   non-interactively renew *all* of your certificates, run
   "certbot-auto renew"
 - Your account credentials have been saved in your Certbot
   configuration directory at /etc/letsencrypt. You should make a
   secure backup of this folder now. This configuration directory will
   also contain certificates and private keys obtained by Certbot so
   making regular backups of this folder is ideal.
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le
7. Following the same procedure, repeat from step 3 until certificates for all four domains have been issued.
8. Check the issued certificates; if you see a folder for each of the four domains, it worked.
root@fuhm:~# ls /etc/letsencrypt/live/
g.www.isway.cn  m.wiki.www.isway.cn  up.wiki.www.isway.cn  wiki.www.isway.cn
root@fuhm:~# ls /etc/letsencrypt/live/g.www.isway.cn/
README  cert.pem  chain.pem  fullchain.pem  privkey.pem
9. Renewing the certificates manually (automatic renewal is still being tested).
root@fuhm:~# service nginx stop
root@fuhm:~# ./certbot-auto renew
root@fuhm:~# service nginx start
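Because the certificate certbot printed above expires on 2017-09-19 and renewal is still a manual step here, it is worth having a quick check of what each proxy hostname actually serves and how long it has left. The script below is an added example written for this post, not code from the original or from certbot: it connects to each of the four hostnames with the standard library's default TLS context (which verifies the chain and the hostname, so a server block serving the wrong certificate for a name shows up as a failure), and flags any certificate with fewer than 30 days of validity left, the window in which certbot's own renew command acts. The host list and the function names are this example's assumptions.

```python
"""Added example (not from the original post): verify the certificate each proxy hostname
serves and report how many days remain before it expires. Standard library only."""
import socket
import ssl
import time

# The four hostnames used in this post; replace with your own.
PROXY_HOSTS = [
    "g.www.isway.cn",
    "wiki.www.isway.cn",
    "m.wiki.www.isway.cn",
    "up.wiki.www.isway.cn",
]

# Let's Encrypt certificates are valid for 90 days; certbot renews once fewer than 30 remain.
RENEW_THRESHOLD_DAYS = 30


def days_left(not_after, now=None):
    """Days until 'notAfter' as returned by getpeercert(), e.g. 'Sep 19 12:00:00 2017 GMT'."""
    if now is None:
        now = time.time()
    return (ssl.cert_time_to_seconds(not_after) - now) / 86400.0


def needs_renewal(not_after, now=None, threshold_days=RENEW_THRESHOLD_DAYS):
    """True when fewer than threshold_days of validity remain (or the cert has already expired)."""
    return days_left(not_after, now) < threshold_days


def check_host(host, port=443, timeout=5.0):
    """Connect with chain and hostname verification (both are on in the default context) and
    return (ok, detail). ok is False when the handshake or verification fails, for example
    when nginx answers this name with another server block's certificate."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
    except (ssl.SSLError, OSError) as exc:
        return False, str(exc)
    sans = sorted(v for k, v in cert.get("subjectAltName", ()) if k == "DNS")
    return True, {"notAfter": cert["notAfter"],
                  "days_left": days_left(cert["notAfter"]),
                  "san": sans}


if __name__ == "__main__":
    for h in PROXY_HOSTS:
        ok, detail = check_host(h)
        if not ok:
            print("%-25s FAIL  %s" % (h, detail))
        elif needs_renewal(detail["notAfter"]):
            print("%-25s RENEW %.1f days left (expires %s)" % (h, detail["days_left"], detail["notAfter"]))
        else:
            print("%-25s OK    %.1f days left, SAN=%s" % (h, detail["days_left"], ",".join(detail["san"])))
```

Run it from any machine that can reach the VPS; a FAIL line for one name while the others pass usually means that name's server block is missing or points at the wrong fullchain.pem/privkey.pem pair, and a RENEW line means it is time for step 9.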
Part 2. Configure the Google reverse proxy
Reference: http://www.isway.cn/?p=321
1. Skip steps 1-3 of Part 4 of that post.
2. In the google.conf file from step 4 of Part 4, change
ssl_certificate /root/ssl/example.com.crt;
ssl_certificate_key /root/ssl/example.com.key;
to the following (substitute your own domain):
ssl_certificate /etc/letsencrypt/live/g.www.isway.cn/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/g.www.isway.cn/privkey.pem;
3. Check the nginx configuration by running nginx -t; if it prints the following, everything is fine.
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
4. Restart the service and first check whether the Google proxy works.
service nginx restart
Part 3. Configure the Wiki reverse proxy
1. In the same directory as google.conf, create a wiki.conf file with the following content (substitute your own domains):
vi /etc/nginx/sites-enabled/wiki.conf

# Desktop Wikipedia (zh.wikipedia.org): plain HTTP is redirected to HTTPS
server {
    server_name wiki.www.isway.cn;
    listen 80;
    rewrite ^/(.*) https://$server_name/$1 permanent;
}
server {
    server_name wiki.www.isway.cn;
    listen 443 ssl http2;
    ssl on;   # redundant with the ssl parameter on listen; newer nginx versions warn about it
    ssl_certificate /etc/letsencrypt/live/wiki.www.isway.cn/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/wiki.www.isway.cn/privkey.pem;
    location / {
        proxy_pass https://zh.wikipedia.org;
        # rewrite the Domain attribute of upstream Set-Cookie headers so cookies are scoped to the proxy host
        proxy_cookie_domain zh.wikipedia.org wiki.www.isway.cn;
        # rewrite upstream Location headers so redirects keep the user on the proxy instead of sending
        # them to the origin; mobile redirects go to the m.wiki proxy below
        proxy_redirect https://zh.wikipedia.org/ /;
        proxy_redirect https://zh.m.wikipedia.org/ https://m.wiki.www.isway.cn/;
        proxy_set_header X-Real-IP $remote_addr;   # was "X-Real_IP"; the conventional header name uses hyphens
        proxy_set_header User-Agent $http_user_agent;
        proxy_set_header Accept-Encoding '';
        proxy_set_header referer "https://zh.wikipedia.org$request_uri";
    }
    # A location matches the request URI path, so this block never matches a normal request;
    # the proxy_redirect line above already handles the mobile redirect.
    location https://zh.m.wikipedia.org/ {
        rewrite ^/(.*) https://m.wiki.www.isway.cn/$1 permanent;
    }
}

# Mobile Wikipedia (zh.m.wikipedia.org)
server {
    server_name m.wiki.www.isway.cn;
    listen 80;
    rewrite ^/(.*) https://$server_name/$1 permanent;
}
server {
    server_name m.wiki.www.isway.cn;
    listen 443 ssl http2;
    ssl on;
    ssl_certificate /etc/letsencrypt/live/m.wiki.www.isway.cn/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/m.wiki.www.isway.cn/privkey.pem;
    location / {
        proxy_pass https://zh.m.wikipedia.org;
        proxy_redirect https://zh.m.wikipedia.org/ /;
        proxy_cookie_domain zh.m.wikipedia.org m.wiki.www.isway.cn;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header User-Agent $http_user_agent;
        proxy_set_header Accept-Encoding '';
        proxy_set_header referer "https://zh.m.wikipedia.org$request_uri";
    }
}

# Media files (upload.wikimedia.org), referenced by pages served through the two proxies above
server {
    server_name up.wiki.www.isway.cn;
    listen 80;
    rewrite ^/(.*) https://$server_name/$1 permanent;
}
server {
    server_name up.wiki.www.isway.cn;
    listen 443 ssl http2;
    ssl on;
    ssl_certificate /etc/letsencrypt/live/up.wiki.www.isway.cn/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/up.wiki.www.isway.cn/privkey.pem;
    location / {
        proxy_pass https://upload.wikimedia.org;
        proxy_cookie_domain upload.wikimedia.org up.wiki.www.isway.cn;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header User-Agent $http_user_agent;
        proxy_set_header referer "https://upload.wikimedia.org$request_uri";
    }
}
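The two directives that make the Wiki proxy usable rather than merely reachable are proxy_redirect and proxy_cookie_domain: without them a 302 from Wikipedia would send the browser straight to zh.wikipedia.org, and session cookies would arrive scoped to a domain the browser rejects. The following is an added example, written in Python for this post and not nginx code or code from the original: it models what those two directives in the wiki.www.isway.cn server block do to an upstream response, using the same prefix and domain pairs. The sample headers are constructed. It also shows the two cases the config does not cover: a redirect to an origin that is not in the map passes through untouched (the user leaves the proxy), and a cookie whose Domain is the parent .wikipedia.org is not rewritten, because nginx matches the whole domain attribute (case-insensitively, ignoring a leading dot) rather than a suffix, so a browser will discard it as not matching the proxy host.

```python
"""Added example (not nginx code, not from the original post): a model of the proxy_redirect and
proxy_cookie_domain rewrites in wiki.conf. The upstream headers below are constructed."""

# Same prefix pairs as the proxy_redirect lines in the wiki.www.isway.cn server block.
REDIRECT_MAP = [
    ("https://zh.wikipedia.org/", "/"),
    ("https://zh.m.wikipedia.org/", "https://m.wiki.www.isway.cn/"),
]

# Same pair as the proxy_cookie_domain line in that block.
COOKIE_DOMAIN_MAP = {"zh.wikipedia.org": "wiki.www.isway.cn"}


def rewrite_location(value, redirect_map=REDIRECT_MAP):
    """proxy_redirect: textual prefix replacement on a Location header. A value that matches
    no prefix is passed through unchanged, which is how a redirect to another origin
    (e.g. en.wikipedia.org) would take the user off the proxy."""
    for upstream_prefix, replacement in redirect_map:
        if value.startswith(upstream_prefix):
            return replacement + value[len(upstream_prefix):]
    return value


def rewrite_set_cookie(value, domain_map=COOKIE_DOMAIN_MAP):
    """proxy_cookie_domain: rewrite the Domain attribute of a Set-Cookie header. The whole
    attribute is compared case-insensitively with a leading dot ignored; every other
    attribute (Path, Secure, HttpOnly, ...) is kept as sent."""
    parts = [p.strip() for p in value.split(";")]
    out = []
    for part in parts:
        name, sep, attr_value = part.partition("=")
        if sep and name.lower() == "domain":
            key = attr_value.lstrip(".").lower()
            if key in domain_map:
                part = "Domain=" + domain_map[key]
        out.append(part)
    return "; ".join(out)


def rewrite_response_headers(headers):
    """Apply both rewrites to a list of (name, value) upstream response headers."""
    rewritten = []
    for name, value in headers:
        lname = name.lower()
        if lname == "location":
            value = rewrite_location(value)
        elif lname == "set-cookie":
            value = rewrite_set_cookie(value)
        rewritten.append((name, value))
    return rewritten


# Constructed sample of an upstream redirect response with three cookies:
# one scoped to zh.wikipedia.org (rewritten), one scoped to the parent domain
# .wikipedia.org (not matched, so the browser will discard it), one host-only (untouched).
SAMPLE_UPSTREAM_HEADERS = [
    ("Location", "https://zh.wikipedia.org/wiki/Nginx"),
    ("Set-Cookie", "session=abc123; Domain=.zh.wikipedia.org; Path=/; Secure; HttpOnly"),
    ("Set-Cookie", "region=cn; Domain=.wikipedia.org; Path=/; Secure"),
    ("Set-Cookie", "lastvisit=19-Sep-2017; Path=/; HttpOnly; Secure"),
    ("Content-Type", "text/html; charset=UTF-8"),
]

if __name__ == "__main__":
    for name, value in rewrite_response_headers(SAMPLE_UPSTREAM_HEADERS):
        print("%s: %s" % (name, value))
```

If the real site sets cookies on the parent domain, the config needs a second proxy_cookie_domain line for it (or the regex form of the directive); the model above makes that gap visible before it shows up as a login that never sticks.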
2. Check the nginx configuration with nginx -t; if it reports no errors, restart the nginx service and then check whether the site loads.
service nginx restart
[End]