nginx从2025年(1.28, 最低似乎兼容1.22)开始提供ngx_http_acme_module, 现在可以在不依赖acme.sh或certbot等工具的情况下使用HTTPS
下面以Debian为例, 使用nginx自带的acme模块进行SSL证书的申请与使用
-
安装nginx及ngx_http_acme_module
参考链接: nginx: Linux packages
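# Install prerequisites for adding the nginx.org apt repository
sudo apt install curl gnupg2 ca-certificates lsb-release debian-archive-keyring

# Import the nginx signing key into a dedicated keyring.
# -f makes curl fail on an HTTP error instead of piping an error page into gpg;
# -sS keeps it quiet but still reports failures; -L follows redirects.
# NOTE(review): before trusting this keyring, compare its fingerprint with the one
# published on nginx.org (value not reproduced here — check the official page).
curl -fsSL https://nginx.org/keys/nginx_signing.key | gpg --dearmor \
    | sudo tee /usr/share/keyrings/nginx-archive-keyring.gpg >/dev/null

# Add the repository; signed-by= restricts this source to the key imported above.
# $(...) replaces the original backticks.
echo "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] \
https://nginx.org/packages/debian $(lsb_release -cs) nginx" \
    | sudo tee /etc/apt/sources.list.d/nginx.list

# Pin nginx.org above the Debian-provided nginx packages
echo -e "Package: *\nPin: origin nginx.org\nPin: release o=nginx\nPin-Priority: 900\n" \
    | sudo tee /etc/apt/preferences.d/99nginx

sudo apt update

# Install nginx
sudo apt install nginx

# Install ngx_http_acme_module (original listing was missing sudo on this line,
# so it would fail for a non-root user)
sudo apt install nginx-module-acme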
配置
参考链接:
nginx.conf配置参考
# Load ngx_http_acme_module (installed as the separate nginx-module-acme package)
load_module modules/ngx_http_acme_module.so;

user nginx;
worker_processes auto;

error_log /var/log/nginx/error.log notice;
pid /run/nginx.pid;

events {
    worker_connections 1024;
}

http {
    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for"';

    access_log /var/log/nginx/access.log main;

    sendfile on;
    #tcp_nopush on;

    keepalive_timeout 65;

    #gzip on;
    # DNS resolver. 169.254.169.253 is the AWS EC2 (VPC) resolver because this host is an
    # EC2 instance; elsewhere use e.g. 8.8.8.8, 223.5.5.5 or 1.1.1.1 as needed.
    # NOTE(review): presumably required so the ACME module can resolve the issuer URI below — confirm.
    resolver 169.254.169.253 valid=300s;

    # intermediate configuration
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ecdh_curve X25519:prime256v1:secp384r1;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers off;

    # see also ssl_session_ticket_key alternative to stateful session cache
    ssl_session_timeout 1d;
    ssl_session_cache shared:MozSSL:10m; # about 40000 sessions

    # sudo curl -o /etc/nginx/dhparam.pem https://ssl-config.mozilla.org/ffdhe2048.txt
    ssl_dhparam /etc/nginx/dhparam.pem;

    # OCSP stapling
    # NOTE(review): stapling only takes effect when the issued certificate carries an OCSP
    # responder URL; Let's Encrypt has been phasing OCSP out in favour of CRLs, so check
    # error.log after issuance to confirm these two directives are not being ignored.
    ssl_stapling on;
    ssl_stapling_verify on;

    # Issuer configuration; Let's Encrypt is the simplest case
    acme_issuer letsencrypt {
        # ACME directory endpoint
        uri https://acme-v02.api.letsencrypt.org/directory;
        # Accept the issuer's terms of service
        accept_terms_of_service;
        # Contact address for notices (placeholder — replace with a real mailbox)
        contact mailto:xxx@xxx.xxx;
        # Storage path for issuer state and certificates, default: /var/cache/nginx/acme_<issuer>
        # NOTE(review): private key material is expected to live here as well — keep the
        # directory readable only by the nginx user; confirm against the module docs.
        # state_path acme_<issuer>;
    }

    include /etc/nginx/conf.d/*.conf;
}

HTTP配置参考:
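# Derive the upstream Connection header from the client's Upgrade header
# (WebSocket pass-through: "upgrade" when Upgrade is present, "close" otherwise)
map $http_upgrade $connection_upgrade {
    default upgrade;
    '' close;
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    http2 on;

    server_name www.huwenqiang.cn;

    # Request an ECDSA P-256 certificate from the issuer defined in nginx.conf;
    # use key=rsa:2048 for an RSA certificate instead
    acme_certificate letsencrypt key=ecdsa:256;
    # Certificate and key come from the two variables exported by ngx_http_acme_module
    ssl_certificate $acme_certificate;
    ssl_certificate_key $acme_certificate_key;
    ssl_session_tickets off;
    ssl_certificate_cache max=2;

    # HSTS (two years)
    add_header Strict-Transport-Security "max-age=63072000" always;

    gzip on;
    gzip_vary on;
    gzip_proxied any;
    gzip_comp_level 6;
    gzip_min_length 1k;
    gzip_static on;
    gzip_types text/plain text/css text/javascript application/javascript application/x-javascript application/json application/xml application/rss+xml image/svg+xml;

    location / {
        proxy_pass http://localhost:8080;
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        # NOTE(review): consider also passing X-Forwarded-Proto $scheme so the backend
        # can tell the request arrived over HTTPS.
        proxy_http_version 1.1;
        # The original listing also had `proxy_set_header Connection "";` here. An empty
        # value is never sent upstream and the map-driven directive below sets Connection
        # anyway, so that line was dead and misleading; it has been removed. Non-upgrade
        # requests therefore reach the backend with "Connection: close" (no upstream
        # keepalive pool is configured, so nothing is lost).
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
    }

    #error_page 404 /404.html;

    # redirect server error pages to the static page /50x.html
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root /usr/share/nginx/html;
    }
}

# Plain-HTTP listener for the same name: redirects everything to HTTPS.
# NOTE(review): the http-01 challenge relies on this name being reachable on port 80;
# the ACME module is expected to answer /.well-known/acme-challenge/ requests itself
# before this redirect applies — confirm against the module docs after first issuance.
server {
    listen 80;
    listen [::]:80;
    server_name www.huwenqiang.cn;
    return 301 https://www.huwenqiang.cn$request_uri;
}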