一、简介
本文介绍如何在 Ubuntu 系统上为 Nginx 服务器配置 HTTPS。我们使用 Let's Encrypt 这一广受欢迎的免费证书颁发机构获取 SSL/TLS 证书;整个流程的核心是 Certbot 工具,通过它自动为域名申请 Let's Encrypt 证书;最后修改 Nginx 的配置文件,添加 HTTPS 支持。
二、安装 certbot
打开终端,执行下面命令,即可完成 certbot 工具的安装。安装完成后,可以使用 --version 参数验证是否安装成功。
bash
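# Install certbot from the Ubuntu archive. The packaged version can lag well
# behind upstream (Let's Encrypt's own instructions recommend the snap package);
# an older client still works for HTTP-01 issuance, but compare the version
# printed below with the current release before relying on newer flags.
sudo apt update   # optional, but keeps the package index current
sudo apt install certbot

# Verify the install. Printing the version does not touch /etc/letsencrypt,
# so no sudo is needed here.
certbot --version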
三、获取证书
获取证书前,确保域名 xxxx.yourdomain.com 已解析到本服务器的公网 IP。certbot 的 standalone 模式会自己监听 80 端口完成 HTTP-01 验证,因此需先停止占用 80 端口的服务(如 Nginx/Apache),验证完成后再启动;注意之后每次自动续期同样需要临时释放 80 端口。打开终端,执行下面命令,即可获取 xxxx.yourdomain.com 的证书。
bash
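# Issue the certificate with the standalone HTTP-01 responder. certbot binds
# port 80 itself, so nothing else may be listening there (stop nginx first).
# The pre/post hooks are persisted in /etc/letsencrypt/renewal/<domain>.conf
# and replayed by `certbot renew` (the packaged systemd timer), so unattended
# renewals also free port 80 instead of failing while nginx holds it.
# Replace the domain and e-mail placeholders with your own values.
sudo certbot certonly --standalone -d xxxx.yourdomain.com \
  --email youremail@163.com --agree-tos --non-interactive \
  --pre-hook 'systemctl stop nginx' \
  --post-hook 'systemctl start nginx'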
获取的证书将存储在 /etc/letsencrypt/live/xxxx.yourdomain.com 目录下,可以通过下面命令进行查看。
bash
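# live/ holds symlinks to the current files under archive/; the directory is
# not world-readable, hence sudo. nginx loads fullchain.pem and privkey.pem.
sudo ls -la /etc/letsencrypt/live/xxxx.yourdomain.com/

# Confirm the subject and validity window of what was actually issued.
sudo openssl x509 -noout -subject -dates \
  -in /etc/letsencrypt/live/xxxx.yourdomain.com/cert.pem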
证书有效期:90 天;证书类型:仅 DV(域名验证);续期:certbot 的 apt 包会安装 systemd 定时任务(certbot.timer),在证书剩余有效期不足 30 天时自动尝试续期,即大约每 60 天续一次,无需手动干预;续期次数无限制,但受 Let's Encrypt 的速率限制约束。
四、配置 nginx.conf
打开 Nginx 主配置文件(Ubuntu 上通常是 /etc/nginx/nginx.conf,并非 nginx.cfg),重点在 # HTTPS 服务器 这行注释下面的 server {...};其余部分相对简单,可自行了解。修改后先用 sudo nginx -t 检查语法,再重载 Nginx。
bash
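# Worker processes run as this user. The `nginx` account exists with the
# nginx.org packages; Ubuntu's own nginx package creates `www-data` instead,
# and nginx refuses to start if the named user does not exist.
user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log notice;
pid /var/run/nginx.pid;

events {
    worker_connections 1024;
}

http {
    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';
    access_log /var/log/nginx/access.log main;

    sendfile on;
    keepalive_timeout 65;

    # HTTP/2 for all TLS listeners. The http-level `http2` directive only exists
    # in nginx >= 1.25.1; older builds (e.g. the Ubuntu 22.04/24.04 packages)
    # fail `nginx -t` with "unknown directive". On those, delete this line and
    # write `listen 443 ssl http2;` in the HTTPS server block instead.
    http2 on;

    # Proxy defaults. NOTE: nginx does not merge proxy_set_header across levels.
    # A location that declares any proxy_set_header of its own drops ALL of
    # these, so such locations (see /portainer/) must restate the ones they
    # still need.
    proxy_http_version 1.1;
    proxy_set_header Connection "";
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Forwarded-Host $host;
    proxy_set_header X-Forwarded-Port $server_port;

    # Send "Connection: upgrade" only on real WebSocket handshakes; ordinary
    # requests get "close" instead of an unconditional upgrade.
    map $http_upgrade $connection_upgrade {
        default upgrade;
        ''      close;
    }

    # Proxy buffering
    proxy_buffering on;
    proxy_buffer_size 16k;
    proxy_buffers 4 32k;
    proxy_busy_buffers_size 64k;

    include /etc/nginx/conf.d/*.conf;

    upstream xxxx_graphql_dev {
        server 127.0.0.1:8089;
    }
    upstream portainer_backend {
        server 127.0.0.1:9000;
    }

    # HTTP server: never proxy application traffic in clear text -- redirect
    # every request to HTTPS. (The original proxied port 80 straight to the
    # backend, and referenced an upstream name that is not defined above.)
    server {
        listen 80;
        server_name xxxx.yourdomain.com;

        # Only used if renewals are later switched to `certbot --webroot -w
        # /var/www/certbot`; harmless (404) otherwise. With --standalone plus
        # pre/post hooks that stop/start nginx, this block is not needed.
        location /.well-known/acme-challenge/ {
            root /var/www/certbot;
        }

        location / {
            # $server_name rather than $host: this is the only (hence default)
            # server on :80, so $host would reflect any client-supplied Host
            # header into the redirect target.
            return 301 https://$server_name$request_uri;
        }
    }

    # HTTPS server
    server {
        listen 443 ssl;
        server_name xxxx.yourdomain.com;

        # Certificate issued by certbot (see section 3). live/ holds symlinks
        # that certbot re-points on renewal; nginx must be reloaded afterwards
        # to pick up the new files.
        ssl_certificate /etc/letsencrypt/live/xxxx.yourdomain.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/xxxx.yourdomain.com/privkey.pem;

        # TLS settings
        ssl_protocols TLSv1.2 TLSv1.3;
        # AEAD-only ECDHE suites for both ECDSA and RSA certificates. certbot
        # >= 2.0 issues ECDSA keys by default, so an RSA-only list would break
        # every TLS 1.2 client. The previous list also named suites that do not
        # exist (*-AES256-GCM-SHA512; OpenSSL silently ignores them) and DHE
        # suites, which nginx never offers unless ssl_dhparam is configured.
        # TLS 1.3 suites are not governed by this directive.
        ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
        ssl_prefer_server_ciphers off;
        ssl_session_cache shared:SSL:10m;
        ssl_session_timeout 10m;

        # HSTS: browsers that have seen this header refuse plain HTTP for the
        # host. Start with a short max-age (e.g. 300) while testing -- a long
        # value is hard to undo. `always` also emits it on error responses.
        add_header Strict-Transport-Security "max-age=63072000" always;

        # OCSP stapling is left off. Let's Encrypt has been retiring OCSP in
        # favour of CRLs (2025), so newer certificates carry no OCSP URL and
        # stapling has nothing to fetch. If it is re-enabled for a certificate
        # that does have one, a `resolver` is mandatory -- nginx logs a warning
        # and silently skips stapling without it.
        # ssl_stapling on;
        # ssl_stapling_verify on;
        # resolver 8.8.8.8 8.8.4.4 valid=300s;
        # resolver_timeout 5s;

        # Portainer is a Docker management UI; consider restricting this path
        # (allow/deny, or a VPN) rather than exposing its login page publicly.
        location /portainer/ {
            proxy_pass http://portainer_backend/;
            proxy_pass_request_headers on;
            proxy_redirect off;
            # Restated: declaring proxy_set_header here discards the http-level
            # set, so without these Portainer would see Host=portainer_backend
            # and no X-Forwarded-Proto.
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header X-Forwarded-Host $host;
            proxy_set_header X-Forwarded-Port $server_port;
            # WebSocket support over HTTPS
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection $connection_upgrade;
        }

        location = /portainer {
            return 301 https://$host/portainer/;
        }

        location / {
            proxy_pass http://xxxx_graphql_dev;
            proxy_pass_request_headers on;
            proxy_redirect off;
        }
    }
}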