摘要：如果綁定七牛云空間的域名能使用等這類免費(fèi)的網(wǎng)址那么就完美了。然而七牛目前并不支持這類短期的免費(fèi)證書。下面我教大家一種利用實(shí)現(xiàn)以的方式訪問七牛資源的方法。七牛云空間應(yīng)該已經(jīng)綁定了自定義的域名，不懂如何綁定的請(qǐng)查看前一篇文章。

上一篇文章 為七牛云存儲(chǔ)空間綁定自定義域名，并使用七牛云提供的免費(fèi)SSL證書，將自定義加名升級(jí)為HTTPS 我們提到利用七牛的免費(fèi)SSL證書，將自定義加名升級(jí)為HTTPS的方法。

不知道有沒有小伙伴會(huì)像我一樣擔(dān)心一年七牛的SSL證書不免費(fèi)了怎么辦？每個(gè)域名每年都要幾千塊的支出對(duì)于個(gè)人和小企業(yè)來說還是一筆不小的數(shù)目。

如果綁定七牛云空間的域名能使用 lets‘encrypt 等這類免費(fèi)的網(wǎng)址那么就完美了。
然而七牛目前并不支持 lets"encrypt 這類短期的免費(fèi)證書。

下面我教大家一種利用 Nginx + lets"encrypt 實(shí)現(xiàn)以https的方式訪問七牛資源的方法。

首先聲明，使用這種方法相當(dāng)于主動(dòng)放棄了七牛云存儲(chǔ)的CDN優(yōu)勢(shì)，只適合訪問量不高的個(gè)人和小公司。

要有一個(gè)域名。

七牛云空間應(yīng)該已經(jīng)綁定了自定義的域名，不懂如何綁定的請(qǐng)查看前一篇文章。筆者綁定的域名是 md.ws65535.top。

有一臺(tái)帶公網(wǎng)IP的Linux服務(wù)器。筆者服務(wù)器IP為 54.191.48.61，Linux環(huán)境為 ubuntu14.04。其他發(fā)行版原理相同，只不過軟件安裝方式和目錄結(jié)構(gòu)略有不同。

ubuntu@ip-172-31-27-111:~$ sudo apt-get install nginx

ubuntu@ip-172-31-27-111:~$ nginx -v
nginx version: nginx/1.4.6 (Ubuntu)

ubuntu@ip-172-31-27-111:~$ sudo service nginx start

ubuntu@ip-172-31-27-111:~$ ss -tln
State      Recv-Q Send-Q               Local Address:Port                 Peer Address:Port
LISTEN     0      128                              *:80                    *:*
LISTEN     0      128                              *:22                    *:*
LISTEN     0      128                             :::80                    :::*
LISTEN     0      128                             :::22                    :::*

ubuntu@ip-172-31-27-111:~$ curl http://54.191.48.61







Welcome to nginx!
If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.

For online documentation and support please refer to
nginx.org.

Commercial support is available at
nginx.com.

Thank you for using nginx.

server {
    server_name qiniu-ssl.ws65535.top;

    location / {
        proxy_pass http://md.ws65535.top;
    }
}

編輯完成后使用 nginx -s reload 重新載入Nginx配置文件。

記錄類型為 A，主機(jī)記錄為 qiniu-ssl.ws65535.top，服務(wù)器IP為 54.191.48.61

例如
http://qiniu-ssl.ws65535.top/xsj/2018_8_6_2018-08-06_181854.jpg
可以訪問到下面的資源
http://md.ws65535.top/xsj/2018_8_6_2018-08-06_181854.jpg

此處只記錄ubuntu14.04安裝方法

$ sudo apt-get update
$ sudo apt-get install software-properties-common
$ sudo add-apt-repository ppa:certbot/certbot
$ sudo apt-get update
$ sudo apt-get install python-certbot-nginx 

$ sudo certbot --nginx

ubuntu@ip-172-31-27-111:~$ sudo certbot --nginx
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx

Which names would you like to activate HTTPS for?
-------------------------------------------------------------------------------
1: agency.ws65535.xyz
2: qiniu-ssl.ws65535.top
-------------------------------------------------------------------------------
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter "c" to cancel): 2 #此處選擇將 qiniu-ssl.ws65535.top 設(shè)為https
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for qiniu-ssl.ws65535.top
Waiting for verification...
Cleaning up challenges
Deploying Certificate to VirtualHost /etc/nginx/sites-enabled/qiniu-ssl

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
-------------------------------------------------------------------------------
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you"re confident your site works on HTTPS. You can undo this
change by editing your web server"s configuration.
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press "c" to cancel): 2 #是否強(qiáng)制將http方式訪問的請(qǐng)求跳轉(zhuǎn)到以HTTPS方式訪問
Redirecting all traffic on port 80 to ssl in /etc/nginx/sites-enabled/qiniu-ssl

-------------------------------------------------------------------------------
Congratulations! You have successfully enabled https://qiniu-ssl.ws65535.top

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=qiniu-ssl.ws65535.top
-------------------------------------------------------------------------------

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/qiniu-ssl.ws65535.top/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/qiniu-ssl.ws65535.top/privkey.pem
   Your cert will expire on 2018-11-04. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot again
   with the "certonly" option. To non-interactively renew *all* of
   your certificates, run "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let"s Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

ubuntu@ip-172-31-27-111:~$ cat /etc/nginx/sites-enabled/qiniu-ssl
server {
    server_name qiniu-ssl.ws65535.top;

    location / {
        proxy_pass http://md.ws65535.top;
    }


    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/qiniu-ssl.ws65535.top/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/qiniu-ssl.ws65535.top/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

}
server {
    if ($host = qiniu-ssl.ws65535.top) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    server_name qiniu-ssl.ws65535.top;
    listen 80;
    return 404; # managed by Certbot
}

sudo vim /etc/crontab

# 每月自動(dòng)更新ssl證書
19 3 1 * * root /usr/bin/certbot renew --dry-run