Nginx SSL Reverse Proxy
The reverse proxy part is based on: http://027886.xyz/archives/358
apt-get -y install git
git clone https://github.com/letsencrypt/letsencrypt
cd letsencrypt
./letsencrypt-auto certonly --standalone --email admin@xxx.com -d xxx.com
./certbot-auto certonly --standalone --email admin@xxx.com -d xxx.com
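Once the Let's Encrypt certificate has been generated, the domain directory "/etc/letsencrypt/live/xxx.com/" contains 4 files, which are the generated key and certificate files.
cert.pem - server certificate for Apache
chain.pem - root and intermediate certificates for Apache
fullchain.pem - the ssl_certificate file that Nginx needs
privkey.pem - the certificate's private key file
Let's Encrypt certificates are valid for 90 days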
30 2 * * 1 ./letsencrypt-auto certonly --renew-by-default --email admin@xxx.com -d xxx.com
Example:
server {
    listen 80;
    server_name xxx.com;
    rewrite ^(.*) https://$server_name$1 permanent;
}
server {
    listen 443 ssl;
    server_name xxx.com; # bound domain name
    ssl on; # redundant with "listen 443 ssl"; this directive was removed in nginx 1.25.1
    ssl_certificate /etc/letsencrypt/live/xxx.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/xxx.com/privkey.pem;
    location / {
        # begin added section
        #subs_filter_types text/html text/css text/xml;
        subs_filter yyy.com xxx.com gi;
        # the cache_one zone must be defined with proxy_cache_path in the http block
        proxy_cache cache_one;
        proxy_cache_valid 200 304 3h;
        proxy_cache_valid 301 3d;
        proxy_cache_valid any 10s;
        proxy_pass https://yyy.com;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Accept-Encoding ""; # very important: the upstream must reply uncompressed so subs_filter can rewrite the body
        # end added section
    }
}
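The location block above forwards to https://yyy.com, but nginx neither verifies the upstream certificate nor sends SNI unless told to, and the server block leaves the TLS protocol list at its default. The variant below is an added example, not part of the original post. It assumes nginx 1.13.0 or later built against OpenSSL 1.1.1 or later (newer than the 1.2.8 build on this page) and the Debian/Ubuntu CA bundle path.

```nginx
# Added example. xxx.com / yyy.com are the page's placeholders.
# Assumptions: nginx >= 1.13.0, OpenSSL >= 1.1.1, Debian/Ubuntu CA bundle path,
# and a cache_one zone already defined in the http block as on the page.
server {
    listen 443 ssl;
    server_name xxx.com;

    ssl_certificate     /etc/letsencrypt/live/xxx.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/xxx.com/privkey.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;   # refuse SSLv3, TLS 1.0 and TLS 1.1 clients

    location / {
        proxy_pass https://yyy.com;

        # Upstream TLS: both of these are "off" by default, so without them
        # the proxy accepts any certificate presented on the upstream connection.
        proxy_ssl_server_name  on;          # send SNI to the upstream
        proxy_ssl_name         yyy.com;     # name sent in SNI and checked in the certificate
        proxy_ssl_verify       on;          # validate the upstream certificate chain
        proxy_ssl_verify_depth 2;           # leaf -> intermediate -> root
        proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
        proxy_ssl_protocols    TLSv1.2 TLSv1.3;

        # Unchanged from the page's configuration
        subs_filter yyy.com xxx.com gi;
        proxy_cache cache_one;
        proxy_cache_valid 200 304 3h;
        proxy_cache_valid 301 3d;
        proxy_cache_valid any 10s;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Accept-Encoding "";
    }
}
```

If requests start failing after this change, the nginx error log reports an upstream SSL certificate verify error; correct the CA bundle path or proxy_ssl_name rather than switching verification off.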
wget http://www.openssl.org/source/openssl-1.0.1e.tar.gz
tar zxvf openssl-1.0.1e.tar.gz
cd /root/nginx-1.2.8
./configure --user=www --group=www --prefix=/usr/local/nginx --with-http_stub_status_module --with-http_ssl_module --with-http_gzip_static_module --with-ipv6 --with-http_sub_module --add-module=/root/ngx_http_substitutions_filter_module --with-openssl=/root/openssl-1.0.1e --with-openssl-opt="enable-tlsext"
Confirm that TLS SNI is enabled
nginx -V
apt install net-tools
netstat -lntp
Check whether port 80 is being used by other software
Stop Apache2
service apache2 stop
kill -9 $(ps -ef|grep "apache2"|grep -v "grep"|awk '{print $2}')
Disable start at boot (Debian/Ubuntu only)
update-rc.d -f apache2 remove
Uninstall Apache2
apt-get remove --purge apache2
