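#!/usr/bin/env bash
#
# Provision HTTPS for ccdw.xyz on a remote panel-managed host:
#   1. render the Nginx vhost (HTTP->HTTPS redirect + TLS reverse proxy) locally,
#   2. scp it to the host,
#   3. over ssh: install certbot, stop nginx, obtain a Let's Encrypt certificate
#      with --standalone, install the vhost, then test and start nginx.
#
# Required environment:
#   SERVER_PASS   password for $SERVER_USER. It is read from the environment
#                 and handed to expect through $env(SERVER_PASS), so it is
#                 neither stored in this file, nor visible on a command line,
#                 nor interpolated into the generated Tcl source (where
#                 characters such as [ ] $ " would be re-parsed).
# Optional environment:
#   SERVER_IP     target host             (default: 47.253.147.187)
#   SERVER_USER   login user              (default: root)
#   SSH_OPTS      ssh/scp options         (default: -o StrictHostKeyChecking=accept-new)
#
# Usage: SERVER_PASS='...' ./deploy_https.sh
#
# Password authentication via expect is kept only because that is what the
# existing host setup uses; key-based auth would remove the password handling
# entirely.
set -euo pipefail

readonly DOMAIN="ccdw.xyz"
readonly CERTBOT_EMAIL="bob.yuxinyang@gmail.com"
readonly UPSTREAM="http://127.0.0.1:3001"
readonly REMOTE_TMP_CONF="/tmp/ccdw_full.conf"
readonly REMOTE_VHOST_CONF="/www/server/panel/vhost/nginx/${DOMAIN}.conf"
# Let's Encrypt standard layout; certbot populates it in step 3.
readonly CERT_DIR="/etc/letsencrypt/live/${DOMAIN}"

SERVER_IP=${SERVER_IP:-47.253.147.187}
SERVER_USER=${SERVER_USER:-root}
: "${SERVER_PASS:?SERVER_PASS must be set in the environment (do not hardcode it)}"
# accept-new stores a host key it has not seen before but still rejects a
# CHANGED key; the previous "=no" accepted any key, so a changed key (e.g. an
# interposed host) would have gone unnoticed.
SSH_OPTS=${SSH_OPTS:--o StrictHostKeyChecking=accept-new}
export SERVER_PASS

die() { printf 'error: %s\n' "$*" >&2; exit 1; }

# Local copy of the rendered vhost; the trap removes it on every exit path
# (the original only cleaned up when every earlier step succeeded).
conf_file=$(mktemp) || die "mktemp failed"
cleanup() { rm -f -- "$conf_file"; }
trap cleanup EXIT

#######################################
# Render the Nginx vhost to the file given as $1.
# Globals:   DOMAIN, CERT_DIR, UPSTREAM (read)
# Arguments: $1 - output path
# Returns:   non-zero if the file cannot be written
#######################################
write_nginx_conf() {
  local out=$1
  # Unquoted heredoc: ${DOMAIN} etc. expand here; nginx's own $variables are
  # written as \$ so they reach the file unexpanded.
  cat > "$out" <<EOF
server {
    listen 80;
    server_name ${DOMAIN} www.${DOMAIN};
    # Force HTTPS
    return 301 https://\$host\$request_uri;
}

server {
    listen 443 ssl;
    server_name ${DOMAIN} www.${DOMAIN};

    # Certificate paths (created by certbot)
    ssl_certificate ${CERT_DIR}/fullchain.pem;
    ssl_certificate_key ${CERT_DIR}/privkey.pem;

    # TLS settings
    ssl_session_timeout 5m;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers off;

    # Logs
    access_log /www/wwwlogs/${DOMAIN}.log;
    error_log /www/wwwlogs/${DOMAIN}.error.log;

    # Reverse proxy to Node.js (3001)
    location / {
        proxy_pass ${UPSTREAM};
        proxy_http_version 1.1;
        proxy_set_header Upgrade \$http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host \$host;
        proxy_set_header X-Real-IP \$remote_addr;
        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto \$scheme;
    }
}
EOF
}

#######################################
# scp the rendered vhost to REMOTE_TMP_CONF on the server.
# Globals:   SSH_OPTS, SERVER_USER, SERVER_IP, REMOTE_TMP_CONF (read),
#            SERVER_PASS (read by expect from its environment)
# Arguments: $1 - local file to upload
# Returns:   scp's exit status (propagated via expect's wait)
#######################################
upload_conf() {
  local conf=$1
  # \$env(...) keeps the $ for Tcl; \r passes through the heredoc unchanged.
  /usr/bin/expect <<EOF
set timeout 30
spawn scp ${SSH_OPTS} "${conf}" "${SERVER_USER}@${SERVER_IP}:${REMOTE_TMP_CONF}"
expect {
    "password:" { send "\$env(SERVER_PASS)\r" }
    "yes/no"    { send "yes\r"; exp_continue }
}
expect eof
exit [lindex [wait] 3]
EOF
}

#######################################
# ssh in and run the provisioning steps in one interactive session.
# expect only queues the commands into the remote shell; they execute in
# order because the shell reads them sequentially from the same pty.
# Globals:   SSH_OPTS, SERVER_USER, SERVER_IP, DOMAIN, CERTBOT_EMAIL,
#            CERT_DIR, REMOTE_TMP_CONF, REMOTE_VHOST_CONF (read),
#            SERVER_PASS (read by expect from its environment)
# Returns:   ssh's exit status (propagated via expect's wait)
#######################################
provision_remote() {
  # NOTE: the remote "if" uses `test -f` rather than `[ -f ... ]`: inside a
  # Tcl double-quoted string `[ ... ]` is command substitution and aborts the
  # expect script before the vhost is installed.
  /usr/bin/expect <<EOF
set timeout 300
spawn ssh ${SSH_OPTS} "${SERVER_USER}@${SERVER_IP}"
expect {
    "password:" { send "\$env(SERVER_PASS)\r" }
    "yes/no"    { send "yes\r"; exp_continue }
}
expect "#"
send "echo '--- 1. INSTALLING CERTBOT ---'\r"
send "apt-get update && apt-get install -y certbot\r"
send "echo '--- 2. STOPPING NGINX FOR AUTH ---'\r"
send "/etc/init.d/nginx stop\r"
send "killall nginx 2>/dev/null\r"
send "echo '--- 3. REQUESTING CERTIFICATE ---'\r"
send "certbot certonly --standalone -d ${DOMAIN} -d www.${DOMAIN} --email ${CERTBOT_EMAIL} --agree-tos --non-interactive\r"
send "echo '--- 4. APPLYING NGINX CONFIG ---'\r"
send "if test -f ${CERT_DIR}/fullchain.pem; then echo 'Certificate verified. Applying config...'; mv ${REMOTE_TMP_CONF} ${REMOTE_VHOST_CONF}; else echo 'ERROR: Certificate generation failed!'; rm -f ${REMOTE_TMP_CONF} ${REMOTE_VHOST_CONF} 2>/dev/null; fi\r"
send "echo '--- 5. RESTARTING NGINX ---'\r"
send "nginx -t && /etc/init.d/nginx start\r"
send "echo '--- 6. VERIFYING ---'\r"
send "netstat -tulpn | grep nginx\r"
send "curl -I https://${DOMAIN}\r"
send "exit\r"
expect eof
exit [lindex [wait] 3]
EOF
}

main() {
  write_nginx_conf "$conf_file"
  upload_conf "$conf_file"
  provision_remote
}

main "$@"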