请问这个conf写的是否有问题。
请问conf是否有问题,证书是否会自动更新?我将真实的域名改成了domain.com,由于是反向代理,没有写rootserver {
listen 80;
server_name lbs.domain.com;
return 301 https://lbs.domain.com$request_uri;
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name lbs.domain.com;
ssl_certificate /usr/local/nginx/conf/ssl/lbs.domain.com/fullchain.cer;
ssl_certificate_key /usr/local/nginx/conf/ssl/lbs.domain.com/lbs.domain.com.key;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-128-GCM-SHA256:TLS13-AES-128-CCM-8-SHA256:TLS13-AES-128-CCM-SHA256:EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
ssl_prefer_server_ciphers on;
ssl_session_timeout 10m;
ssl_session_cache builtin:1000 shared:SSL:10m;
ssl_buffer_size 1400;
add_header Strict-Transport-Security max-age=15768000;
ssl_stapling on;
ssl_stapling_verify on;
ssl_dhparam /usr/local/nginx/conf/ssl/dhparam.pem;
#error_page 404 /404.html;
#error_page 502 /502.html;
error_page 404 /404.html;
proxy_intercept_errors on;
location ^~ /serve/mailbox {
proxy_pass http://127.0.0.1:9000 ;
proxy_http_version 1.1;
proxy_cache_bypass $http_upgrade;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto$scheme;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Port $server_port;
proxy_redirect off;
proxy_buffer_size 64k;
proxy_buffers 32 32k;
proxy_busy_buffers_size 128k;
}
location / {
allow 94.130.110.79;
allow 47.242.250.196;
deny all;
proxy_pass http://127.0.0.1:9000 ;
proxy_http_version 1.1;
proxy_cache_bypass $http_upgrade;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto$scheme;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Port $server_port;
proxy_redirect off;
proxy_buffer_size 64k;
proxy_buffers 32 32k;
proxy_busy_buffers_size 128k;
}
location =/robots.txt {
default_type text/html;
add_header Content-Type "text/plain; charset=UTF-8";
return 200 "User-Agent: *\nDisallow: /";
}
location ~ /.well-known {
allow all;
}
access_log off;
}
没设置root这个样子没法续期,如果使用的域名服务商有在支持的列表中,可以使用api方式生成ssl并续期
要用http验证的话就需要在80的server段301前面加上
location ~ /.well-known {
root /home/wwwroot/域名
allow all;
}
301按 https://lnmp.org/faq/lnmp-nginx-301-rewrite.html 这个教程强制301设置
页:
[1]