145 lines
5.3 KiB
Bash
145 lines
5.3 KiB
Bash
#!/bin/bash
|
|
# SSL 证书修复和 Nginx 配置脚本
|
|
# 修复 SSL 证书路径问题并配置新的子域名
|
|
|
|
echo "========================================"
|
|
echo "修复 SSL 证书和 Nginx 配置"
|
|
echo "========================================"
|
|
|
|
# 1. 检查 SSL 证书状态
|
|
echo "[1/5] 检查 SSL 证书状态..."
|
|
ls -la /etc/letsencrypt/live/ 2>/dev/null || echo "证书目录不存在"
|
|
|
|
# 2. 重新获取证书
|
|
echo "[2/5] 重新获取 SSL 证书..."
|
|
certbot certonly --webroot -w /var/www/html -d tksea.top -d www.tksea.top -d api.tksea.top -d gitea.tksea.top -d sub.tksea.top --non-interactive --agree-tos --email admin@tksea.top || certbot --nginx -d tksea.top -d www.tksea.top -d api.tksea.top -d gitea.tksea.top -d sub.tksea.top --non-interactive --agree-tos --email admin@tksea.top
|
|
|
|
# 3. 验证证书
|
|
echo "[3/5] 验证证书..."
|
|
certbot certificates
|
|
|
|
# 4. 配置 Nginx
|
|
echo "[4/5] 配置 Nginx..."
|
|
cat > /etc/nginx/sites-available/tksea << 'EOF'
|
|
# HTTP 重定向到 HTTPS
|
|
server {
|
|
listen 80;
|
|
server_name tksea.top www.tksea.top api.tksea.top gitea.tksea.top sub.tksea.top;
|
|
location /.well-known/acme-challenge/ { root /var/www/html; }
|
|
location / { return 301 https://$host$request_uri; }
|
|
}
|
|
|
|
# HTTPS - 主域名 (Gitea)
|
|
server {
|
|
listen 443 ssl http2;
|
|
server_name tksea.top www.tksea.top;
|
|
ssl_certificate /etc/letsencrypt/live/tksea.top/fullchain.pem;
|
|
ssl_certificate_key /etc/letsencrypt/live/tksea.top/privkey.pem;
|
|
ssl_session_timeout 1d;
|
|
ssl_session_cache shared:SSL:50m;
|
|
ssl_protocols TLSv1.2 TLSv1.3;
|
|
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;
|
|
ssl_prefer_server_ciphers off;
|
|
add_header Strict-Transport-Security "max-age=63072000" always;
|
|
|
|
location / {
|
|
proxy_pass http://127.0.0.1:3000;
|
|
proxy_set_header Host $host;
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
proxy_set_header X-Forwarded-Proto $scheme;
|
|
proxy_set_header Upgrade $http_upgrade;
|
|
proxy_set_header Connection "upgrade";
|
|
}
|
|
}
|
|
|
|
# HTTPS - api 子域名 (Sub2API)
|
|
server {
|
|
listen 443 ssl http2;
|
|
server_name api.tksea.top;
|
|
ssl_certificate /etc/letsencrypt/live/tksea.top/fullchain.pem;
|
|
ssl_certificate_key /etc/letsencrypt/live/tksea.top/privkey.pem;
|
|
ssl_session_timeout 1d;
|
|
ssl_session_cache shared:SSL:50m;
|
|
ssl_protocols TLSv1.2 TLSv1.3;
|
|
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;
|
|
ssl_prefer_server_ciphers off;
|
|
add_header Strict-Transport-Security "max-age=63072000" always;
|
|
underscores_in_headers on;
|
|
|
|
location / {
|
|
proxy_pass http://127.0.0.1:8080;
|
|
proxy_set_header Host $host;
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
proxy_set_header X-Forwarded-Proto $scheme;
|
|
}
|
|
}
|
|
|
|
# HTTPS - gitea 子域名 (Gitea)
|
|
server {
|
|
listen 443 ssl http2;
|
|
server_name gitea.tksea.top;
|
|
ssl_certificate /etc/letsencrypt/live/tksea.top/fullchain.pem;
|
|
ssl_certificate_key /etc/letsencrypt/live/tksea.top/privkey.pem;
|
|
ssl_session_timeout 1d;
|
|
ssl_session_cache shared:SSL:50m;
|
|
ssl_protocols TLSv1.2 TLSv1.3;
|
|
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;
|
|
ssl_prefer_server_ciphers off;
|
|
add_header Strict-Transport-Security "max-age=63072000" always;
|
|
|
|
location / {
|
|
proxy_pass http://127.0.0.1:3000;
|
|
proxy_set_header Host $host;
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
proxy_set_header X-Forwarded-Proto $scheme;
|
|
proxy_set_header Upgrade $http_upgrade;
|
|
proxy_set_header Connection "upgrade";
|
|
}
|
|
}
|
|
|
|
# HTTPS - sub 子域名 (Sub2API)
|
|
server {
|
|
listen 443 ssl http2;
|
|
server_name sub.tksea.top;
|
|
ssl_certificate /etc/letsencrypt/live/tksea.top/fullchain.pem;
|
|
ssl_certificate_key /etc/letsencrypt/live/tksea.top/privkey.pem;
|
|
ssl_session_timeout 1d;
|
|
ssl_session_cache shared:SSL:50m;
|
|
ssl_protocols TLSv1.2 TLSv1.3;
|
|
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;
|
|
ssl_prefer_server_ciphers off;
|
|
add_header Strict-Transport-Security "max-age=63072000" always;
|
|
underscores_in_headers on;
|
|
|
|
location / {
|
|
proxy_pass http://127.0.0.1:8080;
|
|
proxy_set_header Host $host;
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
proxy_set_header X-Forwarded-Proto $scheme;
|
|
}
|
|
}
|
|
EOF
|
|
|
|
# 5. 测试并重载 Nginx
|
|
echo "[5/5] 测试并重载 Nginx..."
|
|
nginx -t && systemctl reload nginx
|
|
|
|
echo ""
|
|
echo "========================================"
|
|
echo "修复完成!"
|
|
echo "========================================"
|
|
echo ""
|
|
echo "现在可以访问:"
|
|
echo " - https://tksea.top (Gitea)"
|
|
echo " - https://gitea.tksea.top (Gitea)"
|
|
echo " - https://api.tksea.top (Sub2API)"
|
|
echo " - https://sub.tksea.top (Sub2API)"
|
|
echo ""
|
|
echo "检查服务状态:"
|
|
echo " docker ps"
|
|
echo " systemctl status nginx"
|
|
echo "========================================" |