Installation

```bash
sudo apt update
sudo apt install nginx -y
sudo nginx -t
```
Configuring the SSL certificate

I bought my domain from Alibaba Cloud (Aliyun), so the steps below assume Aliyun. certbot and the matching Aliyun DNS plugin are installed in a Python virtual environment:

```bash
sudo apt update
sudo apt install python3-venv libaugeas0 -y
sudo python3 -m venv /opt/certbot
sudo /opt/certbot/bin/pip install --upgrade pip
sudo /opt/certbot/bin/pip install certbot certbot-dns-aliyun
sudo ln -sf /opt/certbot/bin/certbot /usr/local/bin/certbot
```
In the Alibaba Cloud RAM console, create a new user, grant it the AliyunDNSFullAccess permission, create an AccessKey and note down its ID and secret, then create the credentials file and write them in:

```bash
sudo mkdir -p /etc/letsencrypt
sudo vim /etc/letsencrypt/aliyun.ini
```

Contents of `/etc/letsencrypt/aliyun.ini`:

```ini
dns_aliyun_access_key = 你的AccessKey ID
dns_aliyun_access_key_secret = 你的AccessKey Secret
```

Restrict the file to root only, since this key can change every DNS record in the zone:

```bash
sudo chmod 600 /etc/letsencrypt/aliyun.ini
```
Requesting a wildcard certificate

```bash
sudo certbot certonly \
  --authenticator dns-aliyun \
  --dns-aliyun-credentials /etc/letsencrypt/aliyun.ini \
  -d "djj45.cn" \
  -d "*.djj45.cn" \
  --non-interactive \
  --agree-tos \
  -m mail@xxx.com
```
Setting up a cron job to renew the certificate automatically

```bash
sudo crontab -e
```

Add this line to root's crontab (runs daily at 03:00; nginx is reloaded only when a certificate was actually renewed):

```crontab
0 3 * * * /usr/local/bin/certbot renew --quiet --deploy-hook "sudo systemctl reload nginx"
```

Then confirm the entry was saved:

```bash
sudo crontab -l
```
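The credentials file above holds a key with full DNS control, and the cron job is the only thing keeping the certificate from expiring, so it is worth checking both after setup. The following POSIX shell script is an added example (not part of the original post); it assumes a Linux host with GNU `stat` and `openssl`, and the paths are the ones used on this page.

```shell
#!/bin/sh
# Added example: post-setup sanity checks for the certbot/Aliyun setup.

# check_secret_file FILE [OWNER]
# 0 if FILE is a regular file owned by OWNER (default root) with no
# group/other permission bits (0600 or stricter), else 1 with a reason.
check_secret_file() {
    file=$1
    owner=${2:-root}
    if [ ! -f "$file" ]; then
        echo "FAIL: $file is not a regular file"; return 1
    fi
    mode=$(stat -c '%a' "$file") || return 1      # GNU stat (assumed)
    fowner=$(stat -c '%U' "$file") || return 1
    if [ "$fowner" != "$owner" ]; then
        echo "FAIL: $file owned by $fowner, expected $owner"; return 1
    fi
    perm=$(printf '%s' "$mode" | tail -c 3)      # last three octal digits
    case "$perm" in
        ?00) echo "OK: $file is mode $mode, owned by $owner"; return 0 ;;
        *)   echo "FAIL: $file has mode $mode, expected 600"; return 1 ;;
    esac
}

# check_cron_renew CRONTAB_TEXT
# 0 if a non-commented line schedules 'certbot renew', else 1.
check_cron_renew() {
    if printf '%s\n' "$1" | grep -v '^[[:space:]]*#' | grep -q 'certbot renew'; then
        echo "OK: a 'certbot renew' job is scheduled"; return 0
    fi
    echo "FAIL: no 'certbot renew' entry found in crontab"; return 1
}

# check_cert_expiry CERT [DAYS]
# 0 if CERT is still valid for more than DAYS days (default 30), else 1.
check_cert_expiry() {
    cert=$1
    days=${2:-30}
    if openssl x509 -noout -checkend $((days * 86400)) -in "$cert" >/dev/null 2>&1; then
        echo "OK: $cert valid for more than $days days"; return 0
    fi
    echo "FAIL: $cert expires within $days days (or is unreadable)"; return 1
}

# run_all: the checks with this page's paths; run as root after setup.
run_all() {
    check_secret_file /etc/letsencrypt/aliyun.ini
    check_cron_renew "$(crontab -l 2>/dev/null)"
    check_cert_expiry /etc/letsencrypt/live/djj45.cn/fullchain.pem 30
}
```

Source the file and call `run_all` as root; each check prints OK or FAIL with the reason.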
Common commands

```bash
sudo nginx -t
sudo service nginx start
sudo service nginx stop
sudo service nginx restart
```
Common paths

```bash
cd /etc/nginx/sites-enabled
```
Removing the default config

Remove nginx's default welcome page:

```bash
sudo service nginx stop
cd /etc/nginx/sites-enabled/
sudo rm default
sudo nginx -t
sudo service nginx start
```
nginx config file

```bash
cd /etc/nginx/sites-enabled/
sudo vim djj45.cn
```
Create the config file and fill in the following:

```nginx
# Catch-all for requests whose Host header matches no configured site:
# close the connection without a response (444) instead of serving the
# first site by accident.
server {
    listen 80 default_server;
    server_name _;
    return 444;
}

# Same for HTTPS: reject the TLS handshake for unknown SNI names, so the
# real certificate is never presented for hostnames we do not serve.
server {
    listen 443 ssl http2 default_server;
    server_name _;
    ssl_reject_handshake on;
    return 444;
}

# Redirect plain HTTP for the site to HTTPS.
server {
    listen 80;
    server_name djj45.cn;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl http2;
    server_name djj45.cn;
    ssl_certificate /etc/letsencrypt/live/djj45.cn/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/djj45.cn/privkey.pem;

    # TLS 1.2+ with forward-secret AEAD suites only.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256';
    ssl_prefer_server_ciphers on;

    location / {
        root /var/www/html/public;
        index index.html;
    }

    access_log /var/log/nginx/djj45.cn_access.log;
    error_log /var/log/nginx/djj45.cn_error.log;
}
```
Create a second config file and write in the following:

```bash
cd /etc/nginx/sites-enabled/
sudo vim openclaw
```
```nginx
# Map the client's Upgrade header to the Connection header we send upstream,
# so WebSocket upgrades are forwarded and plain requests get "close".
map $http_upgrade $connection_upgrade {
    default upgrade;
    '' close;
}

# The backend listens on localhost only; nginx is the sole public entry point.
upstream openclaw_backend {
    server 127.0.0.1:18789;
    keepalive 64;
}

server {
    listen 80;
    server_name openclaw.djj45.cn;
    return 301 https://$server_name$request_uri;
}

server {
    listen 443 ssl http2;
    server_name openclaw.djj45.cn;

    # The wildcard certificate for *.djj45.cn covers this host too.
    ssl_certificate /etc/letsencrypt/live/djj45.cn/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/djj45.cn/privkey.pem;

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;

    client_max_body_size 100M;

    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;

    location / {
        proxy_pass http://openclaw_backend;
        proxy_http_version 1.1;

        # Headers set here replace the server-level ones for this location.
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        # Disable buffering/caching so WebSocket and streaming responses
        # pass through unchanged.
        proxy_buffering off;
        proxy_cache off;
    }

    access_log /var/log/nginx/openclaw.djj45.cn_access.log;
    error_log /var/log/nginx/openclaw.djj45.cn_error.log;
}
```
I set up two services and created DNS records for djj45.cn and openclaw.djj45.cn in Alibaba Cloud; I won't go into the DNS part here. Once the configuration is done:

```bash
sudo nginx -t
sudo service nginx restart
```