介绍
蝉鸣CRM 是一个全新的软件开发框架。
说明
Debian 12 安装 SSL:使用 Let's Encrypt (Certbot)
安装Certbot
- 更新源
bash
sudo apt update -y
- 安装Certbot
bash
sudo apt install certbot python3-certbot-nginx -y
- 获取 SSL 证书
bash
#Certbot 会自动:
#验证域名所有权(通过 HTTP-01 挑战)
#从 Let's Encrypt 获取证书
#修改 Nginx 配置以启用 HTTPS
#设置自动重定向 HTTP → HTTPS
sudo certbot --nginx -d example.com -d www.example.com
- 验证证书自动续期
bash
#Let's Encrypt 证书有效期为 90 天,Certbot 会自动续期
sudo certbot renew --dry-run
- 防火墙放行 HTTPS
bash
sudo ufw allow 'Nginx Full' # 允许 HTTP(80)和 HTTPS(443)
sudo ufw delete allow 'Nginx HTTP' # 可选:移除仅 HTTP 的规则
- 验证安装
bash
curl -I https://example.com
- 当前证书包含的域名
bash
#1
sudo certbot certificates
#2
sudo openssl x509 -in /etc/letsencrypt/live/example.com/cert.pem -noout -text | grep DNS
- 新增域名
bash
#1直接扩展现有证书
sudo certbot --nginx -d example.com -d www.example.com -d sub.example.com -d newdomain.com
#2单独为新域名创建证书
sudo certbot --nginx -d newdomain.com -d www.newdomain.com
#需要重新执行自动续约
sudo certbot renew --dry-run
- 启动失败错误日志
bash
sudo journalctl -u certbot
增加安全性
#!!!标记提示
bash
#最高级配置
sudo vim /etc/nginx/nginx.conf
#建议个人自定义配置在/conf.d文件下新建配置
cd /etc/nginx/conf.d
sudo vim demo.conf
#示例
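server {
    server_name www.example.com;

    # HSTS: instruct browsers to use HTTPS only. Declared at server level so
    # every response carries it. nginx does NOT inherit server-level add_header
    # into a location that declares its own add_header, so the /api/ location
    # repeats it below. Add "preload" only once the domain is actually submitted
    # to the browser preload list; with a one-year max-age it is hard to undo.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;

    location / {
        root /demo;
        index index.html index.htm;
        # single-page-app fallback: unknown paths are served index.html
        try_files $uri $uri/ /index.html;
    }

    # API forwarding. The trailing slash on proxy_pass strips the /api/ prefix
    # before the request reaches the backend.
    location ^~ /api/ {
        proxy_pass http://127.0.0.1:8080/;
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header REMOTE-HOST $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        # CORS. Echoing $http_origin lets ANY origin call the API from a
        # browser. If the API is not meant to be public, restrict this to an
        # allow-list (e.g. a map block in the http context), and never combine
        # the echo with Access-Control-Allow-Credentials.
        add_header 'Access-Control-Allow-Origin' '$http_origin';
        add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
        add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range';
        # Repeated here because the add_header lines above disable inheritance
        # of the server-level HSTS header for /api/ responses.
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
    }

    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root /usr/share/nginx/html;
    }

    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem; # managed by Certbot
    # options-ssl-nginx.conf already sets ssl_protocols (TLSv1.2 TLSv1.3),
    # ssl_ciphers, ssl_prefer_server_ciphers, ssl_session_cache and
    # ssl_session_timeout. Do not repeat those directives in this server block:
    # nginx rejects a duplicate directive in the same context and `nginx -t`
    # fails. To harden further, change the values in that file (or stop
    # including it and set them here) instead of adding a second copy.
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}

server {
    # Certbot's HTTP -> HTTPS redirect. The host compared here must be the
    # same name as server_name below, otherwise plain-HTTP requests fall
    # through to the 404 instead of being redirected.
    if ($host = www.example.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    listen 80;
    server_name www.example.com;
    return 404; # managed by Certbot
}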