Nginx + Let's Encrypt: serving Qiniu bucket resources over HTTPS

In the previous article, Binding a custom domain to a Qiniu cloud storage bucket and upgrading it to HTTPS with Qiniu's free SSL certificate, we covered how to upgrade a custom domain to HTTPS using the free SSL certificate Qiniu provides.

I wonder whether others share my worry: what if Qiniu's SSL certificates stop being free after a year? Several thousand yuan per domain per year is no small expense for an individual or a small company.

It would be ideal if the domain bound to the Qiniu bucket could use a free certificate such as one from Let's Encrypt.
However, Qiniu currently does not support short-lived free certificates like those from Let's Encrypt.

Below I describe a way to access Qiniu resources over HTTPS using Nginx + Let's Encrypt.

1. Preparation

  1. A caveat first: this approach effectively gives up the CDN advantages of Qiniu cloud storage, because every request now passes through your own server. It only suits individuals and small companies with low traffic.
  2. You need a domain name.
  3. The Qiniu bucket should already be bound to a custom domain; see the previous article if you are not sure how. The domain I bound is md.ws65535.top.
  4. You need a Linux server with a public IP. My server's IP is 54.191.48.61 and it runs Ubuntu 14.04. Other distributions work the same way; only the package installation commands and directory layout differ slightly.

2. Installing Nginx

1. Install nginx

ubuntu@ip-172-31-27-111:~$ sudo apt-get install nginx

2. Check the nginx version

ubuntu@ip-172-31-27-111:~$ nginx -v
nginx version: nginx/1.4.6 (Ubuntu)

3. Start nginx and confirm it is listening on port 80

ubuntu@ip-172-31-27-111:~$ sudo service nginx start

ubuntu@ip-172-31-27-111:~$ ss -tln
State      Recv-Q Send-Q               Local Address:Port                 Peer Address:Port
LISTEN     0      128                              *:80                    *:*
LISTEN     0      128                              *:22                    *:*
LISTEN     0      128                             :::80                    :::*
LISTEN     0      128                             :::22                    :::*

4. Check that nginx is installed and serving the default page

ubuntu@ip-172-31-27-111:~$ curl http://54.191.48.61
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
    body {
        width: 35em;
        margin: 0 auto;
        font-family: Tahoma, Verdana, Arial, sans-serif;
    }
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>

<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p>

<p><em>Thank you for using nginx.</em></p>
</body>
</html>

3. Configuring an Nginx reverse proxy that forwards every request for qiniu-ssl.ws65535.top to md.ws65535.top

1. sudo vim /etc/nginx/sites-enabled/qiniu-ssl

server {
    # no listen directive: nginx defaults to *:80 when run as root
    server_name qiniu-ssl.ws65535.top;

    location / {
        # note: this hop from nginx to Qiniu is plain HTTP
        proxy_pass http://md.ws65535.top;
    }
}

After editing, check the syntax with sudo nginx -t and then reload the configuration with sudo nginx -s reload. Note that proxy_pass http://md.ws65535.top means nginx fetches from Qiniu over plain HTTP: the certificate installed in section 4 encrypts only the browser-to-nginx hop, not the whole path to the bucket. Also be aware that nginx resolves the hostname in proxy_pass once when the configuration is loaded and keeps using that IP until the next reload, so a change of the Qiniu CDN address is not picked up automatically.

2. Log in to your DNS provider's console (Alibaba Cloud in this example) and add a DNS record.

Record type A, host record qiniu-ssl (that is, qiniu-ssl.ws65535.top), record value 54.191.48.61.
The http-01 challenge in section 4 needs this record to have propagated and port 80 of the server to be reachable from the Internet, so do this before running certbot.

3. You can now use qiniu-ssl.ws65535.top in place of md.ws65535.top to access resources in the Qiniu bucket.

For example
http://qiniu-ssl.ws65535.top/xsj/2018_8_6_2018-08-06_181854.jpg
fetches the following resource
http://md.ws65535.top/xsj/2018_8_6_2018-08-06_181854.jpg

4. Installing the HTTPS certificate

Only the Ubuntu 14.04 installation steps are recorded here.

1. Install Certbot (these are the steps for the Certbot PPA as it existed in 2018; the PPA has since been retired in favour of the snap package, so on a current system follow Certbot's own installation instructions instead)

$ sudo apt-get update
$ sudo apt-get install software-properties-common
$ sudo add-apt-repository ppa:certbot/certbot
$ sudo apt-get update
$ sudo apt-get install python-certbot-nginx

2. Obtain and install the certificate

$ sudo certbot --nginx

Example run:

ubuntu@ip-172-31-27-111:~$ sudo certbot --nginx
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx

Which names would you like to activate HTTPS for?
-------------------------------------------------------------------------------
1: agency.ws65535.xyz
2: qiniu-ssl.ws65535.top
-------------------------------------------------------------------------------
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 2 # choose qiniu-ssl.ws65535.top here
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for qiniu-ssl.ws65535.top
Waiting for verification...
Cleaning up challenges
Deploying Certificate to VirtualHost /etc/nginx/sites-enabled/qiniu-ssl

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
-------------------------------------------------------------------------------
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2 # redirect plain-HTTP requests to HTTPS
Redirecting all traffic on port 80 to ssl in /etc/nginx/sites-enabled/qiniu-ssl

-------------------------------------------------------------------------------
Congratulations! You have successfully enabled https://qiniu-ssl.ws65535.top

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=qiniu-ssl.ws65535.top
-------------------------------------------------------------------------------

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/qiniu-ssl.ws65535.top/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/qiniu-ssl.ws65535.top/privkey.pem
   Your cert will expire on 2018-11-04. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot again
   with the "certonly" option. To non-interactively renew *all* of
   your certificates, run "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

3. The configuration file /etc/nginx/sites-enabled/qiniu-ssl has now been modified by certbot

ubuntu@ip-172-31-27-111:~$ cat /etc/nginx/sites-enabled/qiniu-ssl
server {
    server_name qiniu-ssl.ws65535.top;

    location / {
        proxy_pass http://md.ws65535.top;
    }


    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/qiniu-ssl.ws65535.top/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/qiniu-ssl.ws65535.top/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

}
server {
    if ($host = qiniu-ssl.ws65535.top) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    server_name qiniu-ssl.ws65535.top;
    listen 80;
    return 404; # managed by Certbot
}

4. Requesting http://qiniu-ssl.ws65535.top/xsj/2018_8_6_2018-08-06_181854.jpg now returns a 301 redirect to https://qiniu-ssl.ws65535.top/xsj/2018_8_6_2018-08-06_181854.jpg

5. Let's Encrypt certificates are valid for 90 days, so renewal has to be scheduled. Two things to get right: certbot renew --dry-run only rehearses the renewal against the staging environment and never installs a new certificate, so --dry-run must not appear in the cron line (run sudo certbot renew --dry-run once by hand to confirm renewal works, then schedule the real command); and the certbot package on Debian/Ubuntu normally installs its own /etc/cron.d/certbot, so check for that before adding a second job. certbot renew only replaces certificates that have fewer than 30 days left, so running it twice a day is cheap and is what Certbot recommends; a monthly run also works but leaves little slack if one run fails.

  • sudo vim /etc/crontab
# Check twice a day; certbot only replaces certificates with fewer than 30 days left,
# and the deploy hook reloads nginx whenever a certificate actually changes
19 3,15 * * * root /usr/bin/certbot renew --quiet --deploy-hook "service nginx reload"
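As an added example (not configuration from the original post), here is a hardened version of /etc/nginx/sites-enabled/qiniu-ssl that combines the reverse-proxy block from section 3 with the certificate settings certbot wrote in section 4. It assumes nginx 1.7.5 or newer (the proxy_ssl_* directives and add_header ... always are not in the 1.4.6 that Ubuntu 14.04 ships, so install nginx from nginx.org's repository first), that md.ws65535.top still answers HTTPS with a valid certificate so the nginx-to-Qiniu hop can be encrypted and verified, that the Ubuntu CA bundle lives at /etc/ssl/certs/ca-certificates.crt, and that 8.8.8.8 and 1.1.1.1 stand in for whatever resolver your server actually uses.

```nginx
# Added example, not the original post's config.
# Assumes nginx >= 1.7.5, a valid certificate on md.ws65535.top,
# the Ubuntu CA bundle path, and a resolver you choose yourself.

server {
    listen 443 ssl;
    server_name qiniu-ssl.ws65535.top;

    # Certificate material as written by certbot in section 4
    ssl_certificate     /etc/letsencrypt/live/qiniu-ssl.ws65535.top/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/qiniu-ssl.ws65535.top/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

    # Tell browsers to stay on HTTPS for this host. The certbot redirect alone
    # still leaves the first request of every new session on plain HTTP.
    add_header Strict-Transport-Security "max-age=31536000" always;

    # Putting the upstream name in a variable makes nginx re-resolve it at
    # runtime (every 5 minutes here) instead of pinning the IP it saw at
    # startup. A resolver is mandatory once proxy_pass uses a variable.
    resolver 8.8.8.8 1.1.1.1 valid=300s;   # assumption: use your own resolver
    set $origin md.ws65535.top;

    location / {
        # The bucket is read-only through this proxy; refuse anything else
        limit_except GET HEAD { deny all; }

        # Encrypt the second hop as well and verify Qiniu's certificate and
        # hostname. Without this, TLS only covers browser -> this server.
        proxy_pass https://$origin;
        proxy_set_header Host $origin;
        proxy_ssl_server_name on;          # send SNI so the CDN picks the right cert
        proxy_ssl_name $origin;            # hostname to verify against
        proxy_ssl_verify on;
        proxy_ssl_verify_depth 2;
        proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
        proxy_ssl_protocols TLSv1.2;

        # Do not leak anything the browser sent for this domain to the origin;
        # an empty value removes the header entirely
        proxy_set_header Cookie "";
        proxy_set_header Authorization "";
    }
}

server {
    listen 80;
    server_name qiniu-ssl.ws65535.top;

    # Redirect inside location / rather than at server level, so a more
    # specific /.well-known/acme-challenge/ location inserted by certbot's
    # nginx plugin during renewal still takes precedence.
    location / {
        return 301 https://$host$request_uri;
    }
}
```

Check it with sudo nginx -t and reload with sudo nginx -s reload. If the Qiniu custom domain ever loses its certificate, the fallback is proxy_pass http://$origin; with the proxy_ssl_* lines removed, at which point the certificate on this server protects only the browser-to-nginx hop and requests cross the public Internet to Qiniu in cleartext, which is the situation the section 3 configuration is in today.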