Tim*_*imo 5 javascript ssl nginx node.js greenlock
我正在尝试设置greenlock-express来运行nginx代理.
这是我的nginx配置
...
# redirect
server {
listen 80;
listen [::]:80;
server_name mydomain.com;
location / {
return 301 https://$server_name$request_uri;
}
}
# serve
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name mydomain.com;
# SSL settings
ssl on;
ssl_certificate C:/path/to/mydomain.com/fullchain.pem;
ssl_certificate_key C:/path/to/mydomain.com/privkey.pem;
# enable session resumption to improve https performance
ssl_session_cache shared:SSL:50m;
ssl_session_timeout 1d;
ssl_session_tickets off;
# enables server-side protection from BEAST attacks
ssl_prefer_server_ciphers on;
# disable SSLv3(enabled by default since nginx 0.8.19) since it's less secure then TLS
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
# ciphers chosen for forward secrecy and compatibility
ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
# enable OCSP stapling (mechanism by which a site can convey certificate revocation information to visitors in a privacy-preserving, scalable manner)
resolver 8.8.8.8 8.8.4.4;
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate C:/path/to/mydomain.com/chain.pem;
# config to enable HSTS(HTTP Strict Transport Security) https://developer.mozilla.org/en-US/docs/Security/HTTP_Strict_Transport_Security
add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload";
# added to make handshake take less resources
keepalive_timeout 70;
location / {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_set_header X-NginX-Proxy true;
proxy_pass https://127.0.0.1:3001/;
proxy_redirect off;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}
}
...
我有节点服务器在端口3000(http)和端口3001(https)上运行.其他一切似乎都有效,但证书不会更新并在3个月后过期.
如果我关闭了nginx并在端口80(http)和端口443(https)上运行了节点服务器,那么它会更新证书.
我确保将.well-known/acme-challenge其转发到节点服务器,即当我转到url时,http(s)://mydomain.com/.well-known/acme-challenge/randomstr我得到以下响应:
{
"error": {
"message": "Error: These aren't the tokens you're looking for. Move along."
}
}
您看到的错误是,当将令牌放入您的
\n\nwebroot/.well-known/acme-challenge/token
\n\n然后 Let\xe2\x80\x99s Encrypt 尝试从互联网验证这一点。访问http://yourdomain/.well-known/acme-challenge/token会出现 404 错误 - 找不到页面。我无法确定为什么它会得到\xe2\x80\x99s 404。如果您自己将文件放在那里,可以通过互联网访问它吗?
\n\n如果您想知道有几种自动更新 SSL 的方法,而无需重新启动 nginx。大多数 nginx 用户似乎更喜欢的是 webroot 插件:首先,使用以下命令获取新证书:
\n\ncertbot certonly --webroot -w /path/to/your/webroot -d example.com --post-hook="service nginx reload"\n然后设置一个 cron 作业certbot每天运行 renew 一次或两次;它只会在实际更新证书时运行后挂钩。--pre-hook如果您想停下nginx来运行,也可以使用标志certbot标志。
还有\xe2\x80\x99s 还有一个完整的 nginx 插件,你可以使用它激活--nginx. 它\xe2\x80\x99s 仍在测试中,因此请自行承担实验风险并报告任何错误。
没有10post-hook标志将负责重新加载 nginx 上传更新您的证书
| 归档时间: |
|
| 查看次数: |
486 次 |
| 最近记录: |