Let's Encrypt SSL 证书和or的整合

whs860603 · 2019-12-25T13:48:06+00:00
moonjit解决，结帖！在 2019年12月23日星期一 UTC+8下午12:02:49&#xFF0C...
Let's Encrypt SSL 证书和or的整合

whs860603

我host有3个后台运行的container 是监听文件 unix sock这种不是暴露80端口这种我用curl --unix-socket /var/discourse/shared/bbs/nginx.http.sock http:/images/json 测试是运行正常的，
找了好几个 ssl的库包括https://github.com/jxskiss/ssl-cert-server/ https://github.com/GUI/lua-resty-auto-ssl 都卡住了 conf文件是这样的
有热心肠的可以推荐一个思路
events {
    worker_connections 1024;
}

http {
#    include       mime.types;
    default_type  application/octet-stream;

    lua_shared_dict ssl_certs_cache 1m;

    init_by_lua_block {
        -- Define a funcction to determine which SNI domains to automatically
        -- handle and register new certificates for. Defaults to not allowing
        -- any domain, so this must be configured.
        function allow_domain(domain)
            if  ngx.re.match(domain, "(antivte.com|bbs.antivte.com|ytb.antivte.com|cp.antivte.com)", "ijo") then 
                return true
            end
            return false
        end

        -- Initialize backend certificate server instance.
        cert_server = (require "resty.ssl-cert-server").new({
            backend = '127.0.0.1:8999',
            allow_domain = allow_domain
        })
    }

    # HTTPS Server
    server {
        listen 443 ssl;

        # Works also with non-default HTTPS port.
#        listen 8443 ssl;

        server_name bbs.antivte.com;  # <-- change this

        # Dynamic handler for issuing or returning certs for SNI domains.
        ssl_certificate_by_lua_block {
            cert_server:ssl_certificate()
        }

        # Fallback certificate required by nginx, self-signed is ok.
        # openssl req -new -newkey rsa:2048 -days 3650 -nodes -x509 \
        #   -subj '/CN=sni-support-required-for-valid-ssl' \
        #   -keyout /etc/nginx/certs/fallback-self-signed.key \
        #   -out /etc/nginx/certs/fallback-self-signed.crt
        ssl_certificate /etc/nginx/certs/fallback-self-signed.crt;
        ssl_certificate_key /etc/nginx/certs/fallback-self-signed.key;


        location / {
                proxy_pass http://unix:/var/discourse/shared/bbs/nginx.http.sock:;
                proxy_set_header Host $http_host;
                proxy_http_version 1.1;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header X-Forwarded-Proto $scheme;
                proxy_set_header X-Real-IP $remote_addr;
        }
    }

    # HTTP Server
    server {
        listen 80;
        server_name bbs.antivte.com;  # <-- change this
        return 301 https://$host$request_uri;

        # Endpoint used for performing domain verification with Let's Encrypt.
        location /.well-known/acme-challenge/ {
            content_by_lua_block {
                cert_server:challenge_server()
            }
        }
    }


    # HTTPS Server
    server {
        listen 443 ssl;

        # Works also with non-default HTTPS port.
#        listen 8443 ssl;

        server_name ytb.antivte.com;  # <-- change this

        # Dynamic handler for issuing or returning certs for SNI domains.
        ssl_certificate_by_lua_block {
            cert_server:ssl_certificate()
        }

        # Fallback certificate required by nginx, self-signed is ok.
        # openssl req -new -newkey rsa:2048 -days 3650 -nodes -x509 \
        #   -subj '/CN=sni-support-required-for-valid-ssl' \
        #   -keyout /etc/nginx/certs/fallback-self-signed.key \
        #   -out /etc/nginx/certs/fallback-self-signed.crt
        ssl_certificate /etc/nginx/certs/fallback-self-signed.crt;
        ssl_certificate_key /etc/nginx/certs/fallback-self-signed.key;

        location / {
                proxy_pass http://unix:/var/discourse/shared/ytb/nginx.http.sock:;
                proxy_set_header Host $http_host;
                proxy_http_version 1.1;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header X-Forwarded-Proto $scheme;
                proxy_set_header X-Real-IP $remote_addr;
        }        
    }

    # HTTP Server
    server {
        listen 80;
        server_name ytb.antivte.com;  # <-- change this
        return 301 https://$host$request_uri;

        # Endpoint used for performing domain verification with Let's Encrypt.
        location /.well-known/acme-challenge/ {
            content_by_lua_block {
                cert_server:challenge_server()
            }
        }
    }
 
    # HTTPS Server
    server {
        listen 443 ssl;

        # Works also with non-default HTTPS port.
#        listen 8443 ssl;

        server_name cp.antivte.com;  # <-- change this

        # Dynamic handler for issuing or returning certs for SNI domains.
        ssl_certificate_by_lua_block {
            cert_server:ssl_certificate()
        }

        # Fallback certificate required by nginx, self-signed is ok.
        # openssl req -new -newkey rsa:2048 -days 3650 -nodes -x509 \
        #   -subj '/CN=sni-support-required-for-valid-ssl' \
        #   -keyout /etc/nginx/certs/fallback-self-signed.key \
        #   -out /etc/nginx/certs/fallback-self-signed.crt
        ssl_certificate /etc/nginx/certs/fallback-self-signed.crt;
        ssl_certificate_key /etc/nginx/certs/fallback-self-signed.key;

        location / {
                proxy_pass http://unix:/var/discourse/shared/cp/nginx.http.sock:;
                proxy_set_header Host $http_host;
                proxy_http_version 1.1;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header X-Forwarded-Proto $scheme;
                proxy_set_header X-Real-IP $remote_addr;
        }
    }

    # HTTP Server
    server {
        listen 80;
        server_name cp.antivte.com;  # <-- change this
        return 301 https://$host$request_uri;

        # Endpoint used for performing domain verification with Let's Encrypt.
        location /.well-known/acme-challenge/ {
            content_by_lua_block {
                cert_server:challenge_server()
            }
        }
    }   
}
   