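For various reasons, such as not wanting my site's content to be crawled by the GFW and the like (a few posts here cover getting over the wall), and wanting the site to look a bit more polished, I have decided to encrypt the site's traffic with SSL.
Since I run Apache as the back end with nginx in front of it, I took the simplest route: terminate SSL in nginx and reverse-proxy Apache's content, then use nginx's text substitution feature to replace every http:// with https://. That is what I tried first.
1: First, buy an SSL certificate
A free one actually works too, for example from https://letsencrypt.org/. Here is a brief walkthrough of generating the certificate.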
```bash
cd /usr/local/sbin
wget https://dl.eff.org/certbot-auto
chmod a+x /usr/local/sbin/certbot-auto
git clone https://github.com/letsencrypt/letsencrypt
cd letsencrypt
# Each hostname needs its own -d flag
./letsencrypt-auto certonly --manual -d justchen.com -d www.justchen.com
```
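Then accept the terms. If nothing goes wrong, the certificate and related files are generated under /etc/letsencrypt/.
Note: first stop any application that is using ports 80 and 443.
2: Configure nginx
First, install nginx's subs_filter extension: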
```bash
apt-get install nginx-extras
```
Then edit the nginx configuration file:
```nginx
server {
    listen 443 ssl;
    server_name justchen.com www.justchen.com;
    ssl_certificate /etc/letsencrypt/live/justchen.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/justchen.com/privkey.pem;

    location / {
        sub_filter_once off;
        # Ask the backend for uncompressed responses so the body can be rewritten
        proxy_set_header Accept-Encoding "";
        subs_filter_types text/html text/css text/xml;
        # Replace http://justchen.com with https, so nothing has to be configured in WordPress
        subs_filter http://justchen.com https://justchen.com;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-Forwarded-Host $server_name;
        proxy_set_header Host $host;
        # The Apache backend speaks plain HTTP on port 80
        proxy_pass http://172.245.112.115:80;
        proxy_set_header SSL '1';
        # Rewrite http:// to https:// in redirects (Location headers) sent by the backend
        proxy_redirect http:// https://;
    }
    access_log off;
}

server {
    listen 80;
    server_name justchen.com www.justchen.com;
    # 301-redirect every non-HTTPS request to https
    return 301 https://$host$request_uri;
}
```
With that, the setup is basically complete.
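An added example, not part of the original post: a Python check for plain-HTTP references to the site's own hosts that the single subs_filter rule above leaves untouched, namely the www host and JSON-escaped URLs. The sample HTML is constructed, the function names are hypothetical, and `simulate_subs_filter` only approximates the module as a fixed-string, replace-all swap.

```python
import re

# Hosts taken from the server_name line of the config above.
SITE_HOSTS = ("justchen.com", "www.justchen.com")

# Constructed sample of backend HTML (not captured from the real site).
SAMPLE = """<link rel="stylesheet" href="http://justchen.com/wp-content/style.css">
<a href="http://www.justchen.com/about">About</a>
<script>var cfg = {"ajax":"http:\\/\\/justchen.com\\/wp-admin\\/admin-ajax.php"};</script>
<img src="http://example.org/logo.png">
<a href="https://justchen.com/ok">ok</a>"""

# http:// or the JSON-escaped http:\/\/ (as written by PHP's json_encode), then a hostname.
_HTTP_REF = re.compile(r"http:(?:\\?/){2}([A-Za-z0-9.-]+)")


def simulate_subs_filter(body):
    """Approximate the one rule in the config: a fixed-string, replace-all swap."""
    return body.replace("http://justchen.com", "https://justchen.com")


def leftover_http_refs(body, hosts=SITE_HOSTS):
    """Return the sorted, unique plain-HTTP references to our own hosts in body.

    References to third-party hosts are ignored: the rule was never meant to touch them.
    """
    found = set()
    for match in _HTTP_REF.finditer(body):
        host = match.group(1).lower().rstrip(".")
        if host in hosts:
            found.add(match.group(0).rstrip("."))
    return sorted(found)


if __name__ == "__main__":
    rewritten = simulate_subs_filter(SAMPLE)
    for ref in leftover_http_refs(rewritten):
        print("still plain HTTP after rewrite:", ref)
```

References it reports reach the browser as plain-HTTP URLs; for scripts, styles and AJAX endpoints the browser treats them as mixed content on an HTTPS page.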