BotFlow

Escaping Vercel - Self-hosting a Next.js App (HTTPS Certificate Edition)

Preface

In the previous article in this series, Escaping Vercel - Self-hosting a Next.js App, we covered how to deploy a Next.js application on your own server. This article adds an HTTPS certificate to that deployment.

Prerequisites

  • A server (Tencent Cloud, Alibaba Cloud and DigitalOcean all work); I'm using a $6/month DigitalOcean droplet
  • nginx, used as the reverse proxy. On CentOS: yum install nginx; other distributions have their own package, which a quick search will turn up
  • The plain-HTTP domain setup from the previous article already done, i.e. the domain resolves to this server and responds over http:// (the ACME challenge below depends on it)

Installing acme.sh

acme.sh implements the ACME protocol and obtains free certificates from Let's Encrypt (and other ACME CAs). It is a plain shell script, so the server needs no Python or extra package manager.

Either of the following installation methods works. Note that piping a remote script into sh runs whatever the download server returns; if you would rather read what you run, use the git method and check out a release tag before running --install.

Online install

curl https://get.acme.sh | sh -s [email protected]
# or, with wget:
wget -O - https://get.acme.sh | sh -s [email protected]
# The argument after -s is the ACME account e-mail, passed as email=<your address>;
# acme.sh registers it with the CA, which uses it for expiry notices.

Installing from git

git clone https://github.com/acmesh-official/acme.sh.git
cd ./acme.sh
# -m sets the account e-mail; --install copies acme.sh into ~/.acme.sh,
# adds an alias to your shell profile and installs a daily cron job for renewals
./acme.sh --install -m [email protected]

After installation, open a new shell (or source your profile so the acme.sh alias is loaded) and run acme.sh -h; output like the following means the install succeeded

https://github.com/acmesh-official/acme.sh
v3.0.8
Usage: acme.sh <command> ... [parameters ...]
...

Issuing a certificate

Request the certificate. In --nginx mode acme.sh locates the server block for the domain in your nginx configuration, temporarily adds a location that serves the ACME HTTP-01 challenge, reloads nginx, and restores the original file once validation is done. The CA fetches the challenge over plain HTTP on port 80, so the DNS and HTTP setup from the previous article must be correct or issuance fails. If you also want the bare domain to serve HTTPS without a warning (the nginx configuration below redirects it to www), list it as a second name: -d www.dir2ai.com -d dir2ai.com. Keep www first, because the first -d names the certificate directory.

# acme.sh defaults to ZeroSSL; --server letsencrypt selects Let's Encrypt instead
acme.sh --issue -d www.dir2ai.com --nginx --server letsencrypt

On success the output ends like this (the _ecc suffix shows acme.sh generated an ECDSA key, its default since 3.0; pass --keylength 2048 at issue time if you need RSA):

[Sat Jun  1 13:36:34 UTC 2024] Cert success.
-----BEGIN CERTIFICATE-----
xxxxxxxxx
-----END CERTIFICATE-----
[Sat Jun 1 13:36:34 UTC 2024] Your cert is in: /root/.acme.sh/www.dir2ai.com_ecc/www.dir2ai.com.cer
[Sat Jun 1 13:36:34 UTC 2024] Your cert key is in: /root/.acme.sh/www.dir2ai.com_ecc/www.dir2ai.com.key
[Sat Jun 1 13:36:34 UTC 2024] The intermediate CA cert is in: /root/.acme.sh/www.dir2ai.com_ecc/ca.cer
[Sat Jun 1 13:36:34 UTC 2024] And the full chain certs is there: /root/.acme.sh/www.dir2ai.com_ecc/fullchain.cer

Installing the certificate

For easier management, create a dedicated directory for the certificate files and have acme.sh copy them there. Do not point nginx at ~/.acme.sh directly: that directory is acme.sh's working state, and its layout is not a stable interface. --install-cert records the target paths and the reload command, so the daily cron job that the installer set up (check with crontab -l) re-copies the files and reloads nginx after every renewal without further work.

DOMAIN=dir2ai
mkdir -p /root/repo/www/${DOMAIN}/
acme.sh --install-cert -d www.${DOMAIN}.com \
  --key-file /root/repo/www/${DOMAIN}/cert.key \
  --fullchain-file /root/repo/www/${DOMAIN}/cert.fullchain \
  --reloadcmd "service nginx force-reload"
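Before pointing nginx at the installed files, it is worth confirming what acme.sh actually handed you: that the key matches the certificate, that the key is readable by root only, that the certificate has plenty of lifetime left, and that its subjectAltName covers every name nginx will serve under it. The script below is an added example, not code from this post or from acme.sh. It assumes an OpenSSL 1.1.1 or newer CLI on PATH; make_test_cert builds a constructed stand-in for acme.sh's output (a 90-day self-signed ECDSA certificate for the made-up name www.example.test) so the checks can be exercised offline, and check_cert takes the real /root/repo/www/dir2ai/cert.fullchain and cert.key just the same. Run against a certificate issued with only -d www.dir2ai.com, check_cert reports the bare domain as not covered, which is exactly the gap the nginx configuration in the next section would expose.

```shell
#!/bin/sh
# Added example: sanity-check a certificate/key pair before nginx loads it.
# Not from the post or from acme.sh. Assumes an OpenSSL 1.1.1+ CLI on PATH.
set -eu

# Does the certificate's subjectAltName list exactly this DNS name?
# (Browsers match SAN entries, not the CN.)
cert_covers_name() {
  cert="$1"; name="$2"
  openssl x509 -in "$cert" -noout -ext subjectAltName 2>/dev/null \
    | tr ',' '\n' | sed 's/^[[:space:]]*//' | grep -qxF "DNS:$name"
}

# Do the private key and the certificate carry the same public key?
key_matches_cert() {
  cert="$1"; key="$2"
  [ "$(openssl x509 -in "$cert" -noout -pubkey)" = "$(openssl pkey -in "$key" -pubout)" ]
}

# Is the certificate still valid for at least N more days?
cert_valid_for_days() {
  cert="$1"; days="$2"
  openssl x509 -in "$cert" -noout -checkend "$((days * 86400))" >/dev/null
}

# Is the private key readable by its owner only (group/other bits all clear)?
key_is_private() {
  key="$1"
  [ "$(ls -l "$key" | cut -c5-10)" = "------" ]
}

# Constructed stand-in for acme.sh output: a 90-day self-signed ECDSA certificate
# whose SAN names only www.example.test, like a cert issued with -d www.example.test.
# Writes cert.key and cert.fullchain into the given directory.
make_test_cert() {
  dir="$1"
  openssl ecparam -name prime256v1 -genkey -noout -out "$dir/cert.key"
  chmod 600 "$dir/cert.key"
  openssl req -x509 -new -key "$dir/cert.key" -out "$dir/cert.fullchain" -days 90 \
    -subj "/CN=www.example.test" -addext "subjectAltName=DNS:www.example.test" 2>/dev/null
}

# Run every check for the names nginx will serve under this certificate.
# Prints one line per check; returns non-zero if any check fails.
check_cert() {
  cert="$1"; key="$2"; shift 2
  status=0
  key_matches_cert "$cert" "$key" && echo "ok   key matches cert" || { echo "FAIL key does not match cert"; status=1; }
  key_is_private "$key" && echo "ok   key is owner-only" || { echo "FAIL key readable by group/other"; status=1; }
  cert_valid_for_days "$cert" 30 && echo "ok   valid for 30+ days" || { echo "FAIL expires within 30 days"; status=1; }
  for n in "$@"; do
    cert_covers_name "$cert" "$n" && echo "ok   covers $n" || { echo "FAIL does not cover $n"; status=1; }
  done
  return $status
}

# Usage: sh check-cert.sh demo             (self-test on the constructed cert)
#        sh check-cert.sh CERT KEY NAME...  (check a real pair, e.g. the acme.sh output)
case "${1:-}" in
  demo)
    tmp=$(mktemp -d); make_test_cert "$tmp"
    check_cert "$tmp/cert.fullchain" "$tmp/cert.key" www.example.test example.test || true
    rm -rf "$tmp" ;;
  "") ;;
  *) check_cert "$@" ;;
esac
```

Because check_cert exits non-zero on any failure, it can also sit in front of the reload command (for example as part of the --reloadcmd string) so that a renewal that produced a bad pair never reaches nginx.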

A typical nginx configuration follows; change server_name and the ssl_* paths to match. Note that the certificate issued above covers only www.dir2ai.com, so the first block, which also answers HTTPS for the bare domain, presents a mismatched certificate to anyone who types https://dir2ai.com, and the browser warns before the redirect ever runs; covering both names at issue time avoids that.

server {
    listen 80;
    listen 443 ssl;
    server_name dir2ai.com;
    # The certificate below was issued for www.dir2ai.com only; reissue with
    # `-d www.dir2ai.com -d dir2ai.com` so this block does not trigger a name-mismatch warning.
    ssl_certificate /root/repo/www/dir2ai/cert.fullchain;
    ssl_certificate_key /root/repo/www/dir2ai/cert.key;
    ssl_session_timeout 5m;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;
    ssl_prefer_server_ciphers on;
    return 301 https://www.dir2ai.com$request_uri;
}

server {
    listen 80;
    server_name www.dir2ai.com;
    return 301 https://www.dir2ai.com$request_uri;
}

server {
    listen 443 ssl;
    server_name www.dir2ai.com;
    ssl_certificate /root/repo/www/dir2ai/cert.fullchain;
    ssl_certificate_key /root/repo/www/dir2ai/cert.key;
    ssl_session_timeout 5m;
    ssl_protocols TLSv1.2 TLSv1.3;
    # acme.sh issued an ECDSA key (see the _ecc directory), so the ECDHE-RSA suite listed
    # first can never be selected; the ECDHE-ECDSA suites come in via HIGH. TLS 1.3 suites
    # are not governed by ssl_ciphers at all.
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;
    ssl_prefer_server_ciphers on;
    # Uncomment only if pages on other origins genuinely need to call this site.
    # add_header 'Access-Control-Allow-Origin' '*';
    location / {
        # If several apps run on this host, change the port per app.
        proxy_pass http://localhost:3000;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        # Let Next.js see the real client address and know the outer hop was HTTPS.
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_cache_bypass $http_upgrade;
    }
}

Common problems

Hitting ERR_TOO_MANY_REDIRECTS

If the site sits behind Cloudflare and the browser shows

This page isn't working
www.qa-go.com redirected you too many times.
Try deleting your cookies.
ERR_TOO_MANY_REDIRECTS

go to SSL/TLS -> Overview in the Cloudflare dashboard and switch the encryption mode from Flexible to Full. In Flexible mode Cloudflare terminates TLS at its edge and fetches from the origin over plain HTTP, so every request lands in the port-80 server block, which answers 301 to https://www...; the browser follows that back to Cloudflare, Cloudflare fetches over HTTP again, and the loop continues until the browser gives up. Now that the origin has a publicly trusted certificate, prefer Full (strict): plain Full encrypts the edge-to-origin hop but accepts any certificate, including a self-signed or spoofed one, while Full (strict) validates it against a trusted CA.

Summary

That wraps up the self-hosting series: between the two articles we have covered deploying a Next.js app on your own server with Vercel-style automatic CI/CD and issuing HTTPS certificates, which covers the common cases. Here's wishing every indie developer an early first pot of gold :)