前言
系统推荐:debian12
服务器要开放80端口
nginx版本1.25以上
一键脚本,不保证100%运行无错,推荐手动
curl -sS -O https://raw.githubusercontent.com/woniu336/open_shell/main/nginx-acme-manager.sh && chmod +x nginx-acme-manager.sh && ./nginx-acme-manager.sh
以下为手动操作
安装依赖
sudo apt update
sudo apt install -y build-essential libpcre3-dev zlib1g-dev libssl-dev pkg-config libclang-dev git wget curl
安装 Rust 工具链:
curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh
source $HOME/.cargo/env
创建目录结构
mkdir -pv /app/nginx/{logs,conf,cache,acme} /app/nginx-build
cd /app/nginx-build
获取源码
下载 ACME 模块:
git clone https://github.com/nginx/nginx-acme.git /app/nginx-build/nginx-acme
下载并解压 NGINX 源码(推荐稳定版 1.28.0):
wget https://nginx.org/download/nginx-1.28.0.tar.gz
tar -zxf nginx-1.28.0.tar.gz
编译 NGINX + ACME 模块
大概5分钟
cd /app/nginx-build/nginx-1.28.0
./configure \
--prefix=/app/nginx \
--error-log-path=/app/nginx/logs/error.log \
--http-log-path=/app/nginx/logs/access.log \
--pid-path=/app/nginx/nginx.pid \
--lock-path=/app/nginx/nginx.lock \
--http-client-body-temp-path=/app/nginx/cache/client_temp \
--http-proxy-temp-path=/app/nginx/cache/proxy_temp \
--user=nginx \
--group=nginx \
--with-compat \
--with-file-aio \
--with-threads \
--with-http_realip_module \
--with-http_ssl_module \
--with-http_v2_module \
--with-http_gzip_static_module \
--with-cc-opt='-g -O2 -fstack-protector-strong -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fPIC' \
--with-ld-opt='-Wl,-z,relro -Wl,-z,now -Wl,--as-needed -pie' \
--add-dynamic-module=/app/nginx-build/nginx-acme
make && make modules && make install
添加nginx用户
useradd -r -s /sbin/nologin nginx
创建目录结构
cd /app/nginx
mkdir -p logs cache/{client_temp,proxy_cache} acme/{letsencrypt,staging} conf/conf.d
chown -R nginx:nginx /app/nginx
全局nginx配置
路径:/app/nginx/conf/nginx.conf
注意:把123456@qq.com修改成自己的邮箱
nano /app/nginx/conf/nginx.conf
清除原本内容,粘贴
user nginx;
worker_processes auto;
worker_rlimit_nofile 65535;
error_log logs/error.log warn;
pid nginx.pid;
# ACME 模块
load_module modules/ngx_http_acme_module.so;
events {
worker_connections 4096;
multi_accept on;
use epoll;
}
http {
include mime.types;
default_type application/octet-stream;
# 日志
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for" '
'rt=$request_time uct="$upstream_connect_time" '
'uht="$upstream_header_time" urt="$upstream_response_time"';
access_log logs/access.log main;
# 基础性能
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65s 60s;
keepalive_requests 1000;
reset_timedout_connection on;
# === 客户端请求体配置 ===
client_max_body_size 100m;
client_body_buffer_size 256k;
client_body_timeout 30s;
# === 客户端请求头配置 ===
client_header_buffer_size 4k;
large_client_header_buffers 4 16k;
client_header_timeout 10s;
# === 临时文件路径 ===
client_body_temp_path cache/client_temp;
# === 防止慢速攻击 ===
client_body_in_single_buffer off;
# Gzip
gzip on;
gzip_vary on;
gzip_proxied any;
gzip_comp_level 6;
gzip_min_length 1024;
gzip_buffers 16 8k;
gzip_types
text/plain
text/css
application/json
application/javascript
application/xml+rss
application/rss+xml
application/atom+xml
application/xhtml+xml
font/truetype
font/opentype
application/vnd.ms-fontobject
image/svg+xml;
gzip_disable "msie6";
# DNS
resolver 8.8.8.8 1.0.0.1 valid=300s ipv6=off;
resolver_timeout 5s;
# 全局代理头(所有站点都生效)
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_hide_header X-Powered-By;
proxy_hide_header Server;
# 隐藏 Nginx 版本号
server_tokens off;
# ACME
acme_shared_zone zone=acme_shared:2M;
acme_issuer letsencrypt {
uri https://acme-v02.api.letsencrypt.org/directory;
contact mailto:123456@qq.com;
state_path acme/letsencrypt;
accept_terms_of_service;
}
# SSL
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384';
ssl_prefer_server_ciphers off;
ssl_session_cache shared:SSL:20m;
ssl_session_timeout 1d;
ssl_session_tickets off;
