This article is based on:

https://techcat.me/archives/300
https://linuxstory.org/deploy-lets-encrypt-ssl-certificate-with-certbot/

Goal: deploy reverse proxies for Google and Wikipedia on the same VPS
Environment: Ubuntu 16.04 (14.04 also works)
Requirements: one VPS (I use BandwagonHost), a domain name
Preparation:
A domain for the Google reverse proxy (e.g. g.www.isway.cn)
Three domains for the Wikipedia reverse proxy (e.g. wiki.www.isway.cn, m.wiki.www.isway.cn, up.wiki.www.isway.cn)
DNS records pointing all four domains at the VPS
An SSH client


I. Sort out the SSL certificates first
1. Let's Encrypt provides good free certificates; we use the official Certbot tool to obtain and deploy them automatically.

wget https://dl.eff.org/certbot-auto
chmod a+x ./certbot-auto

2. Run it directly to install; it will download a lot of components. Because the server has no web service yet, a red warning appears once installation finishes; it can be ignored.

./certbot-auto

3. Once the DNS records have propagated, request the certificates

./certbot-auto certonly

4. It asks how to verify domain ownership; choose option 1, standalone: certbot spins up its own temporary web server for the verification, so ports 80/443 must be free.

How would you like to authenticate with the ACME CA?
-------------------------------------------------------------------------------
1: Spin up a temporary webserver (standalone)
2: Place files in webroot directory (webroot)
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1

5. The first time, it asks for an email address.

Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel):xxx@gmail.com
Agree to the terms of service.
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf. You must agree
in order to register with the ACME server at
https://acme-v01.api.letsencrypt.org/directory
-------------------------------------------------------------------------------
(A)gree/(C)ancel: a
Whether to allow emails to be sent to your address; I declined.
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about EFF and
our work to encrypt the web, protect its users and defend digital rights.
-------------------------------------------------------------------------------
(Y)es/(N)o: n

6. Enter the domain to request a certificate for (the four domains above, one at a time)

Please enter in your domain name(s) (comma and/or space separated) (Enter 'c'
to cancel):g.www.isway.cn
It reports success:
Obtaining a new certificate
Performing the following challenges:
tls-sni-01 challenge for g.www.isway.cn
Waiting for verification...
Cleaning up challenges
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at
/etc/letsencrypt/live/g.www.isway.cn/fullchain.pem. Your cert will
expire on 2017-09-19. To obtain a new or tweaked version of this
certificate in the future, simply run certbot-auto again. To
non-interactively renew *all* of your certificates, run
"certbot-auto renew"
- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
- If you like Certbot, please consider supporting our work by:
Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le

7. Repeat step 3 in the same way until certificates for all four domains have been issued
8. Check the issued certificates; seeing a folder for each of the four domains confirms success

root@fuhm:~# ls /etc/letsencrypt/live/
g.www.isway.cn m.wiki.www.isway.cn up.wiki.www.isway.cn wiki.www.isway.cn
root@fuhm:~# ls /etc/letsencrypt/live/g.www.isway.cn/
README cert.pem chain.pem fullchain.pem privkey.pem

9. Manual SSL renewal (automatic renewal is still being tested). The standalone authenticator needs port 80/443, so nginx has to be stopped for the duration:

root@fuhm:~# service nginx stop
root@fuhm:~# ./certbot-auto renew
root@fuhm:~# service nginx start
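As an added example that is not part of the original post, the following script performs steps 3 to 7 and step 9 without the interactive prompts: it requests one standalone certificate per domain, renews with nginx stopped only while certbot runs (via certbot's pre/post hooks), and lists certificates under the step 8 directory layout that expire within a given number of days. The paths, domains and prompt answers are the post's; the contact address and the script name le.sh are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: steps 3-7 (one standalone
# certificate per domain) and step 9 (renewal) without interactive prompts.
set -eu
CERTBOT="${CERTBOT:-./certbot-auto}"
LIVE_DIR="${LIVE_DIR:-/etc/letsencrypt/live}"
DOMAINS="${DOMAINS:-g.www.isway.cn wiki.www.isway.cn m.wiki.www.isway.cn up.wiki.www.isway.cn}"
EMAIL="${EMAIL:-admin@example.com}"   # placeholder: use your own contact address

# Steps 3-7: request one standalone certificate per domain, answering the
# prompts shown in the post (agree to ToS, decline the EFF mailing list) via flags.
issue_all() {
    for d in $DOMAINS; do
        "$CERTBOT" certonly --standalone --non-interactive --agree-tos \
            --no-eff-email --email "$EMAIL" -d "$d"
    done
}

# Step 9: standalone needs ports 80/443, so nginx is stopped by the pre-hook
# and started again by the post-hook instead of by hand.
renew_all() {
    "$CERTBOT" renew --non-interactive \
        --pre-hook "service nginx stop" --post-hook "service nginx start"
}

# 0 if the certificate in $2 is still valid $1 days from now, 1 if it expires
# within that window or cannot be read (openssl reads the leaf cert in fullchain.pem).
cert_valid_for_days() {
    openssl x509 -noout -checkend "$(( $1 * 86400 ))" -in "$2" >/dev/null 2>&1
}

# Print domains under LIVE_DIR (the step 8 layout) expiring within $1 days; 1 if any.
certs_needing_renewal() {
    rc=0
    for dir in "$LIVE_DIR"/*/; do
        [ -f "$dir/fullchain.pem" ] || continue
        if ! cert_valid_for_days "$1" "$dir/fullchain.pem"; then
            basename "$dir"
            rc=1
        fi
    done
    return $rc
}
# Usage: sh le.sh issue | renew | check [days]   (check is safe to run from cron)
case "${1:-}" in
    issue) issue_all ;;
    renew) renew_all ;;
    check) certs_needing_renewal "${2:-30}" ;;
esac
```

Running `sh le.sh check` from cron gives an early warning well before the 90-day expiry shown in the certbot output above, independent of whether renewal is automated yet.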

II. Configuring the Google reverse proxy
See http://www.isway.cn/?p=321
1. Skip steps 1-3 of part 4 of that post
2. In the google.conf file from step 4 of part 4, change

ssl_certificate /root/ssl/example.com.crt;
ssl_certificate_key /root/ssl/example.com.key;

to (substitute your own domain)

ssl_certificate /etc/letsencrypt/live/g.www.isway.cn/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/g.www.isway.cn/privkey.pem;

3. Check the nginx configuration by running nginx -t; if it prints the following, everything is fine

nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

4. Restart the service and first test whether the Google proxy works

service nginx restart

III. Configuring the Wikipedia reverse proxy
1. Create a wiki.conf file in the same directory as google.conf with the following content (substitute your own domains):

vi /etc/nginx/sites-enabled/wiki.conf

# wiki.www.isway.cn: desktop Wikipedia (zh.wikipedia.org)
server {
    server_name wiki.www.isway.cn;
    listen 80;
    # plain HTTP only redirects to HTTPS
    rewrite ^/(.*) https://$server_name/$1 permanent;
}
server {
    server_name wiki.www.isway.cn;
    # "ssl" on the listen directive enables TLS; the older "ssl on;" is redundant
    listen 443 ssl http2;
    ssl_certificate /etc/letsencrypt/live/wiki.www.isway.cn/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/wiki.www.isway.cn/privkey.pem;
    location / {
        proxy_pass https://zh.wikipedia.org;
        # rewrite Set-Cookie domain and Location headers so the browser stays on the proxy
        proxy_cookie_domain zh.wikipedia.org wiki.www.isway.cn;
        proxy_redirect https://zh.wikipedia.org/ /;
        # redirects to the mobile site are sent to the mobile proxy below
        proxy_redirect https://zh.m.wikipedia.org/ https://m.wiki.www.isway.cn/;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header User-Agent $http_user_agent;
        # ask upstream for uncompressed responses
        proxy_set_header Accept-Encoding '';
        proxy_set_header referer "https://zh.wikipedia.org$request_uri";
    }
}

# m.wiki.www.isway.cn: mobile Wikipedia (zh.m.wikipedia.org)
server {
    server_name m.wiki.www.isway.cn;
    listen 80;
    rewrite ^/(.*) https://$server_name/$1 permanent;
}
server {
    server_name m.wiki.www.isway.cn;
    listen 443 ssl http2;
    ssl_certificate /etc/letsencrypt/live/m.wiki.www.isway.cn/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/m.wiki.www.isway.cn/privkey.pem;
    location / {
        proxy_pass https://zh.m.wikipedia.org;
        proxy_redirect https://zh.m.wikipedia.org/ /;
        proxy_cookie_domain zh.m.wikipedia.org m.wiki.www.isway.cn;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header User-Agent $http_user_agent;
        proxy_set_header Accept-Encoding '';
        proxy_set_header referer "https://zh.m.wikipedia.org$request_uri";
    }
}

# up.wiki.www.isway.cn: images and other media (upload.wikimedia.org)
server {
    server_name up.wiki.www.isway.cn;
    listen 80;
    rewrite ^/(.*) https://$server_name/$1 permanent;
}
server {
    server_name up.wiki.www.isway.cn;
    listen 443 ssl http2;
    ssl_certificate /etc/letsencrypt/live/up.wiki.www.isway.cn/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/up.wiki.www.isway.cn/privkey.pem;
    location / {
        proxy_pass https://upload.wikimedia.org;
        proxy_cookie_domain upload.wikimedia.org up.wiki.www.isway.cn;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header User-Agent $http_user_agent;
        proxy_set_header referer "https://upload.wikimedia.org$request_uri";
    }
}

2. Check the nginx configuration with nginx -t; if it reports no errors, restart nginx and verify that the sites load

service nginx restart

[End]