搞了大半夜终于搞定A+评分
前情:
发现还是没有自动更新seafile的https证书,弄了半天也没解决报的错误。然后试了试官方的openssl生成证书的方法,倒是可以成功,但是浏览器会提示证书无效。还是重新搞一下acme.sh吧,搞了很久,终于搞定,现在,和之前的区别,在于,评分上到A+了。而且测试了强制更新证书,是可以更新的。
强制更新命令:
|
1 |
~/.acme.sh/acme.sh --renew -d drive.scarsong.com --force |
而且,把这个网站的配置文件,相应的部分也复制到里面。这样如果三个月后,还无法自动更新,那就太奇怪了。拭目以待吧。
现状:
现在的配置如下:
路径:/etc/nginx/sites-enabled/seafile.conf
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 |
log_format seafileformat '$http_x_forwarded_for $remote_addr [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent" $upstream_response_time'; server { listen 80; server_name drive.scarsong.com; return 301 https://$server_name$request_uri; } server { listen 443 ssl; ssl_certificate /etc/nginx/ssl/drive.scarsong.com.crt; #cacert.pem ssl_certificate_key /etc/nginx/ssl/drvie.scarsong.com.key; #privkey.pem server_name drive.scarsong.com; ssl_session_timeout 5m; ssl_session_cache shared:SSL:5m; add_header Strict-Transport-Security "max-age=31536000"; # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits #ssl_dhparam /etc/nginx/dhparam.pem; #add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"; # secure settings (A+ at SSL Labs ssltest at time of writing) # see https://wiki.mozilla.org/Security/Server_Side_TLS#Nginx #ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3; # TLSv1.3需要nginx 1.13.0以上版本 # 如果nginx版本低,建议使用这种加密算法配置 #ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4; ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3; # TLSv1.3需要nginx 1.13.0以上版本 ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384; ssl_ecdh_curve secp384r1; ssl_prefer_server_ciphers on; #ssl_session_cache shared:SSL:10m; #ssl_session_timeout 10m; ssl_session_tickets off; keepalive_timeout 70; proxy_set_header X-Forwarded-For $remote_addr; location / { proxy_pass http://127.0.0.1:8000; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Host $server_name; proxy_set_header X-Forwarded-Proto $scheme; proxy_read_timeout 1200s; # used for view/edit office file via Office Online Server client_max_body_size 0; access_log /var/log/nginx/seahub.access.log seafileformat; error_log /var/log/nginx/seahub.error.log; } location /seafhttp { rewrite ^/seafhttp(.*)$ $1 break; proxy_pass http://127.0.0.1:8082; client_max_body_size 0; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_connect_timeout 36000s; proxy_read_timeout 36000s; access_log /var/log/nginx/seafhttp.access.log seafileformat; error_log /var/log/nginx/seafhttp.error.log; } location /media { root /opt/seafile/seafile-server-latest/seahub; } location /seafdav { proxy_pass http://127.0.0.1:8080/seafdav; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Host $server_name; proxy_set_header X-Forwarded-Proto $scheme; proxy_read_timeout 1200s; client_max_body_size 0; access_log /var/log/nginx/seafdav.access.log seafileformat; error_log /var/log/nginx/seafdav.error.log; } #location ~ [^/]\.php(/|$) { #add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"; #} } |
nginx重新加载命令:
|
1 |
nginx -s reload |
nginx重启命令:
|
1 |
systemctl restart sshd.service |
THE END
