
  1. #!/bin/bash
  2. SERVER_IP="45.61.60.10"
  3. SERVER_USER="root"
  4. SERVER_PASS="UQb9TgSwC@vwhEM"
  5. # 1. 编写完整的 Nginx HTTPS 配置文件 (预备)
  6. # 注意:证书路径暂时写死为 Let's Encrypt 标准路径
  7. cat > ccdw_full.conf <<EOF
  8. server {
  9. listen 80;
  10. server_name ccdw.xyz www.ccdw.xyz;
  11. # 强制跳转到 HTTPS
  12. return 301 https://\$host\$request_uri;
  13. }
  14. server {
  15. listen 443 ssl;
  16. server_name ccdw.xyz www.ccdw.xyz;
  17. # 证书路径 (稍后由 certbot 生成)
  18. ssl_certificate /etc/letsencrypt/live/ccdw.xyz/fullchain.pem;
  19. ssl_certificate_key /etc/letsencrypt/live/ccdw.xyz/privkey.pem;
  20. # SSL 优化配置
  21. ssl_session_timeout 5m;
  22. ssl_protocols TLSv1.2 TLSv1.3;
  23. ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
  24. ssl_prefer_server_ciphers off;
  25. # 日志
  26. access_log /var/log/nginx/ccdw.xyz.log;
  27. error_log /var/log/nginx/ccdw.xyz.error.log;
  28. # 反向代理到 Node.js (3001)
  29. location / {
  30. proxy_pass http://127.0.0.1:3001;
  31. proxy_http_version 1.1;
  32. proxy_set_header Upgrade \$http_upgrade;
  33. proxy_set_header Connection 'upgrade';
  34. proxy_set_header Host \$host;
  35. proxy_set_header X-Real-IP \$remote_addr;
  36. proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
  37. proxy_set_header X-Forwarded-Proto \$scheme;
  38. }
  39. }
  40. EOF
  41. # 2. 上传配置文件
  42. /usr/bin/expect <<EOF
  43. set timeout 30
  44. spawn scp -o StrictHostKeyChecking=no ccdw_full.conf $SERVER_USER@$SERVER_IP:/tmp/ccdw_full.conf
  45. expect {
  46. "password:" { send "$SERVER_PASS\r" }
  47. "yes/no" { send "yes\r"; exp_continue }
  48. }
  49. expect eof
  50. EOF
  51. # 3. SSH 执行:安装证书并应用配置
  52. /usr/bin/expect <<EOF
  53. set timeout 300
  54. spawn ssh -o StrictHostKeyChecking=no $SERVER_USER@$SERVER_IP
  55. expect {
  56. "password:" { send "$SERVER_PASS\r" }
  57. "yes/no" { send "yes\r"; exp_continue }
  58. }
  59. expect "#"
  60. send "echo '--- 1. INSTALLING CERTBOT ---'\r"
  61. # 尝试安装 certbot (Debian/Ubuntu)
  62. send "apt-get update && apt-get install -y certbot\r"
  63. send "echo '--- 2. STOPPING NGINX FOR AUTH ---'\r"
  64. # 停止 Nginx 以释放 80 端口供 Certbot 使用
  65. send "systemctl stop nginx\r"
  66. # 确保进程已杀掉
  67. send "killall nginx 2>/dev/null\r"
  68. send "echo '--- 3. REQUESTING CERTIFICATE ---'\r"
  69. # 申请证书
  70. send "certbot certonly --standalone -d ccdw.xyz -d www.ccdw.xyz --email bob.yuxinyang@gmail.com --agree-tos --non-interactive\r"
  71. send "echo '--- 4. APPLYING NGINX CONFIG ---'\r"
  72. # 检查证书是否生成成功
  73. send "if test -f /etc/letsencrypt/live/ccdw.xyz/fullchain.pem; then \
  74. echo 'Certificate verified. Applying config...'; \
  75. mv /tmp/ccdw_full.conf /etc/nginx/sites-available/ccdw.xyz.conf; \
  76. ln -sf /etc/nginx/sites-available/ccdw.xyz.conf /etc/nginx/sites-enabled/ccdw.xyz.conf; \
  77. else \
  78. echo 'ERROR: Certificate generation failed!'; \
  79. rm /etc/nginx/sites-available/ccdw.xyz.conf 2>/dev/null; \
  80. rm /etc/nginx/sites-enabled/ccdw.xyz.conf 2>/dev/null; \
  81. fi\r"
  82. send "echo '--- 5. RESTARTING NGINX ---'\r"
  83. send "nginx -t && systemctl start nginx\r"
  84. send "echo '--- 6. VERIFYING ---'\r"
  85. send "netstat -tulpn | grep nginx\r"
  86. # 发送一个测试请求看是否返回 200 (通过代理)
  87. send "curl -I https://ccdw.xyz\r"
  88. send "exit\r"
  89. expect eof
  90. EOF
  91. # 清理本地文件
  92. rm ccdw_full.conf