修改nginx的配置使得在反向代理的情况下也能完成acme.sh自动免费签发ssl证书

924 阅读1分钟
server {
  listen  443 ssl;
  listen       [::]:443 ssl;
  ssl_certificate       /data/example.com.pem;
  ssl_certificate_key   /data/example.com.pem;
  ssl_protocols         TLSv1 TLSv1.1 TLSv1.2;
  ssl_ciphers           HIGH:!aNULL:!MD5;
  server_name           example.com;
  client_max_body_size    1000m;
  location ^~ /.well-known/acme-challenge/ {
        default_type "text/plain";
        allow all;
        root /var/www/example.com/;
   }

  location / { 
        proxy_redirect off;
        proxy_pass http://xxxxxxx:8000;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $http_host;

       
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }

  }

主要起作用的是 location ^~ /.well-known/acme-challenge/ ,acme在认证的时候会使用这个目录,我们在签发证书的时候使用以下参数即可:

acme.sh --issue -d example.com -w /home/wwwroot/example.com