雾非雾 - SSL
https://www.941741.xyz/tag/SSL/
-
安装SSL证书后HTTPS解析PHP问题
https://www.941741.xyz/archives/23.html
2022-10-08T10:22:00+08:00
用 acme.sh 申请并安装证书后,用宝塔配置了 Nginx ,代码如下:server {
listen 443 ssl http2;
server_name rj.809022.xyz;
ssl on;
ssl_certificate /www/wwwroot/rj.809022.xyz/rj.809022.xyz.cer; # 证书路径
ssl_certificate_key /www/wwwroot/rj.809022.xyz/rj.809022.xyz.key; # 证书路径
ssl_session_timeout 5m;
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
root /www/wwwroot/rj.809022.xyz;
index index.html index.htm default.htm default.html;
location / {
try_files $uri $uri/ =404;
}
}
server
{
listen 80;
server_name rj.809022.xyz rj.809022.xyz;
return 301 https://$server_name$request_uri;
index index.php index.html index.htm default.php default.htm default.html;
root /www/wwwroot/rj.809022.xyz;
#SSL-START SSL相关配置,请勿删除或修改下一行带注释的404规则
#error_page 404/404.html;
#SSL-END
#ERROR-PAGE-START 错误页配置,可以注释、删除或修改
#error_page 404 /404.html;
#error_page 502 /502.html;
#ERROR-PAGE-END
#PHP-INFO-START PHP引用配置,可以注释或修改
include enable-php-74.conf;
#PHP-INFO-END
#REWRITE-START URL重写规则引用,修改后将导致面板设置的伪静态规则失效
include /www/server/panel/vhost/rewrite/rj.809022.xyz.conf;
#REWRITE-END
#禁止访问的文件或目录
location ~ ^/(\.user.ini|\.htaccess|\.git|\.svn|\.project|LICENSE|README.md)
{
return 404;
}
#一键申请SSL证书验证目录相关设置
location ~ \.well-known{
allow all;
}
#禁止在证书验证目录放入敏感文件
if ( $uri ~ "^/\.well-known/.*\.(php|jsp|py|js|css|lua|ts|go|zip|tar\.gz|rar|7z|sql|bak)$" ) {
return 403;
}
location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$
{
expires 30d;
error_log /dev/null;
access_log /dev/null;
}
location ~ .*\.(js|css)?$
{
expires 12h;
error_log /dev/null;
access_log /dev/null;
}
access_log /www/wwwlogs/rj.809022.xyz.log;
error_log /www/wwwlogs/rj.809022.xyz.error.log;
}上面一段 443 是新加的 SSL 解析;后面 80 端口的监听新加了一句 return 用来监听 HTTP 访问 80 端口时,自动转跳到 HTTPS 的 443 端口;但是配置好重启 Nginx 后(后来发现宝塔的配置实时生效,貌似不用重启 Nginx 了),通过 HTTPS 访问 html 静态网页正常,但是访问 PHP 会自动变成下载。搜索了多种方法都没成功,大部分是要在配置中加入一段 php 的解析:location ~ \.php$ {
try_files $uri =404;
fastcgi_pass 127.0.0.1:9000;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include fastcgi_params;
}然而宝塔当前版本下,修改配置文件不起作用;通过上面的调用去查看 enable-php-74.conf 却发现没有修改的必要。卡了好久才反应过来:直接在 443 下调用 enable-php-74.conf 不就行了,毕竟 HTTP 下访问 80 时,PHP 是可以直不这解析的。于是配置文件修改成:server {
listen 443 ssl http2;
server_name rj.809022.xyz;
ssl on;
ssl_certificate /www/wwwroot/809022.xyz/rj.809022.xyz.cer; # 证书路径
ssl_certificate_key /www/wwwroot/809022.xyz/rj.809022.xyz.key; # 证书路径
ssl_session_timeout 5m;
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
root /www/wwwroot/809022.xyz;
这下终于加上了锁,还算是挺欣慰的。
-
X-UI添加SSL
https://www.941741.xyz/archives/10.html
2022-10-07T12:02:00+08:00
前面讲到了 acme.sh 申请、安装 SSL 证书,这里就不赘述了;证书下来后,针对 X-UI 还要安装一下安装证书文件到 root 目录下acme.sh --installcert -d 你的域名 --key-file /root/private.key --fullchain-file /root/cert.crt如此完成后,则:公钥文件路径:/root/cert.crt密钥文件路径:/root/private.key然后在 X-UI 里设置公钥和密钥生成的链接无法直接导入 Clash 订阅,如果怕麻烦不想自己搭建转换,可访问:https://bianyuan.xyz/转换后再导入 Clash 使用
-
SSL证书的申请
https://www.941741.xyz/archives/8.html
2022-10-07T10:47:00+08:00
