搞了大半夜终于搞定A+评分

2022-11-3

前情：

发现还是没有自动更新seafile的https证书，弄了半天也没解决报的错误。然后试了试官方的openssl生成证书的方法，倒是可以成功，但是浏览器会提示证书无效。还是重新搞一下acme.sh吧，搞了很久，终于搞定，现在，和之前的区别，在于，评分上到A+了。而且测试了强制更新证书，是可以更新的。

强制更新命令：

~/.acme.sh/acme.sh --renew -d drive.scarsong.com --force

1	~/.acme.sh/acme.sh --renew -d drive.scarsong.com --force

而且，把这个网站的配置文件，相应的部分也复制到里面。这样如果三个月后，还无法自动更新，那就太奇怪了。拭目以待吧。

现状：

现在的配置如下：

路径：/etc/nginx/sites-enabled/seafile.conf

log_format seafileformat '$http_x_forwarded_for $remote_addr [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent" $upstream_response_time';

server {
    listen 80;
    server_name drive.scarsong.com;
	return 301 https://$server_name$request_uri;
}
server {
    listen 443 ssl;
    ssl_certificate /etc/nginx/ssl/drive.scarsong.com.crt;        #cacert.pem 
    ssl_certificate_key /etc/nginx/ssl/drvie.scarsong.com.key;	#privkey.pem 
    server_name drive.scarsong.com;
	ssl_session_timeout 5m;
    ssl_session_cache shared:SSL:5m;
add_header Strict-Transport-Security "max-age=31536000";
 # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
    #ssl_dhparam /etc/nginx/dhparam.pem;
#add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
    # secure settings (A+ at SSL Labs ssltest at time of writing)
    # see https://wiki.mozilla.org/Security/Server_Side_TLS#Nginx
    #ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3; # TLSv1.3需要nginx 1.13.0以上版本
    # 如果nginx版本低，建议使用这种加密算法配置
    #ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
    ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3; # TLSv1.3需要nginx 1.13.0以上版本
    ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384;
    ssl_ecdh_curve secp384r1;
    ssl_prefer_server_ciphers on;
    #ssl_session_cache shared:SSL:10m;
    #ssl_session_timeout 10m;
    ssl_session_tickets off;
    keepalive_timeout 70;
    proxy_set_header X-Forwarded-For $remote_addr;
    location / {
         proxy_pass         http://127.0.0.1:8000;
         proxy_set_header   Host $host;
         proxy_set_header   X-Real-IP $remote_addr;
         proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
         proxy_set_header   X-Forwarded-Host $server_name;
         proxy_set_header   X-Forwarded-Proto $scheme;
         proxy_read_timeout  1200s;

         # used for view/edit office file via Office Online Server
         client_max_body_size 0;

         access_log      /var/log/nginx/seahub.access.log seafileformat;
         error_log       /var/log/nginx/seahub.error.log;
    }

    location /seafhttp {
         rewrite ^/seafhttp(.*)$ $1 break;
         proxy_pass http://127.0.0.1:8082;
         client_max_body_size 0;
         proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
         proxy_connect_timeout  36000s;
         proxy_read_timeout  36000s;

        access_log      /var/log/nginx/seafhttp.access.log seafileformat;
        error_log       /var/log/nginx/seafhttp.error.log;
    }
    location /media {
        root /opt/seafile/seafile-server-latest/seahub;
    }
    location /seafdav {
        proxy_pass         http://127.0.0.1:8080/seafdav;
        proxy_set_header   Host $host;
        proxy_set_header   X-Real-IP $remote_addr;
        proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header   X-Forwarded-Host $server_name;
        proxy_set_header   X-Forwarded-Proto $scheme;
        proxy_read_timeout  1200s;

        client_max_body_size 0;

        access_log      /var/log/nginx/seafdav.access.log seafileformat;
        error_log       /var/log/nginx/seafdav.error.log;
    }
	#location ~ [^/]\.php(/|$) {
	#add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
#}
}

log_format seafileformat '$http_x_forwarded_for $remote_addr [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent" $upstream_response_time';

server {

listen 80;

server_name drive.scarsong.com;

return 301 https://$server_name$request_uri;

}

server {

listen 443 ssl;

ssl_certificate /etc/nginx/ssl/drive.scarsong.com.crt; #cacert.pem

ssl_certificate_key /etc/nginx/ssl/drvie.scarsong.com.key; #privkey.pem

server_name drive.scarsong.com;

ssl_session_timeout 5m;

ssl_session_cache shared:SSL:5m;

add_header Strict-Transport-Security "max-age=31536000";

# Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits

#ssl_dhparam /etc/nginx/dhparam.pem;

#add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";

# secure settings (A+ at SSL Labs ssltest at time of writing)

# see https://wiki.mozilla.org/Security/Server_Side_TLS#Nginx

#ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3; # TLSv1.3需要nginx 1.13.0以上版本

# 如果nginx版本低，建议使用这种加密算法配置

#ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;

ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3; # TLSv1.3需要nginx 1.13.0以上版本

ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384;

ssl_ecdh_curve secp384r1;

ssl_prefer_server_ciphers on;

#ssl_session_cache shared:SSL:10m;

#ssl_session_timeout 10m;

ssl_session_tickets off;

keepalive_timeout 70;

proxy_set_header X-Forwarded-For $remote_addr;

location / {

proxy_pass http://127.0.0.1:8000;

proxy_set_header Host $host;

proxy_set_header X-Real-IP $remote_addr;

proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

proxy_set_header X-Forwarded-Host $server_name;

proxy_set_header X-Forwarded-Proto $scheme;

proxy_read_timeout 1200s;

# used for view/edit office file via Office Online Server

client_max_body_size 0;

access_log /var/log/nginx/seahub.access.log seafileformat;

error_log /var/log/nginx/seahub.error.log;

}

location /seafhttp {

rewrite ^/seafhttp(.*)$ $1 break;

proxy_pass http://127.0.0.1:8082;

client_max_body_size 0;

proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

proxy_connect_timeout 36000s;

proxy_read_timeout 36000s;

access_log /var/log/nginx/seafhttp.access.log seafileformat;

error_log /var/log/nginx/seafhttp.error.log;

}

location /media {

root /opt/seafile/seafile-server-latest/seahub;

}

location /seafdav {

proxy_pass http://127.0.0.1:8080/seafdav;

proxy_set_header Host $host;

proxy_set_header X-Real-IP $remote_addr;

proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

proxy_set_header X-Forwarded-Host $server_name;

proxy_set_header X-Forwarded-Proto $scheme;

proxy_read_timeout 1200s;

client_max_body_size 0;

access_log /var/log/nginx/seafdav.access.log seafileformat;

error_log /var/log/nginx/seafdav.error.log;

}

#location ~ [^/]\.php(/|$) {

#add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";

}

nginx重新加载命令：

nginx -s reload

1	nginx -s reload

nginx重启命令：

systemctl restart sshd.service

1	systemctl restart sshd.service

THE END

打赏

二维码

海报

发表评论

评论列表

赶快来坐沙发