Jiaxin的仓库

If you run your own server and the domain is not behind Cloudflare (CF), using a wildcard SSL certificate means renewing it by hand from time to time.

Here I recommend the acme.sh script for setting up the certificate; according to the official introduction, the script can renew the certificate automatically.

See the GitHub repository for details if needed.

This post uses DNSPod as the example, combined with 1Panel. Other cloud DNS providers should work along the same lines.

1. Install the script

Either with the official installer:

curl https://get.acme.sh | sh -s [email protected]

or from the Gitee mirror:

git clone https://gitee.com/neilpang/acme.sh.git
cd acme.sh
./acme.sh --install -m [email protected]

After installation, set up an alias for the command:

alias acme.sh=~/.acme.sh/acme.sh

2. Get a DNSPod token

Then write the token you obtained into the environment (these are the variable names the dns_dp hook reads):

export DP_Id=""   # DNSPod token ID
export DP_Key=""  # DNSPod token secret

3. Issue the certificate

acme.sh --issue --dns dns_dp -d aa.com -d '*.aa.com'

(The wildcard is quoted so the shell does not expand it as a glob.)

During this step the script handles the DNSPod side automatically; let it run, and at the end it prints your certificate and the path where it was stored.

4. Install into nginx

Install the generated certificate to the certificate path you chose:

acme.sh --install-cert -d 'aa.com' \
--key-file /opt/1panel/apps/openresty/openresty/conf/conf.d/cert/wild/aa.com.key \
--fullchain-file /opt/1panel/apps/openresty/openresty/conf/conf.d/cert/wild/aa.com.cer \
--reloadcmd "docker restart 1Panel-openresty-TVvr"
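As an added check that is not part of the original post or of acme.sh itself: because --reloadcmd restarts the proxy container as soon as the files are written, it is worth confirming what was installed before relying on it. The script below verifies that the leaf certificate covers both the apex and the wildcard name, that it is not about to expire, and that the private key really belongs to it. It only needs openssl. The certificate material it runs on is constructed in a temporary directory (self-signed stand-ins, not the 1Panel paths above).

```shell
#!/bin/sh
# Added example, not from the post or from acme.sh: sanity-check an installed
# certificate/key pair before trusting the reload. Only openssl is required.

# check_installed_cert CERT KEY DOMAIN [MIN_DAYS]
# Prints a FAIL line for each problem; returns 1 on any failure, 0 when clean.
check_installed_cert() {
    cert="$1"; key="$2"; domain="$3"; min_days="${4:-7}"; rc=0

    # 1. SAN coverage: DOMAIN and *.DOMAIN must both appear in the leaf's SAN list.
    #    openssl x509 reads only the first PEM block, i.e. the leaf of a fullchain.
    sans=$(openssl x509 -in "$cert" -noout -text | grep -o 'DNS:[^,]*' | sed 's/^DNS://')
    for name in "$domain" "*.$domain"; do
        if ! printf '%s\n' "$sans" | grep -qxF "$name"; then
            echo "FAIL: $cert does not cover $name"; rc=1
        fi
    done

    # 2. Expiry: -checkend returns non-zero if the cert expires within N seconds.
    if ! openssl x509 -in "$cert" -noout -checkend $((min_days * 86400)) >/dev/null; then
        echo "FAIL: $cert expires within $min_days days"; rc=1
    fi

    # 3. Key match: the public key derived from KEY must equal the one inside CERT.
    if [ "$(openssl x509 -in "$cert" -noout -pubkey)" != "$(openssl pkey -in "$key" -pubout)" ]; then
        echo "FAIL: $key does not match $cert"; rc=1
    fi
    return $rc
}

# Constructed test material (stand-ins for acme.sh output): a self-signed
# wildcard cert, a short-lived one, and an unrelated key for the mismatch case.
gen_cert() {  # gen_cert OUT_BASENAME DAYS
    openssl req -x509 -newkey rsa:2048 -nodes -days "$2" -subj "/CN=aa.com" \
        -addext "subjectAltName=DNS:aa.com,DNS:*.aa.com" \
        -keyout "$1.key" -out "$1.cer" >/dev/null 2>&1
}
make_demo_certs() {
    mkdir -p "$1"
    gen_cert "$1/aa.com" 90
    gen_cert "$1/short" 2
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$1/wrong.key" >/dev/null 2>&1
}

# Demo run on the constructed material in a temp dir.
d=$(mktemp -d); make_demo_certs "$d"
check_installed_cert "$d/aa.com.cer" "$d/aa.com.key" aa.com && echo "OK: $d/aa.com.cer is ready to serve"
check_installed_cert "$d/short.cer"  "$d/short.key"  aa.com || echo "(expected: short-lived cert rejected)"
check_installed_cert "$d/aa.com.cer" "$d/wrong.key"  aa.com || echo "(expected: key mismatch rejected)"
rm -rf "$d"
```

In practice you would call check_installed_cert with the two paths from --key-file and --fullchain-file and the domain, for example from a cron job or before the reload command; a non-zero exit is your signal not to restart the proxy with broken material.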

5. Create the reverse-proxy file

Then, in the reverse-proxy config directory, add a site-wide SSL .conf:

server_tokens off;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 60m;
ssl_session_tickets on;
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.4.4 8.8.8.8 valid=300s;
resolver_timeout 10s;
ssl_prefer_server_ciphers on;
# certificate paths (absolute)
ssl_certificate /youdata/ssl/nginx/fullchain.cer;
ssl_certificate_key /youdata/ssl/nginx/yourdomain.key;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:ECDHE-RSA-AES128-GCM-SHA256:AES256+EECDH:DHE-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
add_header Strict-Transport-Security "max-age=31536000;includeSubDomains;preload";
add_header X-Frame-Options deny;
add_header X-Content-Type-Options nosniff;
add_header x-xss-protection "1; mode=block";
add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' blob: https:; connect-src 'self' https:; img-src 'self' data: https: blob:; style-src 'unsafe-inline' https:; font-src https:";
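Because this file is included by every site, a weak setting in it weakens every site at once. The script below is an added example, not part of the original post: a small lint that reads an nginx/OpenResty ssl.conf and flags the things a reviewer would push back on in the block above, namely TLSv1/TLSv1.1 in ssl_protocols, 3DES-class suites listed positively in ssl_ciphers, the obsolete X-XSS-Protection header, and 'unsafe-inline'/'unsafe-eval' in the CSP script-src. It runs on two constructed files: the relevant directives copied from the block above, and a hardened version of the same directives.

```shell
#!/bin/sh
# Added example, not from the original post: lint an nginx ssl.conf for weak TLS
# and header settings. Directive names are real nginx ones; file contents are
# constructed samples written by the helpers below.

# audit_ssl_conf FILE
# Prints one FINDING line per issue and returns the number of findings (0 = clean).
audit_ssl_conf() {
    conf=$(sed 's/#.*$//' "$1")   # drop comments (a '#' inside a quoted value would be cut too)
    n=0

    # 1. ssl_protocols: anything below TLSv1.2 is a finding.
    protos=$(printf '%s\n' "$conf" | sed -n 's/^[[:space:]]*ssl_protocols[[:space:]]*\([^;]*\);.*/\1/p')
    for old in SSLv2 SSLv3 TLSv1 TLSv1.1; do
        if printf ' %s ' $protos | grep -qF " $old "; then
            echo "FINDING: ssl_protocols enables $old"; n=$((n + 1))
        fi
    done

    # 2. ssl_ciphers: suites listed positively (no leading '!') from weak families.
    #    Exclusions such as !RC4 or !MD5 are correct and are ignored here.
    ciphers=$(printf '%s\n' "$conf" | sed -n 's/^[[:space:]]*ssl_ciphers[[:space:]]*"\{0,1\}\([^";]*\)"\{0,1\};.*/\1/p')
    weak=$(printf '%s\n' "$ciphers" | tr ':' '\n' | grep -v '^!' \
           | grep -E 'DES-CBC3|3DES|RC4|MD5|NULL|EXPORT' | tr '\n' ' ')
    if [ -n "$weak" ]; then
        echo "FINDING: ssl_ciphers lists weak suites: $weak"; n=$((n + 1))
    fi

    # 3. X-XSS-Protection is obsolete; current browsers ignore it.
    if printf '%s\n' "$conf" | grep -qi '^[[:space:]]*add_header[[:space:]]*x-xss-protection'; then
        echo "FINDING: obsolete X-XSS-Protection header set"; n=$((n + 1))
    fi

    # 4. CSP: 'unsafe-inline' / 'unsafe-eval' in script-src defeat most of the policy.
    csp=$(printf '%s\n' "$conf" | sed -n 's/^[[:space:]]*add_header[[:space:]]*Content-Security-Policy[[:space:]]*"\([^"]*\)".*/\1/p')
    script_src=$(printf '%s\n' "$csp" | tr ';' '\n' | sed -n 's/^[[:space:]]*script-src[[:space:]]*//p')
    for tok in "'unsafe-inline'" "'unsafe-eval'"; do
        if printf ' %s ' $script_src | grep -qF " $tok "; then
            echo "FINDING: CSP script-src allows $tok"; n=$((n + 1))
        fi
    done
    return $n
}

# Constructed sample 1: the relevant directives exactly as in the post's ssl.conf.
write_post_conf() {
    cat >"$1" <<'EOF'
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:ECDHE-RSA-AES128-GCM-SHA256:AES256+EECDH:DHE-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
add_header x-xss-protection "1; mode=block";
add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' blob: https:; connect-src 'self' https:; img-src 'self' data: https: blob:; style-src 'unsafe-inline' https:; font-src https:";
EOF
}

# Constructed sample 2: the same directives hardened (TLS 1.2/1.3 only, AEAD
# suites only, no X-XSS-Protection, no unsafe-* in script-src).
write_hardened_conf() {
    cat >"$1" <<'EOF'
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305";
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
add_header X-Frame-Options deny;
add_header X-Content-Type-Options nosniff;
add_header Content-Security-Policy "default-src 'self'; script-src 'self' https:; connect-src 'self' https:; img-src 'self' data: https: blob:; style-src 'self' 'unsafe-inline' https:; font-src https:";
EOF
}

# Demo on the two constructed samples (temp files, not the live 1Panel config).
tmp=$(mktemp -d)
write_post_conf "$tmp/post.conf"; write_hardened_conf "$tmp/hardened.conf"
for f in post hardened; do
    n=0; audit_ssl_conf "$tmp/$f.conf" || n=$?
    echo "$f.conf: $n finding(s)"
done
rm -rf "$tmp"
```

The hardened sample keeps 'unsafe-inline' in style-src on purpose: tighten the CSP only as far as the application behind the proxy tolerates, and check the browser console after each change. Two nginx details worth remembering when you include this file: add_header directives are inherited from the enclosing level only if the current level defines none of its own, so a location block that adds its own header silently drops HSTS and the CSP from the include; and ssl_stapling_verify needs the issuer chain available through ssl_trusted_certificate to actually verify the stapled response.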

Then, in the reverse-proxy files of the other sites, simply include the wildcard file.

For example:

server {
    listen 80;
    server_name www.aa.com;
    # Redirect all HTTP requests to HTTPS
    location / {
        return 301 https://$host$request_uri;
    }
}
server {
    listen 443 ssl;
    server_name www.aa.com;
    include /usr/local/openresty/nginx/conf/conf.d/ssl.conf;
    client_max_body_size 90G; # Adjust based on your needs
    location / {
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_connect_timeout 300;
        chunked_transfer_encoding off;
        proxy_pass http://localhost:8888;
    }
}