申请证书
#nginx -s stop
systemctl stop nginx
apt-get install socat curl cron
curl https://get.acme.sh | sh
~/.acme.sh/acme.sh --set-default-ca --server letsencrypt
~/.acme.sh/acme.sh --issue -d www.kkiikk.top --standalone -k ec-256 --force --test
rm -rf ~/.acme.sh/www.kkiikk.top_ecc
以上是测试
~/.acme.sh/acme.sh --issue -d www.kkiikk.top --standalone -k ec-256 --force
mkdir /etc/nginx/ssl/
~/.acme.sh/acme.sh --installcert -d www.kkiikk.top --fullchainpath /etc/nginx/ssl/www.kkiikk.top.crt --keypath /etc/nginx/ssl/www.kkiikk.top.key --ecc --force
webdav配置
编辑/etc/nginx/conf/nginx.conf
nano /etc/nginx/conf/nginx.conf
在nginx.conf
中加入以下内容
user root;
worker_processes auto;
error_log /etc/nginx/error.log warn;
pid /run/nginx.pid;
events {
worker_connections 1024;
}
http {
include /etc/nginx/conf/mime.types; #注意路径,必须写,否则可能造成css无法加载
default_type application/octet-stream;
log_format main '\$remote_addr - \$remote_user [\$time_local] "\$request" '
'\$status \$body_bytes_sent "\$http_referer" '
'"\$http_user_agent" "\$http_x_forwarded_for"';
access_log /etc/nginx/access.log main;
sendfile on;
#tcp_nopush on;
keepalive_timeout 120;
client_max_body_size 20m;
#gzip on;
include /etc/nginx/conf.d/*.conf;
}
编辑/etc/nginx/conf.d/dav.conf
mkdir /etc/nginx/conf.d/
nano /etc/nginx/conf.d/dav.conf
在dav.conf
中加入以下内容
server {
listen 443 ssl;
listen [::]:443 ssl; #没有ipv6的话要注释掉这行
ssl_certificate /etc/nginx/ssl/www.kkiikk.top.crt;
ssl_certificate_key /etc/nginx/ssl/www.kkiikk.top.key;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-128-GCM-SHA256:TLS13-AES-128-CCM-8-SHA256:TLS13-AES-128-CCM-SHA256:EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+ECDSA+AES128:EECDH+aRSA+AES128:RSA+AES128:EECDH+ECDSA+AES256:EECDH+aRSA+AES256:RSA+AES256:EECDH+ECDSA+3DES:EECDH+aRSA+3DES:RSA+3DES:!MD5;
server_name www.kkiikk.top;
#index index.html index.htm;
#root /html;
#error_page 400 = /400.html;
location / { #如果是location /,下面应写成alias /html/
# 设置使用utf-8编码,防止中文文件名乱码
charset utf-8;
# alias /html/,修改为网盘文件夹的路径;
alias /html/;
autoindex on;
dav_methods PUT DELETE MKCOL COPY MOVE;
# 需要 nginx-dav-ext-module 才有下面的选项
dav_ext_methods PROPFIND OPTIONS;
create_full_put_path on;
dav_access user:rw group:r all:r;
# 使用者认证
auth_basic "登录";
# 使用者身份档案位置
auth_basic_user_file /etc/nginx/.passwords.list;
# 关闭详细文件大小统计,让文件大小显示MB,GB单位,默认为b;
autoindex_exact_size off;
}
# Config for 0-RTT in TLSv1.3
ssl_early_data on;
ssl_stapling on;
ssl_stapling_verify on;
proxy_set_header Early-Data $ssl_early_data;
add_header Strict-Transport-Security "max-age=31536000";
}
server {
listen 80;
listen [::]:80; #没有ipv6的话要注释掉这行
server_name www.kkiikk.top;
return 301 https://www.kkiikk.top$request_uri;
}
注意,Mix
只支持TLSv1.2
设置用户和密码
echo -n 'admin:' | tee -a /etc/nginx/.passwords.list
#注意admin后面的:不能漏掉,admin可以改成任意用户名
openssl passwd -apr1 | tee -a /etc/nginx/.passwords.list
#输入命令之后会出现提示输入密码
重启nginx
systemctl restart nginx
在其他vps上的转发配置
server {
listen 443 ssl http2;
listen [::]:443 http2;
#listen 0.0.0.0:443;
#listen [::]:443;
#ssl on;
ssl_certificate /etc/nginx/ssl/bw4.kkiikk.top.crt;
ssl_certificate_key /etc/nginx/ssl/bw4.kkiikk.top.key;
ssl_protocols TLSv1.3;
ssl_ciphers TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-128-GCM-SHA256:TLS13-AES-128-CCM-8-SHA256:TLS13-AES-128-CCM-SHA256:EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+ECDSA+AES128:EECDH+aRSA+AES128:RSA+AES128:EECDH+ECDSA+AES256:EECDH+aRSA+AES256:RSA+AES256:EECDH+ECDSA+3DES:EECDH+aRSA+3DES:RSA+3DES:!MD5;
server_name bw4.kkiikk.top;
#index index.html index.htm;
#root /html/;
#error_page 400 = /400.html;
location / {
proxy_redirect off;
proxy_pass https://www.kkiikk.top;
#proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
client_max_body_size 1024m;
}
# Config for 0-RTT in TLSv1.3
ssl_early_data on;
ssl_stapling on;
ssl_stapling_verify on;
proxy_set_header Early-Data $ssl_early_data;
add_header Strict-Transport-Security "max-age=31536000";
}
server {
listen 80;
listen [::]:80;
server_name bw4.kkiikk.top;
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
location / {
proxy_pass https://www.kkiikk.top;
proxy_set_header X-Real_IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $host;
proxy_pass_header Set-Cookie;
proxy_pass_header X-CSRF-TOKEN;
}
}