ssl_buffer_size 4k;
# 全局限流(保持)
limit_req_zone $binary_remote_addr zone=req_limit:10m rate=200r/s;
limit_req zone=req_limit burst=300;
limit_req_status 429;
limit_conn_zone $binary_remote_addr zone=conn_limit:10m;
limit_conn conn_limit 100;
limit_conn_status 429;
# HTTP → HTTPS 跳转
server {
listen 80 default_server;
listen [::]:80 default_server;
server_name _;
location / {
return 301 https://$host$request_uri;
}
}
include conf.d/*.conf;
}
站点配置
站点路径:/app/nginx/conf/conf.d
把6.6.6.6:80,改成你要反代的源站ip和端口
2345_com是上游服务器(源站)名称,每个站点不一样,避免冲突,
backup是备用服务器的意思,源站挂了,备用顶上,需要的话移除注释
证书目录 /app/nginx/acme/letsencrypt
示例:2345.com, www.2345.com, 根域跳转到www
nano /app/nginx/conf/conf.d/2345.com.conf
粘贴以下内容
upstream 2345_com {
server 6.6.6.6:80;
#server 3.2.3.8:80 backup;
keepalive 32;
}
server {
listen 443 ssl;
listen [::]:443 ssl;
http2 on;
server_name 2345.com www.2345.com;
# 根域名跳转
if ($host = 2345.com) {
return 301 https://www.2345.com$request_uri;
}
access_log logs/2345.com-access.log;
error_log logs/2345.com-error.log warn;
acme_certificate letsencrypt;
ssl_certificate $acme_certificate;
ssl_certificate_key $acme_certificate_key;
ssl_certificate_cache max=2;
# 安全头
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Strict-Transport-Security "max-age=31536000" always;
location / {
proxy_pass http://2345_com;
proxy_http_version 1.1;
# 代理超时与重试
proxy_connect_timeout 5s;
proxy_send_timeout 15s;
proxy_read_timeout 15s;
proxy_next_upstream error timeout http_502 http_503 http_504;
}
location ~ /\. {
deny all;
access_log off;
log_not_found off;
}
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root /app/nginx/html;
internal;
}
}
查看证书:
cd /app/nginx
tree acme/ modules/
需要安装tree
apt-get update && apt-get install -y tree
单域名没有跳转配置
示例:
upstream tv_2345_com {
server 6.6.6.6:80;
#server 3.2.3.8:80 backup;
keepalive 32;
}
server {
listen 443 ssl;
listen [::]:443 ssl;
http2 on;
server_name tv.2345.com;
access_log logs/tv.2345.com-access.log;
error_log logs/tv.2345.com-error.log warn;
acme_certificate letsencrypt;
ssl_certificate $acme_certificate;
ssl_certificate_key $acme_certificate_key;
ssl_certificate_cache max=2;
# 安全头
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Strict-Transport-Security "max-age=31536000" always;
location / {
proxy_pass http://tv_2345_com;
proxy_http_version 1.1;
# 代理超时与重试
proxy_connect_timeout 5s;
proxy_send_timeout 15s;
proxy_read_timeout 15s;
proxy_next_upstream error timeout http_502 http_503 http_504;
}
location ~ /\. {
deny all;
access_log off;
log_not_found off;
}
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root /app/nginx/html;
internal;
}
}
验证和重载
验证配置文件语法
cd /app/nginx/
./sbin/nginx -c conf/nginx.conf -t
提示以下信息正确
nginx: the configuration file /app/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /app/nginx/conf/nginx.conf test is successful
启动,如果已经启动会提示Address already in use
cd /app/nginx/
./sbin/nginx -c conf/nginx.conf
配置变更后重载
cd /app/nginx/
./sbin/nginx -c conf/nginx.conf -s reload
禁止IP访问
已使用更简洁的方法,以下方式仅供参考。
生成自签名证书
openssl req -x509 -nodes -days 3650 -newkey rsa:2048 \
-keyout /app/nginx/conf/default_ssl.key \
-out /app/nginx/conf/default_ssl.crt \
-subj "/C=CN/ST=State/L=City/O=Org/CN=_"
修改nginx全局配置
nano /app/nginx/conf/nginx.conf
修改结尾部分
# HTTP → HTTPS 跳转
server {
listen 80 default_server;
listen [::]:80 default_server;
server_name _;
location / {
return 301 https://$host$request_uri;
}
}
# 禁止 IP 直接访问(HTTPS)
server {
listen 443 ssl default_server;
listen [::]:443 ssl default_server;
http2 on;
server_name _;
ssl_certificate /app/nginx/conf/default_ssl.crt;
ssl_certificate_key /app/nginx/conf/default_ssl.key;
return 444;
}
include conf.d/*.conf;
}
最后重载生效
cd /app/nginx/
./sbin/nginx -c conf/nginx.conf -s reload
验证
cd /app/nginx/
./sbin/nginx -c conf/nginx.conf -t