昨天折腾了一通,主站的 SSL 搞定了;但是子目录 php 竟然无法运行,只好暂时终止。今天来折腾了一下这个子域名,顺便记录一下申请过程。1、先安装 acme.sh登录 SSH 后,切换到 root 帐号后面的 email 换成自己的邮箱地址curl https://get.acme.sh | sh -s email=申请用的电子邮箱安装完成后,要重启加载一下;或者关闭 SSH 重新登录一下source ~/.bashrc如果想保持 acme.sh 为最新,可开启自动更新acme.sh --upgrade --auto-upgrade2、创建用于存放证书的目录mkdir -p /var/www/letsencrypt3、acme.sh 支持 Let's Encrypt、Buypass、ZeroSSL 和 SSL.com,默认使用 ZeroSSL,切换命令:Let's Encryptacme.sh --set-default-ca --server letsencryptBuypassacme.sh --set-default-ca --server buypassSSL.comacme.sh --set-default-ca --server ssl.comZeroSSLacme.sh --set-default-ca --server zerossl4、配置 Nginx,用 HTTP 来验证证书签发域名、验证目录根据自己需求自定义server {
listen 80;
listen [::]:80;
server_name 自己的域名;
location /.well-known/acme-challenge {
# 自己定义的位置,用于校验服务器所有权
root /www/wwwroot/809022.xyz;
# 自己的网站目录
}
location / {
rewrite ^/(.*)$ https://$host/$1 permanent;
}
}5、申请证书--webroot 申请网站的根目录acme.sh --issue -d 自己的域名 --webroot /www/wwwroot/rj.809022.xyz如果有多个域名,之间用空格隔开;至于是不是支持泛域名,请自己 googleacme.sh --issue -d 域名1 -d 域名2 -w /www/wwwroot/rj.809022.xyz6、申请成功后显示[root@80smus ~]# acme.sh --issue -d rj.809022.xyz --webroot /www/wwwroot/rj.809022.xyz
[Thu Oct 6 16:59:46 CST 2022] Using CA: https://acme-v02.api.letsencrypt.org/directory
[Thu Oct 6 16:59:46 CST 2022] Single domain='rj.809022.xyz'
[Thu Oct 6 16:59:46 CST 2022] Getting domain auth token for each domain
[Thu Oct 6 17:00:09 CST 2022] Getting webroot for domain='rj.809022.xyz'
[Thu Oct 6 17:00:09 CST 2022] Verifying: rj.809022.xyz
[Thu Oct 6 17:00:12 CST 2022] Pending, The CA is processing your order, please just wait. (1/30)
[Thu Oct 6 17:00:17 CST 2022] Success
[Thu Oct 6 17:00:17 CST 2022] Verify finished, start to sign.
[Thu Oct 6 17:00:17 CST 2022] Lets finalize the order.
[Thu Oct 6 17:00:17 CST 2022] Le_OrderFinalize='https://acme-v02.api.letsencrypt.org/acme/finalize/762972326/132022859836'
[Thu Oct 6 17:00:21 CST 2022] Downloading cert.
[Thu Oct 6 17:00:21 CST 2022] Le_LinkCert='https://acme-v02.api.letsencrypt.org/acme/cert/03763b64c7f5f1a8cf1c65c70af0f87700d2'
[Thu Oct 6 17:00:24 CST 2022] Cert success.
-----BEGIN CERTIFICATE-----
这里显示的是密钥
-----END CERTIFICATE-----
[Thu Oct 6 17:00:24 CST 2022] Your cert is in: /root/.acme.sh/rj.809022.xyz/rj.809022.xyz.cer
[Thu Oct 6 17:00:24 CST 2022] Your cert key is in: /root/.acme.sh/rj.809022.xyz/rj.809022.xyz.key
[Thu Oct 6 17:00:24 CST 2022] The intermediate CA cert is in: /root/.acme.sh/rj.809022.xyz/ca.cer
[Thu Oct 6 17:00:24 CST 2022] And the full chain certs is there: /root/.acme.sh/rj.809022.xyz/fullchain.cer7、安装申请到的证书从上面返回的信息判断证书的保存目录在 /root/.acme.sh/rj.809022.xyz/一般不推荐证书放到 root 目录使用,所以新建个目录把证书 cer key 复制过去(或者在网站根目录下建立 cert 目录用于存放:mkdir -p /www/nginx/ssl
cp /root/.acme.sh/rj.809022.xyz/rj.809022.xyz.cer /www/nginx/ssl/rj.809022.xyz.cer
cp /root/.acme.sh/rj.809022.xyz/rj.809022.xyz.key /www/nginx/ssl/rj.809022.xyz.key听说安卓手机验证可能会有问题,所以运行一下下面的命令acme.sh --installcert -d rj.809022.xyz --keypath /www/nginx/ssl/rj.809022.xyz.key --fullchainpath /www/nginx/ssl/rj.809022.xyz.cer8、重新配置 Nginxserver {
listen 443 ssl http2;
server_name rj.809022.xyz;
ssl on;
ssl_certificate /www/nginx/ssl/rj.809022.xyz.cer; # 证书路径
ssl_certificate_key /www/nginx/ssl/rj.809022.xyz.key; # 证书路径
ssl_session_timeout 5m;
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
root /www/wwwroot/rj.809022.xyz;
index index.html index.htm;
location / {
try_files $uri $uri/ =404;
}
}
# 强制 http 跳转 https
server {
listen 80;
server_name rj.809022.xyz;
return 301 https://$server_name$request_uri;
}9、重启 Nginx我因为安装了宝塔,所以上面的一些建立目录、复制、包括现在重启服务,都是在宝塔下鼠标点击操作之后重启打开自己的网站就会发现上锁了10、附加一些命令手动更新证书acme.sh --renew -d 这里填写你的域名 --force证书列表acme.sh --list停止更新acme.sh --remove -d 要停止服务的域名