Skip to content

Commit

Permalink
更新 HTTPS 证书申请相关的功能
Browse files Browse the repository at this point in the history
  • Loading branch information
EtherDream committed Jul 10, 2019
1 parent 01680ce commit 414e0ba
Show file tree
Hide file tree
Showing 6 changed files with 63 additions and 40 deletions.
12 changes: 0 additions & 12 deletions acme.conf

This file was deleted.

4 changes: 2 additions & 2 deletions docs/cert-auto.md
Original file line number Diff line number Diff line change
@@ -1,9 +1,9 @@
# 自动申请 HTTPS 证书

1.转发 80 端口到 10080 端口(需要 root 权限)
1.转发 80 端口到 8080 端口(需要 root 权限)

```bash
iptables -t nat -I PREROUTING 1 -p tcp --dport 80 -j REDIRECT --to-ports 10080
iptables -t nat -I PREROUTING 1 -p tcp --dport 80 -j REDIRECT --to-ports 8080
```

> 外部访问 http://服务器IP/.well-known/acme-challenge/test.txt 可验证是否正常。返回 `ok` 说明正常。
Expand Down
4 changes: 2 additions & 2 deletions docs/cert-manual.md
Original file line number Diff line number Diff line change
Expand Up @@ -13,10 +13,10 @@

3.文件保存到服务器 `~/server/acme/.well-known/acme-challenge/` 目录

4.转发 80 端口到 10080 端口(需要 root 权限)
4.转发 80 端口到 8080 端口(需要 root 权限)

```bash
iptables -t nat -I PREROUTING 1 -p tcp --dport 80 -j REDIRECT --to-ports 10080
iptables -t nat -I PREROUTING 1 -p tcp --dport 80 -j REDIRECT --to-ports
```

当然也可以使用其他 Web 服务,只要该文件能被外部访问就可以。
Expand Down
77 changes: 54 additions & 23 deletions i.sh
Original file line number Diff line number Diff line change
Expand Up @@ -61,7 +61,7 @@ gen_cert() {
continue
fi

if [[ ! $(grep -E "[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+" <<< $ip) ]]; then
if ! grep -qP "^\d+\.\d+\.\d+\.\d+$" <<< $ip; then
warn "无效 IP:$ip"
continue
fi
Expand All @@ -81,8 +81,28 @@ gen_cert() {

local acme=~/.acme.sh/acme.sh

for i in ${DOMAIN_SUFFIX[@]}; do
local domain=$ip.$i
local domains=()

if [[ $@ ]]; then
for i in $@; do
domains+=($i)
done
else
warn "未指定域名,使用公共测试域名"
for i in ${DOMAIN_SUFFIX[@]}; do
domains+=($ip.$i)
done
fi

for domain in ${domains[@]}; do
echo "校验域名 $domain ..."

local ret=$(getent ahosts $domain | head -n1 | awk '{print $1}')
if [[ $ret != $ip ]]; then
err "域名 $domain 解析结果: $ret,非本机公网 IP: $ip"
continue
fi

log "尝试为域名 $domain 申请证书 ..."

local dist=server/cert/$domain
Expand Down Expand Up @@ -119,7 +139,7 @@ $url 'mysite';" >> server/allowed-sites.conf
break
fi

err "证书申请失败!"
err "证书申请失败!(80 端口是否添加到防火墙)"
rm -rf $dist
done
}
Expand Down Expand Up @@ -171,7 +191,9 @@ install() {
server/run.sh

log "服务已开启"
gen_cert

shift 1
gen_cert $@
}

main() {
Expand All @@ -187,39 +209,48 @@ main() {
exit 1
fi

if ! id -u jsproxy > /dev/null 2>&1 ; then
log "创建用户 jsproxy ..."
groupadd nobody > /dev/null 2>&1
useradd jsproxy -g nobody --create-home
local cmd
if [[ $0 == *"i.sh" ]]; then
warn "本地调试模式"

local dst=/home/jsproxy/i.sh
cp $0 $dst
chown jsproxy:nobody $dst
if [[ $1 == "-s" ]]; then
shift 1
fi
cmd="bash $dst install $@"
else
cmd="curl -s $SRC_URL/i.sh | bash -s install $@"
fi

warn "HTTPS 证书申请需要验证 80 端口,确保 TCP:80 已添加到防火墙"
warn "如果当前已有 80 端口的服务,将暂时无法收到数据"
iptables \
-m comment --comment "acme challenge svc" \
-t nat \
-I PREROUTING 1 \
-p tcp --dport 80 \
-j REDIRECT \
--to-ports 10080
--to-ports 8080

if ! id -u jsproxy > /dev/null 2>&1 ; then
log "创建用户 jsproxy ..."
groupadd nobody > /dev/null 2>&1
useradd jsproxy -g nobody --create-home
fi

log "切换到 jsproxy 用户,执行安装脚本 ..."
su - jsproxy -c "curl -s $SRC_URL/i.sh | bash -s install"
su - jsproxy -c "$cmd"

local line=$(iptables -t nat -L --line-numbers | grep "acme challenge svc")
local line=$(iptables -t nat -nL --line-numbers | grep "tcp dpt:80 redir ports 8080")
iptables -t nat -D PREROUTING ${line%% *}

log "安装完成。后续维护参考 https://github.com/EtherDream/jsproxy"
}


case $1 in
"install")
install;;
"cert")
gen_cert;;
*)
main;;
esac
if [[ $1 == "install" ]]; then
install $@
else
main $@
fi

} # this ensures the entire script is downloaded #
1 change: 0 additions & 1 deletion nginx.conf
Original file line number Diff line number Diff line change
Expand Up @@ -6,7 +6,6 @@ http {
include api.conf;
include www.conf;
}
include acme.conf;

# https://nginx.org/en/docs/http/ngx_http_core_module.html
resolver 1.1.1.1 ipv6=off;
Expand Down
5 changes: 5 additions & 0 deletions www.conf
Original file line number Diff line number Diff line change
Expand Up @@ -44,3 +44,8 @@ location / {
root ../www;
index 404.html;
}

# HTTPS 证书申请验证
location /.well-known/acme-challenge/ {
root ../acme;
}

0 comments on commit 414e0ba

Please sign in to comment.