{"id":20207290,"url":"https://github.com/furiouspws002/nginx-ssl","last_synced_at":"2025-11-30T12:07:38.411Z","repository":{"id":105227937,"uuid":"159304206","full_name":"FuriousPws002/nginx-ssl","owner":"FuriousPws002","description":"Configure nginx SSL on an Alibaba Cloud server using acme.sh","archived":false,"fork":false,"pushed_at":"2018-11-27T08:52:23.000Z","size":2,"stargazers_count":1,"open_issues_count":0,"forks_count":0,"subscribers_count":2,"default_branch":"master","last_synced_at":"2025-01-13T21:08:27.205Z","etag":null,"topics":["acmesh","letsencrypt","nginx","ssl"],"latest_commit_sha":null,"homepage":null,"language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/FuriousPws002.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2018-11-27T08:49:11.000Z","updated_at":"2024-12-03T00:51:10.000Z","dependencies_parsed_at":null,"dependency_job_id":"52d5678f-ab83-4ae4-bbf8-40b791dc1490","html_url":"https://github.com/FuriousPws002/nginx-ssl","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/FuriousPws002%2Fnginx-ssl","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/FuriousPws002%2Fnginx-ssl/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/FuriousPws002%2Fnginx-ssl/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/FuriousPws002%2Fnginx-ssl/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/FuriousPws002","download_url":"https:/
/codeload.github.com/FuriousPws002/nginx-ssl/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":241644566,"owners_count":19996179,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["acmesh","letsencrypt","nginx","ssl"],"created_at":"2024-11-14T05:28:23.652Z","updated_at":"2025-11-30T12:07:33.367Z","avatar_url":"https://github.com/FuriousPws002.png","language":null,"funding_links":[],"categories":[],"sub_categories":[],"readme":"# nginx-ssl\nConfigure nginx SSL on an Alibaba Cloud server using acme.sh\n\n## Prerequisites\n+ An Alibaba Cloud server\n+ A domain name\n\n## Environment\nThe Alibaba Cloud server runs `centos 7.4`\n\n## Steps\n+ **Install nginx**\n+ **Obtain the Alibaba Cloud api_key and api_secret**\n+ **Install acme.sh**\n+ **Issue the domain certificate**\n+ **Configure nginx ssl**\n\n### Install nginx  \nInstall nginx; see the nginx [installation guide](http://www.nginx.cn/install \"Markdown\")   \nAfter installation, set nginx up as a service; see this [reference](https://www.nginx.com/resources/wiki/start/topics/examples/systemd/ \"Markdown\")\n\n### Obtain the Alibaba Cloud api_key and api_secret\nGenerate an [Alibaba Cloud api_key](https://ram.console.aliyun.com/ \"Markdown\")   \nSee this [blog post](https://frontenddev.org/article/use-acme-sh-deployment-let-s-encrypt-by-ali-cloud-dns-generic-domain-https-authentication.html \"Markdown\") for how to set the key\n\n### Install acme.sh\nSee the documentation: [Install acme.sh](https://github.com/Neilpang/acme.sh/wiki/%E8%AF%B4%E6%98%8E \"Markdown\")\n\n### Issue the domain certificate  \nRun the following command to perform DNS validation\n\n    acme.sh --issue --dns dns_ali -d \u003cdomain\u003e\nwhere `\u003cdomain\u003e` is the actual domain name   \nCreate the certificate directory\n\n     mkdir /etc/nginx/ssl/\u003cdomain\u003e\nCopy the domain certificate\n\n    acme.sh --installcert -d \u003cdomain\u003e \\\n      --key-file /etc/nginx/ssl/\u003cdomain\u003e/\u003cdomain\u003e.key \\\n      --fullchain-file 
/etc/nginx/ssl/\u003cdomain\u003e/fullchain.cer \\\n      --reloadcmd  \"sudo systemctl reload nginx\"\nIf acme.sh was installed as a `non-root` user, configure `passwordless` sudo for the current user as follows\n\n    1. Add write permission\n    chmod u+w /etc/sudoers\n    2. Edit /etc/sudoers\n    Add the following line\n    \u003cuser\u003e ALL=(ALL) NOPASSWD:ALL\n    where \u003cuser\u003e is the actual user   \n    3. Remove write permission\n    chmod u-w /etc/sudoers\n\n### Configure nginx ssl\nGenerate DH parameters\n\n    openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048\nCreate the global nginx ssl configuration file\n\n    vi /etc/nginx/snippets/ssl.conf\nAdd the following configuration\n\n    ssl_dhparam /etc/ssl/certs/dhparam.pem;\n    \n    ssl_session_timeout 1d;\n    ssl_session_cache shared:SSL:50m;\n    ssl_session_tickets off;\n\n    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;\n    ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';\n    ssl_prefer_server_ciphers on;\n    \n    ssl_stapling on;\n    ssl_stapling_verify on;\n    resolver 8.8.8.8 8.8.4.4 valid=300s;\n    resolver_timeout 30s;\n\n    add_header Strict-Transport-Security \"max-age=15768000; includeSubdomains; preload\";\n    add_header X-Frame-Options SAMEORIGIN;\n    add_header X-Content-Type-Options nosniff;\n\nAdd the path from which nginx reads configuration files\n\n    vi /usr/local/nginx/nginx.conf\nAdd the following line inside the http block\n\n    include       /etc/nginx/conf.d/*.conf;\n\nCreate the configuration file for the current domain\n\n    mkdir /etc/nginx/conf.d\n    vi /etc/nginx/conf.d/\u003cdomain\u003e.conf\nAdd the following content\n\n    server {\n      listen 80;\n      
server_name \u003cdomain\u003e;\n      access_log off;\n      return 301 https://$host$request_uri;\n    }\n    \n    server {\n        listen 443 ssl;\n        server_name \u003cdomain\u003e;\n    \n        ssl_certificate /etc/nginx/ssl/\u003cdomain\u003e/fullchain.cer;\n        ssl_certificate_key /etc/nginx/ssl/\u003cdomain\u003e/\u003cdomain\u003e.key;\n        include /etc/nginx/snippets/ssl.conf;\n    }\nwhere `\u003cdomain\u003e` is the actual domain name\n\nReload the nginx configuration\n\n    systemctl reload nginx\nThis completes the nginx ssl configuration. Visit the domain in a browser to check that it redirects to `https://\u003cdomain\u003e`\n\n## References\nhttp://www.nginx.cn/install   \nhttps://www.nginx.com/resources/wiki/start/topics/examples/systemd/   \nhttps://linuxize.com/post/secure-nginx-with-let-s-encrypt-on-centos-7/   \nhttps://github.com/Neilpang/acme.sh/wiki/%E8%AF%B4%E6%98%8E   \nhttps://ram.console.aliyun.com/   \nhttps://frontenddev.org/article/use-acme-sh-deployment-let-s-encrypt-by-ali-cloud-dns-generic-domain-https-authentication.html","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ffuriouspws002%2Fnginx-ssl","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Ffuriouspws002%2Fnginx-ssl","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ffuriouspws002%2Fnginx-ssl/lists"}