Preface

In the previous article, 逃离Vercel - Next.js应用自托管(https证书), we covered how to deploy a Next.js application on a server. Here we cover how to add an HTTPS certificate to that deployment.
Prerequisites

- A server (Tencent Cloud, Alibaba Cloud and DigitalOcean all sell them); mine is a DigitalOcean droplet at $6 per month.
- nginx, used as the reverse proxy. On CentOS, for example: yum install nginx. For other systems, search for the equivalent; it is not covered here.
- The HTTP domain setup from the previous article is complete, i.e. the domain is already reachable over plain HTTP.
Installing acme.sh

acme.sh implements the ACME protocol and can obtain free certificates from Let's Encrypt.

Use either of the following methods.

Online install

Install from git

```sh
git clone https://github.com/acmesh-official/acme.sh.git
cd ./acme.sh
./acme.sh --install -m [email protected]
```

After installation, run acme.sh -h. If you see output like the following, the installation succeeded:

```
https://github.com/acmesh-official/acme.sh
v3.0.8
Usage: acme.sh <command> ... [parameters ...]
...
```
Generating the certificate

Request the certificate (the domain configuration is tested during the request, so the previous step must be filled in correctly):

```sh
# the default CA is zerossl; --server switches to Let's Encrypt
acme.sh --issue -d www.dir2ai.com --nginx --server letsencrypt
```

On success it prints something like:

```
[Sat Jun 1 13:36:34 UTC 2024] Cert success.
-----BEGIN CERTIFICATE-----
xxxxxxxxx
-----END CERTIFICATE-----
[Sat Jun 1 13:36:34 UTC 2024] Your cert is in: /root/.acme.sh/www.dir2ai.com_ecc/www.dir2ai.com.cer
[Sat Jun 1 13:36:34 UTC 2024] Your cert key is in: /root/.acme.sh/www.dir2ai.com_ecc/www.dir2ai.com.key
[Sat Jun 1 13:36:34 UTC 2024] The intermediate CA cert is in: /root/.acme.sh/www.dir2ai.com_ecc/ca.cer
[Sat Jun 1 13:36:34 UTC 2024] And the full chain certs is there: /root/.acme.sh/www.dir2ai.com_ecc/fullchain.cer
```
Installing the certificate

For easier management, a dedicated folder is created for the HTTPS certificate files:

```sh
DOMAIN=dir2ai
mkdir -p /root/repo/www/${DOMAIN}/
acme.sh --install-cert -d www.${DOMAIN}.com \
  --key-file /root/repo/www/${DOMAIN}/cert.key \
  --fullchain-file /root/repo/www/${DOMAIN}/cert.fullchain \
  --reloadcmd "service nginx force-reload"
```
A typical nginx configuration follows; change server_name and the ssl certificate file paths to match your setup:

```nginx
server {
    listen 80;
    listen 443 ssl;
    server_name dir2ai.com;
    ssl_certificate /root/repo/www/dir2ai/cert.fullchain;
    ssl_certificate_key /root/repo/www/dir2ai/cert.key;
    ssl_session_timeout 5m;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;
    ssl_prefer_server_ciphers on;
    return 301 https://www.dir2ai.com$request_uri;
}

server {
    listen 80;
    server_name www.dir2ai.com;
    return 301 https://www.dir2ai.com$request_uri;
}

server {
    listen 443 ssl;
    server_name www.dir2ai.com;
    ssl_certificate /root/repo/www/dir2ai/cert.fullchain;
    ssl_certificate_key /root/repo/www/dir2ai/cert.key;
    ssl_session_timeout 5m;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;
    ssl_prefer_server_ciphers on;

    # keep commented out or enable depending on your needs
    # add_header 'Access-Control-Allow-Origin' '*';

    location / {
        # if several apps run on one machine, adjust the port accordingly
        proxy_pass http://localhost:3000;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
    }
}
```
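The install step above copies the certificate and key into /root/repo/www/dir2ai/ and then reloads nginx unconditionally, and the nginx configuration serves both dir2ai.com and www.dir2ai.com over TLS although the certificate was requested for www.dir2ai.com only. The following script is an added example, not part of the original post nor of acme.sh or nginx: it uses openssl to check that the installed key belongs to the certificate, that the certificate is not about to expire, and that it actually covers the name nginx serves, so that a bad pair is caught before anything is reloaded. The file paths are the ones used above; the script name check_cert.sh and the 7-day threshold are assumptions.

```sh
#!/bin/sh
# Pre-flight checks for a certificate installed by acme.sh, meant to run
# before nginx is reloaded. Added example, not part of the original post
# or of acme.sh/nginx. Paths follow the install step above; the script
# name and the 7-day threshold are assumptions.

# 0 if the private key in $2 belongs to the leaf certificate in $1
# (for a fullchain file, openssl x509 reads the first, i.e. leaf, cert).
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# 0 if the certificate in $1 stays valid for at least $2 more days (default 7).
cert_valid_for_days() {
    days=${2:-7}
    openssl x509 -in "$1" -noout -checkend $(( days * 86400 )) >/dev/null 2>&1
}

# 0 if the name $2 is listed among the certificate's subjectAltName DNS
# entries. Catches serving a name (e.g. the bare apex) with a certificate
# that was issued only for www.
cert_covers_name() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | tr ',' '\n' | sed 's/^[[:space:]]*//' | grep -qxF "DNS:$2"
}

# Runs all three checks; reports the first failure on stderr and returns 1.
preflight() {
    cert=$1; key=$2; name=$3
    key_matches_cert "$cert" "$key" \
        || { echo "preflight: $key does not match $cert" >&2; return 1; }
    cert_valid_for_days "$cert" 7 \
        || { echo "preflight: $cert expires within 7 days" >&2; return 1; }
    cert_covers_name "$cert" "$name" \
        || { echo "preflight: $cert does not cover $name" >&2; return 1; }
    echo "preflight: ok, $cert covers $name"
}

# Usage: ./check_cert.sh <fullchain> <key> <server_name>
if [ "$#" -ge 3 ]; then
    preflight "$1" "$2" "$3"
fi
```

Run it as check_cert.sh /root/repo/www/dir2ai/cert.fullchain /root/repo/www/dir2ai/cert.key www.dir2ai.com, then again with dir2ai.com as the name: the second call fails against the certificate requested above, which is the signal to request it for both names (acme.sh accepts several -d options) before the apex server block is put on port 443. To gate the reload itself, use it as the reload command, e.g. --reloadcmd "/root/repo/www/check_cert.sh /root/repo/www/dir2ai/cert.fullchain /root/repo/www/dir2ai/cert.key www.dir2ai.com && nginx -t && service nginx force-reload", so a mismatched pair or a broken nginx config never takes the site down.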
Common problems

ERR_TOO_MANY_REDIRECTS

If you use Cloudflare and see the following error:

```
This page isn’t working
www.qa-go.com redirected you too many times.
Try deleting your cookies.
ERR_TOO_MANY_REDIRECTS
```

go to SSL/TLS -> Overview and switch the mode from Flexible to Full. In Flexible mode Cloudflare connects to your origin over plain HTTP, so the port-80 server block above answers every request with a redirect to https, which Cloudflare fetches over HTTP again, and so on; Full mode makes Cloudflare connect to the origin over HTTPS, so the redirect loop disappears.
Summary

That concludes the self-hosting series: it covered deploying on your own server with Vercel-style automatic CI/CD and HTTPS certificate issuance, which covers the common scenarios. Finally, I wish every indie developer an early first pot of gold :)